sqlite: enable defensive mode by default

louwers · aduh95 · commit 1967aec35eeb · 2026-02-10T17:39:13.000+01:00
PR-URL: #61266 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
@@ -102,6 +102,9 @@ exposed by this class execute synchronously.
 <!-- YAML
 added: v22.5.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/61266
+    description: Enable `defensive` by default.
   - version:
       - v24.12.0
     pr-url: https://github.com/nodejs/node/pull/60217
@@ -149,7 +152,7 @@ changes:
   * `defensive` {boolean} If `true`, enables the defensive flag. When the defensive flag is enabled,
     language features that allow ordinary SQL to deliberately corrupt the database file are disabled.
     The defensive flag can also be set using `enableDefensive()`.
-    **Default:** `false`.
+    **Default:** `true`.
 
 Constructs a new `DatabaseSync` instance.
 
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
@@ -79,7 +79,7 @@ class DatabaseOpenConfiguration {
   bool return_arrays_ = false;
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
-  bool defensive_ = false;
+  bool defensive_ = true;
 };
 
 class DatabaseSync;
diff --git a/test/parallel/test-sqlite-config.js b/test/parallel/test-sqlite-config.js
@@ -20,9 +20,9 @@ function checkDefensiveMode(db) {
   }
 }
 
-test('by default, defensive mode is off', (t) => {
+test('by default, defensive mode is on', (t) => {
   const db = new DatabaseSync(':memory:');
-  t.assert.strictEqual(checkDefensiveMode(db), false);
+  t.assert.strictEqual(checkDefensiveMode(db), true);
 });
 
 test('when passing { defensive: true } as config, defensive mode is on', (t) => {
@@ -32,13 +32,20 @@ test('when passing { defensive: true } as config, defensive mode is on', (t) =>
   t.assert.strictEqual(checkDefensiveMode(db), true);
 });
 
+test('when passing { defensive: false } as config, defensive mode is off', (t) => {
+  const db = new DatabaseSync(':memory:', {
+    defensive: false
+  });
+  t.assert.strictEqual(checkDefensiveMode(db), false);
+});
+
 test('defensive mode on after calling db.enableDefensive(true)', (t) => {
   const db = new DatabaseSync(':memory:');
   db.enableDefensive(true);
   t.assert.strictEqual(checkDefensiveMode(db), true);
 });
 
-test('defensive mode should be off after calling db.enableDefensive(false)', (t) => {
+test('defensive mode off after calling db.enableDefensive(false)', (t) => {
   const db = new DatabaseSync(':memory:', {
     defensive: true
   });
