-
-
Notifications
You must be signed in to change notification settings - Fork 145
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Upgrade drizzle-orm from 0.34.1 to 0.36.0 #1220
base: develop
Are you sure you want to change the base?
[Snyk] Upgrade drizzle-orm from 0.34.1 to 0.36.0 #1220
Conversation
Snyk has created this PR to upgrade drizzle-orm from 0.34.1 to 0.36.0. See this package in npm: drizzle-orm See this project in Snyk: https://app.snyk.io/org/nialljoemaher/project/8ac19f6c-c7f2-4720-acd1-09701979877c?utm_source=github&utm_medium=referral&page=upgrade-pr
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Important Review skippedIgnore keyword(s) in the title. ⛔ Ignored keywords (1)
Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
Snyk has created this PR to upgrade drizzle-orm from 0.34.1 to 0.36.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 26 versions ahead of your current version.
The recommended version was released on 22 days ago.
Release notes
Package name: drizzle-orm
New Features
The third parameter in Drizzle ORM becomes an array
Instead of this
You can now do this
Row-Level Security (RLS)
With Drizzle, you can enable Row-Level Security (RLS) for any Postgres table, create policies with various options, and define and manage the roles those policies apply to.
Drizzle supports a raw representation of Postgres policies and roles that can be used in any way you want. This works with popular Postgres database providers such as
Neon
andSupabase
.In Drizzle, we have specific predefined RLS roles and functions for RLS with both database providers, but you can also define your own logic.
Enable RLS
If you just want to enable RLS on a table without adding policies, you can use
.enableRLS()
As mentioned in the PostgreSQL documentation:
export const users = pgTable('users', {
id: integer(),
}).enableRLS();
Roles
Currently, Drizzle supports defining roles with a few different options, as shown below. Support for more options will be added in a future release.
export const admin = pgRole('admin', { createRole: true, createDb: true, inherit: true });
If a role already exists in your database, and you don’t want drizzle-kit to ‘see’ it or include it in migrations, you can mark the role as existing.
export const admin = pgRole('admin').existing();
Policies
To fully leverage RLS, you can define policies within a Drizzle table.
Example of pgPolicy with all available properties
import { integer, pgPolicy, pgRole, pgTable } from 'drizzle-orm/pg-core';
export const admin = pgRole('admin');
export const users = pgTable('users', {
id: integer(),
}, (t) => [
pgPolicy('policy', {
as: 'permissive',
to: admin,
for: 'delete',
using: sql
</span><span class="pl-kos">,</span> <span class="pl-c1">withCheck</span>: <span class="pl-en">sql</span><span class="pl-s">
,}),
]);
Link Policy to an existing table
There are situations where you need to link a policy to an existing table in your database.
The most common use case is with database providers like
Neon
orSupabase
, where you need to add a policyto their existing tables. In this case, you can use the
.link()
APIimport { pgPolicy } from "drizzle-orm/pg-core";
import { authenticatedRole, realtimeMessages } from "drizzle-orm/supabase";
export const policy = pgPolicy("authenticated role insert policy", {
for: "insert",
to: authenticatedRole,
using: sql``,
}).link(realtimeMessages);
Migrations
If you are using drizzle-kit to manage your schema and roles, there may be situations where you want to refer to roles that are not defined in your Drizzle schema. In such cases, you may want drizzle-kit to skip managing these roles without having to define each role in your drizzle schema and marking it with
.existing()
.In these cases, you can use
entities.roles
indrizzle.config.ts
. For a complete reference, refer to the thedrizzle.config.ts
documentation.By default,
drizzle-kit
does not manage roles for you, so you will need to enable this feature indrizzle.config.ts
.import { defineConfig } from "drizzle-kit";
export default defineConfig({
dialect: 'postgresql',
schema: "./drizzle/schema.ts",
dbCredentials: {
url: process.env.DATABASE_URL!
},
verbose: true,
strict: true,
entities: {
roles: true
}
});
In case you need additional configuration options, let's take a look at a few more examples.
You have an
admin
role and want to exclude it from the list of manageable rolesimport { defineConfig } from "drizzle-kit";
export default defineConfig({
...
entities: {
roles: {
exclude: ['admin']
}
}
});
You have an
admin
role and want to include it in the list of manageable rolesimport { defineConfig } from "drizzle-kit";
export default defineConfig({
...
entities: {
roles: {
include: ['admin']
}
}
});
If you are using
Neon
and want to exclude Neon-defined roles, you can use the provider optionimport { defineConfig } from "drizzle-kit";
export default defineConfig({
...
entities: {
roles: {
provider: 'neon'
}
}
});
If you are using
Supabase
and want to exclude Supabase-defined roles, you can use the provider optionimport { defineConfig } from "drizzle-kit";
export default defineConfig({
...
entities: {
roles: {
provider: 'supabase'
}
}
});
import { defineConfig } from "drizzle-kit";
export default defineConfig({
...
entities: {
roles: {
provider: 'supabase',
exclude: ['new_supabase_role']
}
}
});
RLS on views
With Drizzle, you can also specify RLS policies on views. For this, you need to use
security_invoker
in the view's WITH options. Here is a small example:.with({
securityInvoker: true,
})
.as((qb) =>
qb
.select({
...getTableColumns(roomsUsers),
email: profiles.email,
})
.from(roomsUsers)
.innerJoin(profiles, eq(roomsUsers.userId, profiles.id))
);
Using with Neon
The Neon Team helped us implement their vision of a wrapper on top of our raw policies API. We defined a specific
/neon
import with thecrudPolicy
function that includes predefined functions and Neon's default roles.Here's an example of how to use the
crudPolicy
function:import { integer, pgRole, pgTable } from 'drizzle-orm/pg-core';
export const admin = pgRole('admin');
export const users = pgTable('users', {
id: integer(),
}, (t) => [
crudPolicy({ role: admin, read: true, modify: false }),
]);
This policy is equivalent to:
import { integer, pgPolicy, pgRole, pgTable } from 'drizzle-orm/pg-core';
export const admin = pgRole('admin');
export const users = pgTable('users', {
id: integer(),
}, (t) => [
pgPolicy(
crud-<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">admin</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>-policy-insert
, {for: 'insert',
to: admin,
withCheck: sql
false
,}),
pgPolicy(
crud-<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">admin</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>-policy-update
, {for: 'update',
to: admin,
using: sql
false
,withCheck: sql
false
,}),
pgPolicy(
crud-<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">admin</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>-policy-delete
, {for: 'delete',
to: admin,
using: sql
false
,}),
pgPolicy(
crud-<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">admin</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>-policy-select
, {for: 'select',
to: admin,
using: sql
true
,}),
]);
Neon
exposes predefinedauthenticated
andanaonymous
roles and related functions. If you are usingNeon
for RLS, you can use these roles, which are marked as existing, and the related functions in your RLS queries.export const authenticatedRole = pgRole('authenticated').existing();
export const anonymousRole = pgRole('anonymous').existing();
export const authUid = (userIdColumn: AnyPgColumn) => sql
(select auth.user_id() = <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">userIdColumn</span><span class="pl-kos">}</span></span>)
;For example, you can use the
Neon
predefined roles and functions like this:import { authenticatedRole } from 'drizzle-orm/neon';
import { integer, pgPolicy, pgRole, pgTable } from 'drizzle-orm/pg-core';
export const admin = pgRole('admin');
export const users = pgTable('users', {
id: integer(),
}, (t) => [
pgPolicy(
policy-insert
, {for: 'insert',
to: authenticatedRole,
withCheck: sql
false
,}),
]);
Using with Supabase
We also have a
/supabase
import with a set of predefined roles marked as existing, which you can use in your schema.This import will be extended in a future release with more functions and helpers to make using RLS and
Supabase
simpler.For example, you can use the
Supabase
predefined roles like this:import { serviceRole } from 'drizzle-orm/supabase';
import { integer, pgPolicy, pgRole, pgTable } from 'drizzle-orm/pg-core';
export const admin = pgRole('admin');
export const users = pgTable('users', {
id: integer(),
}, (t) => [
pgPolicy(
policy-insert
, {for: 'insert',
to: serviceRole,
withCheck: sql
false
,}),
]);
The
/supabase
import also includes predefined tables and functions that you can use in your applicationconst auth = pgSchema('auth');
export const authUsers = auth.table('users', {
id: uuid().primaryKey().notNull(),
});
const realtime = pgSchema('realtime');
export const realtimeMessages = realtime.table(
'messages',
{
id: bigserial({ mode: 'bigint' }).primaryKey(),
topic: text().notNull(),
extension: text({
enum: ['presence', 'broadcast', 'postgres_changes'],
}).notNull(),
},
);
export const authUid = sql
(select auth.uid())
;export const realtimeTopic = sql
realtime.topic()
;This allows you to use it in your code, and Drizzle Kit will treat them as existing databases,
using them only as information to connect to other entities
import { sql } from "drizzle-orm/sql";
import { authenticatedRole, authUsers } from "drizzle-orm/supabase";
export const profiles = pgTable(
"profiles",
{
id: uuid().primaryKey().notNull(),
email: text().notNull(),
},
(table) => [
foreignKey({
columns: [table.id],
// reference to the auth table from Supabase
foreignColumns: [authUsers.id],
name: "profiles_id_fk",
}).onDelete("cascade"),
pgPolicy("authenticated can view all profiles", {
for: "select",
// using predefined role from Supabase
to: authenticatedRole,
using: sql
true
,}),
]
);
Let's check an example of adding a policy to a table that exists in
Supabase
import { pgPolicy } from "drizzle-orm/pg-core";
import { authenticatedRole, realtimeMessages } from "drizzle-orm/supabase";
export const policy = pgPolicy("authenticated role insert policy", {
for: "insert",
to: authenticatedRole,
using: sql``,
}).link(realtimeMessages);
Bug fixes
New LibSQL driver modules
Drizzle now has native support for all
@ libsql/client
driver variations:@ libsql/client
- defaults to node import, automatically changes to web if target or platform is set for bundler, e.g.esbuild --platform=browser
const db = drizzle({ connection: {
url: process.env.DATABASE_URL,
authToken: process.env.DATABASE_AUTH_TOKEN
}});
@ libsql/client/node
node compatible module, supports :memory:, file, wss, http and turso connection protocolsconst db = drizzle({ connection: {
url: process.env.DATABASE_URL,
authToken: process.env.DATABASE_AUTH_TOKEN
}});
@ libsql/client/web
module for fullstack web frameworks like next, nuxt, astro, etc.const db = drizzle({ connection: {
url: process.env.DATABASE_URL,
authToken: process.env.DATABASE_AUTH_TOKEN
}});
@ libsql/client/http
module for http and https connection protocolsconst db = drizzle({ connection: {
url: process.env.DATABASE_URL,
authToken: process.env.DATABASE_AUTH_TOKEN
}});
@ libsql/client/ws
module for ws and wss connection protocols