You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SQL injection via column names fixed — all column/identifier names are now quoted with PostgreSQL double-quote escaping (quoteIdent) in update_data, delete_data, insert_data, count_rows, alter_table, and create_table
SSL rejectUnauthorized corrected — sslmode=require now properly validates server certificates (rejectUnauthorized: true); previously it disabled validation
DDL injection prevented — column types and default values in create_table and alter_table are now validated via sanitizeType() and sanitizeDefault()
Features
dry_run implemented — update_data and delete_data now honour the dry_run: true parameter, returning a preview of affected rows without modifying any data
Row limit enforced — update_data and delete_data now cap affected rows at the declared limit (default 1000, max 10000) using a ctid subquery
Statement timeout — all connections now apply a 30-second query timeout by default, configurable via DB_STATEMENT_TIMEOUT env var
Refactoring
Extracted triplicated SSL configuration logic into a single buildSslConfig() helper
Testing
CI now spins up a real PostgreSQL 16 service and runs the full integration test suite
dry_run tests are now active (were previously skipped)