build(deps): bump drizzle-orm from 0.45.1 to 0.45.2 in /frontend in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /frontend directory: drizzle-orm.

Updates drizzle-orm from 0.45.1 to 0.45.2

Release notes

Sourced from drizzle-orm's releases.

0.45.2

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

Commits

• 273c780 + 0.45.2 (#5534)
• 4aa6ecf Kit updates (#5490)
• e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Upgrades the ORM dependency, which can subtly affect SQL generation/runtime behavior; however it is a patch-level update primarily addressing escaping/security issues.

Overview
Updates frontend to use drizzle-orm 0.45.2 (from 0.45.1) and refreshes pnpm-lock.yaml accordingly.

The lockfile update also rolls forward several transitive frontend build/runtime packages (notably codemirror-related packages, browserslist/caniuse data, and some webpack/terser toolchain entries) as part of dependency resolution.

^{Reviewed by Cursor Bugbot for commit 9d3103d. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[greptile-apps]

Greptile Summary

This PR bumps drizzle-orm from 0.45.1 to 0.45.2 in the frontend package. The patch release is a security fix addressing a SQL injection vulnerability (CWE-89) in sql.identifier() and sql.as() — previously, values passed to these functions were not properly escaped. The pnpm-lock.yaml also picks up several minor transitive dependency updates (CodeMirror packages, lezer packages, browserslist, terser, etc.) as part of the resolution.

• Security patch: fixes improper escaping in sql.identifier() / sql.as() (CWE-89 SQL injection)
• No usage of sql.identifier() or sql.as() was found in the codebase, so direct exploit surface is minimal, but the fix is still worth applying
• Transitive lock-file updates (CodeMirror, lezer, browserslist, terser) are incidental and low-risk

Confidence Score: 5/5

Safe to merge — this is a targeted security patch with no breaking changes and no direct exploit surface in the existing codebase.

Patch-level version bump that fixes a SQL injection CVE. The codebase has no calls to the affected sql.identifier() or sql.as() APIs, so there is no functional risk. Transitive lock-file updates are minor and low-risk. No code changes, no logic changes, no API surface modified.

No files require special attention.

Vulnerabilities

• This update specifically fixes a SQL injection vulnerability (CWE-89) in drizzle-orm's sql.identifier() and sql.as() helpers (prior to 0.45.2, user-supplied values were not properly escaped).
• A search of the frontend codebase found no direct calls to sql.identifier() or sql.as(), so the immediate exploit surface within this repo is limited, but upgrading eliminates the risk if such calls are added in the future.
• No new security concerns introduced by this PR.

Important Files Changed

Filename	Overview
frontend/package.json	Bumps drizzle-orm specifier from ^0.45.1 to ^0.45.2 — a security patch release fixing SQL injection in sql.identifier()/sql.as()
frontend/pnpm-lock.yaml	Lockfile updated to resolve drizzle-orm@0.45.2 and picks up minor transitive bumps for CodeMirror, lezer, browserslist, and terser packages

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["drizzle-orm 0.45.1\n(vulnerable)"] -->|"CWE-89: sql.identifier()\nand sql.as() not\nproperly escaped"| B["SQL Injection Risk"]
    C["drizzle-orm 0.45.2\n(patched)"] -->|"Proper escaping\napplied"| D["SQL Injection Fixed"]
    E["This PR"] -->|"Bumps version"| C
    B -.->|"Not directly exploited\nin this codebase\n(no sql.identifier/sql.as usage found)"| F["Minimal immediate\nexploit surface"]

Loading

_{Reviews (1): Last reviewed commit: "build(deps): bump drizzle-orm" | Re-trigger Greptile}