fix(db-postgres): bump drizzle-orm to 0.45.2 to resolve an SQL injection vulnerability and pg to 8.20.0 (#16168)

### What?

Upgrade `drizzle-orm` from 0.44.7 to 0.45.2 and `pg` from 8.16.3 to
8.20.0 (with `@types/pg` 8.10.2 → 8.20.0) across all database adapter
packages.

### Why?

**Security:**
[`drizzle-orm@0.45.2`](https://github.com/drizzle-team/drizzle-orm/releases/tag/0.45.2)
patches an SQL injection vulnerability (CWE-89) in `sql.identifier()`
and `sql.as()` where values were not properly escaped.

**Maintenance:** Bringing `pg` / `@types/pg` current picks up upstream
fixes and keeps the adapters aligned with the types the rest of the
monorepo already resolves.

The [`@vercel/postgres`](https://www.npmjs.com/package/@vercel/postgres)
→
[`@neondatabase/serverless`](https://www.npmjs.com/package/@neondatabase/serverless)
migration has been split out into a separate PR for independent review.
siimsams#1

### How?

- **`drizzle-orm` 0.44.7 → 0.45.2** in `db-postgres`, `db-sqlite`,
`db-d1-sqlite`, `db-vercel-postgres`, `drizzle`
- **`pg` 8.16.3 → 8.20.0** and **`@types/pg` 8.10.2 → 8.20.0** in
`db-postgres`, `db-vercel-postgres`, `drizzle`
- **`db-postgres/src/types.ts`:** Fix `PgDependency` type to `typeof
import('pg').default` — `@types/pg@8.20.0` added an `index.d.mts` with
ESM types where `PG` is a module-level declaration, making the old
`typeof import('pg')` incompatible with the default import
- **`db-vercel-postgres/src/connect.ts`:** Cast `client` to `pg.Pool` at
the two `drizzle()` call sites. `drizzle-orm@0.45.2` tightened
`NodePgClient` to `pg.Pool | PoolClient | Client`, and `VercelPool`
extends `@neondatabase/serverless`'s `Pool` (not `pg`'s), so the cast is
required to satisfy the stricter type while preserving runtime behavior.

---------

Co-authored-by: Sasha Rakhmatulin <sasha@ritsuko.dev>

Author: siimsams

packages/db-d1-sqlite/package.json

@@ -74,14 +74,14 @@
     "@payloadcms/drizzle": "workspace:*",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
+    "drizzle-orm": "0.45.2",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "11.1.0"
   },
   "devDependencies": {
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "payload": "workspace:*"
   },

packages/db-postgres/package.json

@@ -75,11 +75,11 @@
   },
   "dependencies": {
     "@payloadcms/drizzle": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
-    "pg": "8.16.3",
+    "drizzle-orm": "0.45.2",
+    "pg": "8.20.0",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "11.1.0"

packages/db-postgres/src/types.ts

@@ -1,24 +1,17 @@
+import type { DrizzleAdapter } from '@payloadcms/drizzle'
 import type {
   BasePostgresAdapter,
   GenericEnum,
   MigrateDownArgs,
   MigrateUpArgs,
   PostgresSchemaHook,
 } from '@payloadcms/drizzle/postgres'
-import type { DrizzleAdapter } from '@payloadcms/drizzle/types'
-import type { DrizzleConfig, ExtractTablesWithRelations } from 'drizzle-orm'
+import type { DrizzleConfig } from 'drizzle-orm'
 import type { NodePgDatabase } from 'drizzle-orm/node-postgres'
-import type {
-  PgDatabase,
-  PgQueryResultHKT,
-  PgSchema,
-  PgTableFn,
-  PgTransactionConfig,
-  PgWithReplicas,
-} from 'drizzle-orm/pg-core'
+import type { PgSchema, PgTableFn, PgTransactionConfig, PgWithReplicas } from 'drizzle-orm/pg-core'
 import type { Pool, PoolConfig } from 'pg'
 
-type PgDependency = typeof import('pg')
+type PgDependency = typeof import('pg').default
 
 export type Args = {
   /**

packages/db-sqlite/package.json

@@ -76,14 +76,14 @@
     "@payloadcms/drizzle": "workspace:*",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
+    "drizzle-orm": "0.45.2",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "11.1.0"
   },
   "devDependencies": {
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "payload": "workspace:*"
   },

packages/db-vercel-postgres/package.json

@@ -75,19 +75,19 @@
   },
   "dependencies": {
     "@payloadcms/drizzle": "workspace:*",
-    "@vercel/postgres": "^0.9.0",
+    "@vercel/postgres": "^0.10.0",
     "console-table-printer": "2.12.1",
     "drizzle-kit": "0.31.7",
-    "drizzle-orm": "0.44.7",
-    "pg": "8.16.3",
+    "drizzle-orm": "0.45.2",
+    "pg": "8.20.0",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "11.1.0"
   },
   "devDependencies": {
     "@hyrious/esbuild-plugin-commonjs": "0.2.6",
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "esbuild": "0.27.1",
     "payload": "workspace:*"

packages/db-vercel-postgres/src/connect.ts

@@ -42,7 +42,7 @@ export const connect: Connect = async function connect(
     // Passed the poolOptions if provided,
     // else have vercel/postgres detect the connection string from the environment
     this.drizzle = drizzle({
-      client,
+      client: client as pg.Pool,
       logger,
       schema: this.schema,
     })
@@ -55,7 +55,7 @@ export const connect: Connect = async function connect(
           connectionString,
         }
         const pool = new VercelPool(options)
-        return drizzle({ client: pool, logger, schema: this.schema })
+        return drizzle({ client: pool as unknown as pg.Pool, logger, schema: this.schema })
       })
       const myReplicas = withReplicas(this.drizzle, readReplicas as any)
       this.drizzle = myReplicas

packages/drizzle/package.json

@@ -59,15 +59,15 @@
   "dependencies": {
     "console-table-printer": "2.12.1",
     "dequal": "2.0.3",
-    "drizzle-orm": "0.44.7",
+    "drizzle-orm": "0.45.2",
     "prompts": "2.4.2",
     "to-snake-case": "1.0.0",
     "uuid": "11.1.0"
   },
   "devDependencies": {
     "@libsql/client": "0.14.0",
     "@payloadcms/eslint-config": "workspace:*",
-    "@types/pg": "8.10.2",
+    "@types/pg": "8.20.0",
     "@types/to-snake-case": "1.0.0",
     "payload": "workspace:*"
   },