chore(deps): bump drizzle-orm from 0.44.7 to 0.45.2#529
Force-pushed from 9a16e06 to feebd54.
Force-pushed from feebd54 to e55a13b.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Findings
- [BLOCKING] package.json:99 — Dependency updated to drizzle-orm "^0.45.2" but no corresponding lockfile changes were included
  - Evidence: The PR diff only touches package.json; there are no changes to yarn.lock, package-lock.json, or pnpm-lock.yaml.
  - Failure mode: If the repository commits a lockfile (common setup), omitting the lockfile update will leave builds installing the old resolved version, causing CI/prod to diverge from local expectations and from the stated security fix in 0.45.2. Please run the project’s package manager (npm/yarn/pnpm) and commit the updated lockfile, or explicitly confirm the repo’s policy is “no lockfile in VCS.”
- [NON-BLOCKING] PR description/version mismatch vs actual source version
  - Evidence: PR description states “bump from 0.44.7 to 0.45.2,” but package.json shows the previous constraint was "^0.44.2" and is now "^0.45.2" (package.json:99).
  - Impact: Auditability/confusion when skimming history or security updates. Suggest correcting the PR description to reflect the actual starting version.
- [NON-BLOCKING] Unpinned range may admit future 0.45.x changes at install time
  - Evidence: package.json:99 uses caret "^0.45.2", which allows upgrades to <0.46.0 on fresh installs.
  - Risk: Even within 0.x, minor/patches may introduce behavior changes. If deterministic builds matter, ensure the lockfile is committed and CI doesn’t do floating installs; alternatively consider pinning or using Renovate/Dependabot with lockfile updates.
- [NON-BLOCKING] Potential cross-package drift in a multi-package repo
  - Evidence: Only the root package.json is modified in this PR.
  - Risk: If there are other package.json files (examples/, packages/*/, tools/) that also depend on drizzle-orm, they may remain on 0.44.x and miss the 0.45.2 security fix. Please confirm there aren’t additional consumers, or update them as well.
- [NON-BLOCKING] Behavior change risk from 0.45.x (escaping fixes) not accounted for in tests
  - Evidence: Release notes for 0.45.2: “Fixed sql.identifier(), sql.as() escaping issues… causing a possible SQL Injection (CWE-89).”
  - Risk: Generated SQL will now be escaped correctly. Any tests or code that asserted exact SQL strings or relied on the previous (buggy) escaping could break. Please ensure full DB/integration tests are run and scan the codebase for usage of sql.identifier()/sql.as() to confirm no regressions.
- [NON-BLOCKING] Check drizzle-kit compatibility
  - Evidence: package.json:98 still has drizzle-kit "^0.31.2".
  - Risk: While likely fine, ensure there are no peer/compatibility warnings in CI when pairing drizzle-orm 0.45.x with drizzle-kit 0.31.x.
Spec verification
- Bump drizzle-orm dependency to 0.45.2 in package.json: Met
- PR description accurately reflects source version bumped from: Not Met (description says 0.44.7; code shows 0.44.2)
Documentation impact
- Consider adding a short note to CHANGELOG or release notes highlighting the dependency update includes a security fix (escaping) in drizzle-orm 0.45.2.
- If you maintain a security policy or advisories, link this upgrade rationale there.
Event: REQUEST_CHANGES
Rationale: The absence of a lockfile update (if the repo tracks one) is a concrete, high-risk desync that can lead to inconsistent installs and negate the intended security fix. Please update/commit the lockfile or explicitly confirm the repository does not track one. Also, correct the PR description mismatch. The remaining items are non-blocking but recommended checks.
Force-pushed from e55a13b to 6d6cbbb.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Findings
- [BLOCKING] bun.lock — Lockfile not updated to reflect the bumped drizzle-orm version
  - Evidence: package.json now declares "drizzle-orm": "^0.45.2" (package.json: dependencies), but bun.lock still pins drizzle-orm to 0.44.2.
  - Snippet from bun.lock: "drizzle-orm": ["drizzle-orm@0.44.2", …]
  - Failure mode: With bun.lock committed, installs will continue to resolve 0.44.2. This silently defeats the stated upgrade and leaves the project on a version with a known SQL injection vulnerability fixed in 0.45.2 (per the release notes). CI/prod parity and security posture are impacted.
  - Required action: Run Bun’s resolver (e.g., bun install) and commit the updated bun.lock so it resolves drizzle-orm 0.45.2.
- [NON-BLOCKING] PR description vs repo history mismatch on “from 0.44.7”
  - Evidence: PR description says “bump from 0.44.7 to 0.45.2,” but the previous constraint in package.json was "^0.44.2" and bun.lock pinned 0.44.2.
  - Impact: Minor documentation/metadata inconsistency; no functional impact.
Spec verification
- No task spec provided. Using PR description (“Bumps drizzle-orm from 0.44.7 to 0.45.2”) as intent.
- Update dependency in manifest: Met (package.json shows ^0.45.2)
- Ensure consistent lockfile resolution: Not Met (bun.lock still at 0.44.2)
- Note security fix present in 0.45.2 effectively applied: Not Met until lockfile updated
Documentation impact
- No additional docs appear required. However, given that 0.45.2 includes a security fix, it would be helpful to add a short note in the changelog/release notes indicating the lockfile was updated to ensure the fix is actually consumed.
Conclusion: REQUEST_CHANGES
The unresolved lockfile leaves the repository resolving drizzle-orm 0.44.2, which undermines the stated security fix in 0.45.2. Please update bun.lock (e.g., run bun install) and commit the changes. After that, this should be good to go.
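The two reviews above describe a check that is worth automating: the first asks for a committed lockfile and notes that the caret range `^0.45.2` still floats within 0.45.x, the second shows `bun.lock` resolving `drizzle-orm@0.44.2` while the manifest says `^0.45.2`. The script below is an added example, not code from the PR, from Dependabot, or from the repository. It reads a manifest and a Bun text lockfile, pulls out the workspace ranges and the resolved version for one package, checks the resolution against the manifest's caret range, and reports a stale lockfile. The `package.json` and `bun.lock` fragments are constructed to reproduce the mismatch the review reports (the lockfile shape follows what the review itself quotes: a `workspaces[""]` block and a `packages` map); `auditLockfile`, `caretSatisfies` and the other helper names are this example's own.

```javascript
// Added example (not from the PR or the repository): detect a stale Bun lockfile
// by comparing what the manifest declares with what bun.lock will actually install.
// Both inputs below are constructed fragments that mirror the review's finding:
// manifest says ^0.45.2, lockfile still resolves drizzle-orm@0.44.2.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-root",
  dependencies: { "drizzle-orm": "^0.45.2", "drizzle-kit": "^0.31.2" },
});

// bun.lock is JSONC with trailing commas, so it is scanned with regexes rather
// than JSON.parse; the shape follows Bun's text lockfile (values are constructed).
const SAMPLE_BUN_LOCK = `{
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "name": "example-root",
      "dependencies": {
        "drizzle-orm": "^0.44.2",
        "drizzle-kit": "^0.31.2",
      },
    },
    "services/reviewer": {
      "name": "reviewer",
      "dependencies": {
        "drizzle-orm": "^0.44.2",
      },
    },
  },
  "packages": {
    "drizzle-orm": ["drizzle-orm@0.44.2", "", {}, "sha512-CONSTRUCTED"],
    "drizzle-kit": ["drizzle-kit@0.31.2", "", {}, "sha512-CONSTRUCTED"],
  },
}`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret semantics: the left-most non-zero component is fixed, everything to
// its right may float. ^1.2.3 -> <2.0.0, ^0.45.2 -> <0.46.0, ^0.0.3 -> <0.0.4.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(v, base) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns { declared, lockRanges, resolved, ok, problems } for one package.
function auditLockfile(manifestText, lockText, pkg) {
  const manifest = JSON.parse(manifestText);
  const declared =
    (manifest.dependencies ?? {})[pkg] ?? (manifest.devDependencies ?? {})[pkg];
  if (!declared) throw new Error(`${pkg} is not declared in the manifest`);
  const name = escapeRe(pkg);
  // Workspace blocks: `"pkg": "<range>"` records the range the lock was built from.
  const lockRanges = [...lockText.matchAll(new RegExp(`"${name}":\\s*"([^"]+)"`, "g"))]
    .map((m) => m[1]);
  // Packages map: `"pkg": ["pkg@<version>", ...]` records what will be installed.
  const resolved = [...lockText.matchAll(new RegExp(`"${name}":\\s*\\["${name}@([^"]+)"`, "g"))]
    .map((m) => m[1]);
  const problems = [];
  if (resolved.length === 0) problems.push(`no resolution for ${pkg} in lockfile`);
  for (const r of lockRanges) {
    if (r !== declared) problems.push(`lockfile workspace range ${r} differs from manifest ${declared}`);
  }
  for (const v of resolved) {
    if (!caretSatisfies(declared, v)) problems.push(`resolved ${pkg}@${v} does not satisfy ${declared}`);
  }
  return { declared, lockRanges, resolved, ok: problems.length === 0, problems };
}

// Stand-alone run: prints the report for the constructed inputs. To check a real
// checkout, replace the samples with fs.readFileSync("package.json", "utf8") and
// fs.readFileSync("bun.lock", "utf8") and fail the CI job when report.ok is false.
const report = auditLockfile(SAMPLE_PACKAGE_JSON, SAMPLE_BUN_LOCK, "drizzle-orm");
console.log(JSON.stringify(report, null, 2));
```

On the constructed inputs the report for `drizzle-orm` lists three problems (two workspace ranges still at `^0.44.2` and a resolution of `0.44.2` outside `^0.45.2`), while `drizzle-kit` passes; the same check, wired into CI after `bun install --frozen-lockfile`, catches exactly the manifest/lockfile drift the reviewer kept flagging.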
Force-pushed from 6d6cbbb to f6de6d6.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Findings
- [BLOCKING] bun.lock:1 (RIGHT) — Lockfile still resolves drizzle-orm to 0.44.2, defeating the security upgrade to 0.45.2
  - Evidence: package.json now declares "drizzle-orm": "^0.45.2" (package.json dependencies), but bun.lock still pins drizzle-orm to 0.44.2 in multiple places:
    - workspaces[""] -> dependencies shows "drizzle-orm": "^0.44.2"
    - packages map includes: "drizzle-orm": ["drizzle-orm@0.44.2", …]
  - Failure mode: With bun.lock committed, installs will continue to resolve 0.44.2, silently defeating the upgrade and leaving the project without the 0.45.2 SQL injection fix noted in the release notes.
  - Required action: Run bun install (or the repo’s standard lockfile update command) and commit the refreshed bun.lock resolving drizzle-orm to 0.45.2.
- [NON-BLOCKING] package.json:1 (RIGHT) — PR description claims bump from 0.44.7, but repo previously pinned 0.44.2
  - Evidence: The diff shows the previous version was "^0.44.2", and bun.lock likewise references 0.44.2.
  - Impact: Minor inconsistency; could mislead changelog readers. Consider updating the PR description to reflect the actual from-version.
Spec verification
- Update dependency constraint to drizzle-orm 0.45.2 in package.json — Met
  - Evidence: package.json dependencies changed from "drizzle-orm": "^0.44.2" to "^0.45.2".
- Ensure lockfile is updated so installs resolve the new version — Not Met
  - Evidence: bun.lock still includes drizzle-orm@0.44.2; no entry resolving 0.45.2.
Documentation impact
- No additional docs changes required beyond possibly correcting the PR description “from-version” to match the repo’s prior state (0.44.2).
REQUEST_CHANGES
This dependency bump updates package.json but leaves the Bun lockfile pinned to drizzle-orm 0.44.2. Please update and commit bun.lock so installs resolve to 0.45.2 (which includes a critical SQL injection fix). After the lockfile is corrected, the PR should be good to merge.
Force-pushed from f6de6d6 to 1f52059.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Blocking: the root bun.lock still resolves drizzle-orm to 0.44.x, so installs won’t pick up the 0.45.2 security fix. Also, services/reviewer/package.json still pins drizzle-orm ^0.44.x (and its bun.lock resolves 0.44.7), leaving that service on the vulnerable series. Please (1) run bun install to refresh the root lockfile to 0.45.2, and (2) bump services/reviewer/package.json to ^0.45.2 and update its bun.lock accordingly. After these are fixed, the security upgrade can be merged confidently.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves drizzle-orm to 0.44.x, defeating the intended security upgrade to 0.45.2
  package.json now declares "drizzle-orm": "^0.45.2", but bun.lock remains pinned to 0.44.x:
  - workspaces[""] -> dependencies shows "drizzle-orm": "^0.44.2"
  - packages map contains an entry for "drizzle-orm": ["drizzle-orm@0.44.2", …]
  With bun.lock committed, installs will continue to resolve 0.44.2, silently negating the SQL injection escaping fix in 0.45.2 noted in the upstream release notes. Please run your package manager (e.g., bun install) and commit the updated lockfile so it resolves drizzle-orm 0.45.2.
- [BLOCKING] services/reviewer/package.json:1 — Secondary package.json still declares drizzle-orm ^0.44.x; misses the security bump to 0.45.2
  This repo contains a second consumer at services/reviewer/package.json, which still specifies "drizzle-orm": "^0.44.2". This means the reviewer service will continue to install 0.44.x — lacking the 0.45.2 escaping fix. Please bump this manifest to ^0.45.2 as well to keep all in-repo consumers on the fixed version.
Force-pushed from 1f52059 to f602b4f.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
This dependency bump changes the root manifest to drizzle-orm ^0.45.2, but two blocking issues remain that prevent the upgrade from taking effect. The committed Bun lockfile still resolves drizzle-orm 0.44.2 and even lists the workspace dependency as ^0.44.2, so installs will not pick up the security fix in 0.45.2. Additionally, a secondary consumer at services/reviewer/package.json continues to pin drizzle-orm ^0.44.2, leaving that service on the vulnerable series. Please bump the secondary manifest and regenerate/commit bun.lock so all workspaces resolve to 0.45.2.
Non-blocking notes: the PR description claims “from 0.44.7,” while the repo previously used 0.44.2; consider correcting for audit clarity. Also, 0.45.2’s escaping fixes may affect tests that assert raw SQL; ensure integration coverage. After addressing the lockfile and secondary package, this should be ready to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x, defeating the intended security upgrade to 0.45.2
  The repository commits a Bun lockfile (bun.lock), but it is not updated to reflect the bump to `drizzle-orm` 0.45.2.
  Evidence in bun.lock:
  - `workspaces[""] -> dependencies` still lists `"drizzle-orm": "^0.44.2"` (near the top of the file).
  - The `packages` map contains an entry for `"drizzle-orm": ["drizzle-orm@0.44.2", …]` (later in the file), with no entry resolving 0.45.2.
  With this lockfile, installs will continue to resolve drizzle-orm@0.44.2, silently negating the security fix in 0.45.2 (release notes mention escaping fixes for sql.identifier()/sql.as() addressing CWE-89 risk). Please run your package manager (e.g., bun install) and commit the updated bun.lock so it resolves drizzle-orm@0.45.2 and the workspace dependency block reflects ^0.45.2.
- [BLOCKING] services/reviewer/package.json:1 — Secondary `package.json` still pins `drizzle-orm` ^0.44.x; misses the security bump to 0.45.2
  This PR updates the root `package.json` to `"drizzle-orm": "^0.45.2"`, but `services/reviewer/package.json` still declares `"drizzle-orm": "^0.44.2"` (see `services/reviewer/package.json:17`). The reviewer service will therefore continue to install 0.44.x, lacking the escaping fix in 0.45.2.
  Action:
  - Bump `services/reviewer/package.json` to `"drizzle-orm": "^0.45.2"`.
  - Regenerate and commit the lockfile (`bun install`) so all workspaces resolve to 0.45.2.
- [NON-BLOCKING] package.json:1 — PR description/history mismatch on “from 0.44.7” vs repo’s prior state (0.44.2)
  The PR description claims a bump “from 0.44.7 to 0.45.2,” but the repository previously declared `"drizzle-orm": "^0.44.2"` (and `bun.lock` pins 0.44.2). This might confuse changelog readers and security auditors.
  Suggestion: Adjust the PR description (or commit message) to reflect the actual starting version (0.44.2).
- [NON-BLOCKING] package.json:99 — Consider the impact of the 0.45.2 escaping fixes on tests/assertions of raw SQL
  Upstream 0.45.2 fixes escaping in `sql.identifier()` and `sql.as()`. If your tests assert exact SQL strings or relied on previous buggy escaping, they may fail after the upgrade. Please ensure integration tests are run and scan the codebase for usages of these helpers to preempt surprises.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update dependency in manifest to drizzle-orm 0.45.2 | Met | package.json: dependencies changed to "drizzle-orm": "^0.45.2" |
| Ensure lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | bun.lock: workspaces[""] -> dependencies still shows "drizzle-orm": "^0.44.2"; packages map resolves drizzle-orm@0.44.2 (no 0.45.2 entry) |
| Update all in-repo consumers (e.g., services/*) that depend on drizzle-orm to 0.45.2 | Not Met | services/reviewer/package.json:17 declares "drizzle-orm": "^0.44.2" |
Force-pushed from f602b4f to 02524d9.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
The prior blocking findings remain unresolved. The repository’s Bun lockfile still resolves drizzle-orm to 0.44.2, which undermines the intended security upgrade to 0.45.2. Additionally, a secondary consumer at services/reviewer/package.json still declares drizzle-orm ^0.44.2, leaving that service on the vulnerable series. Please (1) bump services/reviewer/package.json to ^0.45.2 and (2) run bun install and commit the updated bun.lock so all workspaces resolve 0.45.2. Once these are fixed, this PR should be ready to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x, defeating the intended security upgrade to 0.45.2
  The repository tracks a Bun lockfile (bun.lock), but it has not been updated to reflect the dependency bump. Evidence in `bun.lock`:
  - `workspaces[""] -> dependencies` lists `"drizzle-orm": "^0.44.2"` near the top of the file.
  - The `packages` map contains an entry for `"drizzle-orm": ["drizzle-orm@0.44.2", …]` and no entry resolving 0.45.2.
  With this lockfile, installs will continue to resolve `drizzle-orm@0.44.2`, silently negating the 0.45.2 escaping/security fix cited in the PR description. Please run your package manager (e.g., `bun install`) and commit the updated `bun.lock` so it resolves `drizzle-orm@0.45.2` and the workspace dependency block reflects `^0.45.2`. Refer to `bun.lock:1` for the file anchor.
- [BLOCKING] services/reviewer/package.json:1 — Secondary `package.json` still pins `drizzle-orm` ^0.44.x; misses the bump to 0.45.2
  This repository has a second consumer of `drizzle-orm` at `services/reviewer/package.json`, which still declares `"drizzle-orm": "^0.44.2"` (services/reviewer/package.json:17). That service will continue to install 0.44.x, lacking the 0.45.2 escaping fix described in the upstream release notes.
  Action required:
  - Bump `services/reviewer/package.json` to `"drizzle-orm": "^0.45.2"`.
  - Regenerate and commit the lockfile (`bun install`) so all workspaces resolve to 0.45.2.
  This is part of ensuring the security update is applied consistently across all in-repo consumers.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update dependency in manifest to drizzle-orm 0.45.2 | Met | package.json: dependencies list changed from "drizzle-orm": "^0.44.2" to "drizzle-orm": "^0.45.2" (see package.json content at repo HEAD). |
| Ensure lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | bun.lock: workspaces[""] -> dependencies still shows "drizzle-orm": "^0.44.2"; packages map resolves drizzle-orm@0.44.2. No entry for 0.45.2. |
| Update all in-repo consumers (e.g., services/*) that depend on drizzle-orm to 0.45.2 | Not Met | services/reviewer/package.json:17 declares "drizzle-orm": "^0.44.2". Only the root package.json has been updated. |
Force-pushed from 02524d9 to 2059ed2.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Thanks for the quick follow-up. Both manifests now declare "drizzle-orm": "^0.45.2" (root and services/reviewer), addressing the multi-workspace coverage concern. However, the Bun lockfile is still stale and continues to resolve drizzle-orm to 0.44.2 for the root workspace and the reviewer service. This defeats the intended 0.45.2 security fix.
Blocking: please regenerate and commit bun.lock (e.g., run bun install at the repo root) so all workspaces resolve drizzle-orm@0.45.2. After the lockfile reflects the new version, this PR should be ready to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x, defeating the intended security upgrade to 0.45.2
  The repository tracks a Bun lockfile (bun.lock), but it has not been updated to reflect the dependency bump.
  Evidence in bun.lock:
  - `workspaces[""] -> dependencies` still lists `"drizzle-orm": "^0.44.2"` near the top of the file.
  - The `packages` map contains an entry resolving `"drizzle-orm": ["drizzle-orm@0.44.2", …]`, and no entry for 0.45.2.
  With this lockfile committed, installs will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix cited in the PR description. Please run your package manager (e.g., bun install) and commit the updated bun.lock so it resolves drizzle-orm@0.45.2 and the workspace dependency block reflects ^0.45.2. This is required for CI/prod parity and to ensure the security fix is actually consumed.
- [BLOCKING] services/reviewer/package.json:1 — Secondary workspace lock resolution still pins `drizzle-orm` ^0.44.x via bun.lock; ensure lockfile updated after bumping this manifest
  You correctly bumped `services/reviewer/package.json` to `"drizzle-orm": "^0.45.2"` (see `services/reviewer/package.json:17`), addressing the prior round's request to update all in-repo consumers. However, `bun.lock` still lists `services/reviewer`'s dependency as `"drizzle-orm": "^0.44.2"` under `workspaces.services/reviewer.dependencies`, and the resolved package entry remains `drizzle-orm@0.44.2`.
  Until bun.lock is regenerated, the reviewer service will continue to install 0.44.2, missing the 0.45.2 escaping fix. After updating both manifests, please run bun install at the repo root and commit the refreshed bun.lock so all workspaces (including services/reviewer) resolve drizzle-orm@0.45.2.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update dependency in manifest to drizzle-orm 0.45.2 | Met | package.json: dependencies lists "drizzle-orm": "^0.45.2" (see package.json: dependencies); services/reviewer/package.json also updated to ^0.45.2 at line ~17. |
| Ensure lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | bun.lock: workspaces[""] -> dependencies shows "drizzle-orm": "^0.44.2"; services/reviewer workspace block also shows "drizzle-orm": "^0.44.2". The packages map contains drizzle-orm@0.44.2 and no entry for 0.45.2. |
| Update all in-repo consumers (e.g., services/*) that depend on drizzle-orm to 0.45.2 | Met | services/reviewer/package.json:17 changed from "drizzle-orm": "^0.44.2" to "drizzle-orm": "^0.45.2". Root package.json was already bumped to ^0.45.2. |
Force-pushed from 2059ed2 to 225badf.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
The manifests now correctly declare drizzle-orm ^0.45.2 in both the root and services/reviewer packages. However, the committed Bun lockfile still pins drizzle-orm to 0.44.2 and shows ^0.44.2 in the workspace dependency blocks, which will cause installs to resolve the vulnerable series and negate the intended security upgrade. Please run bun install at the repo root and commit the refreshed bun.lock resolving drizzle-orm 0.45.2 across all workspaces. Once the lockfile is updated, this should be ready to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x, defeating the intended security upgrade to 0.45.2
  The repository tracks a Bun lockfile (bun.lock), but it has not been updated to reflect the dependency bump to `drizzle-orm` 0.45.2.
  Evidence in bun.lock:
  - `workspaces[""] -> dependencies` still lists `"drizzle-orm": "^0.44.2"` near the top of the file.
  - `workspaces["services/reviewer"].dependencies` also shows `"drizzle-orm": "^0.44.2"`.
  - The `packages` map contains an entry for `"drizzle-orm": ["drizzle-orm@0.44.2", …]` and no entry resolving 0.45.2.
  With this lockfile committed, installs will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix cited in the PR description. Please run your package manager (e.g., bun install) at the repo root and commit the updated bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is required for CI/prod parity and to ensure the security fix is actually consumed.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update dependency in manifest to drizzle-orm 0.45.2 | Met | Root package.json and services/reviewer/package.json both list "drizzle-orm": "^0.45.2" (see package.json: dependencies and services/reviewer/package.json: dependencies). |
| Ensure lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | bun.lock still lists workspaces[""] -> dependencies.drizzle-orm: "^0.44.2" and workspaces["services/reviewer"].dependencies.drizzle-orm: "^0.44.2", and the packages map resolves drizzle-orm@0.44.2 (no 0.45.2 entry). See bun.lock:1 content. |
Force-pushed from 225badf to 16abdd8.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
The prior blocking issue remains: the Bun lockfile still pins drizzle-orm to 0.44.2, which will defeat the intended security upgrade. Both manifests (root and services/reviewer) are correctly bumped to ^0.45.2 — thanks for addressing that — but bun.lock was not regenerated and still resolves 0.44.x under workspaces and in the packages map. Please run bun install at the repo root and commit the updated lockfile so CI/prod resolve 0.45.2. Once the lockfile is updated, this should be good to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves drizzle-orm to 0.44.x, defeating the intended security upgrade to 0.45.2
  The repository tracks a Bun lockfile (bun.lock), but it has not been updated to reflect the dependency bump to `drizzle-orm` 0.45.2.
  Concrete evidence in bun.lock:
  - `workspaces[""] -> dependencies.drizzle-orm` still lists `"^0.44.2"` near the top of the file.
  - `workspaces["services/reviewer"].dependencies.drizzle-orm` also lists `"^0.44.2"`.
  - The `packages` map contains an entry resolving `"drizzle-orm": ["drizzle-orm@0.44.2", …]` and there is no entry for 0.45.2.
  With this lockfile committed, installs will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix cited in the PR description (upstream notes fix escaping for sql.identifier() / sql.as() addressing CWE-89 risk). Please run your package manager (e.g., bun install) at the repo root and commit the updated bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is required for CI/prod parity and to ensure the security fix is actually consumed.
Inline comments
- package.json:112 — Nice — root manifest bumped to `^0.45.2`. Once `bun.lock` is regenerated, CI should pick up the fixed version. Given 0.45.2 includes an escaping/security fix, consider scanning for usages of `sql.identifier()`/`sql.as()` to catch any test assertions that may need updates.
- services/reviewer/package.json:18 — Thanks for also bumping the reviewer service to `^0.45.2`. Please run `bun install` at the repo root and commit the updated `bun.lock` so this workspace resolves `drizzle-orm@0.45.2` as well.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update drizzle-orm dependency to 0.45.2 in all relevant manifests | Met | Root manifest updated: package.json shows "drizzle-orm": "^0.45.2" under dependencies (package.json: dependencies). Secondary workspace updated: services/reviewer/package.json also lists "drizzle-orm": "^0.45.2" (services/reviewer/package.json: dependencies). |
| Ensure the lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | bun.lock still references drizzle-orm 0.44.2 in multiple places: workspaces[""] -> dependencies.drizzle-orm: "^0.44.2", workspaces["services/reviewer"].dependencies.drizzle-orm: "^0.44.2", and the packages map entry "drizzle-orm": ["drizzle-orm@0.44.2", …]. See bun.lock:1 content. |
Force-pushed from 16abdd8 to 441bd3a.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
The manifests correctly bump drizzle-orm to ^0.45.2 in both the root and services/reviewer packages. However, the committed Bun lockfile still pins drizzle-orm to 0.44.2 in the workspace sections and package resolution map, which would leave CI/prod installing the vulnerable version and negate the intended security fix. Please run bun install at the repo root and commit the updated bun.lock so it resolves drizzle-orm@0.45.2. After the lockfile is refreshed, this should be good to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x, defeating the intended upgrade to 0.45.2
  The repository commits a Bun lockfile (bun.lock), but it has not been regenerated after bumping `drizzle-orm` to `^0.45.2` in both manifests. Concrete evidence in `bun.lock`:
  - `workspaces[""] -> dependencies.drizzle-orm` is still `"^0.44.2"` (near the top of the file).
  - `workspaces["services/reviewer"].dependencies.drizzle-orm` is also `"^0.44.2"`.
  - The `packages` map contains a resolution for `"drizzle-orm": ["drizzle-orm@0.44.2", …]` and there is no entry for 0.45.2.
  With this lockfile, installs in CI/prod will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix highlighted in the PR description. Please run your package manager (e.g., bun install) at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is required for CI/prod parity and to ensure the security fix is actually consumed.
Inline comments
- package.json:112 — Looks good — root `dependencies` now specify `"drizzle-orm": "^0.45.2"`. Once `bun.lock` is regenerated (e.g., `bun install` at repo root), CI should pick up 0.45.2 with the escaping/security fix.
- services/reviewer/package.json:18 — Thanks for updating the reviewer service to `"drizzle-orm": "^0.45.2"` as well. Please regenerate and commit `bun.lock` so this workspace also resolves `drizzle-orm@0.45.2` in CI/prod.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update drizzle-orm dependency to 0.45.2 in all relevant manifests | Met | Both manifests list 0.45.2. Root: `package.json` shows `"drizzle-orm": "^0.45.2"` under `dependencies` (package.json: dependencies section). Reviewer service: `services/reviewer/package.json` shows `"drizzle-orm": "^0.45.2"` (services/reviewer/package.json:15-22). |
| Ensure the lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | `bun.lock` still references 0.44.2: `workspaces[""] -> dependencies.drizzle-orm: "^0.44.2"`; `workspaces["services/reviewer"].dependencies.drizzle-orm: "^0.44.2"`; `packages` map entry `"drizzle-orm": ["drizzle-orm@0.44.2", …]` (no 0.45.2 entry). See `bun.lock:1` content. |
Force-pushed from 441bd3a to 640bdcf.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
The manifests correctly bump drizzle-orm to ^0.45.2 in both the root and services/reviewer packages. However, the committed Bun lockfile still pins drizzle-orm to 0.44.2 in the workspace blocks and package resolutions, which will cause CI/prod to install the vulnerable 0.44.x line and negate the intended security fix. Please run bun install at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2. Once the lockfile is updated, this should be ready to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x; security upgrade to 0.45.2 not applied in CI/prod
  The repository tracks a Bun lockfile (bun.lock), but it has not been regenerated after bumping `drizzle-orm` to `^0.45.2` in both manifests. Concrete evidence in `bun.lock`:
  - `workspaces[""] -> dependencies.drizzle-orm` is still `"^0.44.2"` (near the top of the file).
  - `workspaces["services/reviewer"].dependencies.drizzle-orm` is also `"^0.44.2"`.
  - The `packages` map contains only `drizzle-orm@0.44.2` and no entry for 0.45.2.
  With this lockfile committed, installs in CI/prod will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix highlighted in the PR description. Action required: run your package manager (e.g., bun install) at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is necessary for CI/prod parity and to ensure the security fix is actually consumed.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update drizzle-orm dependency to 0.45.2 in all relevant manifests | Met | Both manifests list 0.45.2. Root: `package.json` shows `"drizzle-orm": "^0.45.2"` under `dependencies` (package.json: dependencies section). Reviewer service: `services/reviewer/package.json` shows `"drizzle-orm": "^0.45.2"` (services/reviewer/package.json: dependencies). |
| Ensure the lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | `bun.lock` still references `drizzle-orm` 0.44.2 in multiple places: `workspaces[""] -> dependencies.drizzle-orm: "^0.44.2"`; `workspaces["services/reviewer"].dependencies.drizzle-orm: "^0.44.2"`; `packages` map entry lists only `drizzle-orm@0.44.2` (no 0.45.2). See `bun.lock:1` content. |
Force-pushed from 640bdcf to 904432f.
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
Thank you for bumping drizzle-orm to ^0.45.2 in both the root and reviewer service manifests — that addresses the multi-manifest drift from prior rounds. However, the committed Bun lockfile was not regenerated and still resolves drizzle-orm to 0.44.2. With this lockfile, CI/prod will continue to install the vulnerable 0.44.x series, negating the intended security fix from 0.45.2. Please run bun install at the repo root and commit the updated bun.lock so all workspaces resolve 0.45.2. Once the lockfile is updated, this should be good to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x, defeating the intended security upgrade to 0.45.2
  The repository commits a Bun lockfile (bun.lock), but it was not regenerated after bumping `drizzle-orm` to `^0.45.2` in both manifests. Concrete evidence in `bun.lock`:
  - `workspaces[""] -> dependencies.drizzle-orm` is still `"^0.44.2"` (near the top of the file).
  - `workspaces["services/reviewer"].dependencies.drizzle-orm` is also `"^0.44.2"`.
  - The `packages` map contains only `drizzle-orm@0.44.2` and no entry for 0.45.2.
  With this lockfile, installs in CI/prod will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix highlighted in the PR description (upstream notes fixes for sql.identifier() / sql.as() addressing CWE-89 risk). Action required: run your package manager (e.g., bun install) at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is necessary for CI/prod parity and to ensure the security fix is actually consumed.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update drizzle-orm dependency to 0.45.2 in all relevant manifests | Met | Both manifests list 0.45.2. Root: `package.json` shows `"drizzle-orm": "^0.45.2"` under `dependencies` (package.json: dependencies section). Reviewer service: `services/reviewer/package.json` shows `"drizzle-orm": "^0.45.2"` (services/reviewer/package.json: dependencies). |
| Ensure the lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | `bun.lock` still references `drizzle-orm` 0.44.2 in multiple places and no entry for 0.45.2 exists. See `bun.lock`: `workspaces[""] -> dependencies.drizzle-orm: "^0.44.2"`, `workspaces["services/reviewer"].dependencies.drizzle-orm: "^0.44.2"`, and the `packages` map includes `"drizzle-orm": ["drizzle-orm@0.44.2", …]`. |
904432f to 4d361ae
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown
The prior blocking issue remains: the Bun lockfile was not regenerated. Although both manifests now specify drizzle-orm ^0.45.2 (including services/reviewer), bun.lock still records ^0.44.2 and resolves drizzle-orm@0.44.2 with no 0.45.2 entry. This means CI/prod will install the vulnerable 0.44.x and the intended security fix (escaping in sql.identifier()/sql.as()) won’t be consumed. Please run bun install at the repo root and commit the updated bun.lock so all workspaces resolve 0.45.2. Once the lockfile is updated, this should be ready to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x — upgrade to 0.45.2 not applied in CI/prod
  The repository commits a Bun lockfile (bun.lock), but it was not regenerated after bumping `drizzle-orm` to `^0.45.2` in both manifests. Concrete evidence in `bun.lock` at repo HEAD:
  - `workspaces[""] -> dependencies.drizzle-orm` is still `"^0.44.2"` (near the top of the file).
  - `workspaces["services/reviewer"].dependencies.drizzle-orm` is also `"^0.44.2"`.
  - The `packages` map contains only `drizzle-orm@0.44.2` and no entry for `0.45.2`.
With this lockfile, installs in CI/prod will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix highlighted in the PR description (upstream notes fixes for sql.identifier() / sql.as() addressing CWE-89 risk). Action required: run your package manager (e.g., bun install) at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is necessary for CI/prod parity and to ensure the security fix is actually consumed.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update drizzle-orm dependency to 0.45.2 in all relevant manifests | Met | Both manifests list 0.45.2. Root: `package.json` shows `"drizzle-orm": "^0.45.2"` under `dependencies` (package.json). Reviewer service: `services/reviewer/package.json` shows `"drizzle-orm": "^0.45.2"` (services/reviewer/package.json). |
| Ensure the lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | `bun.lock` still references `drizzle-orm` 0.44.2 in multiple places and no entry for 0.45.2 exists. See `bun.lock`: `workspaces[""] -> dependencies.drizzle-orm: "^0.44.2"`; `workspaces["services/reviewer"].dependencies.drizzle-orm: "^0.44.2"`; the `packages` map includes only `drizzle-orm@0.44.2`. |
4d361ae to ab46c4b
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: 3
The previous blocking issue remains: the Bun lockfile was not regenerated. While both manifests now declare drizzle-orm ^0.45.2, bun.lock still pins drizzle-orm to 0.44.2 for the root and reviewer workspaces and has no 0.45.2 package entry. This defeats the intended security upgrade in CI/prod.
Please run bun install at the repo root and commit the updated bun.lock so all workspaces resolve drizzle-orm@0.45.2. Once the lockfile reflects 0.45.2, this should be ready to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x — upgrade to 0.45.2 not applied in CI/prod
  The repository commits a Bun lockfile (bun.lock), but it was not regenerated after bumping `drizzle-orm` to `^0.45.2` in both manifests.
  Concrete evidence in bun.lock at repo HEAD:
  - `workspaces[""] -> dependencies.drizzle-orm` still lists `"^0.44.2"` near the top of the file.
  - `workspaces["services/reviewer"].dependencies.drizzle-orm` also lists `"^0.44.2"` in the workspace block.
  - The `packages` map contains only `drizzle-orm@0.44.2` and there is no entry for `0.45.2`.
With this lockfile, installs in CI/prod will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix highlighted in the PR description (upstream notes fixes for sql.identifier() / sql.as() addressing CWE-89 risk).
Action required: run your package manager (e.g., bun install) at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is necessary for CI/prod parity and to ensure the security fix is actually consumed.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update dependency in manifest to drizzle-orm 0.45.2 | Met | Both manifests list 0.45.2: `package.json`: dependencies -> `"drizzle-orm": "^0.45.2"`; `services/reviewer/package.json`: dependencies -> `"drizzle-orm": "^0.45.2"`. |
| Ensure the lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | `bun.lock`: top-level `workspaces[""] -> dependencies.drizzle-orm` is still `"^0.44.2"`; the services/reviewer workspace also lists `"^0.44.2"` in its block; the `packages` map contains only `drizzle-orm@0.44.2` and no entry for 0.45.2. |
Bumps [drizzle-orm](https://github.com/drizzle-team/drizzle-orm) from 0.44.7 to 0.45.2. - [Release notes](https://github.com/drizzle-team/drizzle-orm/releases) - [Commits](drizzle-team/drizzle-orm@0.44.7...0.45.2) --- updated-dependencies: - dependency-name: drizzle-orm dependency-version: 0.45.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
ab46c4b to 2f79837
Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: 3
The manifests correctly bump drizzle-orm to ^0.45.2 in both the root and reviewer service, addressing earlier scope gaps. However, the committed Bun lockfile still pins drizzle-orm to 0.44.2 in the workspace dependency blocks and package resolutions, meaning CI/prod will not pick up the critical 0.45.2 escaping/security fix. Please run bun install at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2. Once the lockfile is updated, this should be clear to merge.
Findings
- [BLOCKING] bun.lock:1 — Lockfile still resolves `drizzle-orm` to 0.44.x — upgrade to 0.45.2 not applied in CI/prod
  The repository commits a Bun lockfile (bun.lock), but it has not been regenerated after bumping `drizzle-orm` to `^0.45.2` in both manifests. Concrete evidence in `bun.lock` at repo HEAD:
  - `workspaces[""] -> dependencies.drizzle-orm` is still `"^0.44.2"` (near the top of the file).
  - `workspaces["services/reviewer"].dependencies.drizzle-orm` is also `"^0.44.2"`.
  - The `packages` map contains only `drizzle-orm@0.44.2` and there is no entry for `0.45.2`.
With this lockfile committed, installs in CI/prod will continue to resolve drizzle-orm@0.44.2, silently negating the 0.45.2 escaping/security fix highlighted in the PR description (upstream notes fixes for sql.identifier() / sql.as() addressing CWE-89 risk).
Action required: run your package manager (e.g., bun install) at the repo root and commit the refreshed bun.lock so all workspaces resolve drizzle-orm@0.45.2 and the workspace dependency blocks reflect ^0.45.2. This is necessary for CI/prod parity and to ensure the security fix is actually consumed.
Spec verification
| Criterion | Status | Evidence |
|---|---|---|
| Update drizzle-orm dependency to 0.45.2 in all relevant manifests | Met | Both manifests list 0.45.2. Root: `package.json` shows `"drizzle-orm": "^0.45.2"` under `dependencies` (package.json: dependencies section). Reviewer service: `services/reviewer/package.json` shows `"drizzle-orm": "^0.45.2"` (services/reviewer/package.json: dependencies). |
| Ensure the lockfile is updated so installs resolve drizzle-orm 0.45.2 | Not Met | `bun.lock` still references `drizzle-orm` 0.44.2 in multiple places and no entry for 0.45.2 exists. See `bun.lock`: `workspaces[""] -> dependencies.drizzle-orm: "^0.44.2"`, `workspaces["services/reviewer"].dependencies.drizzle-orm: "^0.44.2"`, and the `packages` map includes `"drizzle-orm": ["drizzle-orm@0.44.2", …]`. |
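The check the reviewer repeats in every round (manifests declare `^0.45.2`, but the committed `bun.lock` still records `^0.44.2` and resolves `drizzle-orm@0.44.2`) can be automated as a CI gate. The script below is an added example, not code from this PR, from the reviewer bot, or from the drizzle-orm project. It parses a bun.lock excerpt and the two workspace manifests and reports every place where the lockfile disagrees with what a manifest declares. The manifest objects, the lockfile text and the `sha512-PLACEHOLDER` integrity value are constructed to mirror the state described in the findings above; `parseBunLock`, `satisfiesCaret` and `auditLock` are names chosen for this example.

```javascript
// Added example (not from the PR, the reviewer bot, or drizzle-orm): detect a stale
// Bun lockfile whose recorded ranges or resolved version lag behind the manifests.
// All inputs below are constructed for the demonstration.

// Constructed manifests: both workspaces declare the bumped range.
const ROOT_MANIFEST = { name: "repo", dependencies: { "drizzle-orm": "^0.45.2" } };
const REVIEWER_MANIFEST = { name: "reviewer", dependencies: { "drizzle-orm": "^0.45.2" } };
const MANIFESTS = { "": ROOT_MANIFEST, "services/reviewer": REVIEWER_MANIFEST };

// Constructed bun.lock excerpt in its JSON-with-trailing-commas text format,
// mirroring the stale state the review describes (integrity hash is a placeholder).
const STALE_BUN_LOCK = `{
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "name": "repo",
      "dependencies": {
        "drizzle-orm": "^0.44.2",
      },
    },
    "services/reviewer": {
      "name": "reviewer",
      "dependencies": {
        "drizzle-orm": "^0.44.2",
      },
    },
  },
  "packages": {
    "drizzle-orm": ["drizzle-orm@0.44.2", "", { "peerDependencies": {} }, "sha512-PLACEHOLDER"],
  },
}`;

// What the lockfile should look like after `bun install` is re-run and committed.
const FRESH_BUN_LOCK = STALE_BUN_LOCK.replace(/0\.44\.2/g, "0.45.2");

// bun.lock is JSON plus trailing commas; strip them before JSON.parse.
// Simplification: assumes no string value contains ",}" or ",]".
function parseBunLock(text) {
  return JSON.parse(text.replace(/,(\s*[}\]])/g, "$1"));
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Minimal npm caret semantics: ^0.45.2 allows >=0.45.2 <0.46.0 (0.x pins the minor),
// ^1.2.3 allows >=1.2.3 <2.0.0, ^0.0.3 allows only 0.0.3.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const [rMaj, rMin, rPat] = parseVersion(range.slice(1));
  const [vMaj, vMin, vPat] = parseVersion(version);
  const atLeast =
    vMaj > rMaj || (vMaj === rMaj && (vMin > rMin || (vMin === rMin && vPat >= rPat)));
  if (!atLeast) return false;
  if (rMaj > 0) return vMaj === rMaj;
  if (rMin > 0) return vMaj === 0 && vMin === rMin;
  return vMaj === 0 && vMin === 0 && vPat === rPat;
}

// Returns a list of human-readable problems; an empty list means the lockfile is
// consistent with every manifest that declares `pkg`.
function auditLock(manifests, lockText, pkg) {
  const lock = parseBunLock(lockText);
  const problems = [];
  const entry = lock.packages[pkg];
  // packages entries look like ["name@version", ...]; strip the "name@" prefix.
  const resolved = entry ? entry[0].slice(pkg.length + 1) : null;
  if (!resolved) problems.push(`${pkg}: no entry in packages map`);
  for (const [wsPath, manifest] of Object.entries(manifests)) {
    const declared = manifest.dependencies && manifest.dependencies[pkg];
    if (!declared) continue;
    const ws = lock.workspaces[wsPath];
    const locked = ws && ws.dependencies ? ws.dependencies[pkg] : undefined;
    const label = wsPath || "<root>";
    if (locked !== declared) {
      problems.push(`${label}: manifest wants ${declared}, lockfile recorded ${locked}`);
    }
    if (resolved && !satisfiesCaret(declared, resolved)) {
      problems.push(`${label}: resolved ${pkg}@${resolved} does not satisfy ${declared}`);
    }
  }
  return problems;
}

// Stale lockfile: two workspaces, each with a range mismatch and an out-of-range resolution.
console.log(auditLock(MANIFESTS, STALE_BUN_LOCK, "drizzle-orm"));
// Regenerated lockfile: no problems.
console.log(auditLock(MANIFESTS, FRESH_BUN_LOCK, "drizzle-orm"));
```

Wired into CI against the real `package.json` files and `bun.lock`, a non-empty problem list fails the build, which is the parity guarantee the reviewer asks for: a manifest bump cannot land without the lockfile that makes installs actually pick up the fixed version.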
Bumps drizzle-orm from 0.44.7 to 0.45.2.
Release notes
Sourced from drizzle-orm's releases.
Commits
- 273c780 + 0.45.2 (#5534)
- 4aa6ecf Kit updates (#5490)
- e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
- a086f59 Fixed pg-native Pool detection in node-postgres transactions breaking in envi...
- c445637 Merge pull request #5095 from drizzle-team/main-workflows
- e7b3aaa Merge branch 'main' into main-workflows
- 0d885a5 refactor: Update condition for run-feature job to improve clarity and functio...
- 45a1ffb Merge pull request #5087 from drizzle-team/main-workflows
- 6357645 chore: Comment out NEON_HTTP_CONNECTION_STRING requirement in release workflows
- 53dec98 refactor: Simplify release router workflow by removing unnecessary switch job...
Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for drizzle-orm since your current version.