Skip to content

fix(deps): bump drizzle-orm 0.45.2 + adopt MCP SDK 1.25.3 native types#4252

Merged
waleedlatif1 merged 5 commits intostagingfrom
waleedlatif1/dependabot-63
Apr 22, 2026
Merged

fix(deps): bump drizzle-orm 0.45.2 + adopt MCP SDK 1.25.3 native types#4252
waleedlatif1 merged 5 commits intostagingfrom
waleedlatif1/dependabot-63

Conversation

@waleedlatif1
Copy link
Copy Markdown
Collaborator

@waleedlatif1 waleedlatif1 commented Apr 22, 2026
edited
Loading

Summary

  • Security: bump drizzle-orm 0.44.5 → 0.45.2 to patch GHSA-gpj5-g38j-94v9 (SQL injection via escapeName typo, CVSS 7.5). No breaking changes affect our usage — all .as() callsites use literal aliases.
  • MCP SDK: adopt native @modelcontextprotocol/sdk 1.25.3 types — JSONRPCResultResponse (renamed from JSONRPCResponse), Tool['inputSchema'], and Tool['annotations'] replace hand-written shapes. Drop spurious tools: {} from client capabilities (it's a server capability).
  • Type cleanup (no behavior change): replace hand-written WebhookRecord/WorkflowRecord/FileMetadataRecord/PolledWebhook* interfaces with typeof table.$inferSelect aliases, removing several as unknown as ... casts. The hand-written types had drifted (e.g. they declared workspaceId: string when the column is nullable); the schema-derived types are honest, and one consumer site (processPolledWebhookEvent) now correctly handles string | null via ?? undefined.
  • Refactor: simplify insertFileMetadata to use .returning() instead of field-by-field copies (-75 lines). All idempotency paths preserved (restore-deleted, return-existing, 23505 race).

Test plan

  • tsc --noEmit clean across apps/sim + packages/db
  • Vitest suites pass: 243 MCP, 46 webhooks, 29 uploads
  • bun.lock resolves a single drizzle-orm@0.45.2; @browserbasehq/stagehand keeps its own nested MCP SDK 1.20.2 (separate copy, by design)
  • Manual smoke: trigger a Gmail/Outlook poll, upload a file, hit the MCP serve route

waleedlatif1 and others added 3 commits April 21, 2026 19:31
@waleedlatif1 @claude
fix(deps): bump drizzle-orm to 0.45.2 (GHSA-gpj5-g38j-94v9)
22e2cde 
Resolves Dependabot alert #98. Drizzle ORM <0.45.2 improperly escaped
quoted SQL identifiers, allowing SQL injection via untrusted input
passed to APIs like sql.identifier() or .as().

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@waleedlatif1 @claude
chore(mcp): adopt native SDK types after @modelcontextprotocol/sdk 1.…
2e3a341 
…25.3 bump

Replace hand-written schema/annotation shapes with the SDK's exported
Tool, JSONRPCResultResponse, and Tool['annotations'] types so changes
upstream flow through automatically.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@waleedlatif1 @claude
refactor(types): use drizzle $inferSelect for row types
ffce93b 
Replace hand-written interfaces that duplicated schema shape with
typeof table.$inferSelect aliases for webhook, workflow, and
workspaceFiles rows. Also simplify metadata insert/update to use
.returning() instead of field-by-field copies.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Apr 22, 2026 2:42am

Request Review

@cursor
Copy link
Copy Markdown

cursor Bot commented Apr 22, 2026
edited
Loading

PR Summary

Medium Risk
Upgrades core dependencies (drizzle-orm, MCP SDK) and adjusts MCP/webhook/upload code to match new type shapes; most changes are type/refactor but touch DB writes and protocol integration points where subtle runtime incompatibilities could surface.

Overview
Updates dependencies to address a drizzle-orm security advisory (0.44.50.45.2) and bumps @modelcontextprotocol/sdk (1.20.21.25.3), updating MCP client/server code to use the SDK’s renamed/stronger types (e.g., JSONRPCResultResponse, Tool['inputSchema'], Tool['annotations']) and simplifying client capabilities handling.

Cleans up several areas to use Drizzle schema-inferred row types ($inferSelect) instead of hand-written interfaces (webhook polling records, uploads metadata, polled webhook processing), which also fixes nullable workspaceId handling in processPolledWebhookEvent. Refactors insertFileMetadata to use .returning() and generateId() while preserving restore/idempotency and unique-constraint race paths.

Reviewed by Cursor Bugbot for commit 3bb327f. Configure here.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Apr 22, 2026
edited
Loading

Greptile Summary

This PR bundles a security patch (drizzle-orm 0.44.5 → 0.45.2, fixing SQL-injection CVE GHSA-gpj5-g38j-94v9), an MCP SDK upgrade to 1.25.3 with native type adoption, and a type-cleanup pass that replaces several hand-written DB row interfaces with $inferSelect aliases. The previously reported restored-undefined race in insertFileMetadata is addressed by falling through to the INSERT path when the UPDATE affects zero rows.

Confidence Score: 5/5

Safe to merge — security fix, clean type alignment, and no behavioral regressions identified.

All changes are well-scoped: the drizzle bump is a security patch with no breaking API changes; the MCP SDK type renames are mechanical; the $inferSelect aliases eliminate drift without altering runtime behavior; the prior P1 concern about the restore race has been resolved; and tsc --noEmit is reported clean.

No files require special attention.

Important Files Changed

Filename Overview
apps/sim/lib/uploads/server/metadata.ts Refactored to use typeof workspaceFiles.$inferSelect and .returning() throughout; the previously flagged restored race condition is now handled by falling through to INSERT; uuid.v4() replaced with project-standard generateId().
apps/sim/lib/webhooks/processor.ts Replaced hand-written PolledWebhookRecord/PolledWorkflowRecord with schema-derived types; adds ?? undefined coercion for the now-nullable workspaceId in all three payload/metadata sites.
apps/sim/lib/webhooks/polling/types.ts Replaces hand-written WebhookRecord/WorkflowRecord interfaces with typeof webhook.$inferSelect / typeof workflow.$inferSelect; drifted fields (e.g. non-nullable workspaceId) are corrected.
apps/sim/lib/mcp/client.ts Drops spurious tools: {} from client capabilities (it is a server capability); removes unused hasCapability() method; hasListChangedCapability() simplified to use proper SDK typing.
apps/sim/app/api/mcp/serve/[serverId]/route.ts Adopts JSONRPCResultResponse (renamed from JSONRPCResponse) and Tool['inputSchema'] from MCP SDK 1.25.3 native types, removing the hand-written schema cast.
bun.lock Resolves a single drizzle-orm@0.45.2; MCP SDK 1.25.3 brings in @hono/node-server, jose, and zod@4.3.6 as nested deps (not shared with the project's zod 3.x); stagehand retains its own nested MCP 1.20.2 copy.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[insertFileMetadata] --> B{Key exists and deletedAt set?}
    B -->|Yes| C[UPDATE with returning]
    C --> D{restored defined?}
    D -->|Yes| E[return restored]
    D -->|No: concurrent hard-delete| F
    B -->|No| F{Key exists not deleted?}
    F -->|Yes| G[return existing record]
    F -->|No| H[INSERT with returning]
    H --> I{Success?}
    I -->|Yes| J[return inserted]
    I -->|No: 23505 race| K[SELECT after error]
    K --> L{Found?}
    L -->|Yes| M[return existingAfterError]
    L -->|No| N[throw error]
Loading

Reviews (2): Last reviewed commit: "chore(uploads): align metadata.ts with g..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 22, 2026
View reviewed changes
Comment thread apps/sim/lib/uploads/server/metadata.ts Outdated
@waleedlatif1 @claude
fix(uploads): fall through to INSERT if restore-deleted row races a h…
0d9a14e 
…ard delete

If a hard delete races between the initial SELECT and the restore UPDATE,
.returning() yields no row. Previously the function would return undefined
and silently violate the Promise<FileMetadataRecord> contract. Now the
function falls through to the INSERT path, which already handles
uniqueness races via the 23505 catch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@waleedlatif1 @claude
chore(uploads): align metadata.ts with global standards
3bb327f 
Replace dynamic uuid import with generateId() per @sim/utils/id
convention, narrow the error catch off `any`, and convert the inline
comment to TSDoc.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 22, 2026

@greptile

@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 22, 2026

@cursor review

cursor[bot]
cursor Bot reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 3bb327f. Configure here.

@waleedlatif1 waleedlatif1 merged commit 45bf396 into staging Apr 22, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/dependabot-63 branch April 22, 2026 02:52
@waleedlatif1 waleedlatif1 mentioned this pull request Apr 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@waleedlatif1