chore(deps): bump drizzle-orm from 1.0.0-beta.16-ea816b6 to 1.0.0-beta.20 in /packages/opencode

[dependabot]

Bumps drizzle-orm from 1.0.0-beta.16-ea816b6 to 1.0.0-beta.20.

Release notes

Sourced from drizzle-orm's releases.

1.0.0-beta.20

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

v1.0.0-beta.19

New Features

sqlcommenter support for PostgreSQL and MySQL

You can now add custom tags to the query. These tags will be appended to the end of each query, helping the database add metadata/tags to it. This will be especially useful with PlanetScale’s new Database Traffic Control feature

// raw string support
db.select().from().comment("key='val'");
db.select().from().comment("my_first_tag");
// developer friendly dedicated to tags
db.select().from().comment({ key: 'val' });

Example:

db.select().from(comments).comment({ priority: 'high', category: "analytics" });

select "id", "name" from "comments" /*priority='high',category='analytics'*/

The only limitation is that you can't use comments with a prepared statement:

// can't be used
const p = db.select().from().prepare();
// ❌
p.comment({ key: 'val' }).execute();

Bug fixes

• Fixed error message for the defineRelations function
• [BUG]: drizzle-kit push attempts to drop policies in excluded schemas (e.g. cron) despite schemaFilter: ["public"]
• [BUG]: error attempting to drizzle-kit migrate table with char array field generated using drizzle-kit generate
• [BUG]: Ignore Vim *.swp files in drizzle-kit generate
• [BUG]: drizzle-kit pull outputs access method name instead of operator class for ivfflat indexes
• [BUG]: drizzle-kit pull generates not enough data provided to build the relation
• drizzle-kit push fails with Turso/libSQL on table recreation: "cannot commit - no transaction is active"
• [BUG]: Cannot read properties of undefined (reading 'requestLayout') when running drizzle-kit introspect (MySQL)

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade drizzle-orm to 1.0.0-beta.20 in packages/opencode to pull in the fix for unsafe escaping in sql.identifier() and sql.as(). This addresses a potential SQL injection risk and includes recent bug fixes and optional sqlcommenter support.

• Dependencies
  • Bumped drizzle-orm from 1.0.0-beta.16-ea816b6 to 1.0.0-beta.20 in dependencies and overrides.

^{Written for commit 8e4e70a. Summary will update on new commits.}

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[github-actions]

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

• PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

[github-actions]

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

1. Open an issue describing the bug/feature (if one doesn't exist)
2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/opencode/package.json">

<violation number="1" location="packages/opencode/package.json:50">
P2: `drizzle-kit` is still pinned to `1.0.0-beta.16-ea816b6` while `drizzle-orm` is bumped to `1.0.0-beta.20`. These packages are released in lockstep and the beta.19 release notes include drizzle-kit bug fixes that depend on matching ORM internals. The version skew can break `bun run db generate` or `bun run db push`. Bump `drizzle-kit` to `1.0.0-beta.20` as well.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: drizzle-kit is still pinned to 1.0.0-beta.16-ea816b6 while drizzle-orm is bumped to 1.0.0-beta.20. These packages are released in lockstep and the beta.19 release notes include drizzle-kit bug fixes that depend on matching ORM internals. The version skew can break bun run db generate or bun run db push. Bump drizzle-kit to 1.0.0-beta.20 as well.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/opencode/package.json, line 50:

<comment>`drizzle-kit` is still pinned to `1.0.0-beta.16-ea816b6` while `drizzle-orm` is bumped to `1.0.0-beta.20`. These packages are released in lockstep and the beta.19 release notes include drizzle-kit bug fixes that depend on matching ORM internals. The version skew can break `bun run db generate` or `bun run db push`. Bump `drizzle-kit` to `1.0.0-beta.20` as well.</comment>

<file context>
@@ -47,7 +47,7 @@
     "@typescript/native-preview": "catalog:",
     "drizzle-kit": "1.0.0-beta.16-ea816b6",
-    "drizzle-orm": "1.0.0-beta.16-ea816b6",
+    "drizzle-orm": "1.0.0-beta.20",
     "duckdb": "1.4.4",
     "playwright-core": "1.58.2",
</file context>