
Bump drizzle-orm to 1.0.0-beta.21+ for GHSA-gpj5-g38j-94v9 (handle migrate() + transaction() API drift) #61

@byapparov

Description


Context

Spun out from #50 / #60. The triage in #50 covered three advisories; #60 ships the two that bump cleanly (minimatch, @modelcontextprotocol/sdk). This issue tracks the third — drizzle-orm GHSA-gpj5-g38j-94v9 — which needs additional code changes to land.

Why it didn't go into #60

Bumping drizzle-orm + drizzle-kit from 1.0.0-beta.12-a5629fb to 1.0.0-beta.21 (latest beta) breaks packages/cli typecheck because the beta track shipped two API changes between those versions:

1. migrate() signature changed

packages/cli/src/storage/db.ts:97 and packages/cli/test/storage/json-migration*.test.ts pass { sql, timestamp }[] to migrate(). The new signature requires either:

  • A MigrationConfig object (with migrationsFolder), or
  • A MigrationsJournal object whose entries include a name field

The custom JSON-migration loader needs to either provide name per entry or migrate to the migrationsFolder shape.

2. db.transaction() callback type tightened

packages/cli/src/storage/db.ts:146 defines a generic <T> transaction wrapper. Sync drivers (which we use — bun-sqlite) now produce a DrizzleTypeError<"Sync drivers can't use async functions in transactions!"> when T resolves to a Promise. The existing callback type triggers the conditional-type guard, and the cascading return-type error at line 150 (unknown not assignable to T) is the same root cause.

Fix is probably: constrain the generic to T extends Promise<any> ? never : T, or split into sync vs async overloads.

Why it's not exploitable today

grep -rn 'sql\.identifier\|\.as(' packages/cli/src/ returns zero hits. The advisory requires sql.identifier() or .as() with attacker-controlled input. The CLI uses drizzle purely with hardcoded sqliteTable(...) definitions and eq() predicates against a local bun-sqlite database — no dynamic identifier path, no network surface. So the version is stale-but-safe; this is hygiene, not an active fire.

Acceptance criteria

  • drizzle-orm and drizzle-kit at 1.0.0-beta.21 or later in all three declaration sites (root catalog, packages/cli devDeps, packages/cli deps + overrides)
  • packages/cli/src/storage/db.ts migrate() and db.transaction() updated to the new APIs
  • packages/cli/test/storage/json-migration*.test.ts updated to match
  • bun turbo typecheck and bun turbo build both green
  • bun test storage suite passes (DB migration is the load-bearing path here)
  • Dependabot alert for GHSA-gpj5-g38j-94v9 cleared
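The two adaptations sketched in points 1 and 2 above (giving each JSON-migration entry a name, and keeping the generic transaction wrapper synchronous-only via a conditional type), shown as an added stand-alone example. This is illustration code, not the repository's db.ts and not drizzle-orm's own types: the in-memory Store, the LegacyMigration/JournalEntry shapes, the SyncOnly helper and the withNames naming scheme are all assumptions made for the example, and drizzle's real MigrationsJournal and DrizzleTypeError types are not reproduced.

```typescript
// Added example: a minimal stand-in for a db.ts-style wrapper. The Store, the
// journal shapes and SyncOnly are assumptions for this illustration, not drizzle's API.

// Legacy shape the JSON-migration loader produced: { sql, timestamp }[]
interface LegacyMigration {
  sql: string[];
  timestamp: number;
}

// Hypothetical journal-entry shape standing in for "entries include a name field".
interface JournalEntry extends LegacyMigration {
  name: string;
}

// Derive a stable, unique name per entry so the loader can keep its { sql, timestamp }
// input while satisfying a name-requiring journal. Entries are ordered by timestamp and
// the index prefix disambiguates duplicate timestamps so two names never collide.
export function withNames(entries: LegacyMigration[]): JournalEntry[] {
  const sorted = [...entries].sort((a, b) => a.timestamp - b.timestamp);
  return sorted.map((m, i) => ({
    ...m,
    name: `${String(i).padStart(4, "0")}_${m.timestamp}`,
  }));
}

// Compile-time guard in the spirit of the sync-driver check: resolves to `never`
// when the callback's result is a Promise, so an async callback fails to type-check
// (Promise<X> is not assignable to never).
type SyncOnly<T> = T extends Promise<unknown> ? never : T;

function isThenable(value: unknown): value is PromiseLike<unknown> {
  return typeof value === "object" && value !== null &&
    typeof (value as { then?: unknown }).then === "function";
}

// Minimal synchronous key/value store with all-or-nothing transactions.
export class Store {
  private data = new Map<string, string>();

  get(key: string): string | undefined { return this.data.get(key); }
  set(key: string, value: string): void { this.data.set(key, value); }

  // The callback must be synchronous. Callers that bypass the types (casts, `any`)
  // are also rejected at runtime, before a dangling promise can leave a half-applied
  // write behind; any failure rolls the store back to its pre-transaction state.
  transaction<T>(fn: (tx: Store) => SyncOnly<T>): T {
    const snapshot = new Map(this.data);
    try {
      const result = fn(this) as unknown as T;
      if (isThenable(result)) {
        throw new TypeError("Sync drivers can't use async functions in transactions!");
      }
      return result;
    } catch (err) {
      this.data = snapshot; // roll back on any failure, including the async-callback case
      throw err;
    }
  }
}
```

Splitting into explicit sync and async overloads (the issue's other suggested fix) would replace SyncOnly with two signatures; the conditional type keeps a single generic wrapper, which is closer to the existing db.ts shape.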
