build(deps): bump drizzle-orm from 0.41.0 to 0.45.2

[dependabot]

Bumps drizzle-orm from 0.41.0 to 0.45.2.

Release notes

Sourced from drizzle-orm's releases.

0.45.2

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

0.45.1

• Fixed pg-native Pool detection in node-postgres transactions breaking in environments with forbidden require() (#5107)

0.45.0

• Fixed pg-native Pool detection in node-postgres transactions
• Allowed subqueries in select fields
• Updated typo algorythm => algorithm
• Fixed $onUpdate not handling SQL values (fixes #2388, tests implemented by L-Mario564 in #2911)
• Fixed pg mappers not handling Date instances in bun-sql:postgresql driver responses for date, timestamp types (fixes #4493)

0.44.7

• fix durable sqlite transaction return value #3746 - thanks @​joaocstro

0.44.6

• feat: add $replicas reference #4874

0.44.5

• Fixed invalid usage of .one() in durable-sqlite session
• Fixed spread operator related crash in sqlite blob columns
• Better browser support for sqlite blob columns
• Improved sqlite blob mapping

0.44.4

• Fix wrong DrizzleQueryError export. thanks @​nathankleyn

0.44.3

• Fixed types of $client for clients created by drizzle function

await db.$client.[...]

• Added the updated_at column to the neon_auth.users_sync table definition.

0.44.2

• [BUG]: Fixed type issues with joins with certain variations of tsconfig: #4535, #4457

0.44.1

• [BUG]: Drizzle can no longer run on Durable Objects

0.44.0

Error handling

Starting from this version, we’ve introduced a new DrizzleQueryError that wraps all errors from database drivers and provides a set of useful information:

... (truncated)

Commits

• 273c780 + 0.45.2 (#5534)
• 4aa6ecf Kit updates (#5490)
• e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
• a086f59 Fixed pg-native Pool detection in node-postgres transactions breaking in envi...
• c445637 Merge pull request #5095 from drizzle-team/main-workflows
• e7b3aaa Merge branch 'main' into main-workflows
• 0d885a5 refactor: Update condition for run-feature job to improve clarity and functio...
• 45a1ffb Merge pull request #5087 from drizzle-team/main-workflows
• 6357645 chore: Comment out NEON_HTTP_CONNECTION_STRING requirement in release workflows
• 53dec98 refactor: Simplify release router workflow by removing unnecessary switch job...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for drizzle-orm since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[changeset-bot]

⚠️ No Changeset found

Latest commit: acfebd2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
admin.ensnode.io	Error		Apr 8, 2026 4:41am
ensnode.io	Error		Apr 8, 2026 4:41am
ensrainbow.io	Error		Apr 8, 2026 4:41am

[greptile-apps]

Greptile Summary

This PR is a Dependabot-generated bump of drizzle-orm from 0.41.0 to 0.45.2 across the monorepo. The version is updated in both the pnpm workspace catalog (pnpm-workspace.yaml) and the pinned version in packages/ponder-subgraph/package.json, with the lockfile updated accordingly.

Key highlights of the version range:

• 0.45.2 (security): Fixes sql.identifier() / sql.as() escaping — a SQL injection vulnerability (CWE-89). This is the primary motivation for the upgrade.
• 0.45.0: Fixes $onUpdate not handling SQL values, pg-native Pool detection in node-postgres transactions, and bun-sql Date mapping.
• 0.44.x: Several minor bug fixes including durable SQLite transaction return values and type fixes for joins.
• The lockfile also resolves a minor @vitest/mocker peer variant (tsx@4.21.0 → tsx@4.20.6), which appears to be an incidental dependency resolution fix.

No application logic changes are included — this is a pure dependency upgrade.

Confidence Score: 5/5

Safe to merge — this is a security-relevant dependency bump with no breaking changes and a high Dependabot compatibility score.

The change is a pure dependency upgrade generated by Dependabot. The upgrade patches a SQL injection vulnerability (CWE-89) and includes several bug fixes. No application code is modified, all packages are updated consistently, and the lockfile is coherent. No P0/P1 findings were identified.

No files require special attention. Note that packages/ponder-subgraph/package.json pins drizzle-orm directly rather than using catalog: like other packages, but this is pre-existing behavior and both values are now in sync at 0.45.2.

Vulnerabilities

This upgrade resolves a known SQL injection vulnerability (CWE-89) in drizzle-orm affecting sql.identifier() and sql.as() — values passed to these functions were not properly escaped prior to 0.45.2. Upgrading is strongly recommended from a security standpoint. No new security concerns are introduced by this PR.

Important Files Changed

Filename	Overview
packages/ponder-subgraph/package.json	Bumps hardcoded drizzle-orm pin from 0.41.0 to 0.45.2; version matches the catalog, so no version skew.
pnpm-workspace.yaml	Updates catalog entry for drizzle-orm from 0.41.0 to 0.45.2; all catalog-referencing packages will receive the new version.
pnpm-lock.yaml	Lockfile updated: adds drizzle-orm@0.45.2 snapshot, removes old 0.41.0 entries, and resolves an incidental @vitest/mocker peer variant change.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["pnpm-workspace.yaml\ncatalog: drizzle-orm: 0.45.2"] --> B["packages using catalog:"]
    B --> C["apps/ensnode"]
    B --> D["apps/ensindexer"]
    B --> E["apps/..."]
    A2["packages/ponder-subgraph/package.json\ndrizzle-orm: 0.45.2 (pinned)"] --> F["@ensnode/ponder-subgraph"]
    G["pnpm-lock.yaml"] --> H["drizzle-orm@0.45.2 snapshot\nSecurity fix: sql.identifier/sql.as escaping"]

Loading

_{Reviews (1): Last reviewed commit: "build(deps): bump drizzle-orm from 0.41...." | Re-trigger Greptile}

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.