Basic implementation of psql powered by postgres.js#106

Open
gitstart wants to merge 3 commits into vercel-labs:main from gitstart:add-psql

Conversation

@gitstart

This PR adds support for implementing psql commands from agents. Key decisions include:

  • adding allowedPostgresHosts to explicitly set which pg hosts to allow (and the ability to specify overrides for credentials to transparently let connections go through without agents getting secrets)
  • using postgres.js. This will remove web support for postgres (as it should, given there is no easy way to use pg from the browser).
  • supporting a limited subset of psql for allowing remote sql comments (and no support for local files / dump and so on). For that, a future PR can add support for http://pglite.dev/ to create pg databases and safely work with dumps

@vercel

vercel bot commented Feb 10, 2026

@gitstart is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

tuplesOnly: false,
quiet: false,
singleTransaction: false,
variables: {},

@vercel vercel bot Feb 10, 2026


Prototype pollution vulnerability in psql formatJson: object built from user-controlled column names uses {} instead of Object.create(null).


Author


Fixed by using Object.create(null) instead of {} for the variables object. This prevents any prototype pollution attacks via the --set flag.

- Fix prototype pollution in parser: use Object.create(null) for variables
- Fix -f flag: update getSqlToExecute to handle file input correctly
- Add 25 unit tests covering all functionality
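The two constructions the review comment and the fix above refer to, side by side, as an added example that is not code from this PR; the function names (parseSetArgs, getVar, hasVar, compare) are hypothetical, and the sample arguments are constructed:

```javascript
// Added example, not code from the PR: a variables map built from
// user-supplied `--set name=value` arguments, created first with `{}`
// (the pattern the review flagged) and then with Object.create(null)
// (the fix). All function names are hypothetical.

// Parse "name=value" strings into a map created by makeMap().
function parseSetArgs(args, makeMap) {
  const vars = makeMap();
  for (const arg of args) {
    const eq = arg.indexOf("=");
    if (eq === -1) throw new Error(`invalid --set argument: ${arg}`);
    vars[arg.slice(0, eq)] = arg.slice(eq + 1);
  }
  return vars;
}

// The lookups a :name interpolation step would perform.
function getVar(vars, name) { return vars[name]; }
function hasVar(vars, name) { return name in vars; }

// Flagged pattern: a literal inherits Object.prototype, so unset names
// such as "toString" resolve to inherited members and an assignment to
// "__proto__" is silently swallowed by the inherited setter.
function parseSetArgsUnsafe(args) {
  return parseSetArgs(args, () => ({}));
}

// Fixed pattern: no prototype chain, so every key, "__proto__" included,
// is an ordinary own data property and unset names are undefined.
function parseSetArgsSafe(args) {
  return parseSetArgs(args, () => Object.create(null));
}

// Constructed sample input: one ordinary variable plus two hostile names.
const SAMPLE_ARGS = ["db=app", "__proto__=x", "constructor=y"];

// Side-by-side behaviour of the two maps on the same input.
function compare(args) {
  const u = parseSetArgsUnsafe(args);
  const s = parseSetArgsSafe(args);
  return {
    unsafeInheritsToString: typeof getVar(u, "toString") === "function",
    unsafeHasOwnProto: Object.prototype.hasOwnProperty.call(u, "__proto__"),
    unsafeSeesHasOwnProperty: hasVar(u, "hasOwnProperty"),
    safeToString: getVar(s, "toString"),
    safeProto: getVar(s, "__proto__"),
    safeSeesHasOwnProperty: hasVar(s, "hasOwnProperty"),
    safeKeys: Object.keys(s).length,
  };
}
```

Neither map pollutes the global Object.prototype with string values, but only the null-prototype map keeps lookups of unset or hostile names from returning inherited functions or dropping assignments.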
@socket-security

socket-security bot commented Feb 10, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package             Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/postgres@3.4.8  99                     100            100      84           100

- Split tests into 4 files (availability, basic, formats, errors)
- 44 tests with real PostgreSQL via postgres.js (no mocks)
- Tests skip gracefully if PostgreSQL unavailable
- Added PostgreSQL service to CI workflow
- Added docker-compose for local testing
- Follow repository patterns (env vs bash, multiple test files)