Conversation

@renovate renovate bot commented Jun 18, 2025

This PR contains the following updates:

Package: pg-promise
Change: ^8.2.1 -> ^11.0.0
(The Age and Confidence columns were badge images and are not reproduced here.)

GitHub Vulnerability Alerts

CVE-2025-29744

pg-promise before 11.5.5 is vulnerable to SQL Injection due to improper handling of negative numbers.


Release Notes

vitaly-t/pg-promise (pg-promise)

v11.5.5

Compare Source

  • Addressing SQL injection issue; all negative numbers are now wrapped in parentheses.
  • Dev dependencies updated.

Thanks to @paul-gerste-sonarsource!

v11.5.4

Compare Source

  • Dependencies updated, including the driver, to v8.11.3

v11.5.3

Compare Source

  • Following up on driver fix-update, see issue #​888

v11.5.2

Compare Source

This update is to clarify the full range of environments officially supported:

  • PostgreSql v10 - v15
  • NodeJS v14 - v18

It is worth noting that:

  • It may work with PostgreSql v9, but it is no longer officially supported.
  • It should work with NodeJS v20, but it is not officially supported yet (we support LTS versions of NodeJS only).

The CI has been updated accordingly. No functional changes.

v11.5.1

Compare Source

  • Updated dependencies, including the driver, to v8.11.1
  • Fixed #​884 - CI build issue in test

v11.5.0

Compare Source

  • Many dependencies updated, including Postgres driver.
  • Minor documentation updates.

Please note that at the time of publishing this, GitHub CI started showing problems again, unrelated to the project. All tests pass locally fine, disregard Failed Build status for the time being.

v11.4.3

Compare Source

  • Updated dependencies
  • Marked method batch as deprecated.

v11.4.2

Compare Source

  • Dev dependencies updated
  • Semantic refactoring of the code

v11.4.1

Compare Source

  • Corrected TypeScript signature for the Pool's property log.

v11.4.0

Compare Source

  • Updated dependencies: "pg" -> "8.10.0" and "pg-query-stream" -> "4.4.0"
  • Extended IPool TypeScript declaration with properties expiredCount + log. The latter in case you want to log what the pool is doing:
db.$pool.log = (msg: string, err?: any) => {
    console.log('Pool:', msg, err); // report what the pool is doing
}

v11.3.0

Compare Source

  • Following #​867, amended missed connection + default properties within TypeScript declarations:
    • lock_timeout - abort any statement that waits longer than the specified duration
    • idle_in_transaction_session_timeout - terminate any session with an open transaction that has been idle for longer

v11.2.0

Compare Source

Quick follow up on issues within the previous release:

  • Corrected type of stream property to Socket
  • Temporarily disabled CI for PG v14 and v15, until the integration issue is resolved.

v11.1.0

Compare Source

  • Upgraded the underlying driver; see its changes.
  • Added property stream to the connection parameters in TypeScript declarations.

Please ignore CI errors that are due to this issue, which can be addressed later.

v11.0.2

Compare Source

CI integration added, thanks to @​dplewis

v11.0.1

Compare Source

Removed use of operator ??=, which was causing an error under NodeJS version < 15.

v11.0.0

Compare Source

BREAKING CHANGES

  • Initialization option noLocking and all the locking logic has been removed. It was a bit of an over-engineering thing.
  • Parameters for events connect, disconnect and receive have changed (wrapped into an object)
  • Connection option poolSize has been retired. You should just use option max now, for the pool size.
  • NodeJS v14 is now the required minimum

OTHER CHANGES

  • Documentation updates
  • DEV dependencies updated

v10.15.4

Compare Source

  • Fixes #​854 TypeScript declaration issue.

v10.15.3

Compare Source

v10.15.2

Compare Source

  • Fixing #​853 (crash in NodeJS v12)

v10.15.1

Compare Source

  • Event error now reports query + params even for regular query errors (see pr #​852)

v10.15.0

Compare Source

  • Minimum version of NodeJS required is now v12.0.0 (was v8.0.0 previously). See the check.

v10.14.2

Compare Source

  • Assertions were refactored internally, so now they can be overridden via global.pgPromiseAssert. See assert-options module.
  • Improved Buffer detection
  • Documentation updates

v10.14.1

Compare Source

Fixes for TypeScript declarations:
  • Fixing declaration for method result
  • Fixing declaration for txMode namespace, so it is consistent with how the library works:

Example of correct txMode usage:

import {txMode} from 'pg-promise';

const {isolationLevel, TransactionMode} = txMode;

const mode = new TransactionMode({tiLevel: isolationLevel.none});

Or, you can still extract those from both the uninitialized library:

import * as pgPromise from 'pg-promise';

const {isolationLevel, TransactionMode} = pgPromise.txMode; // from uninitialized library

... and from an initialized library instance:

import * as pgPromise from 'pg-promise';

const pgp = pgPromise({/* init options */}); // initializing the library

const {isolationLevel, TransactionMode} = pgp.txMode; // from initialized library

v10.14.0

Compare Source

  • Type Result (returned from methods result and multiResult) is now iterable, automatically exposing rows of data:
const res = await db.result('select * from users');
for (const r of res) {
    console.log(r); // print each row
}

Above, res (of type Result) is now iterable, automatically exposing res.rows.values().

To that end, the typescript declarations have been updated accordingly.

TypeScript example
class User {
    id: number;
    login: string;
    active: boolean;
}

// example of typed query result

const res = await db.result<IResultExt<User>>('select * from users');
for (const r of res) {
    // r here is strongly-typed
    console.log(r);
}

v10.12.1

Compare Source

v10.12.0

Compare Source

v10.11.1

Compare Source

  • Documentation updates: Removed Gitter link, moving into Discussions
  • Dev dependencies updated

v10.11.0

Compare Source

  • Implemented #​800 - added support for connection option allowExitOnIdle, to let process exit when pool is idle. This means you no longer need to destroy the connection pool inside tests or any run-through process. Instead, just set allowExitOnIdle: true within the database connection parameters.
  • Updated all dependencies, including the base pg driver to v8.7.1
  • Removed tests integration for Travis CI. Adding it to GitHub Actions is still just a plan - see #799, but right now there is no CI, only manually-run tests.
  • Refactored many tests + examples
  • Documentation updates

v10.10.2

Compare Source

  • Updated dependencies
  • Documentation updates

v10.10.1

Compare Source

  • Implemented #782, to return a Promise from method done, specifically for direct connections. This was added mainly for consistency with the underlying driver.
  • Updated documentation
  • Updated DEV dependencies

v10.9.5

Compare Source

  • Changed how useCount for connections is incremented, to make sure it never overflows, and never resets to zero.
  • DEV dependencies updated.

v10.9.4

Compare Source

  • Removing pg-native from dependencies, which crawled into the package during tests, yet again.

Damn NPM, with its auto-save features!!! 😠

v10.9.3

Compare Source

v10.9.2

Compare Source

v10.9.1

Compare Source

  • Extending on #​175, added global instance support to QueryFile class.

v10.9.0

Compare Source

v10.8.7

Compare Source

  • Added support for #​743, to allow pg replacement with a mock.
  • DEV dependencies updated.

v10.8.6

Compare Source

  • spex dependency updated.

v10.8.5

Compare Source

  • Makes TypeScript stricter. In this update specifically, everything in helpers is now more type-strict.

v10.8.4

Compare Source

v10.8.3

Compare Source

v10.8.1

Compare Source

  • Updated dependencies. pg-query-stream now requires >= v4.0.0

v10.8.0

Compare Source

Following up on #​765, this release extends filter :alias, to auto-split name, based on ., to support composite SQL names.

See also: Alias Filter.

v10.7.5

Compare Source

  • Concludes all SSL-related issues from #​764

v10.7.4

Compare Source

  • Trying to resolve all issues listed in #​764

v10.7.3

Compare Source

  • TypeScript: Improving IPool declaration.

v10.7.2

Compare Source

  • Updated TypeScript declarations: db.$pool is now strongly-typed as IPool.
  • DEV dependencies updated

v10.7.1

Compare Source

  • Dependencies updated
  • Removed space following proc/func name.
  • xs:code integration

v10.7.0

Compare Source

  • Implemented #​756
  • Updated dependencies

v10.6.2

Compare Source

  • Minor code refactoring + dev dependencies updated.

v10.6.1

Compare Source

  • Updated the driver dependency, with the fix for #​748

v10.6.0

Compare Source

  • Refactoring out some old code and documentation
  • Multiple dependencies updated, including the latest driver + TypeScript v4

v10.5.8

Compare Source

  • Dependencies updated, including the driver, which should bring performance improvements for bytea type, see this PR.

v10.5.7

Compare Source

  • Improved TypeScript declarations, including #​735
  • Updated dependencies

v10.5.6

Compare Source

  • Dependencies updated, including pg driver to v8.2.1

v10.5.5

Compare Source

  • Fixed invalid setters in the code

v10.5.4

Compare Source

  • Dependencies updated, including pg driver to v8.1.0

v10.5.3

Compare Source

  • Minor TypeScript declaration fix for #​722

v10.5.2

Compare Source

  • Fixing #​717 - adding NodeJS v14 support.
  • Dependencies updated.

v10.5.1

Compare Source

  • Dependencies updated, including the driver to v8.0.2

v10.5.0

Compare Source

  • Driver has been updated to version 8.0.0; See its changelog.
  • Removed hiding password in connection, as the driver now handles it.
  • Removed idleTimeoutMillis (in TypeScript) from defaults, due to this bug, and #​703
  • Updated dependencies + documentation

v10.4.4

Compare Source

  • Dependencies updated, including the driver to v7.18.2
  • Added test coverage for the color console

v10.4.3

Compare Source

  • Improving error reporting for event handlers.
  • Refactoring strings to use ES6 syntax everywhere.
  • DEV dependencies updated.

v10.4.2

Compare Source

  • Improved errors + warnings reporting.

v10.4.1

Compare Source

v10.4.0

Compare Source

  • Updated driver to the latest 7.18.1, see #​687
  • Dropped support for pg-query-stream < 3.0.0, see #​695
  • Dropped support for Nodejs < 8.0.0 (because of the new streams)

v10.3.5

Compare Source

  • Fixed #​680, and potentially similar connectivity issues, to auto-kill non-queryable connections.

This is an important overall-connectivity fix on the base driver, which sometimes would give us a dead connection.

v10.3.4

Compare Source

  • Fixed #​682
  • Minor code refactoring + documentation updates

There has been a discrepancy with the driver, as it's undergone many changes when it comes to supporting connection timeouts.

Property connect_timeout now has been removed from the defaults of the driver, and property connectionTimeoutMillis added to the connection parameters, which is the only correct way to set the connection timeout:

const db = pgp({
    database: 'my-db',
    /* other connection properties */

    connectionTimeoutMillis: 2000 // set connection timeout to 2 seconds
});

Note that this change affects only TypeScript clients.

v10.3.3

Compare Source

Method proc had limited functionality, without supporting procedures with output parameters. The method's signature has been revised, to let you get the output values + optionally transform them.

Example

Say, you have a procedure like this one:

CREATE OR REPLACE PROCEDURE test_proc(INOUT output1 INT, INOUT output2 TEXT)
LANGUAGE plpgsql AS $$
BEGIN
    output1 := 123;
    output2 := concat(output2, '-hello!');
END;$$;

Then the following calls can be made now:

await db.proc('test_proc', [null, 'world']);
//=> {output1: 123, output2: 'world-hello!'}

await db.proc('test_proc', [null, 'world'], a => a.output2);
//=> 'world-hello!'

v10.3.2

Compare Source

  • Migrated tests to PostgreSQL v11
  • Documentation updates
  • DEV dependencies updated

No code changes.

After some tests, and looking at what's going on with the driver, decided against upgrading, for now, until it becomes something better. Sometime in January 2020, perhaps.

v10.3.1

Compare Source

  • Removed now obsolete min connection option from the TypeScript. The connection pool no longer supports it.

v10.3.0

Compare Source

  • Driver updated to v7.14.0
  • DEV dependencies updated

v10.2.1

Compare Source

pg-native crawled into 10.2.0 package, yet again, after my local tests, thanks to npm's damn auto-save feature, and it got published unknowingly 😠

This update just throws pg-native away from the package, as it doesn't belong there.

v10.2.0

Compare Source

  • Implemented #​675 feature, to support killing manual connections
  • Documentation updates

UPDATE

The package got crippled here, with pg-native dependency injected by mistake. Removed in 10.2.1.

v10.1.0

Compare Source

Implemented #​673 - adding serverVersion everywhere.


Now you have the server version inside any task or transaction context (see TaskContext):

db.task(t => {
    console.log('Server Version:', t.ctx.serverVersion);
});

And the low-level Client type has been extended as well:

db.connect().then(c => {
    console.log('Server Version:', c.client.serverVersion);
    c.done();
})

NOTE: This feature is not available with Native Bindings

v10.0.1

Compare Source

Documentation updates only.

v10.0.0

Compare Source

Below are breaking changes:

  • Implemented #​670. Method proc signature has changed, and it now produces the new CALL procName() syntax, for native stored procedures, which requires PostgreSQL v11 or later.
  • Fixed #671. Methods proc and func now will add double quotes around the name, if it is not same-case or contains extended symbols (using alias).

v9.3.6

Compare Source

  • A few minor improvements and code refactoring.
  • Updating DEV dependencies
  • Adding tests

v9.3.5

Compare Source

Quick patch for #​667, to let TypeScript also infer the client type for events within the initialization options.

Example

import * as pgPromise from 'pg-promise';

const pgp: pgPromise.IMain<{}, MyClient> = pgPromise({
    connect(client) {
        // client type is inferred correctly here, as type MyClient
    }
});

v9.3.4

Compare Source

  • Implemented #​667
  • DEV dependencies updated

No code changes.

v9.3.3

Compare Source

Finalizing #​657, added many tests, and changed internal BigInt replacement pattern to "123#bigint", which should not break anything by accident.

v9.3.2

Compare Source

Patches #​657 to properly format BigInt when used with JSON Filter and as.json function.

v9.3.1

Compare Source

Improving on #​657, with support for JSON serialization for BigInt, i.e. now JSON Filter will work for BigInt, as well as method as.json, and all inner serializations within the library.

v9.3.0

Compare Source

  • Implemented #​657, to support native BigInt type.
  • DEV dependencies updated
  • Documentation updates

BigInt Native Support

Now you can enable native BigInt support when running under Node.js v10.4.0 or later.

The following will make types BIGINT and BIGSERIAL arrive as BigInt type:

pgp.pg.types.setTypeParser(20, BigInt); // Type Id 20 = BIGINT | BIGSERIAL

And if you make use of arrays of BigInt, you can convert them with this:

// 1016 = Type Id for arrays of BigInt values
const parseBigIntArray = pgp.pg.types.getTypeParser(1016);
pgp.pg.types.setTypeParser(1016, a => parseBigIntArray(a).map(BigInt));

And the query-formatting engine now lets you use type BigInt for query values directly:

// 123n = BigInt('123')
await db.oneOrNone('SELECT * FROM table WHERE id = $1', [123n]);

// Example of the type changing into BigInt as it goes through the converter:
await db.one('SELECT $1::bigint as value', [123]); //=> {value: 123n}

v9.2.1

Compare Source

A quick follow-up on v9.2.0 release:

  • Updating TypeScript declarations for the modified API
  • Adding tests

v9.2.0

Compare Source

Major refactoring within the query-formatting engine + the helpers namespace, to support a more generic way of propagating formatting options through all layers of the library.

Method as.format now supports option capSQL, which currently will only affect arrays, to be formatted using ARRAY instead of array. And helpers namespace is affected by this automatically, while the global capSQL option is used in the absence of the one set locally.

Method as.array now supports the same option capSQL.

v9.1.4

Compare Source

Documentation updates only.

v9.1.3

Compare Source

v9.1.2

Compare Source

Dependency updates.

v9.1.1

Compare Source

If you are using TypeScript, and importing types for extensions batch, sequence or page, you may need to update those, as types were replaced with interfaces, to make them extendable.

Also, all errors that can be generated by the above methods are no longer ES5 errors, they are now proper ES6 error classes.

v9.1.0

Compare Source

Implementation of #​642 has been merged into the main branch, for the official release.

Dropped connections are now processed differently, without returning them into the pool. It is a major internal change, but other than that, nothing changed within the client's protocol.

From the previous updates, TypeScript issues related to the strict mode have been resolved also.

This update is a must-have, especially if you are writing in TypeScript's strict mode.

v9.0.3

Compare Source

Major TypeScript updates, no code changes.
  • Implemented #​645
  • Updated TypeScript for the driver, to keep up with the latest

In reality, there was substantial refactoring within TypeScript declarations, to support strict mode, for the driver, plus other issues that came up within tests. And pg-promise-demo has been updated to take advantage of the strict mode compatibility.

And to make sure it stays that way, TypeScript tests in the project are now in strict mode, as per tsconfig.json.

Thanks @​72636c for pointing out the strict mode issue, and the initial PR.

v9.0.2

Compare Source

  • Implemented #​643, which is a TypeScript update only, to support dynamic passwords.

v9.0.1

Compare Source

  • Updated driver dependency to 7.12.1, which fixes the builtins issue.
  • Added builtins property within TypeScript, i.e. pgp.pg.types.builtins
  • Documentation updates

v9.0.0

Compare Source

Official v9 Release

Node.js and TypeScript Requirements
  • Node.js v7.6 is now the new minimum version supported, as the one that started official ES2017 support.
  • TypeScript v3.x is now required, while v2 is no longer supported.
TypeScript

Many declarations have been renamed and refactored to comply with the latest TypeScript recommendations. So if you are using TypeScript, you may need to update a few types. Follow the official start page for the TypeScript. And pg-promise-demo has been updated for v9.

ES6/ES7

A significant portion of the code has been rewritten from ES5 syntax to ES6, and ES7, which is why Node.js requirements were upgraded.

Removed Features
  • The library no longer supports ES6 generators. Now you should use ES7 async/await only.
  • Rarely, if ever, used functions objectToCode and buildSqlModule were removed from the utils namespace.
Removed Mixed Parameters

Such types as TableName, TransactionMode, PreparedStatement and ParameterizedQuery no longer support mixed parameterization, they now only support an object-parameter, with correct options, to avoid ambiguity.

Dependency Updates
  • Updated the pg driver to the latest 7.12.0, plus internal assert-options module.
  • A few DEV dependency updates also.

v8.7.5

Compare Source

  • Improving ROLLBACK logic for failed connections, following this PR.
  • Documentation updates.

v8.7.4

Compare Source

  • Fixed #​565, for event receive to work with method stream again.
  • DEV dependencies update
  • Documentation updates

v8.7.3

Compare Source

v8.7.2

Compare Source

  • Fixing #607, now all errors are ES6 classes, and when reported as unhandled, also contain complete details.
  • Upgraded pg-minify to v1.2.0, with the same ES6 rewrite for errors, plus nested SQL comments support.
  • Refactoring connectivity tests

v8.7.1

Compare Source

  • Driver has been upgraded to v7.11.0, with support for finer-grained connectivity parameters (see PR-1847)
  • Updated connection parameters + defaults to match what's in the latest driver
  • Fixed some flaky connectivity tests

v8.7.0

Compare Source

v8.6.5

Compare Source

Updated dependencies + documentation.

v8.6.4

Compare Source

Updating dependencies, including the driver version to 7.9.0

v8.6.3

Compare Source

v8.6.2

Compare Source

Patching 8.6.1 update with this PR.

v8.6.1

Compare Source

Minor breaking change: Finalizing assert-options integration, into type QueryFile that was missed in v8.6.0.

v8.6.0

Compare Source

  • Minor Breaking Change: Integrating use of assert-options throughout the entire library, to help identify errors related to invalid use of optional parameters anywhere in the API.
  • Breaking Change: Renaming option default to def for method as.format, to avoid conflicts with the JavaScript reserved word.
  • Dependency updates

v8.5.6

Compare Source

  • Driver pg updated to 7.8.1
  • DEV dependencies updated
  • Removing bad tests

v8.5.5

Compare Source

  • Dependency updates
  • Documentation updates
  • Fixing tests for MacOS

v8.5.4

Compare Source

v8.5.3

Compare Source

v8.5.2

Compare Source

v8.5.1

Compare Source

v8.5.0

Compare Source

v8.4.6

Compare Source

v8.4.5

Compare Source

v8.4.4

Compare Source

v8.4.3

Compare Source

v8.4.2

Compare Source

v8.4.1

Compare Source

v8.4.0

Compare Source

v8.3.3

Compare Source

v8.3.2

Compare Source

v8.3.1

Compare Source

v8.3.0

Compare Source

v8.2.3

Compare Source

v8.2.2

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
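The CVE-2025-29744 alert above and the v11.5.5 note ("all negative numbers are now wrapped in parentheses") state the fix but not the mechanism. The following is an added example, not pg-promise's own code and not an exploit from the advisory: a deliberately small stand-in for a client-side "$1, $2" formatter, with the pre-fix and post-fix number handling exposed as one option, plus a guard that detects when substitution created an SQL line comment. The reading that a bare negative number landing right after a "-" in the template forms the "--" comment opener (after which PostgreSQL ignores the rest of the line) is an inference from the fix, not something the page says; the template, table, column and values are constructed for the demo. It also formats BigInt values (the v9.3.0 feature) the same way.

```javascript
// Added illustration of the negative-number issue fixed in pg-promise 11.5.5.
// NOT pg-promise code: a minimal "$1, $2" formatter whose only switch is
// whether negative numbers are parenthesised (the 11.5.5 behaviour).

// Format one JS value as an SQL literal.
// wrapNegatives=false mimics pre-11.5.5 ("-5"); true mimics the fix ("(-5)").
function formatValue(value, { wrapNegatives }) {
  if (value === null || value === undefined) return 'null';
  switch (typeof value) {
    case 'number':
      if (!Number.isFinite(value)) throw new TypeError('non-finite number');
      return wrapNegatives && value < 0 ? `(${value})` : String(value);
    case 'bigint':
      return wrapNegatives && value < 0n ? `(${value})` : String(value);
    case 'boolean':
      return value ? 'true' : 'false';
    case 'string':
      return `'${value.replace(/'/g, "''")}'`; // double embedded quotes
    default:
      throw new TypeError(`unsupported value type: ${typeof value}`);
  }
}

// Substitute $1, $2, ... with formatted values. Only the numeric "$n"
// syntax is supported; this is an illustration, not a full formatter.
function format(query, values, options = { wrapNegatives: true }) {
  return query.replace(/\$(\d+)/g, (match, index) => {
    const i = Number(index) - 1;
    if (i >= values.length) throw new RangeError(`no value for ${match}`);
    return formatValue(values[i], options);
  });
}

// Count "--" line-comment openers outside single-quoted string literals.
function commentOpeners(sql) {
  const noStrings = sql.replace(/'(?:[^']|'')*'/g, "''");
  return (noStrings.match(/--/g) || []).length;
}

// Guard: substitution must not create a comment opener the template
// did not already contain. Useful as a test-suite assertion.
function introducesComment(template, formatted) {
  return commentOpeners(formatted) > commentOpeners(template);
}

// What the server parses: drop "--" comments (outside string literals)
// up to end of line, so the truncation becomes visible.
function effectiveSql(sql) {
  let out = '';
  let inString = false;
  for (let i = 0; i < sql.length; ) {
    const ch = sql[i];
    if (inString) {
      out += ch;
      if (ch === "'") inString = false; // '' reads as close+reopen, harmless
      i++;
    } else if (ch === "'") {
      inString = true;
      out += ch;
      i++;
    } else if (ch === '-' && sql[i + 1] === '-') {
      const nl = sql.indexOf('\n', i);
      i = nl === -1 ? sql.length : nl; // the newline itself is kept
    } else {
      out += ch;
      i++;
    }
  }
  return out.trimEnd();
}

// Constructed template (assumption, not from the page): an operator
// directly precedes $2, so a bare negative yields "0--100".
const TEMPLATE = 'SELECT id, amount FROM ledger WHERE amount > $1-$2 AND account_id = $3';
const VALUES = [0, -100, 7];

function demo() {
  const legacy = format(TEMPLATE, VALUES, { wrapNegatives: false });
  const fixed = format(TEMPLATE, VALUES, { wrapNegatives: true });
  return {
    legacy,                                            // "... amount > 0--100 AND account_id = 7"
    legacyEffective: effectiveSql(legacy),             // account_id filter is gone
    legacyUnsafe: introducesComment(TEMPLATE, legacy), // true
    fixed,                                             // "... amount > 0-(-100) AND account_id = 7"
    fixedEffective: effectiveSql(fixed),               // unchanged
    fixedUnsafe: introducesComment(TEMPLATE, fixed),   // false
  };
}
```

In the legacy output the server sees only what precedes "--", so in this constructed template the account_id predicate disappears; what survives in a real application depends entirely on the template, and the page does not describe an exploit. The introducesComment guard is a cheap regression check for a test suite while upgrading; the remedy is pg-promise 11.5.5 or later, and where a query can be sent with server-side parameter binding instead of client-side string formatting, no such substitution happens at all.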

@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from dca02fb to b29da7a Compare August 10, 2025 15:08
