npm - prisma-generator-express - Versions diffs - 1.26.1 → 1.28.0 - Mend

prisma-generator-express 1.26.1 → 1.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +11 -2
package/dist/generators/generateRouter.js +1 -1
package/package.json +1 -1
package/src/generators/generateRouter.ts +1 -1

package/README.md CHANGED Viewed

@@ -418,6 +418,7 @@ const projectConfig = {
 ```
 A request with `{ where: { title: { contains: 'demo' } } }` produces:
 ```
 WHERE status = 'published'
   AND isDeleted = false
@@ -484,7 +485,7 @@ const userConfig = {
 The client can filter by `title` inside the relation, but `published = true` is always enforced.
-### Select, include, and omit in shapes
+### Select and include in shapes
 Shapes can restrict which response fields and relations the client may request:
 ```ts
@@ -513,6 +514,10 @@ The client can only select from the whitelisted fields and relations. Attempting
 `select` and `include` are mutually exclusive at the same level in both the shape and the client request.
+For read operations, the shape's `select` or `include` serves two roles: it whitelists what the client is allowed to request, and it provides the default projection when the client omits `select`/`include` from the request. If the client sends a request without `select` or `include`, the shape's projection is automatically applied — the client does not need to duplicate the field list. If the client does send `select` or `include`, it is validated against the shape as a whitelist.
+This means a single shape declaration like the example above defines both the security boundary (which fields are allowed) and the default API response shape (which fields are returned when the client doesn't specify).
 ### Nested include with forced where and pagination
 Nested includes on to-many relations support `where`, `orderBy`, `cursor`, `take`, and `skip`:
@@ -573,6 +578,8 @@ const userConfig = {
 The client can include `include` or `select` in the request body. If the shape does not define projection, the client cannot request one. Batch methods (`createMany`, `updateMany`, `deleteMany`) do not support projection.
+For mutations, projection shapes only validate and constrain client-requested projections by default — if the client omits `select`/`include`, Prisma returns the full record. This differs from read operations, where the shape's projection is automatically applied as default. Enable `enforceProjection` in the prisma-guard generator config to always apply mutation projection shapes.
 ### Upsert
 Upsert uses `create` and `update` shape keys instead of `data`:
@@ -796,7 +803,7 @@ app.listen(3000)
 In this setup:
 - Admins can filter by any allowed field, include relations, and take up to 200 rows
-- Viewers can only see published, non-deleted projects with a restricted field set
+- Viewers can only see published, non-deleted projects with a restricted field set — the `select` shape automatically applies as the default projection, so viewer clients don't need to send `select` in the request
 - Create: admins set any allowed field; viewers always create drafts with priority 1
 - Delete: only admins can delete; viewers hitting the delete endpoint get a `CallerError` because there is no `viewer` shape for delete
 - Tenant isolation is automatic — every query is scoped to the tenant from `x-tenant-id`
@@ -855,6 +862,8 @@ Read and single-record write operations support three response shaping parameter
 The `omit` parameter requires Prisma 6.2.0+. On versions 6.0.x–6.1.x, requests using `omit` return 400.
+When using guard shapes, the shape's `select` or `include` defines both the whitelist and the default projection for read operations. See [Select and include in shapes](#select-and-include-in-shapes).
 ## BigInt and Decimal handling
 BigInt and Decimal values are serialized as strings in JSON responses. Buffer and Uint8Array values are serialized as base64 strings. The OpenAPI spec documents BigInt and Decimal fields as `type: string`.

package/dist/generators/generateRouter.js CHANGED Viewed

@@ -127,7 +127,7 @@ export function ${routerFunctionName}(config: RouteConfig = {}) {
   if (qbEnabled) {
     const qbConfig = getQueryBuilderConfig(config)
     if (qbConfig) {
-      import('../queryBuilder.js').then(mod => mod.startQueryBuilder(qbConfig)).catch((err) => { if (_env.NODE_ENV !== 'production') console.warn('[query-builder]', err) })
+      try { require('../queryBuilder').startQueryBuilder(qbConfig) } catch (err) { if (_env.NODE_ENV !== 'production') console.warn('[query-builder]', err) }
     }
   }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "prisma-generator-express",
   "description": "Prisma generator for Hono CRUD API with OpenAPI documentation",
-  "version": "1.26.1",
+  "version": "1.28.0",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "license": "MIT",

package/src/generators/generateRouter.ts CHANGED Viewed

@@ -140,7 +140,7 @@ export function ${routerFunctionName}(config: RouteConfig = {}) {
   if (qbEnabled) {
     const qbConfig = getQueryBuilderConfig(config)
     if (qbConfig) {
-      import('../queryBuilder.js').then(mod => mod.startQueryBuilder(qbConfig)).catch((err) => { if (_env.NODE_ENV !== 'production') console.warn('[query-builder]', err) })
+      try { require('../queryBuilder').startQueryBuilder(qbConfig) } catch (err) { if (_env.NODE_ENV !== 'production') console.warn('[query-builder]', err) }
     }
   }