Releases: flvmnt/pgfence
v0.2.1
Security
- Fix shell injection in GitHub Action — all inputs now passed through env vars and bash array, eliminating injection vectors and fixing paths with spaces
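The v0.2.1 action fix in runnable form, as an added example that is not pgfence's own `action.yml`: the step receives its inputs only as environment variables (`INPUT_FILES` and `INPUT_EXTRA_ARGS` are assumed names and input shapes) and assembles the command line as a bash array, so a path with spaces stays one argument and shell metacharacters inside an input are data rather than code.

```bash
#!/usr/bin/env bash
# Added example, not pgfence's action.yml. The pre-fix pattern interpolated
# `${{ inputs.* }}` straight into the `run:` script, so the shell parsed the
# input text as code. Here inputs arrive only through env vars (assumed names
# INPUT_FILES, INPUT_EXTRA_ARGS) and argv is built as a bash array.
set -euo pipefail

# Build argv from the env vars. Every file becomes exactly one array element,
# whatever characters it contains; nothing is re-parsed by the shell.
build_pgfence_argv() {
  local -a argv=(npx @flvmnt/pgfence)
  local line
  # INPUT_FILES: newline-separated migration paths (assumed input shape).
  while IFS= read -r line; do
    [ -n "$line" ] && argv+=("$line")
  done <<< "${INPUT_FILES:-}"
  # INPUT_EXTRA_ARGS: whitespace-separated flags. `read -a` splits on IFS
  # only; there is no globbing and no eval of the text.
  if [ -n "${INPUT_EXTRA_ARGS:-}" ]; then
    local -a extra
    read -r -a extra <<< "$INPUT_EXTRA_ARGS"
    argv+=("${extra[@]}")
  fi
  # One argument per output line so argv boundaries are visible to the caller.
  # The real step would run "${argv[@]}" instead of printing it.
  printf '%s\n' "${argv[@]}"
}

# Number of argv elements; a split or executed input would change this.
argv_count() {
  build_pgfence_argv | wc -l | tr -d ' '
}
```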
Bug Fixes
- Correct lock mode for REFRESH MATERIALIZED VIEW CONCURRENTLY — was EXCLUSIVE, now correctly SHARE UPDATE EXCLUSIVE per PostgreSQL docs (allows reads AND writes)
- Eliminate silent failures in plugin system — plugin errors logged to stderr instead of silently swallowed
- Eliminate silent failures in extractors — TypeORM now matches `queryRunner.manager.query()`; Knex/Sequelize transpilers emit warnings for dynamic table names instead of returning empty results
- Add missing rule coverage — default case for unknown constraint types, DROP SCHEMA CASCADE detection, DropStmt/TruncateStmt/RenameStmt added to lock tracking
- Per-file parse error handling — a syntax error in one file no longer aborts analysis of the entire batch
- maxRisk includes policy violations — error-level policy violations now reflected in maxRisk (was showing SAFE with error-level violations)
- SARIF coverage summary — Trust Contract compliance: SARIF output now includes coverage stats
- Error handling improvements — start-after only catches ENOENT, cloud hooks always log errors, stats file schema validated, config JSON validated
Chores
- Exclude `tests/cloud/` from vitest config
- Add `@iarna/toml` as optional dependency
- Fix duplicate drizzle detection condition
- Flag `CreateProcedureStmt` as unanalyzable
v0.2.0
What's new
5 new DDL rules
- `ALTER TYPE ... ADD VALUE` (enum evolution)
- `ATTACH/DETACH PARTITION`
- `REFRESH MATERIALIZED VIEW`
- `REINDEX TABLE/INDEX/SCHEMA/DATABASE`
- `CREATE/DROP/ENABLE/DISABLE TRIGGER`
Expanded policy checks
- Lock timeout ordering validation (must come before DDL)
- Wide lock window detection
- Savepoint/rollback awareness
- Timeout-too-permissive warnings
ORM extractor improvements
- Knex: builder chain extraction (`table.string()`, `table.integer()`, etc.)
- Knex: conditional migration support
- TypeORM: conditional `queryRunner.query()` extraction
- Sequelize: `queryInterface` method extraction
New CLI flags
- `--pg-version` — tune analysis for your Postgres version (11–17)
- `--stats-file` — provide table stats JSON for size-aware risk scoring
Other
- Plugin system for custom rules
- Schema snapshot support
- Transaction state tracking
- 48 new tests (153 total)
Full Changelog: v0.1.5...v0.2.0
v0.1.4
Full Changelog: v0.1.3...v0.1.4
v0.1.3
v0.1.2
What's new
Features
- SARIF output — `--output sarif` emits SARIF 2.1.0 for GitHub Code Scanning. Upload with `github/codeql-action/upload-sarif` to get inline annotations on pull requests.
Fixes
- `pgfence-ignore` syntax — bare `-- pgfence-ignore` suppresses all checks for a statement; `-- pgfence-ignore: <ruleId>` suppresses specific rules. Legacy `-- pgfence: ignore` syntax still works.
- Parser lookback bug — bounded the inline-ignore comment search window so directives cannot bleed across statements.
- Backfill recipes — safe rewrite steps now use the `CTE + ctid + FOR UPDATE SKIP LOCKED` pattern, matching production-grade batched backfill practice.
Documentation
- Added Postgres Version Support section (`--min-pg-version`)
- Added Known Limitations section (dynamic SQL, PL/pgSQL, stored procedures)
- Added Suppressing Warnings section with full syntax reference
v0.1.1
Patch release fixing scoped package name.
Bug fixes:
- Fixed `action.yml` to use `@flvmnt/pgfence` instead of unscoped `pgfence`
- Fixed `pgfence init` hook to use `@flvmnt/pgfence` instead of unscoped `pgfence`
Both the GitHub Action and git hook installer were referencing a package name that doesn't exist, causing failures in CI and pre-commit hooks.
v0.1.0
Initial public release.
- 28 DDL safety checks with Postgres lock mode analysis
- Extractors for SQL, TypeORM, Prisma, and Knex migrations
- DB-size-aware risk scoring via stats snapshot or direct connection
- Safe rewrite recipes (expand/contract sequences)
- Policy checks: lock_timeout, statement_timeout, CONCURRENTLY-in-tx
- CLI, JSON, and GitHub PR comment output formats
- GitHub Action for CI integration
- Git hook installer (`pgfence init`)