
fix(deps): bump drizzle-orm 0.45.2 + adopt MCP SDK 1.25.3 native types #4252

Merged: waleedlatif1 merged 5 commits into staging from waleedlatif1/dependabot-63, Apr 22, 2026

Conversation

waleedlatif1 (Collaborator) commented Apr 22, 2026

Summary

  • Security: bump drizzle-orm 0.44.5 → 0.45.2 to patch GHSA-gpj5-g38j-94v9 (SQL injection via escapeName typo, CVSS 7.5). No breaking changes affect our usage — all .as() callsites use literal aliases.
  • MCP SDK: adopt native @modelcontextprotocol/sdk 1.25.3 types — JSONRPCResultResponse (renamed from JSONRPCResponse), Tool['inputSchema'], and Tool['annotations'] replace hand-written shapes. Drop spurious tools: {} from client capabilities (it's a server capability).
  • Type cleanup (no behavior change): replace hand-written WebhookRecord/WorkflowRecord/FileMetadataRecord/PolledWebhook* interfaces with typeof table.$inferSelect aliases, removing several as unknown as ... casts. The hand-written types had drifted (e.g. they declared workspaceId: string when the column is nullable); the schema-derived types are honest, and one consumer site (processPolledWebhookEvent) now correctly handles string | null via ?? undefined.
  • Refactor: simplify insertFileMetadata to use .returning() instead of field-by-field copies (-75 lines). All idempotency paths preserved (restore-deleted, return-existing, 23505 race).

Test plan

  • tsc --noEmit clean across apps/sim + packages/db
  • Vitest suites pass: 243 MCP, 46 webhooks, 29 uploads
  • bun.lock resolves a single drizzle-orm@0.45.2; @browserbasehq/stagehand keeps its own nested MCP SDK 1.20.2 (separate copy, by design)
  • Manual smoke: trigger a Gmail/Outlook poll, upload a file, hit the MCP serve route

waleedlatif1 and others added 3 commits April 21, 2026 19:31
Resolves Dependabot alert #98. Drizzle ORM <0.45.2 improperly escaped
quoted SQL identifiers, allowing SQL injection via untrusted input
passed to APIs like sql.identifier() or .as().

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…25.3 bump

Replace hand-written schema/annotation shapes with the SDK's exported
Tool, JSONRPCResultResponse, and Tool['annotations'] types so changes
upstream flow through automatically.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace hand-written interfaces that duplicated schema shape with
typeof table.$inferSelect aliases for webhook, workflow, and
workspaceFiles rows. Also simplify metadata insert/update to use
.returning() instead of field-by-field copies.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
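The advisory bullet in the summary and the first commit message above describe the class of bug being patched: an identifier-escaping routine that did not fully escape quoted identifiers, so untrusted input reaching `sql.identifier()` or `.as()` could break out of the quotes. The TypeScript below is an added example, not drizzle-orm's code or this project's. It shows the PostgreSQL quoting rule such a routine must implement (wrap in double quotes, double every embedded double quote), a self-check that a quoted identifier cannot terminate early, and an allowlist guard for callers that take an alias or column name from a request. The function names, the identifier pattern and the allowlist are assumptions made for this illustration.

```typescript
// Added example; not drizzle-orm's code. Function names, the identifier
// pattern and the allowlist below are assumptions for this illustration.

// Simple identifiers only: letters, digits, underscore, at most 63 bytes
// (PostgreSQL truncates longer names).
const SIMPLE_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

// Quote an identifier for PostgreSQL. The only escaping needed inside a
// double-quoted identifier is doubling the double-quote character itself.
function quoteIdentifier(name: string): string {
  if (name.length === 0) throw new Error('identifier must not be empty');
  if (name.indexOf('\0') !== -1) throw new Error('identifier must not contain NUL');
  return `"${name.replace(/"/g, '""')}"`;
}

// Verify that a quoted identifier cannot terminate early: after removing every
// doubled quote from the interior, no lone double quote may remain.
function isProperlyQuoted(quoted: string): boolean {
  if (quoted.length < 2) return false;
  if (quoted[0] !== '"' || quoted[quoted.length - 1] !== '"') return false;
  const interior = quoted.slice(1, -1);
  return interior.replace(/""/g, '').indexOf('"') === -1;
}

// For code paths where an alias originates from a request, keep untrusted
// strings out of identifier position entirely: accept only values on an
// explicit allowlist that are also simple identifiers, then quote them.
function aliasFromRequest(candidate: string, allowed: readonly string[]): string {
  if (allowed.indexOf(candidate) === -1) {
    throw new Error(`alias not on allowlist: ${JSON.stringify(candidate)}`);
  }
  if (!SIMPLE_IDENTIFIER.test(candidate)) {
    throw new Error(`alias is not a simple identifier: ${JSON.stringify(candidate)}`);
  }
  return quoteIdentifier(candidate);
}

// Property every escaping routine must satisfy: quoting any interior text,
// including names that contain the quote character, yields a properly quoted
// identifier. Useful as a regression test after a dependency bump.
function quotingSurvives(samples: readonly string[]): boolean {
  return samples.every((s) => isProperlyQuoted(quoteIdentifier(s)));
}
```

The PR states that every `.as()` callsite in this codebase passes a literal alias, so the escaping bug was not reachable from request input here; `aliasFromRequest` is the shape of the guard to apply wherever that is not the case, and `quotingSurvives` is the kind of check worth keeping in a test suite so a future regression in the ORM's escaping surfaces on upgrade.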
vercel Bot commented Apr 22, 2026

The latest updates on your projects.

1 Skipped Deployment
Project: docs | Deployment: Skipped | Actions: Skipped | Updated (UTC): Apr 22, 2026 2:42am

cursor Bot commented Apr 22, 2026

PR Summary

Medium Risk
Upgrades core dependencies (drizzle-orm, MCP SDK) and adjusts MCP/webhook/upload code to match new type shapes; most changes are type/refactor but touch DB writes and protocol integration points where subtle runtime incompatibilities could surface.

Overview
Updates dependencies to address a drizzle-orm security advisory (0.44.5 → 0.45.2) and bumps @modelcontextprotocol/sdk (1.20.2 → 1.25.3), updating MCP client/server code to use the SDK’s renamed/stronger types (e.g., JSONRPCResultResponse, Tool['inputSchema'], Tool['annotations']) and simplifying client capabilities handling.

Cleans up several areas to use Drizzle schema-inferred row types ($inferSelect) instead of hand-written interfaces (webhook polling records, uploads metadata, polled webhook processing), which also fixes nullable workspaceId handling in processPolledWebhookEvent. Refactors insertFileMetadata to use .returning() and generateId() while preserving restore/idempotency and unique-constraint race paths.

Reviewed by Cursor Bugbot for commit 3bb327f.

greptile-apps Bot (Contributor) commented Apr 22, 2026

Greptile Summary

This PR bundles a security patch (drizzle-orm 0.44.5 → 0.45.2, fixing SQL-injection CVE GHSA-gpj5-g38j-94v9), an MCP SDK upgrade to 1.25.3 with native type adoption, and a type-cleanup pass that replaces several hand-written DB row interfaces with $inferSelect aliases. The previously reported restored-undefined race in insertFileMetadata is addressed by falling through to the INSERT path when the UPDATE affects zero rows.

Confidence Score: 5/5

Safe to merge — security fix, clean type alignment, and no behavioral regressions identified.

All changes are well-scoped: the drizzle bump is a security patch with no breaking API changes; the MCP SDK type renames are mechanical; the $inferSelect aliases eliminate drift without altering runtime behavior; the prior P1 concern about the restore race has been resolved; and tsc --noEmit is reported clean.

No files require special attention.

Important Files Changed

  • apps/sim/lib/uploads/server/metadata.ts: Refactored to use typeof workspaceFiles.$inferSelect and .returning() throughout; the previously flagged restored race condition is now handled by falling through to INSERT; uuid.v4() replaced with project-standard generateId().
  • apps/sim/lib/webhooks/processor.ts: Replaced hand-written PolledWebhookRecord/PolledWorkflowRecord with schema-derived types; adds ?? undefined coercion for the now-nullable workspaceId in all three payload/metadata sites.
  • apps/sim/lib/webhooks/polling/types.ts: Replaces hand-written WebhookRecord/WorkflowRecord interfaces with typeof webhook.$inferSelect / typeof workflow.$inferSelect; drifted fields (e.g. non-nullable workspaceId) are corrected.
  • apps/sim/lib/mcp/client.ts: Drops spurious tools: {} from client capabilities (it is a server capability); removes unused hasCapability() method; hasListChangedCapability() simplified to use proper SDK typing.
  • apps/sim/app/api/mcp/serve/[serverId]/route.ts: Adopts JSONRPCResultResponse (renamed from JSONRPCResponse) and Tool['inputSchema'] from MCP SDK 1.25.3 native types, removing the hand-written schema cast.
  • bun.lock: Resolves a single drizzle-orm@0.45.2; MCP SDK 1.25.3 brings in @hono/node-server, jose, and zod@4.3.6 as nested deps (not shared with the project's zod 3.x); stagehand retains its own nested MCP 1.20.2 copy.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[insertFileMetadata] --> B{Key exists and deletedAt set?}
    B -->|Yes| C[UPDATE with returning]
    C --> D{restored defined?}
    D -->|Yes| E[return restored]
    D -->|No: concurrent hard-delete| F
    B -->|No| F{Key exists not deleted?}
    F -->|Yes| G[return existing record]
    F -->|No| H[INSERT with returning]
    H --> I{Success?}
    I -->|Yes| J[return inserted]
    I -->|No: 23505 race| K[SELECT after error]
    K --> L{Found?}
    L -->|Yes| M[return existingAfterError]
    L -->|No| N[throw error]

Reviews (2): Last reviewed commit: "chore(uploads): align metadata.ts with g..."

…ard delete

If a hard delete races between the initial SELECT and the restore UPDATE,
.returning() yields no row. Previously the function would return undefined
and silently violate the Promise<FileMetadataRecord> contract. Now the
function falls through to the INSERT path, which already handles
uniqueness races via the 23505 catch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace dynamic uuid import with generateId() per @sim/utils/id
convention, narrow the error catch off `any`, and convert the inline
comment to TSDoc.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
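The flowchart in Greptile's summary and the commit message directly above describe the same control flow for insertFileMetadata: restore a soft-deleted row with an UPDATE ... RETURNING, return an existing live row, fall through to INSERT when the restore affects zero rows because a hard delete raced in, and recover from a 23505 unique violation by re-selecting the row the concurrent writer inserted. The TypeScript below is an added example, not the project's metadata.ts. It models that flow against an in-memory table so each path can be exercised deterministically; the row shape, the FakeTable API, the race hooks and the simulated error are assumptions made for this illustration.

```typescript
// Added example; not the project's code. The row shape, FakeTable, the race
// hooks and the simulated unique_violation are assumptions for this model.

type FileRow = { id: string; key: string; name: string; deletedAt: Date | null };

// Stand-in for PostgreSQL's unique_violation error, which carries code 23505.
class UniqueViolation extends Error {
  code = '23505';
  constructor() {
    super('duplicate key value violates unique constraint');
  }
}

function isUniqueViolation(err: unknown): boolean {
  return typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505';
}

// Hooks that run inside the two windows where a concurrent writer can interleave.
type RaceHooks = { beforeRestore?: () => void; beforeInsert?: () => void };

// Minimal table with a UNIQUE constraint on `key`.
class FakeTable {
  rows: Record<string, FileRow> = {};
  private seq = 0;

  selectByKey(key: string): FileRow | undefined {
    const row = this.rows[key];
    return row ? { ...row } : undefined;
  }

  // UPDATE ... SET deleted_at = NULL WHERE key = $1 AND deleted_at IS NOT NULL RETURNING *
  restoreByKey(key: string): FileRow | undefined {
    const row = this.rows[key];
    if (!row || row.deletedAt === null) return undefined; // zero rows affected
    row.deletedAt = null;
    return { ...row };
  }

  // INSERT ... RETURNING *; a duplicate key raises the simulated 23505.
  insert(values: Omit<FileRow, 'id'>): FileRow {
    if (this.rows[values.key]) throw new UniqueViolation();
    const inserted: FileRow = { ...values, id: `id-${++this.seq}` };
    this.rows[values.key] = inserted;
    return { ...inserted };
  }

  softDelete(key: string): void {
    const row = this.rows[key];
    if (row) row.deletedAt = new Date();
  }

  hardDelete(key: string): void {
    delete this.rows[key];
  }
}

function insertFileMetadata(db: FakeTable, key: string, name: string, hooks: RaceHooks = {}): FileRow {
  const existing = db.selectByKey(key);

  if (existing && existing.deletedAt !== null) {
    hooks.beforeRestore?.(); // a concurrent hard delete can land here
    const restored = db.restoreByKey(key);
    if (restored) return restored; // restore-deleted path
    // Zero rows returned: the row is gone. Fall through to INSERT instead of
    // returning undefined and breaking the Promise<FileRow> contract.
  } else if (existing) {
    return existing; // return-existing path
  }

  hooks.beforeInsert?.(); // a concurrent insert of the same key can land here
  try {
    return db.insert({ key, name, deletedAt: null });
  } catch (err) {
    if (isUniqueViolation(err)) {
      // 23505 race: another writer inserted the key first; return their row.
      const existingAfterError = db.selectByKey(key);
      if (existingAfterError) return existingAfterError;
    }
    throw err; // not a unique violation, or the row vanished again
  }
}
```

The two hooks stand in for the interleavings the commit message names: `beforeRestore` reproduces the hard delete between the initial SELECT and the restore UPDATE, and `beforeInsert` reproduces the duplicate-key race that the 23505 catch handles. A real database would exercise these windows non-deterministically; the model lets a test pin each path.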
waleedlatif1 (Collaborator, Author) commented:

@greptile

waleedlatif1 (Collaborator, Author) commented:

@cursor review

cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

@waleedlatif1 waleedlatif1 merged commit 45bf396 into staging Apr 22, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/dependabot-63 branch April 22, 2026 02:52