fix(db-postgres): bump drizzle-orm to 0.45.2 to resolve an SQL injection vulnerability and pg to 8.20.0

[siimsams]

What?

Upgrade drizzle-orm from 0.44.7 to 0.45.2 and pg from 8.16.3 to 8.20.0 (with @types/pg 8.10.2 → 8.20.0) across all database adapter packages.

Why?

Security: drizzle-orm@0.45.2 patches an SQL injection vulnerability (CWE-89) in sql.identifier() and sql.as() where values were not properly escaped.

Maintenance: Bringing pg / @types/pg current picks up upstream fixes and keeps the adapters aligned with the types the rest of the monorepo already resolves.

The @vercel/postgres → @neondatabase/serverless migration has been split out into a separate PR for independent review. fork payload

How?

• drizzle-orm 0.44.7 → 0.45.2 in db-postgres, db-sqlite, db-d1-sqlite, db-vercel-postgres, drizzle
• pg 8.16.3 → 8.20.0 and @types/pg 8.10.2 → 8.20.0 in db-postgres, db-vercel-postgres, drizzle
• db-postgres/src/types.ts: Fix PgDependency type to typeof import('pg').default — @types/pg@8.20.0 added an index.d.mts with ESM types where PG is a module-level declaration, making the old typeof import('pg') incompatible with the default import
• db-vercel-postgres/src/connect.ts: Cast client to pg.Pool at the two drizzle() call sites. drizzle-orm@0.45.2 tightened NodePgClient to pg.Pool | PoolClient | Client, and VercelPool extends @neondatabase/serverless's Pool (not pg's), so the cast is required to satisfy the stricter type while preserving runtime behavior.

[siimsams]

I went a bit down a rabbit hole with this one.

The initial goal was just to use maxLifetimeSeconds from pg.Pool, but payload's pg type version was outdated. While looking into that, I checked the changelogs of pg and @types/pg and decided to upgrade to the latest version since I did not see any breaking changes.

After that, I noticed Drizzle had released a patch related to SQL injection, so I upgraded that as well. While doing that, I ran into type issues around @vercel/postgres and saw that it is deprecated, so I ended up addressing that too.

This ended up being a much larger set of changes than originally intended. Let me know or split this up yourself if needed.

[r1tsuu]

Yeah let's make a PR which just updates PG and Drizzle, I'd like to review switching the package for vercel separately.

[siimsams]

@r1tsuu I split it out. The Neon one is here siimsams#1 I will switch base to payload as soon as this gets merged.

[siimsams]

Thank you for taking a look and approving. I'm wondering if these failing tests are flaky or did I break something? 🤔

[siimsams]

I solved the merge conflicts in package-lock.yaml.

EDIT:
I did it again. Messed up the PR message so force pushed the correct message.

[siimsams]

@r1tsuu can this be merged now that the release has happened?

[siimsams]

Thank you! ❤️