knex 3.2.8 → 3.2.9

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Master (Unreleased)
 
+# 3.2.9 - 3 April, 2026
+
+### Bug fixes
+
+- fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't [#6429](https://github.com/knex/knex/issues/6429)
+- fix(postgres): escape double quotes in searchPath to prevent SQL injection [#6411](https://github.com/knex/knex/issues/6411)
+- fix(sqlite): append RETURNING statement when insert empty row [#5471](https://github.com/knex/knex/issues/5471)
+- fix: add type support for Array<Buffer> [#6428](https://github.com/knex/knex/issues/6428)
+
+# 3.2.8 - 30 March, 2026
+
 ### Bug fixes
 
 - Reverts the breaking changes added in [#6227](https://github.com/knex/knex/issues/6227). This means that the ESM import of Knex is reverted to `import { knex } from 'knex/knex.mjs` [#6422](https://github.com/knex/knex/issues/6422)

package/lib/dialects/mysql/query/mysql-querycompiler.js

@@ -27,12 +27,15 @@ class QueryCompiler_MySQL extends QueryCompiler {
 
     this._emptyInsertValue = '() values ()';
   }
-  // Compiles an `delete` allowing comments
+  // Compiles a `delete` query, allowing comments and LIMIT.
   del() {
     const sql = super.del();
     if (sql === '') return sql;
     const comments = this.comments();
-    return (comments === '' ? '' : comments + ' ') + sql;
+    const limit = this.limit();
+    return (
+      (comments === '' ? '' : comments + ' ') + sql + (limit ? ` ${limit}` : '')
+    );
   }
 
   // Compiles an `insert` query, allowing for multiple
@@ -287,6 +290,12 @@ class QueryCompiler_MySQL extends QueryCompiler {
   }
 }
 
+// MySQL supports LIMIT on single-table DELETE statements.
+QueryCompiler_MySQL.prototype.invalidClauses = {
+  delete: ['having'],
+  truncate: ['where', 'having', 'limit'],
+};
+
 // Set the QueryBuilder & QueryCompiler on the client object,
 // in case anyone wants to modify things to suit their own purposes.
 module.exports = QueryCompiler_MySQL;

package/lib/dialects/postgres/index.js

@@ -174,7 +174,9 @@ class Client_PG extends Client {
       path = [path];
     }
 
-    path = path.map((schemaName) => `"${schemaName}"`).join(',');
+    path = path
+      .map((schemaName) => `"${schemaName.replace(/"/g, '""')}"`)
+      .join(',');
 
     return new Promise(function (resolver, rejecter) {
       connection.query(`set search_path to ${path}`, function (err) {

package/lib/dialects/sqlite3/query/sqlite-querycompiler.js

@@ -42,14 +42,16 @@ class QueryCompiler_SQLite3 extends QueryCompiler {
         insertValues[0] &&
         isEmpty(insertValues[0])
       ) {
-        return {
-          sql: sql + this._emptyInsertValue,
-        };
+        sql += this._emptyInsertValue;
+        const { returning } = this.single;
+        if (returning) sql += this._returning(returning);
+        return { sql, returning };
       }
     } else if (typeof insertValues === 'object' && isEmpty(insertValues)) {
-      return {
-        sql: sql + this._emptyInsertValue,
-      };
+      sql += this._emptyInsertValue;
+      const { returning } = this.single;
+      if (returning) sql += this._returning(returning);
+      return { sql, returning };
     }
 
     const insertData = this._prepInsert(insertValues);

package/lib/query/querycompiler.js

@@ -48,7 +48,7 @@ const methodAliases = {
   first: 'select',
   pluck: 'select',
 };
-const invalidClauses = {
+const defaultInvalidClauses = {
   delete: ['having', 'limit'],
   truncate: ['where', 'having', 'limit'],
 };
@@ -77,9 +77,12 @@ class QueryCompiler {
     this.builder = this.formatter.builder;
   }
 
-  // Categorically refuse to execute certain queries that have defined certain clause groups
+  // Categorically refuse to execute certain queries that have defined certain clause groups.
   // For example, if a "having" clause is defined but we're executing a "delete" query, that
   // is never valid in any of the supported dialects.
+  //
+  // Dialects override `invalidClauses` on the prototype to adjust which clauses are
+  // disallowed for each verb (e.g. MySQL allows `limit` on `delete`).
   _preValidate() {
     // Query builders don't really store the SQL verb they expect to generate; this would
     // be nicer if we could avoid the fanout of "call an arbitrary method on one of a dozen
@@ -87,12 +90,13 @@ class QueryCompiler {
     // methods used by the codebase for now.
     const method = this.method;
     const verb = hasOwn(methodAliases, method) ? methodAliases[method] : method;
-    if (!hasOwn(invalidClauses, verb)) return;
+
+    const invalid = this.invalidClauses[verb];
+    if (!invalid) return;
 
     // For certain verbs, certain clauses just don't exist / aren't supported. The list
     // here is intentionally not complete; it's just checking the things that allow users
     // to make dangerous errors.
-    const invalid = invalidClauses[verb];
     for (let i = 0; i < invalid.length; i++) {
       const clause = invalid[i];
 
@@ -1631,4 +1635,6 @@ class QueryCompiler {
   }
 }
 
+QueryCompiler.prototype.invalidClauses = defaultInvalidClauses;
+
 module.exports = QueryCompiler;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "knex",
-  "version": "3.2.8",
+  "version": "3.2.9",
   "description": "A batteries-included SQL query & schema builder for PostgresSQL, MySQL, CockroachDB, MSSQL and SQLite3",
   "main": "knex.js",
   "types": "types/index.d.ts",

package/types/index.d.ts

@@ -501,6 +501,7 @@ declare namespace Knex {
     | Array<Date>
     | Array<boolean>
     | Buffer
+    | Array<Buffer>
     | Record<string, unknown>
     | Knex.Raw;