
fix(deps): bump drizzle-orm to 0.45.2, bump mcp#4251

Closed
waleedlatif1 wants to merge 31 commits into staging from waleedlatif1/dependabot-98

Conversation

Collaborator

@waleedlatif1 waleedlatif1 commented Apr 22, 2026

Summary

  • Bumps drizzle-orm from ^0.44.5 to ^0.45.2 across the monorepo to resolve Dependabot alert #98 (GHSA-gpj5-g38j-94v9 / CVE-2026-39356, High, CVSS 7.5).
  • Affected files: root package.json overrides, apps/sim/package.json (deps + overrides), apps/docs/package.json, packages/db/package.json, and bun.lock.

Vulnerability

Drizzle ORM < 0.45.2 failed to escape embedded identifier delimiters in escapeName() across the PostgreSQL, MySQL, SQLite, SingleStore, and Gel dialects. Untrusted input passed to identifier/alias APIs (e.g. sql.identifier(), .as()) could break out of the quoted identifier and inject SQL — potentially enabling data disclosure, schema enumeration, or destructive operations depending on context.

0.45.2 is the first patched version on the 0.x line.

Test plan

  • bun install regenerates lockfile cleanly with drizzle-orm@0.45.2
  • packages/db tsc --noEmit passes
  • CI: type-check, lint, tests across the monorepo
  • Smoke check: workflows, tables, knowledge base reads/writes against the DB
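The identifier-escaping bug class described in the PR summary, shown as an added TypeScript example; this is not drizzle-orm's code and not the PR author's. The "unsafe" function below is a constructed illustration of an escaper that forgets the embedded delimiter, not the real escapeName() implementation; the function names, the hostile alias string and the allowlist are all constructed for the example. It also shows the check a defender can run on a rendered fragment (is it exactly one delimited identifier?) and an allowlist gate that does not depend on the ORM version at all.

```typescript
// Added example: quoted SQL identifiers and the embedded-delimiter bug class.
// Not drizzle-orm's code; the vulnerable variant is a constructed illustration.

export type Delimiter = '"' | '`';

// Constructed "before": wraps the name but never looks at embedded delimiters,
// so a delimiter inside the name closes the identifier early.
export function quoteIdentifierUnsafe(name: string, delim: Delimiter = '"'): string {
  return `${delim}${name}${delim}`;
}

// Correct quoting: every embedded delimiter is doubled (the SQL rule for
// delimited identifiers), so it can never terminate the identifier.
export function quoteIdentifier(name: string, delim: Delimiter = '"'): string {
  return delim + name.split(delim).join(delim + delim) + delim;
}

// Check on a rendered fragment: true only if the whole string is one delimited
// identifier. Any text after the closing delimiter means the identifier was
// closed early and the remainder would be parsed as SQL.
export function isSingleQuotedIdentifier(fragment: string, delim: Delimiter = '"'): boolean {
  if (fragment.length < 3 || fragment[0] !== delim) return false; // empty identifier is invalid
  let i = 1;
  while (i < fragment.length) {
    if (fragment[i] === delim) {
      if (fragment[i + 1] === delim) { i += 2; continue; } // doubled delimiter: literal char
      return i === fragment.length - 1;                     // closing delimiter must be last
    }
    i++;
  }
  return false; // never closed
}

// Defense in depth independent of the ORM: accept only names that match a
// strict pattern and, where the legal set is known, an allowlist.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
export function assertSafeIdentifier(name: string, allowlist?: ReadonlySet<string>): string {
  if (!IDENT_RE.test(name)) throw new Error(`rejected identifier: ${JSON.stringify(name)}`);
  if (allowlist && !allowlist.has(name)) throw new Error(`identifier not in allowlist: ${name}`);
  return name;
}

// Constructed sample input in the shape of the problem class the PR describes.
export const hostileAlias = 'users"; DROP TABLE users; --';

// Render both variants for the constructed alias and report the check result.
export function demo(): Record<string, boolean> {
  return {
    unsafeLooksLikeOneIdentifier: isSingleQuotedIdentifier(quoteIdentifierUnsafe(hostileAlias)),
    safeLooksLikeOneIdentifier: isSingleQuotedIdentifier(quoteIdentifier(hostileAlias)),
  };
}

console.log(demo());
```

The allowlist gate is the part worth keeping regardless of the dependency bump: a user-supplied column or alias name should be matched against the schema you expect before it ever reaches an identifier API, so that an escaping bug in any layer below has nothing to work with.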

waleedlatif1 and others added 30 commits April 3, 2026 23:30
…ership workflow edits via sockets, ui improvements
…ration, signup method feature flags, SSO improvements
* feat(posthog): Add tracking on mothership abort (#4023)

Co-authored-by: Theodore Li <theo@sim.ai>

* fix(login): fix captcha headers for manual login  (#4025)

* fix(signup): fix turnstile key loading

* fix(login): fix captcha header passing

* Catch user already exists, remove login form captcha
…nts, secrets performance, polling refactors, drag resources in mothership
…endar triggers, docs updates, integrations/models pages improvements
…mat, logs performance improvements

fix(csp): add missing analytics domains, remove unsafe-eval, fix workspace CSP gap (#4179)
fix(landing): return 404 for invalid dynamic route slugs (#4182)
improvement(seo): optimize sitemaps, robots.txt, and core web vitals across sim and docs (#4170)
fix(gemini): support structured output with tools on Gemini 3 models (#4184)
feat(brightdata): add Bright Data integration with 8 tools (#4183)
fix(mothership): fix superagent credentials (#4185)
fix(logs): close sidebar when selected log disappears from filtered list; cleanup (#4186)
v0.6.46: mothership streaming fixes, brightdata integration
Resolves Dependabot alert #98. Drizzle ORM <0.45.2 improperly escaped
quoted SQL identifiers, allowing SQL injection via untrusted input
passed to APIs like sql.identifier() or .as().

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@vercel

vercel Bot commented Apr 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---------|------------|---------|---------------|
| docs | Ready | Preview, Comment | Apr 22, 2026 2:11am |


@cursor

cursor Bot commented Apr 22, 2026

PR Summary

Medium Risk
Primarily a dependency bump, but it upgrades the ORM used for database query generation across multiple apps/packages, which could introduce subtle SQL/typing behavior changes at runtime.

Overview
Updates drizzle-orm to ^0.45.2 across the monorepo (root overrides, apps/sim, apps/docs, and packages/db) and refreshes bun.lock accordingly.

This is a security-motivated bump intended to pick up the upstream fix for identifier escaping in Drizzle ORM.

Reviewed by Cursor Bugbot for commit 25bc827.

@gitguardian

gitguardian Bot commented Apr 22, 2026

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|----------------|--------------------|--------|--------|----------|
| 29606901 | Triggered | Generic High Entropy Secret | a54dcbe | apps/sim/providers/utils.test.ts |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@greptile-apps
Contributor

greptile-apps Bot commented Apr 22, 2026

Greptile Summary

This PR is a targeted security patch that bumps drizzle-orm from ^0.44.5 (resolved 0.44.7) to ^0.45.2 across all five affected manifests and regenerates the lockfile to resolve GHSA-gpj5-g38j-94v9 (SQL identifier-injection via unescaped delimiter in escapeName()). The version range ^0.45.2 correctly limits future auto-upgrades to the 0.45.x patch series, and drizzle-kit@0.31.10 (unchanged) remains in the lockfile — the PR author confirms tsc --noEmit passes for packages/db, which suggests build-time compatibility is intact.

Confidence Score: 5/5

Safe to merge — all five manifests are updated consistently and the lockfile pins the patched version.

This is a single-purpose security dependency bump with no logic changes. All package.json files are updated in lockstep, the lockfile resolves to the correct 0.45.2, and the PR author confirms type-checking passes for the core DB package. No P0/P1 findings were identified.

No files require special attention; the remaining smoke-test items in the checklist (CI, workflow integration tests) are a normal gate for any dependency update.

Important Files Changed

| Filename | Overview |
|----------|----------|
| package.json | Root overrides updated: drizzle-orm bumped from ^0.44.5 to ^0.45.2 to force the patched version across the monorepo. |
| apps/sim/package.json | Both the direct dependency and the local overrides block updated to ^0.45.2; consistent with root-level change. |
| apps/docs/package.json | Direct drizzle-orm dependency bumped to ^0.45.2; straightforward single-line update. |
| packages/db/package.json | Core DB package dependency updated to ^0.45.2; PR author reports tsc --noEmit passing for this package. |
| bun.lock | Lockfile correctly resolves drizzle-orm to 0.45.2 (from the previously-pinned 0.44.7); also adds new transitive entries for hono, @hono/node-server, json-schema-typed, and nested @google/genai/@modelcontextprotocol/sdk. These are indirect deps pulled in during the lockfile refresh, not by drizzle-orm itself. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Untrusted input (user-controlled string)"]
    B["sql.identifier() / .as() / escapeName()"]
    C{"drizzle-orm version?"}
    D["< 0.45.2 (VULNERABLE)\nDelimiter not escaped\n→ SQL injection possible"]
    E[">= 0.45.2 (PATCHED)\nDelimiter correctly escaped\n→ identifier safely quoted"]
    F["Query executed safely"]
    G["SQL injection: data disclosure,\nschema enumeration, destructive ops"]

    A --> B --> C
    C -->|"^0.44.5 (old)"| D --> G
    C -->|"^0.45.2 (new)"| E --> F

    style D fill:#f66,color:#fff
    style G fill:#f66,color:#fff
    style E fill:#6a6,color:#fff
    style F fill:#6a6,color:#fff

Reviews (1): Last reviewed commit: "fix(deps): bump drizzle-orm to 0.45.2 (G..."
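The two version claims in this review (that ^0.45.2 admits only the 0.45.x patch series, and that 0.45.2 is the first patched release, so the previously resolved 0.44.7 is out) can be checked mechanically. The following is an added TypeScript example, not the project's tooling and not a bun.lock parser: the range and the resolved version are passed in as strings, and the function names are constructed for the example. It implements the caret rule of semver (the leftmost non-zero component may not change), which is why a caret on a 0.x version behaves more like a tilde.

```typescript
// Added example: semver caret ranges and a "first fixed version" check.
// Not the project's code; versions are supplied as strings by the caller.

export interface SemVer { major: number; minor: number; patch: number; }

export function parseSemVer(v: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Negative, zero or positive like a comparator; first differing component wins.
export function compareSemVer(a: SemVer, b: SemVer): number {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Caret semantics: allow versions >= lower bound that keep the leftmost
// non-zero component unchanged. For 0.45.2 that is [0.45.2, 0.46.0).
export function satisfiesCaret(range: string, version: string): boolean {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const lo = parseSemVer(range.slice(1));
  const v = parseSemVer(version);
  const hi: SemVer =
    lo.major > 0 ? { major: lo.major + 1, minor: 0, patch: 0 }
    : lo.minor > 0 ? { major: 0, minor: lo.minor + 1, patch: 0 }
    : { major: 0, minor: 0, patch: lo.patch + 1 };
  return compareSemVer(v, lo) >= 0 && compareSemVer(v, hi) < 0;
}

// True when the resolved version is at or above the first release carrying the fix.
export function isPatched(resolved: string, firstFixed: string): boolean {
  return compareSemVer(parseSemVer(resolved), parseSemVer(firstFixed)) >= 0;
}

// Combined audit for one dependency: does the manifest range admit the
// resolved version, and is that version patched? (hypothetical helper)
export function auditDependency(range: string, resolved: string, firstFixed: string) {
  return { inRange: satisfiesCaret(range, resolved), patched: isPatched(resolved, firstFixed) };
}

// Constructed sample values matching the numbers discussed in this PR.
console.log(auditDependency('^0.44.5', '0.44.7', '0.45.2')); // old manifest: in range, not patched
console.log(auditDependency('^0.45.2', '0.45.2', '0.45.2')); // new manifest: in range, patched
```

Note that under the old range ^0.44.5 the fixed release 0.45.2 is not even installable, which is why a lockfile refresh alone would not have picked it up; the manifest range had to move.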

@waleedlatif1 waleedlatif1 changed the title fix(deps): bump drizzle-orm to 0.45.2 (GHSA-gpj5-g38j-94v9) fix(deps): bump drizzle-orm to 0.45.2, bump mcp Apr 22, 2026
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/dependabot-98 branch April 22, 2026 03:18