Skip to content

Sync drizzle-orm fork to v1 RC4#28

Draft
joe-thom wants to merge 1747 commits into
mainfrom
joe-thom/drizzle-v1-rc4-sync
Draft

Sync drizzle-orm fork to v1 RC4#28
joe-thom wants to merge 1747 commits into
mainfrom
joe-thom/drizzle-v1-rc4-sync

Conversation

@joe-thom

@joe-thom joe-thom commented Jul 17, 2026

Copy link
Copy Markdown

What changed

Synchronizes the Replit fork to upstream Drizzle v1 RC4 beta commit 748058e837d9c4247330e3d45580cbdae52bffda while preserving upstream ancestry. The only source-tree deviation is a fork-specific CI path that runs lint, Drizzle ORM build, Drizzle Kit type tests, and the relevant package build instead of upstream’s full release matrix.

Why

The fork has diverged from upstream since May 2025, and the previous RC2 migration mixed the upstream import with Replit-specific compatibility changes. The upstream matrix is also not viable in the fork today: test skips intentionally expired on July 1, and the fork token receives 403 responses when downloading some cross-job artifacts. The full matrix remains unchanged in drizzle-team/drizzle-orm; only replit/drizzle-orm uses the focused path.

Reviewer guidance

Excluding .github/workflows/release-feature-branch.yaml, this merge resolves the fork tree to exactly match the pinned upstream commit. Replit-specific package publishing and pid2 compatibility are isolated in #29.

CodeQL reports 23 alerts in the imported upstream tree because the base fork is old. This PR does not silently dismiss or suppress them; merging requires a human baseline decision for those pre-existing upstream findings.

Test plan

  • Source tree matches pinned upstream RC4 outside the fork CI workflow.
  • pnpm lint:check
  • pnpm --filter drizzle-orm build
  • pnpm --filter drizzle-kit test:types
  • pnpm --filter drizzle-kit build
  • actionlint .github/workflows/release-feature-branch.yaml reports no workflow syntax errors; its remaining SC2086 findings are in pre-existing release shell blocks.

Stack

Revertibility

Safe to revert. This changes source history and CI only; it does not publish packages or modify persistent data.

~ written by Zerg 👾 (wp-961c729b)

Sukairo-02 and others added 30 commits April 15, 2026 12:57
* [WIP: kit] Reworked casings: moved casing control from `db` instance to `table`\`view`\`schema` via `import { snakeCase } from "drizzle-orm/dialect-core"`

* Updated kit to not use casings

* Removed casing from kit config & commands

* Updated tests

* Updated tests

* Fixed test
* added batch for d1 in kit and orm migrate

* d1 kit and orm batch fixes

* fixed attw

* attw fixes

* rolled back changes in up-migrator for sqlite/sqlite-proxy + moved proxy integrations for up-migrators into separate logic

* up-migrator update for proxy

* fixes for sqlite proxy

* marked mssql as optional peer dep + fixes in d1 kit callback

* fixed attw

* sqlite-proxy up migrator update

- used db.session.values instead of db.session.all
this helps to remove remoteMigrateCallback from drizzle-kit for d1
- added query.length check so d1 http does not fail

* commutativity rewrite

* release notes

* feat: Add cert validation (drizzle-team#5588)

* Add introspection tests for mariadb primary keys and update column name handling in MySQL dialect (drizzle-team#5578)

Co-authored-by: AndriiSherman <andreysherman11@gmail.com>

* fix mock

* fix ignore-conflicts

---------

Co-authored-by: AndriiSherman <andreysherman11@gmail.com>
Co-authored-by: Roman Nabukhotnyi <97584054+RomanNabukhotnyi@users.noreply.github.com>
…nternally loggable, obfuscated `new Function()` to avoid bundler crashes, improved jit mapper, const type for generic pg codecs
* Updated `netlify-db` constructor, added `@netlify/db` package to peer dependencies

* Updated skip dates

* Updated skip date

* release notes

---------

Co-authored-by: AndriiSherman <andreysherman11@gmail.com>
…decs sometimes mutating data passed for input
dankochetov and others added 25 commits June 24, 2026 15:21
…hintSchema` inference

Under moduleResolution:"node" the MCP SDK's registerTool generic resolves zod/v3 and
zod/v4/core as distinct module paths, then tries to unify them with the caller's zod
schema. This causes tsc to exhaust heap (TS2589 / SIGABRT) when the typetest suite
reaches server.ts via schema.ts's dynamic import.

Two sources of explosion, both fixed in server.ts only:

1. registerTool generic: cast McpServer to a local McpServerCompat interface whose
   registerTool takes z.ZodTypeAny (not the deep ShapeOutput<ZodObject<...>>
   instantiation). Runtime behavior is identical — the same Zod schemas are passed.

2. hintSchema 37-member union: the assignability check against the pinned type was
   still evaluated. Changed to a double-cast (as unknown as z.ZodTypeAny) so tsc
   skips the assignability proof entirely.

handler args change from inferred typed params to Record<string,unknown> with
inline casts — no effect on the MCP wire protocol or runtime validation.
MCP adapter:
- Return an `invalid_hints` envelope for malformed hints (loosened tool input schema) instead of an MCP `InvalidParams` protocol error
- Serialize tool calls so concurrent `generate`/`push` can't interleave snapshot reads/writes
- Guard dotenv from writing to the MCP stdout stream under `DOTENV_CONFIG_DEBUG`/`QUIET`
- Add a defensive handler catch and import `Hint` from `../sdk`

SDK:
- Resolve the migration `output` format from the active CLI context in `prepare{Generate,Push,Check}`, so the SDK wrappers no longer pass `output: 'json'` twice

Docs:
- Move the MCP tool list, consent round-trip, and config details from the README into a dedicated `MCP.md`
- Drop obsolete/redundant lines in `README.md` and `JSON_CONTRACT.md` and reword the tool descriptions
…the installable skills catalog

Complete drizzle-kit's machine surface for the three remaining lifecycle commands, each climbing the CLI-JSON → SDK → MCP pattern:

- CLI `--output text|json` for `export`, `up`, and `pull` — text byte-identical, JSON a typed envelope (`export` `{statements, warnings}` with no joined `sql`; `up` `{upgraded}`; `pull` a paths-only manifest that never emits `missing_hints`). All human chatter gated on `outputFormat()==='text'` and every `console.error`/`console.log`+`process.exit(1)` path converted to a typed throw.
- Root SDK exports `exportSql` (reserved-word alias for `export`), `up`, and `pull`, each returning the byte-identical CLI envelope side-effect-free at the host-process boundary — growing the public surface to `['check','defineConfig','exportSql','generate','pull','push','up']` (7 keys).
- MCP `export` (`readOnlyHint`+`idempotentHint`), `up` (`idempotentHint`, not `readOnlyHint`), and `pull` (config-path-only input; per-call `com.drizzle.team/pull.destructiveHint` `_meta` signal when `--init`) tools, registered as thin consumers of the SDK functions.
- Typed `database_driver_error` with redacted fields for `pull` connect/introspect and `--init` migrate failures; a credential-leak sentinel regression proving no auth substrings reach any channel.
- A `drizzle-pull` installable skill, snapshot-diff collapse guidance folded into the `drizzle-migrations` skill, declarative skill descriptions, and the umbrella `drizzle` skill revision bumped to `9`.
- Contract docs swept — `JSON_CONTRACT.md` / `SDK.md` / `MCP.md` / `OUTPUT_MODES.md` and the `drizzle-responses-and-errors` skill.
- CLI ≡ SDK conformance scenarios for `export` / `up` / `pull` and a 7-key public-surface regression. Zero new runtime dependencies.
… contract, and refresh the hint skills

- Reorder `resolver(entity, hints?, defaultSchema)` and flatten `ResolverOutput<T>` to `{ created, deleted, renamedOrMoved }`; type `mockResolver` via the shared `Resolver<T>`.
- Stop prompting for server-dialect `add_not_null` / `add_unique` push confirms; give SQLite's table-wipe an honest `table_recreate` reason.
- Carry a structured conflict target through the commutativity engine and `check` conflict envelope, and delete the `post-comment.mjs` regex reverse-parsers.
- Refresh the hint skills and `HINTS.md`: drop hardcoded counts, correct the schema-namespace placeholder, reword confirm phrasing, fix the stale destructive-change list, reference sibling skills by name, and trim stale missing-hints report test guards.
…e-prompt direction, and bump the bundle revision
Add the machine-readable `pull`/`up`/`export` surface, a `drizzle-kit mcp` adapter, and expand the skills catalog
…nto account identity generations, improved `INSERT INTO table SELECT ...`

Co-authored-by: Mario564 <ka.mario564@gmail.com>
…viving mcp/sdk tests into `tests/other`

Drive the `cli-json` and `push-non-tty-guard` tests against real in-memory databases — PGlite, `BetterSqlite3`, and libsql — instead of fabricated `ddl`/`diff`/`introspect` mocks: the `confirm_data_loss` matrix (collapsed to one real-DB test per kind), the explain/no_changes/missing_hints/schema-warning/rename representatives, the turso `no_changes` envelope, and the pull `ok` manifests all now run on real engines and real DBs, and the postgres tests connect through the real `pglite` driver (passing the test's `PGlite` client as credentials) rather than mocking `cli/connections`. Prove credential redaction against a real failed connection rather than a planted driver message. Delete tests for things unlikely to change (the skill catalog presence/frontmatter checks) and the redundant CLI≡SDK conformance/parity suites, the tautological `hints-missing` tests, the two pure-function idempotence tests, and the vacuous MCP credential-leak and static annotation blocks. Trim the SDK type-contract ceremony; keep the SDK no-stdout and no-interactive regression guards as explicit per-verb tests over shared mock helpers. Fix the `TEST_CONFIG_PATH_PREFIX` comment and the triple-stacked `postgres/ddl` `vi.doMock` in `cli-json`. Move the surviving mcp and sdk tests under `tests/other` so the `kit:other` CI shard runs them — `tests/sdk`, `tests/mcp`, and `tests/skills` were not covered by any shard.

Gate every dialect push handler's progress view on `outputFormat() === 'json'` (using `EmptyProgressView`), matching how the introspect path already suppresses progress in json mode — so json-mode runs render nothing and the tests no longer need to mock `cli/views`.

Give postgres and sqlite a per-dialect `SchemaSource` (`fromFilenames` / `fromSchema`) next to each `prepareFromSchemaFiles`, and make their `push`/`generate` `handle()` obtain the schema via `schemaSource.load()` — so a command's schema can come from `.ts` files on disk or be supplied as a prebuilt schema (tests / programmatic callers) without mocking the loader. Tests pass `SchemaSource.fromSchema(fromExports(...))` directly; the missing-schema-path coverage stays on the real `fromFilenames` path.

Move every remaining dialect-specific structured-error and confirm_data_loss guard off mocked `cli-json` envelopes onto real-DB dialect tests driving the live diff engine and `suggestions`: `drop_pk_dependency`, `fk_target_not_unique`, and the `type_change` confirm_data_loss hint in `tests/mysql/constraints.test.ts`; `rename_schema_unsupported` and `rename_blocked_by_check_constraint` in `tests/mssql/push.test.ts`.
…mocks, dependency injection over module mocking, and CI-shard coverage
…ge` and drop `util` from the CLI imports allowlist

Keeps drizzle-kit source free of the Node `util` builtin so the config-validation path stays platform-agnostic. `res.error` is a `ZodError` whose `.message` is exactly `JSON.stringify(error.issues, null, 2)` — the same rendering the previous `inspect(res.error)` produced — and the structured `issues` are already passed to `ConfigValidationCliError`. The `util` entry in the `imports-issues` CLI import-graph allowlist was paired with the now-removed import, so it goes too.
The drizzle-kit `attw` job runs `attw-fork/src/run.ts` with no mode, which checked every resolution kind including `node10`; `drizzle-kit/payload/*` fail under `node10` because the legacy `moduleResolution: node` algorithm cannot follow `exports` subpaths. Make the no-mode default check `node16-cjs`/`node16-esm` + `bundler` only, and drop the `node10` shard from the `attw-orm` matrices in `release-feature-branch`, `release-feature-branch-beelink`, and `release-latest` so drizzle-orm is not `node10`-gated either. Verified locally: no-mode attw on the built drizzle-kit tarball exits 0 (Passed 9), while `node10` mode still fails the 4 `payload` subpaths.
@joe-thom joe-thom added the zergling-authored Authored by a Zerg zergling label Jul 17, 2026

@github-advanced-security github-advanced-security AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@wiz-a44d115bc1

wiz-a44d115bc1 Bot commented Jul 17, 2026

Copy link
Copy Markdown

Wiz Scan Summary

⚠️ Many findings detected
Many findings were detected, but only a subset of the findings are displayed inline due to API constraints. To view all findings inline, please click here.
Scanner Findings
Vulnerability Finding Vulnerabilities 1 High 4 Medium
Data Finding Sensitive Data -
Secret Finding Secrets 34 Low
IaC Misconfiguration IaC Misconfigurations 17 Low
SAST Finding SAST Findings 175 Medium 30 Low
Software Management Finding Software Management Findings -
Total 1 High 179 Medium 81 Low

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

zergling-authored Authored by a Zerg zergling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants