sql-render 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +28 -15
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -1,5 +1,10 @@
1
1
  # sql-render
2
2
 
3
+ [![CI](https://github.com/bug3/sql-render/actions/workflows/ci.yml/badge.svg)](https://github.com/bug3/sql-render/actions/workflows/ci.yml)
4
+ [![npm version](https://img.shields.io/npm/v/sql-render)](https://www.npmjs.com/package/sql-render)
5
+ [![license](https://img.shields.io/npm/l/sql-render)](LICENSE)
6
+ [![node](https://img.shields.io/node/v/sql-render)](package.json)
7
+
3
8
  Type-safe `{{variable}}` templating for `.sql` files with built-in injection protection.
4
9
 
5
10
  - Zero runtime dependencies
@@ -45,21 +50,27 @@ const getEvents = defineQuery<{
45
50
  const { sql } = getEvents({
46
51
  tableName: 'prod_events',
47
52
  status: 'active',
48
- startDate: '2024-01-01',
53
+ startDate: '2022-02-22',
49
54
  orderBy: 'created_at',
50
- limit: 100,
55
+ limit: 99,
51
56
  });
52
57
  ```
53
58
 
54
59
  Result:
55
60
 
56
61
  ```sql
57
- SELECT event_id, event_name
58
- FROM prod_events
59
- WHERE status = 'active'
60
- AND created_at >= '2024-01-01'
61
- ORDER BY created_at
62
- LIMIT 100
62
+ SELECT
63
+ event_id,
64
+ event_name
65
+ FROM
66
+ prod_events
67
+ WHERE
68
+ status = 'active'
69
+ AND created_at >= '2022-02-22'
70
+ ORDER BY
71
+ created_at
72
+ LIMIT
73
+ 99
63
74
  ```
64
75
 
65
76
  ## Schema Validation
@@ -80,9 +91,9 @@ const getEvents = defineQuery('./queries/getEvents.sql', {
80
91
  const { sql } = getEvents({
81
92
  tableName: 'prod_events',
82
93
  status: 'active',
83
- startDate: '2024-01-01',
94
+ startDate: '2022-02-22',
84
95
  orderBy: 'created_at',
85
- limit: 100,
96
+ limit: 99,
86
97
  });
87
98
  ```
88
99
 
@@ -91,15 +102,15 @@ const { sql } = getEvents({
91
102
  | Type | Format | Example |
92
103
  |------|--------|---------|
93
104
  | `schema.string` | Any string (with SQL injection check) | `'hello'` |
94
- | `schema.number` | Finite number | `42`, `3.14` |
105
+ | `schema.number` | Finite number | `33`, `3.14` |
95
106
  | `schema.boolean` | `true` / `false` | `true` |
96
- | `schema.isoDate` | `YYYY-MM-DD` | `'2026-04-01'` |
97
- | `schema.isoTimestamp` | ISO 8601 with timezone | `'2026-04-01T13:57:34.000Z'` |
107
+ | `schema.isoDate` | `YYYY-MM-DD` | `'2022-02-22'` |
108
+ | `schema.isoTimestamp` | ISO 8601 with timezone | `'2022-02-22T22:02:22.000Z'` |
98
109
  | `schema.identifier` | SQL identifier (up to `db.schema.table`) | `'public.users'` |
99
110
  | `schema.uuid` | RFC 4122 UUID | `'550e8400-e29b-41d4-a716-446655440000'` |
100
111
  | `schema.positiveInt` | Positive integer | `100` |
101
112
  | `schema.enum(...)` | Whitelist of allowed values | `schema.enum('asc', 'desc')` |
102
- | `schema.s3Path` | S3 URI | `'s3://bucket/path/'` |
113
+ | `schema.s3Path` | S3 URI | `'s3://athena-results/queries/'` |
103
114
 
104
115
  ### Custom Schema Types
105
116
 
@@ -157,7 +168,7 @@ import { SQL_INJECTION_PATTERNS } from 'sql-render';
157
168
  | Schema mismatch | `Schema missing definitions for template variables: [id]` |
158
169
  | Missing params | `Missing variables in params: [tableName, limit]` |
159
170
  | Extra params | `Extra variables not in template: [foo]` |
160
- | Schema validation | `Schema validation failed for 'status'` |
171
+ | Schema validation | `Schema validation failed for 'status': received string ("invalid")` |
161
172
  | Type validation | `SQL injection pattern detected in 'status': ...` |
162
173
  | Null/undefined | `Validation failed for 'key': value cannot be null or undefined` |
163
174
  | Invalid descriptor | `Invalid schema descriptor for 'key': must have a validate(val) method` |
@@ -170,6 +181,8 @@ This is effective for engines that don't support parameterized queries (e.g., At
170
181
 
171
182
  The built-in denylist does not guarantee 100% protection against all SQL injection vectors. For stricter control, define [custom schema types](#custom-schema-types) tailored to your project's specific validation needs.
172
183
 
184
+ To report a vulnerability, see [SECURITY.md](SECURITY.md).
185
+
173
186
  ## sql-formatter Compatibility
174
187
 
175
188
  The `{{variable}}` syntax is fully compatible with [sql-formatter](https://github.com/sql-formatter-org/sql-formatter). A `paramTypes` custom regex is required so that `{{variables}}` containing SQL keywords (e.g. `{{limit}}`) are treated as parameters instead of being parsed as SQL.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "sql-render",
3
- "version": "0.1.3",
3
+ "version": "0.1.4",
4
4
  "description": "Type-safe {{variable}} templating for .sql files with built-in injection protection",
5
5
  "author": "bug3",
6
6
  "repository": {