fix(deps): update dependency drizzle-orm to v0.45.2 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
drizzle-orm (source)	0.31.2 → 0.45.2

GitHub Vulnerability Alerts

CVE-2026-39356

Summary

Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks.

As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL.

Affected components

The issue affects the identifier escaping logic used by the PostgreSQL, MySQL, SQLite, SingleStore, and Gel dialects.

Impact

This issue only affects applications that pass untrusted runtime input into identifier or alias construction. Common examples include dynamic sorting, dynamic report builders, and CTE or alias names derived from request parameters.

Depending on the database dialect, query context, and database permissions, successful exploitation may enable blind or direct data disclosure, schema enumeration, query manipulation, privilege escalation, or destructive operations.

Applications that use only static schema objects, or that strictly map user input through an allowlist of known column or alias names, are not affected.

Details

In affected versions, escapeName() wrapped the identifier but did not escape the quote delimiter inside the identifier value:

• PostgreSQL / SQLite / Gel: " was not doubled to ""
• MySQL / SingleStore: ` was not doubled to ``

Because of this, crafted input containing the dialect-specific identifier delimiter could break out of the quoted identifier and be interpreted as SQL syntax.

A representative vulnerable pattern is dynamic sorting using untrusted input:

const sortField = req.query.sort || 'id';

const rows = await db
  .select()
  .from(users)
  .orderBy(sql.identifier(sortField));

##### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`

---

### Release Notes

<details>
<summary>drizzle-team/drizzle-orm (drizzle-orm)</summary>

### [`v0.45.2`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.45.2)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.45.1...0.45.2)

- Fixed `sql.identifier()`, `sql.as()` escaping issues. Previously all the values passed to this functions were not properly escaped
  causing a possible SQL Injection (CWE-89) vulnerability

Thanks to [@&#8203;EthanKim88](https://redirect.github.com/EthanKim88), [@&#8203;0x90sh](https://redirect.github.com/0x90sh) and [@&#8203;wgoodall01](https://redirect.github.com/wgoodall01) for reaching out to us with a reproduction and suggested fix

### [`v0.45.1`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.45.1)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.45.0...0.45.1)

- Fixed pg-native Pool detection in node-postgres transactions breaking in environments with forbidden `require()` ([#&#8203;5107](https://redirect.github.com/drizzle-team/drizzle-orm/issues/5107))

### [`v0.45.0`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.45.0)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.44.7...0.45.0)

- Fixed pg-native Pool detection in node-postgres transactions
- Allowed subqueries in select fields
- Updated typo algorythm => algorithm
- Fixed `$onUpdate` not handling `SQL` values (fixes [#&#8203;2388](https://redirect.github.com/drizzle-team/drizzle-orm/issues/2388), tests implemented by [L-Mario564](https://redirect.github.com/L-Mario564) in [#&#8203;2911](https://redirect.github.com/drizzle-team/drizzle-orm/pull/2911))
- Fixed `pg` mappers not handling `Date` instances in `bun-sql:postgresql` driver responses for `date`, `timestamp` types (fixes [#&#8203;4493](https://redirect.github.com/drizzle-team/drizzle-orm/issues/4493))

### [`v0.44.7`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.44.7)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.44.6...0.44.7)

- fix durable sqlite transaction return value [#&#8203;3746](https://redirect.github.com/drizzle-team/drizzle-orm/issues/3746) - thanks [@&#8203;joaocstro](https://redirect.github.com/joaocstro)

### [`v0.44.6`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.44.6)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.44.5...0.44.6)

- feat: add $replicas reference [#&#8203;4874](https://redirect.github.com/drizzle-team/drizzle-orm/issues/4874)

### [`v0.44.5`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.44.5)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.44.4...0.44.5)

- Fixed invalid usage of `.one()` in `durable-sqlite` session
- Fixed spread operator related crash in sqlite `blob` columns
- Better browser support for sqlite `blob` columns
- Improved sqlite `blob` mapping

### [`v0.44.4`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.44.4)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.44.3...0.44.4)

- Fix wrong DrizzleQueryError export. thanks [@&#8203;nathankleyn](https://redirect.github.com/nathankleyn)

### [`v0.44.3`](https://redirect.github.com/drizzle-team/drizzle-orm/releases/tag/0.44.3)

[Compare Source](https://redirect.github.com/drizzle-team/drizzle-orm/compare/0.44.2...0.44.3)

- Fixed types of `$client` for clients created by drizzle function

```ts
await db.$client.[...]

• Added the updated_at column to the neon_auth.users_sync table definition.

v0.44.2

Compare Source

• [BUG]: Fixed type issues with joins with certain variations of tsconfig: #​4535, #​4457

v0.44.1

Compare Source

• [BUG]: Drizzle can no longer run on Durable Objects

v0.44.0

Compare Source

Error handling

Starting from this version, we’ve introduced a new DrizzleQueryError that wraps all errors from database drivers and provides a set of useful information:

1. A proper stack trace to identify which exact Drizzle query failed
2. The generated SQL string and its parameters
3. The original stack trace from the driver that caused the DrizzleQueryError

Drizzle cache module

Drizzle sends every query straight to your database by default. There are no hidden actions, no automatic caching or invalidation - you’ll always see exactly what runs. If you want caching, you must opt in.

By default, Drizzle uses a explicit caching strategy (i.e. global: false), so nothing is ever cached unless you ask. This prevents surprises or hidden performance traps in your application. Alternatively, you can flip on all caching (global: true) so that every select will look in cache first.

Out first native integration was built together with Upstash team and let you natively use upstash as a cache for your drizzle queries

import { upstashCache } from "drizzle-orm/cache/upstash";
import { drizzle } from "drizzle-orm/...";

const db = drizzle(process.env.DB_URL!, {
  cache: upstashCache({
    // 👇 Redis credentials (optional — can also be pulled from env vars)
    url: '<UPSTASH_URL>',
    token: '<UPSTASH_TOKEN>',
    // 👇 Enable caching for all queries by default (optional)
    global: true,
    // 👇 Default cache behavior (optional)
    config: { ex: 60 }
  })
});

You can also implement your own cache, as Drizzle exposes all the necessary APIs, such as get, put, mutate, etc.
You can find full implementation details on the website

import Keyv from "keyv";
export class TestGlobalCache extends Cache {
  private globalTtl: number = 1000;
  // This object will be used to store which query keys were used
  // for a specific table, so we can later use it for invalidation.
  private usedTablesPerKey: Record<string, string[]> = {};
  constructor(private kv: Keyv = new Keyv()) {
    super();
  }
  // For the strategy, we have two options:
  // - 'explicit': The cache is used only when .$withCache() is added to a query.
  // - 'all': All queries are cached globally.
  // The default behavior is 'explicit'.
  override strategy(): "explicit" | "all" {
    return "all";
  }
  // This function accepts query and parameters that cached into key param,
  // allowing you to retrieve response values for this query from the cache.
  override async get(key: string): Promise<any[] | undefined> {
    ...
  }
  // This function accepts several options to define how cached data will be stored:
  // - 'key': A hashed query and parameters.
  // - 'response': An array of values returned by Drizzle from the database.
  // - 'tables': An array of tables involved in the select queries. This information is needed for cache invalidation.
  //
  // For example, if a query uses the "users" and "posts" tables, you can store this information. Later, when the app executes
  // any mutation statements on these tables, you can remove the corresponding key from the cache.
  // If you're okay with eventual consistency for your queries, you can skip this option.
  override async put(
    key: string,
    response: any,
    tables: string[],
    config?: CacheConfig,
  ): Promise<void> {
    ...
  }
  // This function is called when insert, update, or delete statements are executed.
  // You can either skip this step or invalidate queries that used the affected tables.
  //
  // The function receives an object with two keys:
  // - 'tags': Used for queries labeled with a specific tag, allowing you to invalidate by that tag.
  // - 'tables': The actual tables affected by the insert, update, or delete statements,
  //   helping you track which tables have changed since the last cache update.
  override async onMutate(params: {
    tags: string | string[];
    tables: string | string[] | Table<any> | Table<any>[];
  }): Promise<void> {
    ...
  }
}

For more usage example you can check our docs

v0.43.1

Compare Source

Fixes

• Fixed incorrect types of schema enums in PostgreSQL

v0.43.0

Compare Source

Features

• Added cross join (#​1414)
• Added lateral left, inner, cross joins to PostgreSQL, MySQL, Gel, SingleStore
• Added drizzle connection attributes to SingleStore's driver instances

Fixes

• Removed unsupported by dialect full join from MySQL select api
• Forced Gel columns to always have explicit schema & table prefixes due to potential errors caused by lack of such prefix in subquery's selection when there's already a column bearing same name in context
• Added missing export for PgTextBuilderInitial type
• Removed outdated IfNotImported type check from SingleStore driver initializer
• Fixed incorrect type inferrence for insert and update models with non-strict tsconfigs (#​2654)
• Fixed invalid spelling of nowait flag (#​3554)
• Add join lateral support
• Remove .fullJoin() from MySQL API

v0.42.0

Compare Source

Features

Duplicate imports removal

When importing from drizzle-orm using custom loaders, you may encounter issues such as: SyntaxError: The requested module 'drizzle-orm' does not provide an export named 'eq'

This issue arose because there were duplicated exports in drizzle-orm. To address this, we added a set of tests that checks every file in drizzle-orm to ensure all exports are valid. These tests will fail if any new duplicated exports appear.

In this release, we’ve removed all duplicated exports, so you should no longer encounter this issue.

pgEnum and mysqlEnum now can accept both strings and TS enums

If you provide a TypeScript enum, all your types will be inferred as that enum - so you can insert and retrieve enum values directly. If you provide a string union, it will work as before.

enum Test {
  a = 'a',
  b = 'b',
  c = 'c',
}

const tableWithTsEnums = mysqlTable('enums_test_case', {
  id: serial().primaryKey(),
  enum1: mysqlEnum(Test).notNull(),
  enum2: mysqlEnum(Test).default(Test.a),
});

await db.insert(tableWithTsEnums).values([
  { id: 1, enum1: Test.a, enum2: Test.b, enum3: Test.c },
  { id: 2, enum1: Test.a, enum3: Test.c },
  { id: 3, enum1: Test.a },
]);

const res = await db.select().from(tableWithTsEnums);

expect(res).toEqual([
  { id: 1, enum1: 'a', enum2: 'b', enum3: 'c' },
  { id: 2, enum1: 'a', enum2: 'a', enum3: 'c' },
  { id: 3, enum1: 'a', enum2: 'a', enum3: 'b' },
]);

Improvements

• Make inArray accept ReadonlyArray as a value - thanks @​Zamiell
• Pass row type parameter to @planetscale/database's execute - thanks @​ayrton
• New InferEnum type - thanks @​totigm

Issues closed

• Add first-class support for TS native enums
• [FEATURE]: support const enums
• [BUG]: SyntaxError: The requested module 'drizzle-orm' does not provide an export named 'lte'

v0.41.0

Compare Source

• bigint, number modes for SQLite, MySQL, PostgreSQL, SingleStore decimal & numeric column types
• Changed behavior of sql-js query preparation to query prebuild instead of db-side prepare due to need to manually free prepared queries, removed .free() method
• Fixed MySQL, SingleStore varchar allowing not specifying length in config
• Fixed MySQL, SingleStore binary, varbinary data\type mismatches
• Fixed numeric\decimal data\type mismatches: #​1290, #​1453
• Fixed drizzle-studio + AWS Data Api connection issue: #​3224
• Fixed isConfig utility function checking types of wrong fields
• Enabled supportBigNumbers in auto-created mysql2 driver instances
• Fixed custom schema tables querying in RQBv1: #​4060
• Removed in-driver mapping for postgres types 1231 (numeric[]), 1115 (timestamp[]), 1185 (timestamp_with_timezone[]), 1187 (interval[]), 1182 (date[]), preventing precision loss and data\type mismatches
• Fixed SQLite buffer-mode blob sometimes returning number[]

v0.40.1

Compare Source

Updates to neon-http for @neondatabase/serverless@1.0.0 - thanks @​jawj

Starting from this version, drizzle-orm will be compatible with both @neondatabase/serverless <1.0 and >1.0

v0.40.0

Compare Source

New Features

Added Gel dialect support and gel-js client support

Drizzle is getting a new Gel dialect with its own types and Gel-specific logic. In this first iteration, almost all query-building features have been copied from the PostgreSQL dialect since Gel is fully PostgreSQL-compatible. The only change in this iteration is the data types. The Gel dialect has a different set of available data types, and all mappings for these types have been designed to avoid any extra conversions on Drizzle's side. This means you will insert and select exactly the same data as supported by the Gel protocol.

Drizzle + Gel integration will work only through drizzle-kit pull. Drizzle won't support generate, migrate, or push features in this case. Instead, drizzle-kit is used solely to pull the Drizzle schema from the Gel database, which can then be used in your drizzle-orm queries.

The Gel + Drizzle workflow:

1. Use the gel CLI to manage your schema.
2. Use the gel CLI to generate and apply migrations to the database.
3. Use drizzle-kit to pull the Gel database schema into a Drizzle schema.
4. Use drizzle-orm with gel-js to query the Gel database.

Here is a small example of how to connect to Gel using Drizzle:

// Make sure to install the 'gel' package 
import { drizzle } from "drizzle-orm/gel";
import { createClient } from "gel";

const gelClient = createClient();
const db = drizzle({ client: gelClient });

const result = await db.execute('select 1');

and drizzle-gel schema definition

import { gelTable, uniqueIndex, uuid, smallint, text } from "drizzle-orm/gel-core"
import { sql } from "drizzle-orm"

export const users = gelTable("users", {
    id: uuid().default(sql`uuid_generate_v4()`).primaryKey(),
    age: smallint(),
    email: text().notNull(),
    name: text(),
});

On the drizzle-kit side you can now use dialect: "gel"

// drizzle.config.ts
import { defineConfig } from 'drizzle-kit';

export default defineConfig({
  dialect: 'gel',
});

For a complete Get Started tutorial you can use our new guides:

• Get Started with Drizzle and Gel in a new project
• Get Started with Drizzle and Gel in a existing project

v0.39.3

Compare Source

• Remove react from peerDependencies

v0.39.2

Compare Source

• To be compatible with latest Neon Auth feature we renamed the pre-defined schema internally, from neon_identity to neon_auth - thanks @​pffigueiredo

v0.39.1

Compare Source

• Fixed SQLite onConflict clauses being overwritten instead of stacked - #​2276
• Added view support to aliasedTable()
• Fixed sql builder prefixing aliased views and tables with their schema

v0.39.0

Compare Source

New features

Bun SQL driver support

You can now use the new Bun SQL driver released in Bun v1.2.0 with Drizzle

In version 1.2.0, Bun has issues with executing concurrent statements, which may lead to errors if you try to run several queries simultaneously.
We've created a github issue that you can track. Once it's fixed, you should no longer encounter any such errors on Bun's SQL side

import { drizzle } from 'drizzle-orm/bun-sql';

const db = drizzle(process.env.PG_DB_URL!);

const result = await db.select().from(...);

or you can use Bun SQL instance

import { drizzle } from 'drizzle-orm/bun-sql';
import { SQL } from 'bun';

const client = new SQL(process.env.PG_DB_URL!);
const db = drizzle({ client });

const result = await db.select().from(...);

Current Limitations:

• json and jsonb inserts and selects currently perform an additional JSON.stringify on the Bun SQL side. Once this is removed, they should work properly. You can always use custom types and redefine the mappers to and from the database.
• datetime, date, and timestamp will not work properly when using mode: string in Drizzle. This is due to Bun's API limitations, which prevent custom parsers for queries. As a result, Drizzle cannot control the response sent from Bun SQL to Drizzle. Once this feature is added to Bun SQL, it should work as expected.
• array types currently have issues in Bun SQL.

You can check more in Bun docs

You can check more getting started examples in Drizzle docs

WITH now supports INSERT, UPDATE, DELETE and raw sql template

with and insert

const users = pgTable('users', {
  id: serial('id').primaryKey(),
  name: text('name').notNull(),
});

const sq = db.$with('sq').as(
    db.insert(users).values({ name: 'John' }).returning(),
);

const result = await db.with(sq).select().from(sq);

with and update

const users = pgTable('users', {
  id: serial('id').primaryKey(),
  name: text('name').notNull(),
});

const sq = db.$with('sq').as(
    db.update(users).set({ age: 25 }).where(eq(users.name, 'John')).returning(),
);
const result = await db.with(sq).select().from(sq);

with and delete

const users = pgTable('users', {
  id: serial('id').primaryKey(),
  name: text('name').notNull(),
});

const sq = db.$with('sq').as(
  db.delete(users).where(eq(users.name, 'John')).returning(),
);

const result = await db.with(sq).select().from(sq);

with and sql

const users = pgTable('users', {
  id: serial('id').primaryKey(),
  name: text('name').notNull(),
});

const sq = db.$with('sq', {
  userId: users.id,
  data: {
    name: users.name,
  },
}).as(sql`select * from ${users} where ${users.name} = 'John'`);

const result = await db.with(sq).select().from(sq);

New tables in /neon import

In this release you can use neon_identity schema and users_sync table inside this schema by just importing it from /neon

// "drizzle-orm/neon"
const neonIdentitySchema = pgSchema('neon_identity');

/**
 * Table schema of the `users_sync` table used by Neon Identity.
 * This table automatically synchronizes and stores user data from external authentication providers.
 *
 * @​schema neon_identity
 * @​table users_sync
 */
export const usersSync = neonIdentitySchema.table('users_sync', {
  rawJson: jsonb('raw_json').notNull(),
  id: text().primaryKey().notNull(),
  name: text(),
  email: text(),
  createdAt: timestamp('created_at', { withTimezone: true, mode: 'string' }),
  deletedAt: timestamp('deleted_at', { withTimezone: true, mode: 'string' }),
});

Utils and small improvements

getViewName util function

import { getViewName } from 'drizzle-orm/sql'

export const user = pgTable("user", {
  id: serial(),
  name: text(),
  email: text(),
});

export const userView = pgView("user_view").as((qb) => qb.select().from(user));

const viewName = getViewName(userView)

Bug fixed and GitHub issue closed

• [FEATURE]: allow INSERT in CTEs (WITH clauses)
• [FEATURE]: Support Raw SQL in CTE Query Builder
• [FEATURE]: include pre-defined database objects related to Neon Identity in drizzle-orm
• [BUG]: $count is undefined on withReplicas
• [FEATURE]: get[Materialized]ViewName, ie getTableName but for (materialized) views.
• [BUG]: $count API error with vercel-postgres
• [BUG]: Cannot use schema.coerce on refining drizzle-zod types
• [FEATURE]: Type Coercion in drizzle-zod
• [BUG]: The inferred type of X cannot be named without a reference to ../../../../../node_modules/drizzle-zod/schema.types.internal.mjs
• [BUG]: drizzle-zod excessively deep and possibly infinite types

v0.38.4

Compare Source

• New SingleStore type vector - thanks @​mitchwadair
• Fix wrong DROP INDEX statement generation, #​3866 - thanks @​WaciX
• Typo fixes - thanks @​stephan281094

v0.38.3

Compare Source

• Fix incorrect deprecation detection for table declarations

v0.38.2

Compare Source

New features

USE INDEX, FORCE INDEX and IGNORE INDEX for MySQL

In MySQL, the statements USE INDEX, FORCE INDEX, and IGNORE INDEX are hints used in SQL queries to influence how the query optimizer selects indexes. These hints provide fine-grained control over index usage, helping optimize performance when the default behavior of the optimizer is not ideal.

Use Index

The USE INDEX hint suggests to the optimizer which indexes to consider when processing the query. The optimizer is not forced to use these indexes but will prioritize them if they are suitable.

export const users = mysqlTable('users', {
  id: int('id').primaryKey(),
  name: varchar('name', { length: 100 }).notNull(),
}, () => [usersTableNameIndex]);

const usersTableNameIndex = index('users_name_index').on(users.name);

await db.select()
  .from(users, { useIndex: usersTableNameIndex })
  .where(eq(users.name, 'David'));

Ignore Index

The IGNORE INDEX hint tells the optimizer to avoid using specific indexes for the query. MySQL will consider all other indexes (if any) or perform a full table scan if necessary.

export const users = mysqlTable('users', {
  id: int('id').primaryKey(),
  name: varchar('name', { length: 100 }).notNull(),
}, () => [usersTableNameIndex]);

const usersTableNameIndex = index('users_name_index').on(users.name);

await db.select()
  .from(users, { ignoreIndex: usersTableNameIndex })
  .where(eq(users.name, 'David'));

Force Index

The FORCE INDEX hint forces the optimizer to use the specified index(es) for the query. If the specified index cannot be used, MySQL will not fall back to other indexes; it might resort to a full table scan instead.

export const users = mysqlTable('users', {
  id: int('id').primaryKey(),
  name: varchar('name', { length: 100 }).notNull(),
}, () => [usersTableNameIndex]);

const usersTableNameIndex = index('users_name_index').on(users.name);

await db.select()
  .from(users, { forceIndex: usersTableNameIndex })
  .where(eq(users.name, 'David'));

You can also combine those hints and use multiple indexes in a query if you need

v0.38.1

Compare Source

• Closed [FEATURE]: Add more flexible typing for usage with exactOptionalPropertyTypes

v0.38.0

Compare Source

Types breaking changes

A few internal types were changed and extra generic types for length of column types were added in this release. It won't affect anyone, unless you are using those internal types for some custom wrappers, logic, etc. Here is a list of all types that were changed, so if you are relying on those, please review them before upgrading

• MySqlCharBuilderInitial
• MySqlVarCharBuilderInitial
• PgCharBuilderInitial
• PgArrayBuilder
• PgArray
• PgVarcharBuilderInitial
• PgBinaryVectorBuilderInitial
• PgBinaryVectorBuilder
• PgBinaryVector
• PgHalfVectorBuilderInitial
• PgHalfVectorBuilder
• PgHalfVector
• PgVectorBuilderInitial
• PgVectorBuilder
• PgVector
• SQLiteTextBuilderInitial

New Features

• Added new function getViewSelectedFields
• Added $inferSelect function to views
• Added InferSelectViewModel type for views
• Added isView function

Validator packages updates

• drizzle-zod has been completely rewritten. You can find detailed information about it here
• drizzle-valibot has been completely rewritten. You can find detailed information about it here
• drizzle-typebox has been completely rewritten. You can find detailed information about it here

Thanks to @​L-Mario564 for making more updates than we expected to be shipped in this release. We'll copy his message from a PR regarding improvements made in this release:

• Output for all packages are now unminified, makes exploring the compiled code easier when published to npm.
• Smaller footprint. Previously, we imported the column types at runtime for each dialect, meaning that for example, if you're just using Postgres then you'd likely only have drizzle-orm and drizzle-orm/pg-core in the build output of your app; however, these packages imported all dialects which could lead to mysql-core and sqlite-core being bundled as well even if they're unused in your app. This is now fixed.
• Slight performance gain. To determine the column data type we used the is function which performs a few checks to ensure the column data type matches. This was slow, as these checks would pile up every quickly when comparing all data types for many fields in a table/view. The easier and faster alternative is to simply go off of the column's columnType property.
• Some changes had to be made at the type level in the ORM package for better compatibility with drizzle-valibot.

And a set of new features

• createSelectSchema function now also accepts views and enums.
• New function: createUpdateSchema, for use in updating queries.
• New function: createSchemaFactory, to provide more advanced options and to avoid bloating the parameters of the other schema functions

Bug fixes

• [FEATURE]: publish packages un-minified
• Don't allow unknown keys in drizzle-zod refinement
• [BUG]:drizzle-zod not working with pgSchema
• Add createUpdateSchema to drizzle-zod
• [BUG]:drizzle-zod produces wrong type
• [BUG]:Drizzle-zod:Boolean and Serial types from Schema are defined as enum when using CreateInsertSchema and CreateSelectSchema
• [BUG]: Drizzle typebox enum array wrong schema and type
• [BUG]:drizzle-zod not working with pgSchema
• [BUG]: drizzle-zod not parsing arrays correctly
• [BUG]: Drizzle typebox not supporting array
• [FEATURE]: Export factory functions from drizzle-zod to allow usage with extended Zod classes
• [FEATURE]: Add support for new pipe syntax for drizzle-valibot
• [BUG]: drizzle-zod's createInsertSchema() can't handle column of type vector
• [BUG]: drizzle-typebox fails to map geometry column to type-box schema
• [BUG]: drizzle-valibot does not provide types for returned schemas
• [BUG]: Drizzle-typebox types SQLite real field to string
• [BUG]: drizzle-zod: documented usage generates type error with exactOptionalPropertyTypes
• [BUG]: drizzle-zod does not respect/count db type range
• [BUG]: drizzle-zod not overriding optional
• [BUG]:drizzle-zod doesn't accept custom id value
• [FEATURE]: Support for Database Views in Drizzle Zod
• [BUG]: drizzle-valibot return type any
• [BUG]: drizzle-zod Type generation results in undefined types
• [BUG]: GeneratedAlwaysAs
• [FEATURE]: $inferSelect on a view
• [BUG]:Can't infer props from view in schema

v0.37.0

Compare Source

New Dialects

🎉 SingleStore dialect is now available in Drizzle

Thanks to the SingleStore team for creating a PR with all the necessary changes to support the MySQL-compatible part of SingleStore. You can already start using it with Drizzle. The SingleStore team will also help us iterate through updates and make more SingleStore-specific features available in Drizzle

import { int, singlestoreTable, varchar } from 'drizzle-orm/singlestore-core';
import { drizzle } from 'drizzle-orm/singlestore';

export const usersTable = singlestoreTable('users_table', {
  id: int().primaryKey(),
  name: varchar({ length: 255 }).notNull(),
  age: int().notNull(),
  email: varchar({ length: 255 }).notNull().unique(),
});

...

const db = drizzle(process.env.DATABASE_URL!);

db.select()...

You can check out our Getting started guides to try SingleStore!

New Drivers

🎉 SQLite Durable Objects driver is now available in Drizzle

You can now query SQLite Durable Objects in Drizzle!

For the full example, please check our Get Started Section

/// <reference types="@&#8203;cloudflare/workers-types" />
import { drizzle, DrizzleSqliteDODatabase } from 'drizzle-orm/durable-sqlite';
import { DurableObject } from 'cloudflare:workers'
import { migrate } from 'drizzle-orm/durable-sqlite/migrator';
import migrations from '../drizzle/migrations';
import { usersTable } from './db/schema';

export class MyDurableObject1 extends DurableObject {
  storage: DurableObjectStorage;
  db: DrizzleSqliteDODatabase<any>;

  constructor(ctx: DurableObjectState, env: Env) {
    super(ctx, env);
    this.storage = ctx.storage;
    this.db = drizzle(this.storage, { logger: false });
  }

    async migrate() {
        migrate(this.db, migrations);
    }

  async insert(user: typeof usersTable.$inferInsert) {
        await this.db.insert(usersTable).values(user);
    }

  async select() {
        return this.db.select().from(usersTable);
    }
}

export default {
  /**
   * This is the standard fetch handler for a Cloudflare Worker
   *
   * @&#8203;param request - The request submitted to the Worker from the client
   * @&#8203;param env - The interface to reference bindings declared in wrangler.toml
   * @&#8203;param ctx - The execution context of the Worker
   * @&#8203;returns The response to be sent back to the client
   */
  async fetch(request: Request, env: Env): Promise<Response> {
    const id: DurableObjectId = env.MY_DURABLE_OBJECT1.idFromName('durable-object');
    const stub = env.MY_DURABLE_OBJECT1.get(id);
    await stub.migrate();

    await stub.insert({
      name: 'John',
      age: 30,
      email: 'john@example.com',
      })
    console.log('New user created!')
  
    const users = await stub.select();
    console.log('Getting all users from the database: ', users)

        return new Response();
    }
}

Bug fixes

• [BUG]: $with is undefined on withReplicas
• [BUG]: Neon serverless driver accepts authToken as a promise, but the $withAuth does not

v0.36.4

Compare Source

New Package: drizzle-seed

Note

drizzle-seed can only be used with drizzle-orm@0.36.4 or higher. Versions lower than this may work at runtime but could have type issues and identity column issues, as this patch was introduced in drizzle-orm@0.36.4

Full Reference

The full API reference and package overview can be found in our official documentation

Basic Usage

In this example we will create 10 users with random names and ids

import { pgTable, integer, text } from "drizzle-orm/pg-core";
import { drizzle } from "drizzle-orm/node-postgres";
import { seed } from "drizzle-seed";

const users = pgTable("users", {
  id: integer().primaryKey(),
  name: text().notNull(),
});

async function main() {
  const db = drizzle(process.env.DATABASE_URL!);
  await seed(db, { users });
}

main();

Options

count

By default, the seed function will create 10 entities.
However, if you need more for your tests, you can specify this in the seed options object

await seed(db, schema, { count: 1000 });

seed

If you need a seed to generate a different set of values for all subsequent runs, you can define a different number
in the seed option. Any new number will generate a unique set of values

await seed(db, schema, { seed: 12345 });

The full API reference and package overview can be found in our official documentation

Features

Added OVERRIDING SYSTEM VALUE api to db.insert()

If you want to force you own values for GENERATED ALWAYS AS IDENTITY columns, you can use OVERRIDING SYSTEM VALUE

As PostgreSQL docs mentions

In an INSERT command, if ALWAYS is selected, a user-specified value is only accepted if the INSERT statement specifies OVERRIDING SYSTEM VALUE. If BY DEFAULT is selected, then the user-specified value takes precedence

await db.insert(identityColumnsTable).overridingSystemValue().values([
  { alwaysAsIdentity: 2 },
]);

Added .$withAuth() API for Neon HTTP driver

Using this API, Drizzle will send you an auth token to authorize your query. It can be used with any query available in Drizzle by simply adding .$withAuth() before it. This token will be used for a specific query

Examples

const token = 'HdncFj1Nm'

await db.$withAuth(token).select().from(usersTable);
await db.$withAuth(token).update(usersTable).set({ name: 'CHANGED' }).where(eq(usersTable.name, 'TARGET'))

Bug Fixes

• [BUG]: TypeScript error Please install '@​neondatabase/serverless' to allow Drizzle ORM to connect to the database

v0.36.3

Compare Source

New Features

Support for UPDATE ... FROM in PostgreSQL and SQLite

As the SQLite documentation mentions:

Note

The UPDATE-FROM idea is an extension to SQL that allows an UPDATE statement to be driven by other tables in the database.
The "target" table is the specific table that is being updated. With UPDATE-FROM you can join the target table
against other tables in the database in order to help compute which rows need updating and what
the new values should be on those rows

Similarly, the PostgreSQL documentation states:

Note

A table expression allowing columns from other tables to appear in the WHERE condition and update expressions

Drizzle also supports this feature starting from this version

For example, current query:

await db
  .update(users)
  .set({ cityId: cities.id })
  .from(cities)
  .where(and(eq(cities.name, 'Seattle'), eq(users.name, 'John')))

Will generate this sql

update "users" set "city_id" = "cities"."id" 
from "cities" 
where ("cities"."name" = $1 and "users"."name" = $2)

-- params: [ 'Seattle', 'John' ]

You can also alias tables that are joined (in PG, you can also alias the updating table too).

const c = alias(cities, 'c');
await db
  .update(users)
  .set({ cityId: c.id })
  .from(c);

Will generate this sql

update "users" set "city_id" = "c"."id" 
from "cities" "c"

In PostgreSQL, you can also return columns from the joined tables.

const updatedUsers = await db
  .update(users)
  .set({ cityId: cities.id })
  .from(cities)
  .returning({ id: users.id, cityName: cities.name });

Will generate this sql

update "users" set "city_id" = "cities"."id" 
from "cities" 
returning "users"."id", "cities"."name"

Support for INSERT INTO ... SELECT in all dialects

As the SQLite documentation mentions:

Note

The second form of the INSERT statement contains a SELECT statement instead of a VALUES clause.
A new entry is inserted into the table for each row of data returned by executing the SELECT statement.
If a column-list is specified, the number of columns in the result of the SELECT must be the same as
the number of items in the column-list. Otherwise, if no column-list is specified, the number of
columns in the result of the SELECT must be the same as the number of columns in the table.
Any SELECT statement, including compound SELECTs and SELECT statements with ORDER BY and/or LIMIT clauses,
may be used in an INSERT statement of this form.

Caution

To avoid a parsing ambiguity, the SELECT statement should always contain a WHERE clause, even if that clause is simply "WHERE true", if the upsert-clause is present. Without the WHERE clause, the parser does not know if the token "ON" is part of a join constraint on the SELECT, or the beginning of the upsert-clause.

As the PostgreSQL documentation mentions:

Note

A query (SELECT statement) that supplies the rows to be inserted

And as the MySQL documentation mentions:

Note

With INSERT ... SELECT, you can quickly insert many rows into a table from the result of a SELECT statement, which can select from one or many tables

Drizzle supports the current syntax for all dialects, and all of them share the same syntax. Let's review some common scenarios and API usage.
There are several ways to use select inside insert statements, allowing you to choose your preferred approach:

• You can pass a query builder inside the select function.
• You can use a query builder inside a callback.
• You can pass an SQL template tag with any custom select query you want to use

Query Builder

const insertedEmployees = await db
  .insert(employees)
  .select(
    db.select({ name: users.name }).from(users).where(eq(users.role, 'employee'))
  )
  .returning({
    id: employees.id,
    name: employees.name
  });

const qb = new QueryBuilder();
await db.insert(employees).select(
    qb.select({ name: users.name }).from(users).where(eq(users.role, 'employee'))
);

Callback

await db.insert(employees).select(
    () => db.select({ name: users.name }).from(users).where(eq(users.role, 'employee'))
);

await db.insert(employees).select(
    (qb) => qb.select({ name: users.name }).from(users).where(eq(users.role, 'employee'))
);

SQL template tag

await db.insert(employees).select(
    sql`select "users"."name" as "name" from "users" where "users"."role" = 'employee'`
);

await db.insert(employees).select(
    () => sql`select "users"."name" as "name" from "users" where "users"."role" = 'employee'`
);

v0.36.2

Compare Source

New Features

• Support more types in like, notLike, ilike and notIlike expressions

Bug and typo fixes

• Fixed typos in repository: thanks @​armandsalle, @​masto, @​wackbyte, @​Asher-JH, @​MaxLeiter

• Fixed .generated behavior with non-strict tsconfig

• Fix Drizzle ORM for expo-sqlite

• Fixed lack of schema name on columns in sql

• fix: Adjust neon http driver entity kind

• Export PgIntegerBuilderInitial type

• [MySQL] Correct $returningId() implementation to correctly store selected fields

v0.36.1

Compare Source

Bug Fixes

• [BUG]: Using sql.placeholder with limit and/or offset for a prepared statement produces TS error - thanks @​L-Mario564
• [BUG] If a query I am trying to modify with a dynamic query (....$dynamic()) contains any placeholders, I'm getting an error that says No value for placeholder.... provided - thanks @​L-Mario564
• [BUG]: Error thrown when trying to insert an array of new rows using generatedAlwaysAsIdentity() for the id column - thanks @​L-Mario564
• [BUG]: Unable to Use BigInt Types with Bun and Drizzle - thanks @​L-Mario564

v0.36.0

Compare Source

This version of drizzle-orm requires drizzle-kit@0.27.0 to enable all new features

New Features

The third parameter in Drizzle ORM becomes an array

The object API is still available but deprecated

Instead of this

pgTable('users', {
    id: integer().primaryKey(),
}, (t) => ({
    index: index('test').on(t.id),
}));

You can now do this

pgTable('users', {
    id: integer().primaryKey(),
}, (t) => [index('test').on(t.id)]);

Row-Level Security (RLS)

With Drizzle, you can enable Row-Level Security (RLS) for any Postgres table, create policies with various options, and define and manage the roles those policies apply to.

Drizzle supports a raw representation of Postgres policies and roles that can be used in any way you want. This works with popular Postgres database providers such as Neon and Supabase.

In Drizzle, we have specific predefined RLS roles and functions for RLS with both database providers, but you can also define your own logic.

Enable RLS

If you just want to enable RLS on a table without adding policies, you can use .enableRLS()

As mentioned in the PostgreSQL documentation:

If no policy exists for the table, a default-deny policy is used, meaning that no rows are visible or can be modified.
Operations that apply to the whole table, such as TRUNCATE and REFERENCES, are not subject to row security.

import { integer, pgTable } from 'drizzle-orm/pg-core';

export const users = pgTable('users', {
	id: integer(),
}).enableRLS();

If you add a policy to a table, RLS will be enabled automatically. So, there’s no need to explicitly enable RLS when adding policies to a table.

Roles

Currently, Drizzle supports defining roles with a few different options, as shown below. Support for more options will be added in a future release.

import { pgRole } from 'drizzle-orm/pg-core';

export const admin = pgRole('admin', { createRole: true, createDb: true, inherit: true });

If a role already exists in your database, and you don’t want drizzle-kit to ‘see’ it or include it in migrations, you can mark the role as existing.

import { pgRole } from 'drizzle-orm/pg-core';

export const admin = pgRole('admin').existing();

Policies

To fully leverage RLS, you can define policies within a Drizzle table.

In PostgreSQL, policies should be linked to an existing table. Since policies are always associated with a specific table, we decided that policy definitions should be defined as a parameter of pgTable

Example of pgPolicy with all available properties

import { sql } from 'drizzle-orm';
import { integer, pgPolicy, pgRole, pgTable } from 'drizzle-orm/pg-core';

export const admin = pgRole('admin');

export const users = pgTable('users', {
	id: integer(),
}, (t) => [
	pgPolicy('policy', {
		as: 'permissive',
		to: admin,
		for: 'delete',
		using: sql``,
		withCheck: sql``,
	}),
]);

Link Policy to an existing table

There are situations where you need to link a policy to an existing table in your database.
The most common use case is with database providers like Neon or Supabase, where you need to add a policy
to their existing tables. In this case, you can use the .link() API

import { sql } from "drizzle-orm";
import { pgPolicy } from "drizzle-orm/pg-core";
import { authenticatedRole, realtimeMessages } from "drizzle-orm/supabase";

export const policy = pgPolicy("authenticated role insert policy", {
  for: "insert",
  to: authenticatedRole,
  using: sql``,
}).link(realtimeMessages);

Migrations

If you are using drizzle-kit to manage your schema and roles, there may be situations where you want to refer to roles that are not defined in your Drizzle schema. In such cases, you may want drizzle-kit to skip managing these roles without having to define each role in your drizzle schema and marking it with .existing().

In these cases, you can use entities.roles in drizzle.config.ts. For a complete reference, refer to the the drizzle.config.ts documentation.

By default, drizzle-kit does not manage roles for you, so you will need to enable this feature in drizzle.config.ts.

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  dialect: 'postgresql',
  schema: "./drizzle/schema.ts",
  dbCredentials: {
    url: process.env.DATABASE_URL!
  },
  verbose: true,
  strict: true,
  entities: {
    roles: true
  }
});

In case you need additional configuration options, let's take a look at a few more examples.

You have an admin role and want to exclude it from the list of manageable roles

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  ...
  entities: {
    roles: {
      exclude: ['admin']
    }
  }
});

You have an admin role and want to include it in the list of manageable roles

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  ...
  entities: {
    roles: {
      include: ['admin']
    }
  }
});

If you are using Neon and want to exclude Neon-defined roles, you can use the provider option

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  ...
  entities: {
    roles: {
      provider: 'neon'
    }
  }
});

If you are using Supabase and want to exclude Supabase-defined roles, you can use the provider option

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  ...
  entities: {
    roles: {
      provider: 'supabase'
    }
  }
});

You may encounter situations where Drizzle is slightly outdated compared to new roles specified by your database provider.
In such cases, you can use the provider option and exclude additional roles:

// drizzle.config.ts
import { defineConfig } from "drizzle-kit";

export default defineConfig({
  .

</details>

---

### Configuration

📅 **Schedule**: (in timezone Asia/Jakarta)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/NezuChan/postgrestify).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMjAuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsibWV0YTogZGVwZW5kZW5jaWVzIl19-->