v0.12.0 — Enterprise Audit: Security, API Pre-freeze, Zero Panics
Enterprise-level audit of the entire codebase: 32 findings from 4 independent audits, all resolved. 7 PRs merged (#23-#29).
Breaking Changes
- var → func — All 32 exported expression builders and error helpers are now proper functions. Improves godoc, prevents reassignment. ErrNotFound remains var.
- Distinct(bool) → Distinct() — No parameter, always enables DISTINCT.
- GenerateParamName() → GenerateParamName(index int) — Now dialect-aware.
- QueryParams() deprecated — Use Params() instead.
Security
- All column names in INSERT/UPDATE/UPSERT SQL now properly quoted via QuoteIdentifier()
- Model API PK columns use Eq() expression instead of raw string interpolation
- Null-byte defense added to QuoteIdentifier() in all 3 dialects
- Functional expressions (CASE, COALESCE, etc.) now handle table-aliased columns
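The quoting and null-byte items above, as an added example that is not the library's own code: a raw-interpolated SET clause beside one whose column name goes through a dialect-aware quoting helper. `Dialect`, `quoteIdent`, `rawSet` and `quotedSet` are hypothetical names, the input is constructed, and treating every dot as a part separator is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Dialect is a hypothetical type for this example, not the library's API.
type Dialect int

const Postgres, MySQL, SQLite Dialect = 0, 1, 2

// quoteIdent (hypothetical helper) quotes each dot-separated part of name.
// Assumption: a dot always separates schema, table and column parts.
func quoteIdent(d Dialect, name string) (string, error) {
	if strings.ContainsRune(name, 0) { // NUL-byte defense: reject, never strip
		return "", fmt.Errorf("identifier %q contains a NUL byte", name)
	}
	q := `"` // PostgreSQL and SQLite
	if d == MySQL {
		q = "`"
	}
	parts := strings.Split(name, ".")
	for i, p := range parts {
		if p == "" {
			return "", fmt.Errorf("identifier %q has an empty part", name)
		}
		parts[i] = q + strings.ReplaceAll(p, q, q+q) + q // double embedded quotes
	}
	return strings.Join(parts, "."), nil
}

// rawSet is the pre-fix pattern: the column name is interpolated as-is.
func rawSet(col string) string { return "SET " + col + " = ?" }

// quotedSet is the hardened form: the column name goes through quoteIdent.
func quotedSet(d Dialect, col string) (string, error) {
	c, err := quoteIdent(d, col)
	if err != nil {
		return "", err
	}
	return "SET " + c + " = ?", nil
}

func main() {
	hostile := `role = 'admin', name` // constructed sample input
	fmt.Println(rawSet(hostile))
	fmt.Println(quotedSet(Postgres, hostile))
	fmt.Println(quotedSet(MySQL, "public.order"))
}
```

With the quoted form the whole hostile string becomes a single (nonexistent) column name, so the database reports an unknown column instead of executing the extra assignment.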
Zero Panics
17 panic paths converted to stored buildErr errors. Affected: Where(), OrWhere(), Having(), FromSelect(), With(), WithRecursive(), JOIN ON, BatchInsert, LikeExp.EscapeChars(). Model(nil) returns clean error. pgx driver registered.
New Features
- Tx symmetry: BatchInsert(), BatchUpdate(), Upsert(), NewQuery() on transactions
- ToSQL() on all 6 query types (was 3)
- ModelQuery.WithContext(ctx) — per-operation context
- Query.Params() — canonical parameter accessor
Correctness Fixes
- HAVING placeholder renumber for multi-arg clauses on PostgreSQL
- QuoteTableName/QuoteColumnName now use dialect (was hardcoded ")
- Validator applied to builder queries (was raw SQL only)
- Empty Insert()/Update() returns error instead of broken SQL
- Missing named params {:name} detected and reported
- Schema-qualified tables: From("public.users u") → "public"."users" AS "u"
- SQL operator spacing: "col" = ? instead of "col"=?
Testing
- 1576 lines of new integration tests with reserved word columns (order, select, group, user, table, where, index)
- All 3 databases tested in CI: PostgreSQL 15, MySQL 8, SQLite
- 50+ subtests covering security, table aliases, Model API, ToSQL consistency, Tx symmetry, schema-qualified tables
Full Changelog: v0.11.1...v0.12.0