guardian · dependabot · Feb 9, 2026 · Feb 10, 2026 · Feb 12, 2026 · Feb 12, 2026
@@ -107,6 +107,8 @@ jobs:
 
       - name: perform a DEV database migration
         run: npm -w cli start migrate -- --stage DEV
+        env:
+          DATABASE_URL: postgresql://postgres:not_at_all_secret@localhost:5432/postgres
 
       - name: basic database tests
         run: psql -d postgresql://postgres:not_at_all_secret@localhost:5432/postgres -v ON_ERROR_STOP=1 -f sql/ci.sql

@@ -1,6 +1,7 @@
 # Created by https://www.toptal.com/developers/gitignore/api/node,macos,intellij,visualstudiocode,go
 # Edit at https://www.toptal.com/developers/gitignore?templates=node,macos,intellij,visualstudiocode,go
 
+packages/common/src/prisma-client
 ### Go ###
 # If you prefer the allow list template instead of the deny list, see community template:
 # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore

@@ -3,6 +3,9 @@ import prettier from 'eslint-plugin-prettier';
 import eslintPluginUnicorn from 'eslint-plugin-unicorn';
 
 export default [
+	{
+		ignores: ['**/*/dist/**', 'packages/common/src/prisma-client/**'],
+	},
 	...guardian.configs.recommended,
 	...guardian.configs.jest,
 	{
@@ -14,6 +17,5 @@ export default [
 			'prettier/prettier': 'error',
 			'unicorn/prefer-array-flat-map': 'error',
 		},
-		ignores: ['**/*/dist/**'],
 	},
 ];
@@ -22399,6 +22399,7 @@ spec:
                 "Endpoint.Address",
               ],
             },
+            "NODE_EXTRA_CA_CERTS": "/var/runtime/ca-cert.pem",
             "QUERY_LOGGING": "false",
             "STACK": "deploy",
             "STAGE": "PROD",
@@ -22732,6 +22733,7 @@ spec:
                 "Endpoint.Address",
               ],
             },
+            "NODE_EXTRA_CA_CERTS": "/var/runtime/ca-cert.pem",
             "QUERY_LOGGING": "false",
             "STACK": "deploy",
             "STAGE": "PROD",
@@ -23144,6 +23146,7 @@ spec:
                 "Endpoint.Address",
               ],
             },
+            "NODE_EXTRA_CA_CERTS": "/var/runtime/ca-cert.pem",
             "QUERY_LOGGING": "false",
             "STACK": "deploy",
             "STAGE": "PROD",
@@ -23873,6 +23876,7 @@ spec:
                 "Endpoint.Address",
               ],
             },
+            "NODE_EXTRA_CA_CERTS": "/var/runtime/ca-cert.pem",
             "QUERY_LOGGING": "false",
             "STACK": "deploy",
             "STAGE": "PROD",
@@ -24192,6 +24196,7 @@ spec:
                 "Endpoint.Address",
               ],
             },
+            "NODE_EXTRA_CA_CERTS": "/var/runtime/ca-cert.pem",
             "QUERY_LOGGING": "false",
             "STACK": "deploy",
             "STAGE": "PROD",
@@ -25616,6 +25621,7 @@ spec:
                 "Endpoint.Address",
               ],
             },
+            "NODE_EXTRA_CA_CERTS": "/var/runtime/ca-cert.pem",
             "QUERY_LOGGING": "false",
             "STACK": "deploy",
             "STAGE": "PROD",
@@ -28535,6 +28541,7 @@ spec:
             "INTERACTIVE_MONITOR_TOPIC_ARN": {
               "Ref": "TopicBFC7AF6E",
             },
+            "NODE_EXTRA_CA_CERTS": "/var/runtime/ca-cert.pem",
             "QUERY_LOGGING": "false",
             "STACK": "deploy",
             "STAGE": "PROD",

@@ -50,6 +50,7 @@ export class CloudBuster {
 				DATABASE_HOSTNAME: db.dbInstanceEndpointAddress,
 				QUERY_LOGGING: 'false',
 				CUT_OFF_IN_DAYS: digestCutOffInDays.toString(),
+				NODE_EXTRA_CA_CERTS: '/var/runtime/ca-cert.pem',
 			},
 			timeout: Duration.minutes(2),
 			memorySize: 512,

@@ -35,6 +35,7 @@ export function addCloudqueryUsageLambda(
 			DATABASE_HOSTNAME: db.dbInstanceEndpointAddress,
 			QUERY_LOGGING: 'false', // Set this to 'true' to enable SQL query logging
 			CQ_API_KEY_PATH: cloudqueryApiKey.secretName,
+			NODE_EXTRA_CA_CERTS: '/var/runtime/ca-cert.pem',
 		},
 		rules: [
 			{

@@ -68,6 +68,7 @@ export function addDataAuditLambda(scope: GuStack, props: DataAuditProps) {
 		environment: {
 			DATABASE_HOSTNAME: db.dbInstanceEndpointAddress,
 			QUERY_LOGGING: 'false', // Set this to 'true' to enable SQL query logging,
+			NODE_EXTRA_CA_CERTS: '/var/runtime/ca-cert.pem',
 		},
 		monitoringConfiguration: { noMonitoring: true },
 		rules: [

@@ -33,6 +33,7 @@ export function addGithubActionsUsageLambda(
 		environment: {
 			DATABASE_HOSTNAME: db.dbInstanceEndpointAddress,
 			QUERY_LOGGING: 'false', // Set this to 'true' to enable SQL query logging
+			NODE_EXTRA_CA_CERTS: '/var/runtime/ca-cert.pem',
 		},
 		runtime: Runtime.NODEJS_20_X,
 		timeout: Duration.minutes(10),

@@ -31,6 +31,7 @@ export class Obligatron {
 			environment: {
 				DATABASE_HOSTNAME: db.dbInstanceEndpointAddress,
 				QUERY_LOGGING: 'false', // Set this to 'true' to enable SQL query logging
+				NODE_EXTRA_CA_CERTS: '/var/runtime/ca-cert.pem',
 			},
 			timeout: Duration.minutes(5),
 			// Unfortunately Prisma doesn't support streaming data from Postgres at the moment https://github.com/prisma/prisma/issues/5055

@@ -33,6 +33,7 @@ export function addRefreshMaterializedViewLambda(
 		environment: {
 			DATABASE_HOSTNAME: db.dbInstanceEndpointAddress,
 			QUERY_LOGGING: 'false', // Set this to 'true' to enable SQL query logging
+			NODE_EXTRA_CA_CERTS: '/var/runtime/ca-cert.pem',
 		},
 		runtime: Runtime.NODEJS_20_X,
 		timeout: Duration.minutes(10),

@@ -61,6 +61,7 @@ export class Repocop {
 				GITHUB_ORG: gitHubOrg,
 				CUT_OFF_IN_DAYS: digestCutOffInDays.toString(),
 				BRANCH_PROTECTION_ENABLED: 'true',
+				NODE_EXTRA_CA_CERTS: '/var/runtime/ca-cert.pem',
 			},
 			vpc,
 			securityGroups: [dbSecurityGroup],

@@ -19,7 +19,8 @@ export async function migrateDevDatabase(): Promise<number> {
 	);
 
 	console.log(`Running prisma migrate reset --force`);
-	const { stdout } = await $`npx -w common prisma migrate reset --force`;
+	const { stdout } =
+		await $`npx -w common prisma migrate reset --force --config prisma.config.ts --schema prisma/schema.prisma`;
 	console.log(stdout);
 
 	console.log('Running prisma db pull to update schema.prisma');

@@ -3,7 +3,8 @@
 	"version": "1.0.0",
 	"type": "module",
 	"scripts": {
-		"build": "esbuild src/index.ts --bundle --platform=node --target=node20 --outdir=dist --external:@aws-sdk --external:@prisma/client --external:prisma",
+		"build": "esbuild src/index.ts --bundle --platform=node --target=node20 --outdir=dist --external:@aws-sdk --external:@prisma/client --external:prisma  --format=esm --banner:js=\"import { createRequire } from 'module'; const require = createRequire(import.meta.url);\"",
+		"postbuild": "cp package.json dist/package.json",
 		"start": "APP=cloudbuster CUT_OFF_IN_DAYS=60 tsx src/run-locally.ts",
 		"test": "node --import tsx --test \"**/*.test.ts\"",
 		"typecheck": "tsc --noEmit"

@@ -1,6 +1,6 @@
 import assert from 'assert';
 import { describe, it } from 'node:test';
-import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
+import type { cloudbuster_fsbp_vulnerabilities } from 'common/prisma-client/client.js';
 import type { SecurityHubSeverity } from 'common/types.js';
 import {
 	createDigestForAccount,

@@ -4,7 +4,7 @@ import type {
 	Anghammarad,
 	AnghammaradNotification,
 } from '@guardian/anghammarad';
-import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
+import type { cloudbuster_fsbp_vulnerabilities } from 'common/prisma-client/client.js';
 import { stringToSeverity } from 'common/src/functions.js';
 import { logger } from 'common/src/logs.js';
 import type { SecurityHubSeverity, Severity } from 'common/src/types.js';

@@ -1,6 +1,6 @@
 import assert from 'assert';
 import { describe, it } from 'node:test';
-import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
+import type { cloudbuster_fsbp_vulnerabilities } from 'common/prisma-client/client.js';
 import type { SecurityHubFinding } from 'common/types.js';
 import {
 	findingsToGuardianFormat,

@@ -1,4 +1,4 @@
-import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
+import type { cloudbuster_fsbp_vulnerabilities } from 'common/prisma-client/client.js';
 import { isWithinSlaTime, stringToSeverity } from 'common/src/functions.js';
 import type { SecurityHubFinding } from 'common/src/types.js';
 import type { GroupedFindings } from './types.js';

@@ -1,8 +1,8 @@
 import { SNSClient } from '@aws-sdk/client-sns';
 import { Anghammarad } from '@guardian/anghammarad';
-import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
 import { awsClientConfig } from 'common/aws.js';
 import { logger } from 'common/logs.js';
+import type { cloudbuster_fsbp_vulnerabilities } from 'common/prisma-client/client.js';
 import { getFsbpFindings } from 'common/src/database-queries.js';
 import { getPrismaClient } from 'common/src/database-setup.js';
 import type { SecurityHubSeverity } from 'common/src/types.js';

@@ -1,5 +1,5 @@
 import type { Action } from '@guardian/anghammarad';
-import type { cloudbuster_fsbp_vulnerabilities } from '@prisma/client';
+import type { cloudbuster_fsbp_vulnerabilities } from 'common/prisma-client/client.js';
 
 export interface Digest {
 	accountId: string;

@@ -5,7 +5,8 @@
     "test": "node --import tsx --test \"**/*.test.ts\"",
     "start": "APP=cloudquery-usage tsx src/run-locally.ts",
     "prebuild": "rm -rf dist",
-    "build": "esbuild src/index.ts --bundle --platform=node --target=node20 --outdir=dist --external:@prisma/client --external:prisma",
+		"build": "esbuild src/index.ts --bundle --platform=node --target=node20 --outdir=dist --external:@prisma/client --external:prisma  --format=esm --banner:js=\"import { createRequire } from 'module'; const require = createRequire(import.meta.url);\"",
+		"postbuild": "cp package.json dist/package.json",
     "typecheck": "tsc --noEmit"
   },
   "type": "module"

@@ -1,4 +1,7 @@
-import type { cloudquery_plugin_usage, PrismaClient } from '@prisma/client';
+import type {
+	cloudquery_plugin_usage,
+	PrismaClient,
+} from 'common/prisma-client/client.js';
 
 export function saveResults(
 	client: PrismaClient,

@@ -1,6 +1,6 @@
 import assert from 'node:assert';
 import { describe, test } from 'node:test';
-import type { cloudquery_plugin_usage } from '@prisma/client';
+import type { cloudquery_plugin_usage } from 'common/prisma-client/client.js';
 import { usageSummaryToDatabaseRows } from './transform.js';
 import type { UsageSummaryResponseForPaidRows } from './types.js';
 

@@ -1,4 +1,4 @@
-import type { cloudquery_plugin_usage } from '@prisma/client';
+import type { cloudquery_plugin_usage } from 'common/prisma-client/client.js';
 import type { UsageSummaryResponseForPaidRows } from './types.js';
 
 export function usageSummaryToDatabaseRows(

@@ -6,7 +6,7 @@
 		"node": ">=18"
 	},
 	"scripts": {
-		"postinstall": "prisma generate",
+		"postinstall": "npx prisma generate",
 		"test": "node --import tsx --test \"**/*.test.ts\"",
 		"typecheck": "tsc"
 	},
@@ -17,13 +17,14 @@
 		"@aws-sdk/rds-signer": "^3.1000.0",
 		"@octokit/auth-app": "^8.2.0",
 		"@octokit/graphql": "^9.0.3",
+		"@prisma/adapter-pg": "^7.3.0",
+		"@prisma/client": "^7.3.0",
 		"octokit": "^5.0.5",
-		"octokit-plugin-create-pull-request": "^6.0.1",
-		"@prisma/client": "^6.19.0"
+		"octokit-plugin-create-pull-request": "^6.0.1"
 	},
 	"devDependencies": {
-		"prisma": "^6.19.0",
 		"@octokit/types": "^16.0.0",
-		"@types/aws-lambda": "^8.10.161"
+		"@types/aws-lambda": "^8.10.161",
+		"prisma": "^7.3.0"
 	}
-}
+}
@@ -1,8 +1,21 @@
 import path from 'node:path';
+import { loadEnvFile } from 'node:process';
 import { defineConfig } from 'prisma/config';
+import { getDatabaseConnectionString } from 'common/src/database-setup.js';
+
+if (process.env.STAGE !== 'PROD' && process.env.STAGE !== 'CODE') {
+	loadEnvFile(path.resolve('../../.env'));
+}
 
 export default defineConfig({
 	schema: path.join('prisma', 'schema.prisma'),
+	datasource: {
+		url: getDatabaseConnectionString({
+			hostname: process.env.DATABASE_HOSTNAME as string,
+			user: process.env.DATABASE_USER as string,
+			password: process.env.DATABASE_PASSWORD as string,
+		}),
+	},
 	migrations: {
 		path: path.join('prisma', 'migrations'),
 	},

@@ -1,12 +1,12 @@
 generator client {
-  provider        = "prisma-client-js"
+  provider        = "prisma-client"
+  output          = "../src/prisma-client"
   previewFeatures = ["views"]
   binaryTargets   = ["native", "linux-arm64-openssl-3.0.x"]
 }
 
 datasource db {
   provider = "postgresql"
-  url      = env("DATABASE_URL")
 }
 
 model aws_cloudformation_stacks {

@@ -2,7 +2,7 @@ import type {
 	aws_securityhub_findings,
 	PrismaClient,
 	view_repo_ownership,
-} from '@prisma/client';
+} from 'common/prisma-client/client.js';
 import { toNonEmptyArray } from './functions.js';
 import type {
 	NonEmptyArray,

@@ -1,7 +1,9 @@
 import { Signer } from '@aws-sdk/rds-signer';
-import { PrismaClient } from '@prisma/client';
-import { awsClientConfig } from 'common/aws.js';
-import { getEnvOrThrow } from 'common/functions.js';
+import { PrismaPg } from '@prisma/adapter-pg';
+import { config } from 'dotenv';
+import { awsClientConfig } from 'common/src/aws.js';
+import { getEnvOrThrow } from 'common/src/functions.js';
+import { PrismaClient } from 'common/src/prisma-client/client.js';
 
 export interface DatabaseConfig {
 	/**
@@ -50,6 +52,8 @@ async function getRdsToken(stage: string, hostname: string, username: string) {
 }
 
 export function getDevDatabaseConfig(): Promise<DatabaseConfig> {
+	config({ path: `../../.env` });
+
 	return Promise.resolve({
 		hostname: getEnvOrThrow('DATABASE_HOSTNAME'),
 		user: getEnvOrThrow('DATABASE_USER'),
@@ -80,12 +84,12 @@ export function getDatabaseConnectionString(config: DatabaseConfig) {
 }
 
 export function getPrismaClient(config: PrismaConfig): PrismaClient {
+	const adapter = new PrismaPg({
+		connectionString: config.databaseConnectionString,
+	});
+
 	return new PrismaClient({
-		datasources: {
-			db: {
-				url: config.databaseConnectionString,
-			},
-		},
+		adapter,
 		...(config.withQueryLogging && {
 			log: [
 				{