This repository was archived by the owner on Apr 7, 2026. It is now read-only.

chore(deps): bump drizzle-orm from 0.45.1 to 0.45.2#2623

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/drizzle-orm-0.45.2

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Bumps drizzle-orm from 0.45.1 to 0.45.2.

Release notes

Sourced from drizzle-orm's releases.

0.45.2

  • Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to these functions were not properly escaped, causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @EthanKim88, @0x90sh and @wgoodall01 for reaching out to us with a reproduction and suggested fix


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Bump drizzle-orm from 0.45.1 to 0.45.2

Updates the drizzle-orm dependency in package.json from ^0.45.1 to ^0.45.2 and refreshes the lockfile accordingly.

Macroscope summarized 740a41b.

Bumps [drizzle-orm](https://github.com/drizzle-team/drizzle-orm) from 0.45.1 to 0.45.2.
- [Release notes](https://github.com/drizzle-team/drizzle-orm/releases)
- [Commits](drizzle-team/drizzle-orm@0.45.1...0.45.2)

---
updated-dependencies:
- dependency-name: drizzle-orm
  dependency-version: 0.45.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
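As an added illustration, not drizzle-orm's code and not the patch shipped in 0.45.2, the TypeScript below models the bug class the release note names. An identifier-quoting helper that wraps a name in double quotes without doubling any embedded double quote lets an attacker-controlled column name terminate the identifier and append a statement; the hardened variant applies the SQL-standard doubling, and an allow-list check shows the control that belongs in front of any dynamic identifier regardless of how well the library escapes. The hostile column string, the table name and all function names are constructed for this example.

```typescript
// Added example: models the CWE-89 escaping bug class from the release
// note. It is NOT drizzle-orm's implementation of sql.identifier().

type Quote = (name: string) => string;

// Vulnerable variant: wraps the name in double quotes but never escapes a
// double quote inside it, so a hostile name can close the identifier and
// continue the statement.
function quoteIdentifierNaive(name: string): string {
  return `"${name}"`;
}

// Hardened variant: a double quote inside a quoted identifier is written as
// two double quotes (SQL standard; PostgreSQL, SQLite, MySQL in ANSI mode).
// NUL bytes are rejected outright because drivers and servers disagree on them.
function quoteIdentifier(name: string): string {
  if (name.includes("\u0000")) {
    throw new Error("identifier contains a NUL byte");
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Stronger control for request-derived column names: escaping only keeps the
// value an identifier; an allow-list keeps it one the caller intended.
function quoteKnownIdentifier(name: string, allowed: ReadonlySet<string>): string {
  if (!allowed.has(name)) {
    throw new Error(`unknown identifier: ${JSON.stringify(name)}`);
  }
  return quoteIdentifier(name);
}

function buildSelect(column: string, table: string, quote: Quote): string {
  return `select ${quote(column)} from ${quote(table)}`;
}

// Small scanner used only to judge the demo output: counts ';' that sit
// outside single-quoted strings and double-quoted identifiers, honouring the
// doubled-quote escape for both. A non-zero count means a second statement
// was smuggled past the quoting.
function countSemicolonsOutsideQuotes(sql: string): number {
  let count = 0;
  let open: string | null = null;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql.charAt(i);
    if (open !== null) {
      if (ch === open) {
        if (sql.charAt(i + 1) === open) {
          i++; // doubled quote: still inside the literal/identifier
        } else {
          open = null;
        }
      }
      continue;
    }
    if (ch === '"' || ch === "'") {
      open = ch;
    } else if (ch === ";") {
      count++;
    }
  }
  return count;
}

// Constructed attacker input, e.g. a "sort by" column taken from a query string.
const hostileColumn = 'name" from users; drop table users; --';

function demo(): { naive: string; hardened: string } {
  return {
    naive: buildSelect(hostileColumn, "users", quoteIdentifierNaive),
    hardened: buildSelect(hostileColumn, "users", quoteIdentifier),
  };
}

const out = demo();
console.log("naive   :", out.naive, "| extra statements:", countSemicolonsOutsideQuotes(out.naive));
console.log("hardened:", out.hardened, "| extra statements:", countSemicolonsOutsideQuotes(out.hardened));
```

With the naive helper the hostile name yields `select "name" from users; drop table users; --" from "users"`, two statements and a trailing comment that swallows the rest; with doubling it yields one statement whose first identifier is literally `name" from users; drop table users; --`, which is harmless but almost certainly not a real column, which is why the allow-list check matters as much as the escaping. After taking the bump, the practical follow-up is to search the code base for `sql.identifier(` and `sql.as(` and confirm every argument comes from schema metadata or a fixed set rather than from request input.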
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Mar 30, 2026
@github-actions github-actions Bot enabled auto-merge March 30, 2026 13:13

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.



greptile-apps Bot commented Mar 30, 2026

Greptile Summary

This PR bumps drizzle-orm from 0.45.1 to 0.45.2 — a patch release that fixes a SQL injection vulnerability (CWE-89) in sql.identifier() and sql.as(). Values passed to these helpers were previously not properly escaped, allowing potential injection attacks. The changes touch only package.json and pnpm-lock.yaml with correct version and integrity hash updates.

  • Fixes CWE-89 SQL injection in sql.identifier() / sql.as() — if this codebase uses either of these helpers, the fix is directly applicable and important to land
  • pnpm-lock.yaml integrity hash correctly updated to the new release (sha512-kY0B…)
  • package.json range updated from ^0.45.1 to ^0.45.2, locking out the vulnerable patch
  • No API or behavioural changes are expected from this patch bump; Dependabot's compatibility score is available for confidence

Pre-existing note (not introduced by this PR): package.json still lists better-sqlite3: ^12.8.0 as a direct dependency, and the lockfile resolves drizzle-orm against better-sqlite3. Per the platform's migration to PostgreSQL (drizzle-orm/node-postgres / pg.Pool), this driver should no longer be needed — worth cleaning up in a follow-up.

Confidence Score: 5/5

Safe to merge — minimal, correct patch version bump that resolves a known SQL injection vulnerability with no API changes.

The change is a single patch-level dependency bump driven by a security fix. The diff is correct (version string and lockfile integrity hash both updated consistently), there are no API surface changes, and Dependabot's compatibility score indicates a smooth upgrade path. All observations are pre-existing issues unrelated to this PR.

No files require special attention — changes are confined to manifest and lockfile.

Important Files Changed

Filename Overview
package.json Bumps drizzle-orm specifier from ^0.45.1 to ^0.45.2 to pull in the SQL-injection security fix; change is correct and minimal.
pnpm-lock.yaml Lockfile updated consistently: specifier, resolved version, and SHA-512 integrity hash all reflect 0.45.2; no unexpected transitive dependency changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["drizzle-orm 0.45.1\n⚠️ sql.identifier() / sql.as()\nnot properly escaped\n(CWE-89 SQL Injection)"] -->|"Dependabot bump"| B["drizzle-orm 0.45.2\n✅ sql.identifier() / sql.as()\nproperly escaped"]
    B --> C["package.json\nspecifier: ^0.45.2"]
    B --> D["pnpm-lock.yaml\nintegrity hash updated"]
    C & D --> E["Safe to merge"]

Reviews (1): Last reviewed commit: "chore(deps): bump drizzle-orm from 0.45...."

@github-actions

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 71.18% 3806 / 5347
🔵 Statements 70.69% 3982 / 5633
🔵 Functions 73.32% 753 / 1027
🔵 Branches 60.28% 1893 / 3140
File Coverage: No changed files found.
Generated in workflow #1365 for commit 740a41b by the Vitest Coverage Report Action


TSavo commented Apr 7, 2026

Closing — wopr is in the platform monorepo now.

@TSavo TSavo closed this Apr 7, 2026
auto-merge was automatically disabled April 7, 2026 04:24

Pull request was closed


dependabot Bot commented on behalf of github Apr 7, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/drizzle-orm-0.45.2 branch April 7, 2026 04:24

Labels

dependencies Pull requests that update a dependency file


1 participant