
Update dependency pg-promise to v11 [SECURITY]#42

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-pg-promise-vulnerability

Conversation


@renovate renovate bot commented Jun 19, 2025

This PR contains the following updates:

Package      Change
pg-promise   ^10.3.5 -> ^11.5.5

GitHub Vulnerability Alerts

CVE-2025-29744

pg-promise before 11.5.5 is vulnerable to SQL Injection due to improper handling of negative numbers.


Release Notes

vitaly-t/pg-promise (pg-promise)

v11.5.5

  • Addressing SQL injection issue; all negative numbers are now wrapped in parentheses.
  • Dev dependencies updated.

Thanks to @​paul-gerste-sonarsource!
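To show why the 11.5.5 change matters, an added illustration (not code from this PR or from pg-promise itself): a toy number formatter in its pre-fix form beside the parenthesised form the release note describes, substituted into a subtraction template. The template, the parameter values, the minimal `$n` substitution and the reading that PostgreSQL treats `--` as a line comment are assumptions of this illustration, not the library's own code.

```javascript
// Added illustration (not pg-promise's own code): why a bare negative number is
// unsafe when substituted as text, and what wrapping it in parentheses changes.
// Assumption: PostgreSQL reads "--" as the start of a line comment, so a template
// such as "$1-$2" with a negative second value loses the rest of the statement
// unless the negative is parenthesised.

// Pre-fix behaviour: the number is inserted verbatim.
function formatNumberUnsafe(num) {
  return String(num);
}

// Fixed behaviour, as the 11.5.5 release note describes it: negative numbers are
// wrapped in parentheses, so "-" followed by -3 becomes "-(-3)".
function formatNumberFixed(num) {
  if (!Number.isFinite(num)) {
    throw new TypeError('only finite numbers are handled in this illustration');
  }
  return num < 0 ? `(${num})` : String(num);
}

// Minimal "$1, $2, ..." substitution for numeric parameters only (constructed for
// this example; the real library formats many more types).
function format(template, values, formatNumber) {
  return template.replace(/\$(\d+)/g, (_, idx) => {
    const v = values[Number(idx) - 1];
    if (typeof v !== 'number') throw new TypeError(`param $${idx} is not a number`);
    return formatNumber(v);
  });
}

// Check used by the comparison below: did formatting produce a "--" token?
function hasLineComment(sql) {
  return sql.includes('--');
}

// Constructed sample: a subtraction with no whitespace around the operator.
const TEMPLATE = 'SELECT $1-$2 AS diff, name FROM items WHERE id = $3';
const PARAMS = [5, -3, 42];

const unsafeSql = format(TEMPLATE, PARAMS, formatNumberUnsafe);
const fixedSql = format(TEMPLATE, PARAMS, formatNumberFixed);

console.log(unsafeSql); // SELECT 5--3 AS diff, name FROM items WHERE id = 42
console.log(fixedSql);  // SELECT 5-(-3) AS diff, name FROM items WHERE id = 42
console.log(hasLineComment(unsafeSql), hasLineComment(fixedSql)); // true false
```

The pre-fix output turns everything after `5` into a comment, so the `WHERE` clause never reaches the server; the parenthesised form keeps the statement intact, which is the property the upgrade restores.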

v11.5.4

  • Dependencies updated, including the driver, to v8.11.3

v11.5.3

  • Following up on driver fix-update, see issue #​888

v11.5.2

This update is to clarify the full range of environments officially supported:

  • PostgreSql v10 - v15
  • NodeJS v14 - v18

It is worth noting that:

  • It may work with PostgreSql v9, but it is no longer officially supported.
  • It should work with NodeJS v20, but it is not officially supported yet (we support LTS versions of NodeJS only).

The CI has been updated accordingly. No functional changes.

v11.5.1

  • Updated dependencies, including the driver, to v8.11.1
  • Fixed #​884 - CI build issue in test

v11.5.0

  • Many dependencies updated, including Postgres driver.
  • Minor documentation updates.

Please note that at the time of publishing this, GitHub CI started showing problems again, unrelated to the project. All tests pass locally fine, disregard Failed Build status for the time being.

v11.4.3

  • Updated dependencies
  • Marked method batch as deprecated.

v11.4.2

  • Dev dependencies updated
  • Semantic refactoring of the code

v11.4.1

  • Corrected TypeScript signature for the Pool's property log.

v11.4.0

  • Updated dependencies: "pg" -> "8.10.0" and "pg-query-stream" -> "4.4.0"
  • Extended IPool TypeScript declaration with properties expiredCount + log. The latter in case you want to log what the pool is doing:
db.$pool.log = (msg: string, err?: any) => {
    console.log('Pool:', msg, err); // report what the pool is doing
}

v11.3.0

  • Following #​867, amended missed connection + default properties within TypeScript declarations:
    • lock_timeout - abort any statement that waits longer than the specified duration
    • idle_in_transaction_session_timeout - terminate any session with an open transaction that has been idle for longer

v11.2.0

Quick follow up on issues within the previous release:

  • Corrected type of stream property to Socket
  • Temporarily disabled CI for PG v14 and v15, until the integration issue is resolved.

v11.1.0

  • Upgraded the underlying driver; see its changes.
  • Added property stream to the connection parameters in TypeScript declarations.

Please ignore CI errors that are due to this issue, which can be addressed later.

v11.0.2

CI integration added, thanks to @​dplewis

v11.0.1

Removed use of operator ??=, which was causing error under NodeJS version < 15.

v11.0.0

BREAKING CHANGES

  • Initialization option noLocking and all the locking logic has been removed. It was a bit of an over-engineering thing.
  • Parameters for events connect, disconnect and receive have changed (wrapped into an object)
  • Connection option poolSize has been retired. You should just use option max now, for the pool size.
  • NodeJS v14 is now the required minimum

OTHER CHANGES

  • Documentation updates
  • DEV dependencies updated

v10.15.4

  • Fixes #​854 TypeScript declaration issue.

v10.15.3

v10.15.2

  • Fixing #​853 (crash in NodeJS v12)

v10.15.1

  • Event error now reports query + params even for regular query errors (see pr #​852)

v10.15.0

  • Minimum version of NodeJS required is now v12.0.0 (was v8.0.0 previously). See the check.

v10.14.2

  • Assertions were refactored internally, so now they can be overridden via global.pgPromiseAssert. See assert-options module.
  • Improved Buffer detection
  • Documentation updates

v10.14.1

Fixes for TypeScript declarations:
  • Fixing declaration for method result
  • Fixing declaration for txMode namespace, so it is consistent with how the library works:

Example of correct txMode usage:

import {txMode} from 'pg-promise';

const {isolationLevel, TransactionMode} = txMode;

const mode = new TransactionMode({tiLevel: isolationLevel.none});

Or, you can still extract those from both the uninitialized library:

import * as pgPromise from 'pg-promise';

const {isolationLevel, TransactionMode} = pgPromise.txMode; // from uninitialized library

... and from an initialized library instance:

import * as pgPromise from 'pg-promise';

const pgp = pgPromise({/* init options */}); // initializing the library

const {isolationLevel, TransactionMode} = pgp.txMode; // from initialized library

v10.14.0

  • Type Result (returned from methods result and multiResult) is now iterable, automatically exposing rows of data:
const res = await db.result('select * from users');
for (const r of res) {
    console.log(r); // print each row
}

Above, res (of type Result) is now iterable, automatically exposing res.rows.values().

To that end, the TypeScript declarations have been updated accordingly.

TypeScript example
class User {
    id: number;
    login: string;
    active: boolean;
}

// example of typed query result

const res = await db.result<IResultExt<User>>('select * from users');
for (const r of res) {
    // r here is strongly-typed
    console.log(r);
}

v10.12.1

v10.12.0

v10.11.1

  • Documentation updates: Removed Gitter link, moving into Discussions
  • Dev dependencies updated

v10.11.0

  • Implemented #​800 - added support for connection option allowExitOnIdle, to let process exit when pool is idle. This means you no longer need to destroy the connection pool inside tests or any run-through process. Instead, just set allowExitOnIdle: true within the database connection parameters.
  • Updated all dependencies, including the base pg driver to v8.7.1
  • Removed tests integration for Travis CI. Adding it to GitHub Actions is still just a plan - see #799, but right now there is no CI, only manually-run tests.
  • Refactored many tests + examples
  • Documentation updates

v10.10.2

  • Updated dependencies
  • Documentation updates

v10.10.1

  • Implemented #​782, to return Promise from method done, specifically for direct connections. This was added mainly for consistency with the underlying driver.
  • Updated documentation
  • Updated DEV dependencies

v10.9.5

  • Changed how useCount for connections is incremented, to make sure it never overflows, and never resets to zero.
  • DEV dependencies updated.

v10.9.4

  • Removing pg-native from dependencies, which crawled into the package during tests, yet again.

Damn NPM, with its auto-save features!!! 😠

v10.9.3

v10.9.2

v10.9.1

  • Extending on #​175, added global instance support to QueryFile class.

v10.9.0

v10.8.7

  • Added support for #​743, to allow pg replacement with a mock.
  • DEV dependencies updated.

v10.8.6

  • spex dependency updated.

v10.8.5

  • Makes TypeScript stricter. In this update specifically, everything in helpers is now more type-strict.

v10.8.4

v10.8.3

v10.8.1

  • Updated dependencies. pg-query-stream now requires >= v4.0.0

v10.8.0

Following up on #​765, this release extends filter :alias, to auto-split name, based on ., to support composite SQL names.

See also: Alias Filter.

v10.7.5

  • Concludes all SSL-related issues from #​764

v10.7.4

  • Trying to resolve all issues listed in #​764

v10.7.3

  • TypeScript: Improving IPool declaration.

v10.7.2

  • Updated TypeScript declarations: db.$pool is now strongly-typed as IPool.
  • DEV dependencies updated

v10.7.1

  • Dependencies updated
  • Removed space following proc/func name.
  • xs:code integration

v10.7.0

  • Implemented #​756
  • Updated dependencies

v10.6.2

  • Minor code refactoring + dev dependencies updated.

v10.6.1

  • Updated the driver dependency, with the fix for #​748

v10.6.0

  • Refactoring out some old code and documentation
  • Multiple dependencies updated, including the latest driver + TypeScript v4

v10.5.8

  • Dependencies updated, including the driver, which should bring performance improvements for bytea type, see this PR.

v10.5.7

  • Improved TypeScript declarations, including #​735
  • Updated dependencies

v10.5.6

  • Dependencies updated, including pg driver to v8.2.1

v10.5.5

  • Fixed invalid setters in the code

v10.5.4

  • Dependencies updated, including pg driver to v8.1.0

v10.5.3

  • Minor TypeScript declaration fix for #​722

v10.5.2

  • Fixing #​717 - adding NodeJS v14 support.
  • Dependencies updated.

v10.5.1

  • Dependencies updated, including the driver to v8.0.2

v10.5.0

  • Driver has been updated to version 8.0.0; See its changelog.
  • Removed hiding password in connection, as the driver now handles it.
  • Removed idleTimeoutMillis (in TypeScript) from defaults, due to this bug, and #​703
  • Updated dependencies + documentation

v10.4.4

  • Dependencies updated, including the driver to v7.18.2
  • Added test coverage for the color console

v10.4.3

  • Improving error reporting for event handlers.
  • Refactoring strings to use ES6 syntax everywhere.
  • DEV dependencies updated.

v10.4.2

  • Improved errors + warnings reporting.

v10.4.1

v10.4.0

  • Updated driver to the latest 7.18.1, see #687
  • Dropped support for pg-query-stream < 3.0.0, see #695
  • Dropped support for NodeJS < 8.0.0 (because of the new streams)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch 2 times, most recently from 8e71dfc to 0e8a4ba Compare June 22, 2025 16:02
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch 2 times, most recently from b57d551 to 985c74a Compare July 3, 2025 00:37
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch 4 times, most recently from 8cce6ab to 296dc67 Compare August 13, 2025 22:15
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch 2 times, most recently from ee70c00 to 1672d20 Compare August 19, 2025 21:53
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 1672d20 to 177a3f4 Compare August 31, 2025 10:56
@renovate renovate bot changed the title Update dependency pg-promise to v11 [SECURITY] Update dependency pg-promise to v12 [SECURITY] Aug 31, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 177a3f4 to 340f13a Compare August 31, 2025 12:58
@renovate renovate bot changed the title Update dependency pg-promise to v12 [SECURITY] Update dependency pg-promise to v11 [SECURITY] Aug 31, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 340f13a to 174b404 Compare September 25, 2025 15:06
@renovate renovate bot changed the title Update dependency pg-promise to v11 [SECURITY] Update dependency pg-promise to v12 [SECURITY] Sep 25, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 174b404 to fc33e20 Compare September 25, 2025 21:05
@renovate renovate bot changed the title Update dependency pg-promise to v12 [SECURITY] Update dependency pg-promise to v11 [SECURITY] Sep 25, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from fc33e20 to 91b9496 Compare October 21, 2025 11:00
@renovate renovate bot changed the title Update dependency pg-promise to v11 [SECURITY] Update dependency pg-promise to v12 [SECURITY] Oct 21, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 91b9496 to 5cf5e52 Compare October 22, 2025 01:44
@renovate renovate bot changed the title Update dependency pg-promise to v12 [SECURITY] Update dependency pg-promise to v11 [SECURITY] Oct 22, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 5cf5e52 to 48e1d54 Compare November 10, 2025 16:34
@renovate renovate bot changed the title Update dependency pg-promise to v11 [SECURITY] Update dependency pg-promise to v12 [SECURITY] Nov 10, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 48e1d54 to 4cbd209 Compare November 11, 2025 03:08
@renovate renovate bot changed the title Update dependency pg-promise to v12 [SECURITY] Update dependency pg-promise to v11 [SECURITY] Nov 11, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from 4cbd209 to fd60300 Compare November 18, 2025 22:13
@renovate renovate bot changed the title Update dependency pg-promise to v11 [SECURITY] Update dependency pg-promise to v12 [SECURITY] Nov 18, 2025
@renovate renovate bot changed the title Update dependency pg-promise to v12 [SECURITY] Update dependency pg-promise to v11 [SECURITY] Nov 19, 2025
@renovate renovate bot force-pushed the renovate/npm-pg-promise-vulnerability branch from fd60300 to 6710057 Compare November 19, 2025 02:36