fix: bump drizzle-orm to 0.45.2 (CVE-2026-39356)#14

Merged: MerverliPy merged 2 commits into main from fix/drizzle-orm-cve, Jul 3, 2026

Conversation

@MerverliPy (Owner)

Patches CVE-2026-39356 — Drizzle ORM SQL injection via improperly escaped SQL identifiers (HIGH).

Impact: eval package was pinned to ^0.38.0 which doesn't include the fix. Updated all three consumers to resolve to 0.45.2.

Changed files:

  • packages/eval/package.json: ^0.38.0 -> ^0.45.2
  • bun.lock: Updated resolvers

Verification: Storage tests pass. Dependabot alert #1 should auto-close after merge.
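As an added example (not code from this PR or the repository), here is the check a reviewer would want next to a bump like this, in plain Node with no dependencies. It implements the npm/bun caret-range rule for 0.x versions, which is the reason a declared range of ^0.38.0 could never resolve to 0.45.2, and it verifies a resolved version against the fixed release. The package.json objects and the resolved version strings are constructed inputs; the bun.lock file format is not parsed here, the resolved version is passed in by hand.

```javascript
// Added example: does a declared caret range reach the patched release, and is the
// resolved (lockfile) version at or above it? Not part of the PR. FIXED_VERSION is
// the 0.45.2 the PR names; sample package.json objects below are constructed.
const PACKAGE = "drizzle-orm";
const FIXED_VERSION = "0.45.2"; // first release carrying the CVE-2026-39356 fix, per the PR

// Parse "MAJOR.MINOR.PATCH" into a numeric triple; anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two triples: -1, 0 or 1.
function cmpTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range as npm/bun define it:
//   ^1.2.3 -> <2.0.0    ^0.2.3 -> <0.3.0    ^0.0.3 -> <0.0.4
// For 0.x versions the minor is pinned, so ^0.38.0 stops below 0.39.0 and can
// never pick up 0.45.2 no matter how often the lockfile is refreshed.
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// True if `version` lies inside the caret range `range` (e.g. "^0.45.2").
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges are handled here: ${range}`);
  const lo = parseVersion(range.slice(1));
  const hi = caretUpperBound(lo);
  const v = parseVersion(version);
  return cmpTriples(v, lo) >= 0 && cmpTriples(v, hi) < 0;
}

// True if the version actually resolved (e.g. from the lockfile) is >= the fixed release.
function isPatched(resolvedVersion, fixed = FIXED_VERSION) {
  return cmpTriples(parseVersion(resolvedVersion), parseVersion(fixed)) >= 0;
}

// Audit one package.json object: can its declared range resolve to the fix at all,
// and does the resolved version already carry it? Both must be true after a bump.
function auditDependency(pkgJson, resolvedVersion, name = PACKAGE, fixed = FIXED_VERSION) {
  const declared = (pkgJson.dependencies || {})[name] ?? (pkgJson.devDependencies || {})[name];
  if (declared === undefined) {
    return { name, declared: null, rangeReachesFix: null, resolvedPatched: null };
  }
  return {
    name,
    declared,
    rangeReachesFix: caretAllows(declared, fixed),
    resolvedPatched: isPatched(resolvedVersion, fixed),
  };
}

// Constructed inputs mirroring the PR's before/after state (not the repository's real files).
const BEFORE = { dependencies: { "drizzle-orm": "^0.38.0" } };
const AFTER = { dependencies: { "drizzle-orm": "^0.45.2" } };

function demo() {
  return {
    before: auditDependency(BEFORE, "0.38.0"), // constructed resolved version
    after: auditDependency(AFTER, "0.45.2"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two flags answer different questions: `resolvedPatched` says whether the lockfile is clean today, while `rangeReachesFix` says whether the declared range could ever have reached the fix. A lockfile refresh alone fixes nothing when the second flag is false, which is the situation this PR corrects by changing package.json as well as bun.lock.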

@MerverliPy MerverliPy merged commit 7357377 into main Jul 3, 2026
3 of 6 checks passed
@MerverliPy MerverliPy deleted the fix/drizzle-orm-cve branch July 3, 2026 14:12