@trycompai/db 2.1.3 → 2.3.0

@@ -1 +1 @@
1
- {"version":3,"file":"ssl-config.d.ts","sourceRoot":"","sources":["../src/ssl-config.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GACjB,SAAS,GACT;IAAE,mBAAmB,EAAE,MAAM,SAAS,CAAA;CAAE,GACxC;IAAE,kBAAkB,EAAE,KAAK,CAAA;CAAE,CAAC;AAgBlC,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,GAAG,GAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAe,GAC5C,SAAS,CAeX"}
1
+ {"version":3,"file":"ssl-config.d.ts","sourceRoot":"","sources":["../src/ssl-config.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GACjB,SAAS,GACT;IAAE,mBAAmB,EAAE,MAAM,SAAS,CAAA;CAAE,GACxC;IAAE,kBAAkB,EAAE,KAAK,CAAA;CAAE,CAAC;AAgBlC,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,GAAG,GAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAe,GAC5C,SAAS,CAcX"}
@@ -15,18 +15,19 @@ function isLocalhostUrl(connectionString) {
15
15
  }
16
16
  }
17
17
  function resolveSslConfig(databaseUrl, env = process.env) {
18
- const isLocalhost = isLocalhostUrl(databaseUrl);
19
- const hasCABundle = !!env.NODE_EXTRA_CA_CERTS;
20
- const allowInsecure = env.PRISMA_ALLOW_INSECURE_TLS === '1';
21
- if (isLocalhost)
18
+ if (isLocalhostUrl(databaseUrl))
22
19
  return undefined;
23
- // Verified TLS: rely on Node's TLS context (NODE_EXTRA_CA_CERTS adds the AWS
24
- // RDS CA to the trust store). Skip hostname check because connections may
25
- // traverse an AWS NLB whose hostname isn't in the RDS Proxy cert's SAN list.
26
- // The chain check still rejects forged or wrong-CA certs.
27
- if (hasCABundle)
28
- return { checkServerIdentity: () => undefined };
29
- if (allowInsecure)
20
+ if (env.PRISMA_ALLOW_INSECURE_TLS === '1')
30
21
  return { rejectUnauthorized: false };
31
- throw new Error('Refusing to connect to a non-local Postgres without TLS verification. Set NODE_EXTRA_CA_CERTS to a CA bundle, or set PRISMA_ALLOW_INSECURE_TLS=1 if you intentionally want unverified TLS.');
22
+ // Verified TLS via Node's default trust store, which includes Amazon Root
23
+ // CA 1 — where AWS RDS Proxy chains terminate. Hostname check is skipped
24
+ // because connections traverse an AWS NLB whose hostname isn't in the RDS
25
+ // Proxy cert's SAN list; the chain check still rejects forged or wrong-CA
26
+ // certs.
27
+ //
28
+ // Previously this returned `{ ca: RDS_CA_BUNDLE, ... }` — but `ssl.ca`
29
+ // *replaces* Node's trust store rather than augmenting it, and the bundle
30
+ // only contains regional RDS CAs (not Amazon Root CA 1), so RDS Proxy
31
+ // chain validation failed at runtime (P1011 / TlsConnectionError).
32
+ return { checkServerIdentity: () => undefined };
32
33
  }
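Review bot: The final `return { checkServerIdentity: () => undefined };` now applies to every non-local database URL and validates only against Node's default trust store, so with the hostname check disabled a certificate that any publicly trusted CA issued for any name will pass. The comment's claim that the chain check "still rejects forged or wrong-CA certs" therefore overstates what is verified. Instead of a no-op, check the certificate against the name it is expected to carry, e.g. `return { checkServerIdentity: (_host, cert) => tls.checkServerIdentity(expectedHost, cert) };`, where `expectedHost` is a placeholder for the RDS Proxy endpoint name taken from configuration; this needs `node:tls` in scope, which the hunk does not show. The fail-closed `throw` is gone and `PRISMA_ALLOW_INSECURE_TLS === '1'` is now tested before any verified path, so where the old code chose verified TLS when a CA bundle was also set, the new code returns `rejectUnauthorized: false`. A warning log on that branch would make the downgrade visible to operators.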
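--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "name": "@trycompai/db",
  "description": "Database package with Prisma client and schema for Comp AI",
- "version": "2.1.3",
+ "version": "2.3.0",
  "dependencies": {
  "@prisma/adapter-pg": "7.6.0",
  "@prisma/client": "7.6.0",
@@ -36,7 +36,6 @@
  },
  "files": [
  "dist",
- "certs",
  "README.md",
  "INTEGRATION_GUIDE.md"
  ],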