ZenStack Release v1.2.0

Features

• TanStack Query V5 support! In the plugin configuration, set the "version" field to "v5" to generate targeting V5. #780
• Support for using a custom model (marked with @@auth attribute) to resolve auth() function in access policies. Previously it was required to have a model named "User". #774

Improvements and Fixes

• VSCode extension: make ZModel's syntax highlighting more consistent with Prisma extension #791

• Improved automatic query invalidation for TanStack Query and SWR hooks. #698

  • Upon mutation, queries with nested read will also be invalidated if the nested reading part is potentially affected by the mutation.

    E.g., creating a Post will invalidate queries like useFindUniqueUser({ where: { id }, include: { posts: true } }).

  • Upon deletion, "cascade" relation settings will be respected, and queries involving models that're indirectly deleted due to cascade will also be invalidated.

    E.g., creating a User will invalidate queries like useFindManyPost() if the User <-> Post relation specifies cascade deletion.

• A getQueryKey helper function is generated together with TanStack/SWR hooks for computing the query key given a query operation and args. #697

New Contributors

• A big ❤️THANK YOU❤️ to @jasonmacdonald for the contribution to this release. Welcome to the contributors family!

Full Changelog: v1.1.1...v1.2.0

ZenStack Release v1.1.1

Fixes and Improvements

• Fixed incorrect policy injection for certain nested create/update/upsert #764
• Fixed runtime exception when an update payload contains fields with undefined values

Full Changelog: v1.1.0...v1.1.1

ZenStack Release v1.1.0

Features

• Server adapter for Nuxt V3! docs
• @zenstackhq/tanstack-query plugin now supports "vue" target. You can use it with the Nuxt server adapter for Vue.js-based full-stack development docs. Checkout the todo sample.
• Support configuring what models to include for zod and trpc plugins. Please beware that even with a list of models specified for the "zod" plugin, during generation it'll traverse and include all referenced models recursively. trpc-docs zod-docs #728

Fixes and Improvements

• Upgrading Zod dependency to the latest "3.22.4" release. Older Zod is vulnerable to ReDos attack. Please consider upgrading Zod dependency in your project as well.
• ZModel: added missing Max enum declaration and extra parameter to the @default attribute for MSSQL #724
• ZModel: allow models without field declarations #734
• ZModel: support using "view" and "import" as declarations names #735
• ZModel: support using string literal as keys in object expressions #744
• ZModel: report errors when member access is made on an array field #756
• OpenAPI: do not generate "id" field in create input if the field has default value #736
• TRPC: added "eslint ignore" comment generation for helper.ts #753
• Added "model-meta" and "policy" entries to "package.json" of the generated ".zenstack" package for better compatibility #755

New Contributors

• Welcome our new contributor @Lordfirespeed 👏👏👏

Full Changelog: v1.0.2...v1.1.0

ZenStack Release v1.0.2

What's Changed

• Fixing an incorrect version dependency from zenstack package to @zenstackhq/runtime.

Full Changelog: v1.0.1...v1.0.2

ZenStack Release v1.0.1

Yes, ZenStack is V1 now 🎉!

What's Changed

• Fixed policy generation error when using collection predicate expressions in field-level access policies #703
• Fixed wrong query injection when nesting a create inside update #714
• Support Postgres extensions #713
• Tighten up ZModel validation for comparing scalar values against array values (==, !=) #704
• Added missing package.json exports for "@zenstackhq/runtime/zod/objects" by @abdullahahmeda

This marks our first stable release 🎉! Thank everyone for the great support along the way!

What's next?

• ZenStack will start to follow semver
• We'll continue iterating minor and patch versions on the V1 track while avoiding breaking changes and major/risky changes
• We're working on a V2 roadmap and will share it with the community soon

Full Changelog: v1.0.0-beta.23...v1.0.1

ZenStack Release v1.0.0-beta.23

New Features

• @zenstackhq/tanstack-query and @zenstackhq/swr plugins now generate Infinite findMany queries for supporting easier pagination. See documentation for tanstack-query and swr.

Fixes and Improvements

• Upgraded Prisma V4 dependencies to address a security audit warning
• Fixed the issue that the generated trpc code is not properly processed by vite
• More precise Zod typing when refinement is applied by @tlancina #676
• Fixed code generation error when there're unused enums in ZModel #674
• Make sure fastify plugin always return a reply to avoid stalling requests by @NeoN0x #684
• Added missing exports to "@zenstackhq/tanstack-query" package
• Fixed incorrect count result when complex policy conditions and where filters are mixed #689
• Exception thrown by enhanced PrismaClient now carries raw ZodError if the failure is due to zod validation #682
• Added "noUncheckedInput" option to zod plugin to turn off generation of "Unchecked" Prisma input types #681
• zenstack generate command now gives a warning if ZenStack packages of mismatched versions are detected #547
• zenstack generate command now checks for newer versions and prompts #175
• New CLI command line options:
  • "-o, --output": set the default output directory for the built-in plugins
  • "--no-default-plugins": turns off automatic running of built-in plugins
  • "--no-compile": turns off automatic compilation of code generated by built-in plugins
• enhance API now has a new loadPath option to load model metadata, policies and zod schemas from a custom location.

New Contributors

• @tlancina made their first contribution in #678
• @NeoN0x made their first contribution in #685

A big ❤️ THANK YOU ❤️ for the great contribution from @tlancina and @NeoN0x !

Full Changelog: v1.0.0-beta.21...v1.0.0-beta.23

ZenStack Release v1.0.0-beta.21

New Features

• TRPC plugin now generates more flexible typings for routers and allows you to merge your own routers without breaking their typing - by @mateus-p , an example scenario here
• Zod plugin now exports detailed Prisma input object schemas through @zenstackhq/runtime/zod/objects #647 - by @abdullahahmeda
• Add support for Prisma's fluent API #401
• TRPC plugin now generates the (previously missing) count procedure #618
• ZModel schema now allows escaping characters in string literals with backslashes #416

Fixes and Improvements

• @zenstackhq/server how has explicit "exports" in package.json, making it more friendly to bundlers - by @krist7599555
• Fixed zod and openapi generation issue when Prisma's "fullTextSearch" preview feature is enabled #650
• Fixed the problem that very small float number literal is output as "e-notation" in generated Prisma schema #646 with help from @sitch
• Fixed incorrect zod schema generation when field-validation attributes (@gt etc.) are used on Decimal fields #657
• Auxiliary fields (zenstack_guard and zenstack_transaction) previously generated into Prisma schema are finally removed!
• Policy generation errors when this keyword is used in field-level policy rules #665

Breaking Changes

• Not really breaking, but may be surprising. The zenstack_guard and zenstack_transaction fields previously generated by ZenStack are not used anymore and have been removed. This will cause changes in the generated Prisma schema, and you can choose to create a new migration file to sync the changes to the database.
• ZenStack CLI now does more strict checking on "==" and "!=" operators in policy rules. If you compare incompatible fields (e.g., fields of relation to different models), the CLI will emit errors.

New Contributors

Big ❤️ THANK YOU ❤️ to our amazing new contributors! @mateus-p @abdullahahmeda @krist7599555

We're very close to a V1 release now!!!

---

Full Changelog: v1.0.0-beta.20...v1.0.0-beta.21

ZenStack Release v1.0.0-beta.20

New Features

1. Field-level access policies

You can now use @allow and @deny attributes to attach access policies to fields (for "read" and "update" operations" only). Non-readable fields will be omitted when returned, and non-updatable fields will cause rejection if they're included as part of an update.

E.g.:

model Post {
    id Int @id
    private Boolean @default(false)
    title String @allow("read", !private)
}

More details here.

2. Comparing fields in access policy rules

You can now compare fields (of the current model) in access policy rules. Such comparison is compiled down to Prisma's field reference.

E.g.:

model Foo {
    id Int @id
    x Int
    y Int
    @@allow("read", x > y)
}

3. Access policies support for Prisma Pulse

If you use an enhanced client to subscribe to Prisma Pulse events, the subscription will also be injected (with "read" policy rules) so that only readable events will be notified.

Fixes and Improvements

• Zode code generation issue when there're multiple fields of the same enum type #632
• Policy injection accidentally overwrites user-provided filters #634
• Incorrect typing of generated policy definitions #639
• Incorrect code generation for models not using Pascal casing

Btw, Prisma 5.2 has been released, and ZenStack now fully supports this version. If you're using Prisma 5, please make sure to upgrade.

Full Changelog: v1.0.0-beta.18...v1.0.0-beta.20

ZenStack Release v1.0.0-beta.18

What's Changed

• Fixed incorrect filter injection for nested reads #624
• Fixed incorrect injection to create call when policy rules reference foreign keys #627
• Added runtime check and throws error when creating enhanced PrismaClient with user context but the user object doesn't have id field(s) #599

Breaking Changes

Related to the fix to issue #599 , previously if you call enhance (or withPolicy) with a user context without id field like:

const db = enhance(prisma, { user: {} });

it worked as if you passed in undefined user, and the policy engine treated it like an anonymous user. This behavior caused some users to accidentally provide anonymous users without being aware of it.

With the fix, such a call will result in an error thrown, complaining that you must pass in id fields. To represent an anonymous user, you can pass undefined user or an undefined context:

const db = enhance(prisma);

Full Changelog: v1.0.0-beta.16...v1.0.0-beta.18

ZenStack Release v1.0.0-beta.16

What's Changed

• New enhance API

  Added a new enhance API as a replacement to withPresets, which includes all essential enhancements to PrismaClient. The withPresets API, found to have a confusing name by many, will be deprecated in a future release.

• Policy check refactor and performance improvement

  This release contains a major refactor to the access policy engine, bringing two significant improvements:

  • The new engine doesn't rely on the auxiliary fields (zenstack_guard & zenstack_transaction) for policy checks anymore. The aux fields are still generated in this release but will be removed in a future one.
  • Performance improvements, especially for the nested read of to-one relationships. Now read filtering is fully done with query injection and never does post-read checks.

• Fixed incorrect relation ownership analysis for self-relations. #609

Breaking Changes

• Requires Prisma minimum version 4.8.0

  The minimum supported Prisma version is increased to 4.8.0. This is mainly for being able to filter nullable to-one relations during query (so we don't need to do post-read filtering). A warning will be printed when you run CLI to create an enhanced PrismaClient at runtime if a lower Prisma version is detected.

• Policy check behavior changes when reading with an enhanced PrismaClient

  In the new release, read queries (findXXX, aggregate, count, groupBy) never throws rejection errors due to access policy violations. They behave as if the rows not satisfying "read" policies don't exist.

  Attention should be made to reading nested "to-one" relations since the behavior changes in this release.

  • Non-nullable to-one relations
    In previous releases, if you nested-read a non-nullable to-one relation, if that relation fails the policy check, the entire read will be rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the top-level read to be filtered out. E.g.:

    const post = await db.post.findUnique({ where: id, include: { author: true } });
    // In previous releases, if `author` is not readable, the call results in an error thrown.
    // In the new release, it'll return null (as if the top-level `post` read is filtered) 

  • Nullable to-one relations
    In previous releases, if you nested-read a nullable to-one relation, if that relation fails the policy check, the entire read will be rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the relation field to be set null. E.g.:

    const user = await db.user.findUnique({ where: id, include: { profile: true } });
    // In previous releases, if `profile` is not readable, the call results in an error thrown.
    // In the new release, the read will succeed (as long as `user` is readable`) and the `profile` field will be set null

Full Changelog: v1.0.0-beta.10...v1.0.0-beta.16