
security: bump drizzle-orm and better-auth to patch CVEs#3560

Merged
AviPeltz merged 1 commit into main from security/bump-drizzle-better-auth on Apr 18, 2026

Conversation

@AviPeltz (Collaborator) commented Apr 18, 2026

Summary

  • Bump drizzle-orm 0.45.1 → 0.45.2 across 10 workspaces (patches GHSA-gpj5-g38j-94v9 / CVE-2026-39356).
  • Bump better-auth + @better-auth/{api-key,expo,oauth-provider,stripe} 1.5.6 → 1.6.5 across 6 workspaces (patches GHSA-xr8f-h2gw-9xh6).
  • No code changes — lockfile-only upgrade to the minimum fixed versions (which also happen to be the latest stable).

Why / Context

Two Dependabot high-severity advisories on main:

1. Drizzle ORM — SQL injection via improperly escaped identifiers (GHSA-gpj5-g38j-94v9)
Dialect-specific escapeName() did not double embedded " / ` in identifiers, so untrusted input reaching sql.identifier() or .as() could break out of identifier quoting.

  • Exposure in this repo: the only call sites are in apps/api/src/app/api/electric/[...path]/utils.ts and apps/electric-proxy/src/where.ts, and they pass column.name from static schema objects (tasks.organizationId, organizations.id, …) — no untrusted input flows to identifier construction today. So this was not directly exploitable, but upgrading is cheap defense-in-depth.

2. @better-auth/oauth-provider — unprivileged client registration (GHSA-xr8f-h2gw-9xh6)
Client-creation endpoints did not invoke the authorization callback, so clientPrivileges restrictions could be bypassed by any authenticated user.

  • Exposure in this repo: the provider is wired up in packages/auth/src/server.ts and exposed via .well-known/oauth-authorization-server + .well-known/openid-configuration. Current config sets allowDynamicClientRegistration: true and allowUnauthenticatedClientRegistration: true, so the CVE is not the immediate concern — but upgrading unblocks future use of clientPrivileges. (Revisiting those flags tracked as a follow-up.)

How It Works

Pure version bumps in package.json files + regenerated bun.lock. All better-auth packages were moved together (1.5.6 → 1.6.5) to keep the family version-aligned and avoid peer-dep drift. All drizzle-orm consumers are pinned to the same version (0.45.2) across the workspace.

Manual QA Checklist

Manual QA was not performed for this PR — it is a lockfile-only dependency bump with no code changes, and the behavior surface (drizzle queries, better-auth sessions) is covered by typecheck and the existing test suite. Reviewers should flag if any runtime smoke test is expected before merge.

Testing

  • bun install — clean resolve, 32 packages installed
  • bun run typecheck — ✅ 25/25 packages pass
  • bun run lint — ✅ 3538 files, no issues
  • bun test — 2657 pass, 3 fail (verified pre-existing on baseline by stashing these changes and rerunning the same tests; failures are in buildForkAgentLaunch.test.ts (tRPC localhost connection refused), useOrderedSections.test.tsx (renderer client init ordering), and setup.test.ts (config-parsing noise) — none reference better-auth or drizzle-orm)

Follow-ups

  • Reconsider allowUnauthenticatedClientRegistration: true in packages/auth/src/server.ts:204 — currently anyone can register OAuth clients via Dynamic Client Registration. Out of scope for this security patch; tracked separately.

Risks / Rollout / Rollback

  • Risk: low. Minor-version bumps within semver-compatible ranges; full type surface re-validated.
  • Rollout: merge and ship normally.
  • Rollback: revert this PR — all changes are isolated to package.json files and bun.lock, so a revert + bun install fully restores prior state.

Summary by cubic

Upgraded drizzle-orm to 0.45.2 and the better-auth package family to 1.6.5 across the monorepo to patch high‑severity CVEs. Dependency version bumps only; no app code changes.

Written for commit 4f1aa4c. Summary will update on new commits.

Summary by CodeRabbit

Chores

  • Updated core authentication and database management framework dependencies across all applications and packages to their latest stable versions. These updates deliver improved system stability and reliability, enhanced application performance and user responsiveness, better overall technology stack compatibility, an improved security posture, and full access to critical bug fixes and optimizations.

- drizzle-orm 0.45.1 → 0.45.2 (GHSA-gpj5-g38j-94v9 / CVE-2026-39356)
- better-auth family 1.5.6 → 1.6.5 (GHSA-xr8f-h2gw-9xh6)
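The description above characterises the Drizzle advisory as a dialect-specific escapeName() that did not double embedded quote characters, so a name reaching sql.identifier() or .as() could close the identifier early. The following is an added illustration written for this page, not drizzle-orm's implementation: escapeNameNaive, escapeName, buildSelect, lexIdentifiers and the two payload strings are constructed for the demo, and only the fix shape (doubling the dialect's quote character) is taken from the advisory text.

```typescript
// Added example, not drizzle-orm's code: the identifier-quoting bug class the
// advisory describes, a fix of the same shape (double any embedded quote
// character), and a small lexer to show what a SQL parser would see.

type Dialect = "pg" | "sqlite" | "mysql";

// PostgreSQL and SQLite quote identifiers with ", MySQL with `.
function quoteChar(dialect: Dialect): string {
  return dialect === "mysql" ? "`" : '"';
}

// Vulnerable shape: wraps the name in the dialect's quote but never escapes a
// quote that appears inside the name, so the name can terminate the identifier.
function escapeNameNaive(name: string, dialect: Dialect): string {
  const q = quoteChar(dialect);
  return q + name + q;
}

// Fixed shape: an embedded quote is doubled, which SQL reads as one literal
// quote inside the identifier.
function escapeName(name: string, dialect: Dialect): string {
  const q = quoteChar(dialect);
  return q + name.split(q).join(q + q) + q;
}

type Escaper = (name: string, dialect: Dialect) => string;

// Stand-in for a builder that interpolates caller-supplied identifiers, the
// role sql.identifier() and .as() play in the advisory.
function buildSelect(column: string, table: string, dialect: Dialect, esc: Escaper = escapeName): string {
  return `SELECT ${esc(column, dialect)} FROM ${esc(table, dialect)}`;
}

// Minimal lexer: the quoted identifiers a parser would see, with doubled quotes
// collapsed back to one. An identifier that never closes is reported as null.
function lexIdentifiers(sql: string, dialect: Dialect): (string | null)[] {
  const q = quoteChar(dialect);
  const found: (string | null)[] = [];
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== q) { i++; continue; }
    i++; // opening quote
    let ident = "";
    let closed = false;
    while (i < sql.length) {
      if (sql[i] === q) {
        if (sql[i + 1] === q) { ident += q; i += 2; continue; } // doubled quote = literal
        closed = true; i++; break;
      }
      ident += sql[i++];
    }
    found.push(closed ? ident : null);
  }
  return found;
}

// Constructed attacker-controlled "column name" that tries to close the
// identifier early and append its own FROM clause.
const PAYLOAD_PG = 'x" FROM users; --';
const PAYLOAD_MYSQL = 'x` FROM users; --';

// With the naive escaper the payload splits the statement into three pieces:
// identifier "x", a bare FROM clause, and an unterminated identifier.
function naiveResult(): (string | null)[] {
  return lexIdentifiers(buildSelect(PAYLOAD_PG, "tasks", "pg", escapeNameNaive), "pg");
}

// With doubling, the whole payload stays inside a single identifier and the
// statement still selects FROM "tasks".
function fixedResult(): (string | null)[] {
  return lexIdentifiers(buildSelect(PAYLOAD_PG, "tasks", "pg"), "pg");
}

// Same check for the backtick-quoting dialect.
function fixedResultMysql(): (string | null)[] {
  return lexIdentifiers(buildSelect(PAYLOAD_MYSQL, "tasks", "mysql"), "mysql");
}
```

The lexer is the useful half of the demo: it makes visible that with the naive escaper the first identifier closes after `x`, the attacker's `FROM users; --` becomes bare SQL, and the real `FROM "tasks"` is left dangling, whereas with doubling the payload is inert inside one identifier. It also shows why the description's exposure analysis (identifiers sourced only from static schema objects) matters: the fix only has something to do when the name is attacker-controlled.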

@coderabbitai Bot (Contributor) commented Apr 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between aa23ae3 and 4f1aa4c.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (12)
  • apps/admin/package.json
  • apps/api/package.json
  • apps/desktop/package.json
  • apps/electric-proxy/package.json
  • apps/mobile/package.json
  • apps/web/package.json
  • packages/auth/package.json
  • packages/db/package.json
  • packages/host-service/package.json
  • packages/local-db/package.json
  • packages/mcp/package.json
  • packages/trpc/package.json

📝 Walkthrough

Updates dependency versions across the monorepo: better-auth and its plugins from 1.5.6 to 1.6.5, and drizzle-orm from 0.45.1 to 0.45.2. Changes span multiple applications and packages.

Changes

Cohort / File(s) / Summary

Applications with better-auth Updates
  • Files: apps/admin/package.json, apps/api/package.json, apps/desktop/package.json, apps/mobile/package.json, apps/web/package.json
  • Summary: Upgraded better-auth and related plugins (@better-auth/oauth-provider, @better-auth/api-key, @better-auth/stripe, @better-auth/expo) from 1.5.6 to 1.6.5. Some apps also include drizzle-orm updates to 0.45.2.

Application with Database Update
  • Files: apps/electric-proxy/package.json
  • Summary: Updated drizzle-orm from 0.45.1 to 0.45.2.

Core Authentication Package
  • Files: packages/auth/package.json
  • Summary: Bumped better-auth and all related plugins from 1.5.6 to 1.6.5 and upgraded drizzle-orm from 0.45.1 to 0.45.2.

Database and Infrastructure Packages
  • Files: packages/db/package.json, packages/host-service/package.json, packages/local-db/package.json, packages/mcp/package.json, packages/trpc/package.json
  • Summary: Updated drizzle-orm from 0.45.1 to 0.45.2 across all packages.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, hop, hooray for the version bumps today,
better-auth springs to 1.6.5, hip hip hurrah!
drizzle-orm flows to 0.45.2 with glee,
Dependencies dance across the monorepo tree! 🌳✨

🚥 Pre-merge checks | ✅ 3 passed
  • Title check: ✅ Passed. The title clearly and specifically identifies the main change: a security-focused dependency bump for drizzle-orm and better-auth to address CVEs.
  • Description check: ✅ Passed. The PR description is comprehensive and well-structured, covering all key template sections: a detailed summary of changes, context for why upgrades are needed, testing verification, risks, and follow-ups.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


greptile-apps Bot commented Apr 18, 2026

Greptile Summary

This PR is a security-motivated dependency bump with no code changes — only package.json and bun.lock modifications. It upgrades two dependency families to patch two high-severity CVEs:

  • drizzle-orm 0.45.1 → 0.45.2 across 10 workspaces (patches GHSA-gpj5-g38j-94v9 / CVE-2026-39356, SQL injection via improperly escaped identifiers in escapeName()).
  • better-auth + @better-auth/{api-key,expo,oauth-provider,stripe} 1.5.6 → 1.6.5 across 6 workspaces (patches GHSA-xr8f-h2gw-9xh6, unprivileged OAuth client registration bypass).

Key observations:

  • All version bumps are internally consistent between package.json files and bun.lock. Transitive packages (@better-auth/core, @better-auth/utils, @better-auth/drizzle-adapter, better-call) are all correctly updated in the lockfile.
  • The new better-auth@1.6.5 narrows its drizzle-orm peer dependency from >=0.41.0 to ^0.45.2, which is exactly satisfied by the pinned 0.45.2 — no version skew risk.
  • The PR description accurately characterizes the actual exposure level in this codebase (Drizzle identifiers sourced from static schema only; allowDynamicClientRegistration/allowUnauthenticatedClientRegistration already open in better-auth config).
  • The follow-up to revisit allowUnauthenticatedClientRegistration: true in packages/auth/src/server.ts is appropriate and correctly deferred out of scope.

Confidence Score: 5/5

Safe to merge — pure lockfile-only security patch with consistent version bumps across all workspaces, validated by typecheck, lint, and test suite.

All changes are mechanical version bumps with no code modifications. Version alignment is consistent across all 13 files and the lockfile. Transitive dependency graph in bun.lock is coherent (no orphaned old versions, peer deps satisfied). The PR author verified bun run typecheck (25/25 pass), bun run lint (clean), and bun test (pre-existing failures only, none related to these packages).

No files require special attention — all changes are straightforward version bumps. The follow-up to revisit allowUnauthenticatedClientRegistration in packages/auth/src/server.ts is appropriately deferred.

Important Files Changed

  • packages/auth/package.json: All four @better-auth/* plugins and better-auth core bumped 1.5.6 → 1.6.5; drizzle-orm bumped 0.45.1 → 0.45.2. This is the central auth package, the highest-value security upgrade in the PR.
  • apps/api/package.json: Bumps @better-auth/oauth-provider, better-auth, and drizzle-orm, the API surface most directly impacted by the CVEs patched in this PR.
  • bun.lock: Lockfile regenerated consistently; all transitive @better-auth/* and drizzle-orm hashes/checksums updated to match new versions with no orphaned old entries detected.
  • apps/desktop/package.json: Bumps @better-auth/api-key, @better-auth/stripe, better-auth, and drizzle-orm; straightforward version alignment with the rest of the workspace.
  • apps/admin/package.json: Bumps better-auth and drizzle-orm; clean, consistent with other workspaces.
  • apps/web/package.json: Bumps better-auth only (no drizzle dependency in this workspace); correct scoping.
  • apps/mobile/package.json: Bumps @better-auth/expo and better-auth; consistent with the rest of the family upgrade.
  • apps/electric-proxy/package.json: Bumps drizzle-orm only; one of the two call-site packages for identifier construction mentioned in the CVE analysis.
  • packages/db/package.json: Bumps drizzle-orm 0.45.1 → 0.45.2; clean, consistent change.
  • packages/host-service/package.json: Bumps drizzle-orm 0.45.1 → 0.45.2; clean, consistent change.
  • packages/local-db/package.json: Bumps drizzle-orm 0.45.1 → 0.45.2; clean, consistent change.
  • packages/mcp/package.json: Bumps drizzle-orm 0.45.1 → 0.45.2; clean, consistent change.
  • packages/trpc/package.json: Bumps drizzle-orm 0.45.1 → 0.45.2; clean, consistent change.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph CVE1["CVE-2026-39356 — drizzle-orm SQL injection"]
        D1["drizzle-orm 0.45.1 - escapeName improperly escaped identifiers"]
        D2["drizzle-orm 0.45.2 - identifiers properly escaped"]
        D1 -->|bump| D2
    end

    subgraph CVE2["GHSA-xr8f-h2gw-9xh6 — better-auth unprivileged client reg"]
        B1["better-auth 1.5.6 - clientPrivileges bypass in oauth-provider"]
        B2["better-auth 1.6.5 - authorization callback enforced"]
        B1 -->|bump| B2
    end

    subgraph Drizzle["drizzle-orm consumers — 10 workspaces"]
        W1[apps/admin] & W2[apps/api] & W3[apps/desktop] & W4[apps/electric-proxy]
        W7[packages/auth] & W8[packages/db] & W9[packages/host-service]
        W10[packages/local-db] & W11[packages/mcp] & W12[packages/trpc]
    end

    subgraph BetterAuth["better-auth consumers — 6 workspaces"]
        BA1[apps/admin] & BA2[apps/api] & BA3[apps/desktop]
        BA5[apps/mobile] & BA6[apps/web] & BA7[packages/auth]
    end

    D2 --> Drizzle
    B2 --> BetterAuth

Reviews (1): Last reviewed commit: "security: bump drizzle-orm and better-au..."

@cubic-dev-ai Bot (Contributor) left a comment

No issues found across 13 files

github-actions Bot commented Apr 18, 2026

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

  • ✅ Neon database branch
  • ✅ Electric Fly.io app

Thank you for your contribution! 🎉

@AviPeltz AviPeltz merged commit 33848ba into main Apr 18, 2026
15 checks passed
@Kitenite Kitenite deleted the security/bump-drizzle-better-auth branch May 6, 2026 04:53