
chore(deps): bump kysely from 0.27.4 to 0.28.11#1899

Open

dependabot[bot] wants to merge 4 commits into main from dependabot/npm_and_yarn/kysely-0.28.11

Conversation


@dependabot dependabot bot commented on behalf of github Mar 18, 2026

Bumps kysely from 0.27.4 to 0.28.11.

Release notes

Sourced from kysely's releases.

0.28.11

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

🚀 Features

🐞 Bugfixes

SQLite 📘

📖 Documentation

📦 CICD & Tooling

⚠️ Breaking Changes

🐤 New Contributors

Full Changelog: kysely-org/kysely@v0.28.10...v0.28.11

0.28.10

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

🚀 Features

🐞 Bugfixes

PostgreSQL 🐘 / MSSQL 🥅

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for kysely since your current version.



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [kysely](https://github.com/kysely-org/kysely) from 0.27.4 to 0.28.11.
- [Release notes](https://github.com/kysely-org/kysely/releases)
- [Commits](kysely-org/kysely@0.27.4...v0.28.11)

---
updated-dependencies:
- dependency-name: kysely
  dependency-version: 0.28.11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and javascript labels Mar 18, 2026
@adriangohjw adriangohjw requested a review from a team as a code owner March 19, 2026 03:13

@cursor cursor bot left a comment


Stale comment

Security Review

No high-confidence vulnerabilities found in this PR.

What I reviewed

  • Dependency/supply-chain change: kysely upgraded from 0.27.x to 0.28.11 in apps/studio/package.json and package-lock.json.
  • Code change: PostgresQueryCompiler.compileQuery(args.node, queryId) update in apps/studio/src/server/modules/database/database.ts.

Findings

  • No confirmed injection, authz/authn bypass, secret leakage, SSRF, XSS, CSRF, or deserialization vulnerabilities introduced by this diff.
  • The tracing path still logs SQL text and parameter count (not parameter values); this behavior appears pre-existing and unchanged in risk profile by this PR.

Result

  • Security assessment: pass (no high-confidence vulnerabilities identified).

Sent by Cursor Automation: Find vulnerabilities (PR)
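The review above notes that the tracing path logs the SQL text and the parameter count but not the parameter values. The block below is an added example, not code from this PR, from the project or from Kysely, of what that log record looks like and why the distinction matters: bind-parameter values (tokens, e-mail addresses) never reach the log, and any single-quoted literal left in the SQL text is flagged, because a literal in a supposedly parameterised statement means a value was concatenated in and will leak into logs no matter how the parameters are handled. The `{ sql, parameters }` input shape mirrors Kysely's `CompiledQuery`; the sample queries and the secret `tok_do_not_log_me` are constructed here, and `queryId`/`durationMs` are plain metadata arguments rather than fields assumed on the compiled query.

```javascript
// Added example, not code from this PR or from Kysely: build the log record for a
// compiled query so that it carries the SQL text and the parameter COUNT but never
// the parameter VALUES. The { sql, parameters } shape mirrors Kysely's CompiledQuery;
// the objects below are constructed here and nothing is imported from kysely.

// Single-quoted SQL string literals, with '' as the escaped quote. A fully
// parameterised statement should contain none, so any hit signals that a value was
// concatenated into the SQL text: an injection risk, and the value now sits in the
// log regardless of parameter redaction. Heuristic only: it does not understand
// dollar-quoted strings or SQL comments.
const STRING_LITERAL = /'(?:[^']|'')*'/g;

function buildQueryLogRecord(compiled, { queryId = null, durationMs = null } = {}, maxSqlLength = 2000) {
  const sql = String(compiled.sql);
  const parameters = Array.isArray(compiled.parameters) ? compiled.parameters : [];
  return {
    queryId,                                   // correlation id only, carries no values
    durationMs,
    sql: sql.length > maxSqlLength ? sql.slice(0, maxSqlLength) + "..." : sql,
    parameterCount: parameters.length,         // the count, never the values
    inlineLiterals: (sql.match(STRING_LITERAL) || []).length,
  };
}

// Emit the record through a console-like logger; a statement that still contains
// inline literals is routed to "warn" so it stands out in review.
function logCompiledQuery(logger, compiled, meta) {
  const record = buildQueryLogRecord(compiled, meta);
  logger[record.inlineLiterals > 0 ? "warn" : "debug"](JSON.stringify(record));
  return record;
}

// Constructed samples: the same lookup with bind parameters and with the values
// concatenated into the text. "tok_do_not_log_me" stands in for a secret.
const SAMPLE_PARAMETERISED = {
  sql: `select "id" from "users" where "email" = $1 and "api_token" = $2`,
  parameters: ["alice@example.com", "tok_do_not_log_me"],
};
const SAMPLE_CONCATENATED = {
  sql: `select "id" from "users" where "email" = 'alice@example.com' and "api_token" = 'tok_do_not_log_me'`,
  parameters: [],
};

const safeRecord = buildQueryLogRecord(SAMPLE_PARAMETERISED, { queryId: "q-1", durationMs: 3 });
const leakyRecord = buildQueryLogRecord(SAMPLE_CONCATENATED, { queryId: "q-2", durationMs: 3 });

console.log(JSON.stringify(safeRecord));   // secret absent; parameterCount 2, inlineLiterals 0
console.log(JSON.stringify(leakyRecord));  // secret present in sql; inlineLiterals 2
```

The `inlineLiterals` counter is the cheap check a reviewer can apply to the tracing output of a dependency bump like this one: if the count is zero before and after the upgrade for the same code paths, the query builder is still parameterising everything it was before.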

@cursor cursor bot requested review from gautammmanek and seaerchin March 19, 2026 03:14

@cursor cursor bot left a comment


Stale comment

Risk assessment: Medium.

Evidence from diff:

  • Upgrades shared query-builder dependency kysely from 0.27.x to 0.28.11 in apps/studio/package.json (and lockfile).
  • Updates runtime DB tracing path in apps/studio/src/server/modules/database/database.ts (compileQuery(args.node, queryId)), which is part of shared database execution instrumentation.
  • Lockfile also reflects dependency metadata/engine changes for kysely.

Decision:

  • Review is required (medium risk; shared backend/database surface).
  • I did not approve this PR.
  • Assigned reviewers: @gautammmanek, @seaerchin.
  • CODEOWNERS applies (* @opengovsg/isomer-engineers), so this should land with owner review.

Sent by Cursor Automation: Assign PR reviewers (PR)

@cursor cursor bot requested a review from adriangohjw March 19, 2026 03:15

@cursor cursor bot left a comment


Stale comment

Risk assessment: Medium.

Evidence from diff:

  • apps/studio/package.json: bumps kysely from ^0.27.3 to ^0.28.11.
  • apps/studio/src/server/modules/database/database.ts: updates shared DB tracing path from compileQuery(args.node) to compileQuery(args.node, queryId).
  • package-lock.json: lockfile update including kysely package metadata (notably engine constraint now node >=20).

Why not Low/Very Low:

  • This is not a docs/test-only or formatting-only change.
  • It modifies a shared database plugin codepath and upgrades a core query-builder dependency used in production DB access.
  • Regression blast radius is limited to one app, but the touched path is central to query execution instrumentation.

Decision:

  • Code review required.
  • Requested 2 reviewers with history on this codepath: @gautammmanek, @adriangohjw.
  • No self-approval (medium-risk change and CODEOWNERS-governed path).

Sent by Cursor Automation: Assign PR reviewers (PR)


@cursor cursor bot left a comment


Stale comment

Security review result: no high-confidence vulnerabilities found in this PR.

Evidence checked in diff:

  • Dependency change is limited to kysely version bump (0.27.x -> 0.28.11) with lockfile resolved URL and integrity hash present.
  • Code change in database.ts updates compileQuery(args.node, queryId) to match new API usage; it does not introduce dynamic SQL concatenation, auth boundary changes, or new external input handling.
  • Existing tracing behavior still logs SQL text and parameter count only (not parameter values), so this PR does not introduce new secret-leak logging paths.

Uncertain concerns requiring additional validation: none from this diff.


Sent by Cursor Automation: Find vulnerabilities (PR)


@cursor cursor bot left a comment


Security review for dependency bump kysely 0.27.4 -> 0.28.11:

No high-confidence vulnerabilities found in this PR diff.

Confirmed findings:

  • None.

Uncertain / validation-needed concern (low confidence):

  • package-lock.json also rewrites some workspace metadata ranges (for example eslint-plugin-react-hooks: beta -> * and typescript: latest -> *). This does not appear to change the currently locked resolved artifacts in this PR, but it can increase future supply-chain drift risk if lockfiles are regenerated inconsistently.

Recommended hardening:

  • Keep installs in CI/release paths on npm ci (not npm install) to enforce lockfile integrity.
  • Regenerate lockfiles using a pinned npm version to reduce unintended lockfile rewrites.

Sent by Cursor Automation: Find vulnerabilities (PR)
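The review above raises two lockfile points: that the resolved URL and integrity hash are present for the bumped package, and that rewritten manifest ranges such as `beta -> *` invite supply-chain drift when lockfiles are regenerated. The block below is an added example, not code from this PR, from the project or from npm, that turns those points into an offline check over a lockfileVersion 3 `package-lock.json`: every installed package must carry a registry `resolved` URL and a `sha512` integrity value, floating root ranges (`*`, `latest`, empty) are reported, and a caret range is checked against the locked version, which is the mismatch `npm ci` refuses to install. The lockfile text is constructed for the example and only its shape follows npm's format; `EXPECTED_REGISTRY` is an assumption that a private registry would change, and the `sha512-AAAA...` digest is a placeholder, not kysely's real hash.

```javascript
// Added example, not code from this PR, from the project or from npm: an offline audit
// of a lockfileVersion 3 package-lock.json. The lockfile below is CONSTRUCTED for the
// example; only its shape follows npm's format (root entry keyed "", installed
// packages keyed "node_modules/<name>"). EXPECTED_REGISTRY is an assumption.

const EXPECTED_REGISTRY = "https://registry.npmjs.org/";
const FLOATING_SPECS = new Set(["", "*", "x", "latest"]);

const CONSTRUCTED_LOCKFILE = JSON.stringify({
  name: "studio",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "studio",
      dependencies: { kysely: "^0.28.11" },
      devDependencies: { typescript: "*", "eslint-plugin-react-hooks": "*" },
    },
    "node_modules/kysely": {
      version: "0.28.11",
      resolved: "https://registry.npmjs.org/kysely/-/kysely-0.28.11.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder, not the real digest
      engines: { node: ">=20" },
    },
    "node_modules/typescript": {
      version: "5.4.5",
      resolved: "https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz",
      // integrity deliberately absent: nothing for npm to check the tarball against
    },
    "node_modules/eslint-plugin-react-hooks": {
      version: "5.0.0-beta",
      resolved: "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-5.0.0-beta.tgz",
      integrity: "sha1-" + "B".repeat(27) + "=", // weak digest algorithm
    },
  },
});

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret semantics only: ^1.2.3 allows >=1.2.3 <2.0.0, ^0.2.3 allows >=0.2.3 <0.3.0,
// ^0.0.3 allows only 0.0.3. Returns null for any range this example does not model.
function caretSatisfies(spec, version) {
  if (!spec.startsWith("^")) return null;
  const want = parseVersion(spec.slice(1));
  const have = parseVersion(version);
  if (!want || !have) return null;
  const sameLine = want[0] > 0 ? have[0] === want[0]
    : want[1] > 0 ? have[0] === 0 && have[1] === want[1]
    : have[0] === 0 && have[1] === 0 && have[2] === want[2];
  return sameLine && compareVersions(have, want) >= 0;
}

// Returns a list of { pkg, issue } findings; an empty list means the lockfile passes.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  if (lock.lockfileVersion !== 3) {
    findings.push({ pkg: "", issue: `unexpected lockfileVersion ${lock.lockfileVersion}` });
  }
  const packages = lock.packages || {};
  const root = packages[""] || {};

  // Root manifest: floating ranges and ranges the locked version does not satisfy.
  for (const [name, spec] of Object.entries({ ...root.dependencies, ...root.devDependencies })) {
    if (FLOATING_SPECS.has(String(spec).trim())) {
      findings.push({ pkg: name, issue: `floating range "${spec}" in root manifest` });
    }
    const locked = packages[`node_modules/${name}`];
    if (!locked) {
      findings.push({ pkg: name, issue: "declared in root manifest but absent from lockfile" });
      continue;
    }
    if (caretSatisfies(String(spec), locked.version) === false) {
      findings.push({ pkg: name, issue: `locked ${locked.version} does not satisfy ${spec}` });
    }
  }

  // Every installed package: registry URL plus a sha512 integrity value.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue; // root and workspace symlinks carry no tarball
    if (!entry.resolved) {
      findings.push({ pkg: path, issue: "missing resolved URL" });
    } else if (!entry.resolved.startsWith(EXPECTED_REGISTRY)) {
      findings.push({ pkg: path, issue: `resolved outside expected registry: ${entry.resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ pkg: path, issue: "missing integrity hash" });
    } else if (!entry.integrity.startsWith("sha512-")) {
      findings.push({ pkg: path, issue: `weak integrity algorithm: ${entry.integrity.split("-")[0]}` });
    }
  }
  return findings;
}

const findings = auditLockfile(CONSTRUCTED_LOCKFILE);
for (const f of findings) console.log(`${f.pkg}: ${f.issue}`);
```

Run against the real `package-lock.json` this check is a pre-merge gate alongside `npm ci`; it covers what is in the lockfile, not who published the tarball, so the "new releaser" note in the Dependabot description is a separate check (`npm audit signatures` verifies registry signatures and provenance attestations for the installed tree).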


@cursor cursor bot left a comment


Risk assessment: Medium.

Evidence from current diff:

  • apps/studio/package.json and package-lock.json upgrade kysely from 0.27.x to 0.28.11 (shared query builder dependency).
  • apps/studio/src/server/modules/database/database.ts changes DB tracing compilation call to compileQuery(args.node, queryId) in shared database plugin code.
  • apps/studio/src/server/modules/resource/resource.service.ts updates orderBy call signature in runtime service code.
  • apps/studio/src/server/modules/collection/__tests__/collection.router.test.ts updates test syntax accordingly.

Decision:

  • Code review required (medium risk; shared backend/database surface changed).
  • No self-approval (medium risk and CODEOWNERS-governed codepaths).
  • Reviewer assignment unchanged: PR already has 3 requested reviewers, so no additional reviewers were added (limit is max 2 to add).

Sent by Cursor Automation: Assign PR reviewers (PR)


dependabot bot commented on behalf of github Mar 19, 2026

A newer version of kysely exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
