[dev] [Marfuen] mariano/prisma-pg-ssl-fix#2418
PR Summary (Medium Risk)

Overview: This updates connection creation to avoid pg@8/Prisma v7 defaults that reject RDS Proxy certificates when

Written by Cursor Bugbot for commit 461924c.
7392906 to 2b62a89
2b62a89 to 461924c
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true }; | ||
| default: return undefined; | ||
| } | ||
| } |
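Review bot: `verify-ca` and `verify-full` both collapse to `{ rejectUnauthorized: true }` with no `ca`, so pg hands the chain to Node's bundled root store, which does not contain the Amazon RDS CA; against RDS these branches will fail the handshake unless a CA bundle is supplied, and `verify-ca` also gets hostname checking it does not ask for, because pg leaves Node's default `checkServerIdentity` in place. Suggest taking a PEM bundle and returning `{ rejectUnauthorized: true, ca }` for both modes. The `default: return undefined` arm also turns an unrecognised value such as `prefer` or a typo into "no SSL settings at all" rather than an error; throwing there would make a misconfigured `DATABASE_URL` fail loudly instead of silently downgrading.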
getSslConfig duplicated across five files plus template
Low Severity
The getSslConfig function is copy-pasted identically into five separate client.ts files (apps/api, apps/app, apps/framework-editor, apps/portal, packages/db/src) and a sixth time inside a template literal in packages/db/scripts/combine-schemas.js. Since it's a pure utility with no dependency on app-specific types, it could live in a single shared location (e.g., exported from packages/db). Six copies of security-sensitive SSL logic increase the risk of inconsistent future fixes.
| function createPrismaClient(): PrismaClient { | ||
| const adapter = new PrismaPg({ connectionString: process.env.DATABASE_URL! }); | ||
| const url = process.env.DATABASE_URL!; | ||
| const adapter = new PrismaPg({ connectionString: url, ssl: getSslConfig(url) }); |
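Review bot: for `sslmode=require` the `ssl` object this passes is `{ rejectUnauthorized: false }` (per the comment below), which does not relax validation for the RDS Proxy certificate, it switches certificate validation off entirely, so the link is encrypted but any certificate presented by an on-path host is accepted. The fix that actually addresses "defaults that reject RDS Proxy certificates" is to keep `rejectUnauthorized: true` and pass the RDS CA bundle as `ca`. Separately, `process.env.DATABASE_URL!` only silences the type checker: when the variable is unset, `url` is `undefined` at runtime and flows into both `getSslConfig(url)` and `PrismaPg`; an explicit `if (!url) throw new Error(...)` before the adapter is constructed gives a clear failure instead of a later crash inside the driver.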
Connection string sslmode may override explicit ssl option
High Severity
The pg docs warn that when a connectionString contains sslmode, the parsed SSL config replaces an explicitly provided ssl object entirely. Since the DATABASE_URL already contains sslmode=require, the ssl: { rejectUnauthorized: false } returned by getSslConfig may be silently discarded by pg.Pool, leaving rejectUnauthorized at its default true — which is the exact behavior this PR aims to fix. Worth verifying that PrismaPg doesn't hit this documented pg pitfall; the safer approach may be to strip sslmode from the URL before passing it as connectionString, or use individual connection parameters instead.
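One way to avoid the precedence pitfall described in the comment above, as an added example (not code from this PR, from Prisma or from pg): remove `sslmode` from the URL with the WHATWG `URL` API, translate the removed value into pg's explicit `ssl` option, and accept a CA bundle for the verify-* modes so that verification can be kept on against RDS. The function names `splitSslMode` and `sslFromMode`, the optional `ca` parameter and the sample URLs are assumptions made for illustration.

```typescript
// Added example, not the PR's or pg's own code: keep SSL configuration in exactly
// one place by removing sslmode from the URL and passing its meaning as pg's
// explicit `ssl` option, so a connection-string parse cannot override it.
// Function names and the `ca` parameter are illustrative assumptions.

type PgSslOption =
  | false
  | { rejectUnauthorized: false }
  | { rejectUnauthorized: true; ca?: string };

interface SplitUrl {
  connectionString: string;     // original URL with the sslmode parameter removed
  sslmode: string | undefined;  // the value that was stripped, if any
  ssl: PgSslOption | undefined; // value to pass as the `ssl` option
}

// Map libpq-style sslmode values to pg's `ssl` option. `ca` is an optional PEM
// bundle (for RDS, the AWS global bundle read from disk) so the verify-* modes
// validate against the right root; without it Node's bundled roots are used,
// and those do not include the RDS CA.
function sslFromMode(sslmode: string | undefined, ca?: string): PgSslOption | undefined {
  switch (sslmode) {
    case undefined:
      return undefined; // no preference expressed; pg's default (no TLS) applies
    case "disable":
      return false;
    case "require":
      // Encrypts the link but does not validate the server certificate,
      // so an on-path attacker presenting any certificate is accepted.
      return { rejectUnauthorized: false };
    case "verify-ca":
    case "verify-full":
      return ca ? { rejectUnauthorized: true, ca } : { rejectUnauthorized: true };
    default:
      // Refuse unknown values rather than silently falling back to plaintext.
      throw new Error(`unsupported sslmode value: ${sslmode}`);
  }
}

// Remove sslmode from a postgres:// or postgresql:// URL and return both the
// cleaned connection string and the equivalent `ssl` option.
function splitSslMode(databaseUrl: string, ca?: string): SplitUrl {
  const url = new URL(databaseUrl);
  const sslmode = url.searchParams.get("sslmode") ?? undefined;
  url.searchParams.delete("sslmode");
  // Re-assign `search` explicitly so an emptied query serialises without a
  // trailing "?" regardless of Node version.
  url.search = url.searchParams.toString();
  return {
    connectionString: url.toString(),
    sslmode,
    ssl: sslFromMode(sslmode, ca),
  };
}

// Constructed sample URL; in the application this would be process.env.DATABASE_URL.
const sample = splitSslMode(
  "postgresql://app:s3cret@db.example.internal:5432/comp?sslmode=require&connection_limit=5",
);
console.log(sample.connectionString, JSON.stringify(sample.ssl));
```

The pair `{ connectionString, ssl }` is what you would hand to `PrismaPg` or `pg.Pool`, with `ca` read once from the RDS bundle file (for example via `fs.readFileSync(path, "utf8")`) when the mode is a verify-* one. Two caveats: the `URL` round trip may percent-encode characters in the password component, so check the cleaned string against the original in a test, and `require` still means "encrypt but do not authenticate"; for RDS the safer target is `verify-full` with the bundle.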
# [3.14.0](v3.13.1...v3.14.0) (2026-04-02)

### Bug Fixes

* add SSL support to PrismaPg adapter for RDS/staging (rejectUnauthorized: false) ([#2418](#2418)) ([451c6a1](451c6a1))
* **api:** pin prisma@7.6.0 in Dockerfile generate step (prevents stale v6 binary resolution) ([#2423](#2423)) ([13a7b77](13a7b77))
* **api:** upgrade Dockerfile base images for Prisma v7 Node.js requirement (bun 1.3.11, node 22) ([#2425](#2425)) ([dc9351c](dc9351c))
* **app:** comment button gets disabled with numbered formatting ([#2368](#2368)) ([0586dfe](0586dfe))
* **auth:** make Microsoft OAuth tenantId configurable via env var ([#2412](#2412)) ([ffb260b](ffb260b)), closes [#2411](#2411)
* **company:** make Access Request form options in Documents ([#2369](#2369)) ([f461c4d](f461c4d))
* **db:** point prisma.config.ts to schema directory for multi-file schema support in migrations ([#2422](#2422)) ([8a05e29](8a05e29))
* **db:** remove dotenv/config import from prisma.config.ts (not available in Docker build context) ([#2426](#2426)) ([a98cf93](a98cf93))
* **db:** use process.env fallback for DATABASE_URL in prisma.config.ts ([#2416](#2416)) ([3e29382](3e29382))
* default to SSL for non-localhost connections, remove buggy cleanUrl stripping ([#2430](#2430)) ([98213f8](98213f8))
* Enable 'Ready for Review' menu for client on Document Finding ([#2404](#2404)) ([12e5e3a](12e5e3a))
* handle stale Ramp sync provider in legacy orgs ([3d6d1d4](3d6d1d4))
* install ca-certificates before wget, clean apt after download ([#2433](#2433)) ([772ac48](772ac48))
* install ca-certificates before wget, clean apt after download ([#2434](#2434)) ([b7b7944](b7b7944))
* **portal:** remove getJwtToken and use session-cookie auth directly ([67aacf5](67aacf5))
* scope stale provider cleanup to ramp only ([a3313cd](a3313cd))
* set trigger.dev runtime to node-22 (Prisma v7 requires node >=20.19 || >=22.12) ([#2419](#2419)) ([f688334](f688334))
* strip sslmode from connection string before passing to pg (prevent double-parsing) ([#2420](#2420)) ([00e6f13](00e6f13))
* strip sslmode from DATABASE_URL to avoid conflict with explicit ssl option ([#2435](#2435)) ([335dcd2](335dcd2))
* use AWS RDS CA bundle for proper SSL verification, simplify client SSL config ([#2432](#2432)) ([863f14b](863f14b))
* use installed prisma binary instead of bunx (fixes prisma/config resolution in Docker) ([#2427](#2427)) ([fab6693](fab6693))
* use process.env fallback for DATABASE_URL in all prisma.config.ts files (build envs have no DB) ([#2417](#2417)) ([977a705](977a705))

### Features

* **app, api, framework-editor:** restructure compliance app and add framework editor CLI ([30516d4](30516d4))
* migrate prisma from v6 to v7 ([59e0db9](59e0db9))
* remove Ramp integration entirely ([a04c486](a04c486))

🎉 This PR is included in version 3.14.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀


This is an automated pull request to merge mariano/prisma-pg-ssl-fix into dev.
It was created by the [Auto Pull Request] action.