Skip to content

v1.2.0

Choose a tag to compare

@kristofer84 kristofer84 released this 20 Mar 18:02

Security

  • SQL injection via column names fixed — all column/identifier names are now quoted with PostgreSQL double-quote escaping (quoteIdent) in update_data, delete_data, insert_data, count_rows, alter_table, and create_table
  • SSL rejectUnauthorized correctedsslmode=require now properly validates server certificates (rejectUnauthorized: true); previously it disabled validation
  • DDL injection prevented — column types and default values in create_table and alter_table are now validated via sanitizeType() and sanitizeDefault()

Features

  • dry_run implementedupdate_data and delete_data now honour the dry_run: true parameter, returning a preview of affected rows without modifying any data
  • Row limit enforcedupdate_data and delete_data now cap affected rows at the declared limit (default 1000, max 10000) using a ctid subquery
  • Statement timeout — all connections now apply a 30-second query timeout by default, configurable via DB_STATEMENT_TIMEOUT env var

Refactoring

  • Extracted triplicated SSL configuration logic into a single buildSslConfig() helper

Testing

  • CI now spins up a real PostgreSQL 16 service and runs the full integration test suite
  • dry_run tests are now active (were previously skipped)
  • npm test runs node test-tools.mjs