chore(deps): bump drizzle-orm to 0.45.2 (CVE-2026-39356)

[chitcommit]

Summary

• Bumps drizzle-orm 0.39.1 → 0.45.2 to patch CVE-2026-39356 / GHSA-gpj5-g38j-94v9 — SQL injection via improperly escaped sql.identifier() / sql.as().
• Bumps drizzle-kit 0.31.9 → 0.31.10 (latest 0.31.x, compatible with orm 0.45).
• 0.45.2 is the lowest version that patches the advisory (first_patched_version: 0.45.2).

Refs #126 (drive accept-list to zero).

Breaking changes encountered

None required code changes in chittyfinance. Survey of the 0.40 → 0.45 release notes against this codebase:

Release	Change	Impact here
0.40	Gel dialect added	N/A — Postgres only
0.41	Opt-in mode: 'number' | 'bigint' for decimal/numeric	None — we don't pass mode, default string behavior preserved (heavy decimal() use in database/system.schema.ts unaffected)
0.42	pgEnum accepts TS enums; duplicate-export cleanup	None
0.43	cross join + lateral joins; removed .fullJoin() from MySQL	None — Postgres only, we don't use cross/lateral
0.44	DrizzleQueryError wraps driver errors	None — server/lib/error-handling.ts and middleware do not inspect driver error.code (verified by grep)
0.45	$onUpdate handling SQL values, bun-sql Date fix	None
0.45.2	SQL identifier escaping fix (THE FIX)	None — purely security fix

Files changed: package.json (2 lines), pnpm-lock.yaml (regenerated). No source code touched.

Verification

• npm run check: clean (tsc passes with 0.45.2 types).
• npm test: 23 failed / 293 passed — identical to pre-bump baseline (confirmed by stashing the bump and rerunning). Failures are pre-existing and unrelated to drizzle.
• pnpm audit --prod --json: drizzle-orm no longer appears in high/critical advisories. CVE-2026-39356 is gone from the dep graph.

Accept-list follow-up

The CVE-2026-39356 / GHSA-gpj5-g38j-94v9 entries can now be removed from the accept-list in .github/workflows/security-gates.yml in a separate small PR. This PR intentionally does NOT touch the accept-list to keep concerns separate; the gated audit step continues to pass because the CVE is no longer present.

Test plan

• npm run check clean
• npm test baseline unchanged (23 fail / 293 pass before and after)
• pnpm audit --prod shows no drizzle-orm advisories
• No application logic changes
• CI green on push (auto-merge enabled)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated core package dependencies to latest stable versions.

[github-actions]

@coderabbitai review

Please evaluate:

• Security implications
• Credential exposure risk
• Dependency supply chain concerns
• Breaking API changes

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR introduces a GitHub Actions workflow for automated PR merging and bumps the Drizzle ORM library to a significantly newer version along with a minor Drizzle Kit update. The changes are maintenance-focused with no breaking modifications to application code.

Changes

GitHub Actions Auto-Merge Workflow

Layer / File(s)	Summary
Auto-Arm Merge workflow definition .github/workflows/auto-arm-merge.yml	New workflow triggers on PR opened, ready_for_review, and reopened events and delegates to a reusable workflow from the shared organization repository to execute the auto-merge logic.

Dependency Updates

Layer / File(s)	Summary
Drizzle ORM and Kit version bumps package.json	drizzle-orm dependency upgraded from ^0.39.1 to ^0.45.2 (major version bump); drizzle-kit dev dependency upgraded from ^0.31.9 to ^0.31.10.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• Drive dep-audit accept-list to zero — drizzle major bump + transitive cleanup #126: The drizzle-orm version bump directly addresses the dependency audit and transitive security advisories tracked in that issue by upgrading to a compatible stable version.

Suggested reviewers

• mrniceweird

Poem

🐰 A workflow for merging, so swift and so clean,
Dependencies bumped to the freshest we've seen,
Drizzle flows faster in versions that shine,
Auto-merge automation—a feature so fine!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: bumping drizzle-orm to address a specific CVE, which is the primary objective of this security patch PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/deps-drizzle-orm-cve-39356

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review — PR #129: drizzle-orm CVE-2026-39356 bump

Overview

This PR patches a high-severity SQL injection vulnerability (CVE-2026-39356 / GHSA-gpj5-g38j-94v9) in drizzle-orm's sql.identifier() / sql.as() escaping by bumping from 0.39.1 → 0.45.2. The fix itself is correct and urgently needed. However, there are a few things worth calling out before merging.

---

Issues

1. Unrelated workflow file bundled into a security patch PR

The new .github/workflows/auto-arm-merge.yml is completely unrelated to the CVE fix and should be in its own PR. Mixing a pipeline change with a security patch muddies the blast radius and makes rollback harder if either change needs to be reverted independently.

2. auto-arm-merge.yml references an external workflow at @main — unpinned SHA

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

Pinning to a branch name rather than a commit SHA means this workflow can be silently updated by any push to chittyfoundation/.github main. GitHub's hardening guide recommends pinning external workflows/actions to a full commit SHA. This is a supply-chain risk — at minimum use a tag, ideally a commit SHA.

3. Lockfile regeneration bumped far more than drizzle

The PR description says "Files changed: package.json (2 lines), pnpm-lock.yaml (regenerated). No source code touched." — technically accurate, but the lockfile regeneration silently pulled in many other in-range updates:

Package	Old	New
pg	8.16.3	8.21.0
@modelcontextprotocol/sdk	1.27.1	1.29.0
jose (JWT)	6.1.3	6.2.3
openid-client	6.8.1	6.8.4
oauth4webapi	3.8.3	3.8.6
express-session	1.18.2	1.19.0
express-rate-limit	8.3.0	8.5.2
dotenv	17.2.3	17.4.2
react-hook-form	7.71.1	7.77.0
esbuild	0.27.2	0.27.7 / 0.28.0

The pg, jose, and openid-client bumps are security-adjacent. They're all in-range and likely fine, but the PR description should acknowledge them so reviewers know what they're approving. It's also worth confirming pnpm audit --prod is fully clean post-bump, not just free of the drizzle CVE.

---

What Looks Good

• Correct target version. 0.45.2 is the first_patched_version per the advisory — not over-pinned, not under-pinned.
• drizzle-zod compatibility preserved. drizzle-zod@0.7.1 resolves cleanly against the new drizzle-orm peer in the lockfile.
• Breaking-changes table is thorough — the 0.40–0.45 changelog survey against this codebase is exactly the due diligence reviewers need.
• Test baseline confirmed unchanged — stashing the bump and rerunning to verify the 23-fail/293-pass parity is good practice.
• Deferred accept-list cleanup — keeping scope narrow is correct; removing the GHSA entry in a follow-up PR is the right call.

---

Suggested Actions Before Merge

1. Move auto-arm-merge.yml to its own PR (or explain in a commit message why it belongs here).
2. Pin the external workflow to a commit SHA, not @main.
3. Update the PR description to acknowledge the full set of transitive bumps.
4. Run pnpm audit --prod --json and post the full clean output as a PR comment, not just the drizzle-specific result.

---

Overall this is a well-structured security patch with solid documentation. The CVE fix is correct; the bundled unrelated workflow and its unpinned SHA are the items worth addressing before merge.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f4b4d84b31

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Limit this lockfile update to the Drizzle packages

When this lockfile is deployed, the Drizzle CVE patch also upgrades unrelated top-level runtime dependencies that were not changed in package.json (for example @modelcontextprotocol/sdk is now locked to 1.29.0, and the same importer section also bumps React Query, express-session, jose, pg, etc.). That means production behavior can change for auth/session/MCP/API code under a Drizzle-only security change, making regressions much harder to attribute; please regenerate the lockfile with only drizzle-orm/drizzle-kit targeted so the security fix stays isolated.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Pin the reusable auto-merge workflow

Because this new workflow runs for every opened/reopened PR, delegating the whole job to chittyfoundation/.github at the mutable main ref means any later change or compromise in that repository immediately changes this repo's auto-merge behavior without a reviewed change here. Pin the reusable workflow to an immutable SHA or a controlled release tag so PR merge automation cannot drift underneath this repository.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Point the reusable workflow at an existing file

This caller references auto-arm-merge.yml, but the public chittyfoundation/.github workflow directory at main currently lists documentation_check.yml, metadata_check.yml, new_repo_setup.yml, portfolio-hardening.yml, pr-governance.yml, and reusable-ci-pipeline.yml—not this file. As soon as a PR is opened or reopened, GitHub Actions will fail to resolve the called workflow, adding a permanently failing required check if this workflow is protected; update the uses: path/ref to an existing reusable workflow before enabling it.

Useful? React with 👍 / 👎.