Closed realmikesolo closed 3 weeks ago
@realmikesolo is attempting to deploy a commit to the Vercel Labs Team on Vercel.
A member of the Team first needs to authorize it.
It's an interesting choice to move away from a project that enterprises and governments support to one that's unknown and may require security reviews. What benefits make this worth it?
@m-torin if you would like to use Prisma, that's great. Please do! I don't have anything against Prisma. In fact, we just worked with them on this https://db-latency.vercel.app/.
I made some edits based on the review, updated the Drizzle schema, upgraded `drizzle-kit` to version `0.21.1`, and created a new Prisma-compatible schema with an initial migration. These can be used if switching from Prisma to Drizzle ORM. The migration was created after pulling the DDL from an existing database, which was initially used with Prisma. The only thing that needs to be done is to set the `email` field in the `User` table to `not null` for type compatibility with the Drizzle adapter for next-auth.

Currently, there are two bugs related to `drizzle-kit` removing foreign key constraints and recreating them, and `drizzle-kit` detecting changes in `timestamp` precision even when there are none. These should be fixed soon. Once they are resolved, the Prisma-compatible schema can be used. If it's a new project, it's recommended to use the standard Drizzle schema.

Please let me know if anything needs updating.
Bugs with Drizzle-kit were fixed
The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
platforms | ❌ Failed (Inspect) | | | Jun 4, 2024 2:10pm |
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package | New capabilities | Transitives | Size | Publisher |
---|---|---|---|---|
npm/clsx@2.1.1 | None | 0 | 8.55 kB | lukeed |
npm/drizzle-kit@0.22.5 | None | 0 | 0 B | |
npm/pg@8.12.0 | environment, network | 0 | 77.6 kB | brianc |
npm/postcss@8.4.38 | environment, filesystem | +2 | 343 kB | ai |
npm/prettier@3.3.1 | environment, filesystem, unsafe | 0 | 8.25 MB | prettier-bot |
npm/tailwind-merge@2.3.0 | None | +1 | 727 kB | dcas |
npm/tailwindcss@3.4.4 | environment, filesystem; Transitive: network, shell, unsafe | +87 | 14.2 MB | adamwathan |
npm/typescript@5.4.5 | None | 0 | 32.4 MB | typescript-bot |
🚮 Removed packages: npm/clsx@2.0.0, npm/next-auth@4.24.5, npm/prettier@3.1.0, npm/prisma@5.5.2, npm/react@18.2.0, npm/tailwind-merge@2.0.0, npm/tailwindcss@3.3.5, npm/typescript@5.2.2
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
Alert | Package | Note | Source |
---|---|---|---|
Nonpermissive License | npm/@vercel/analytics@1.3.1 | (Experimental) A license not known to be considered permissive was found. Determine whether use of material not offered under a known permissive license works for you | |
Copyleft License | npm/@vercel/analytics@1.3.1 | (Experimental) Copyleft license information was found. Determine whether use of copyleft material works for you | |
Nonpermissive License | npm/@vercel/analytics@1.1.1 | (Experimental) A license not known to be considered permissive was found. Determine whether use of material not offered under a known permissive license works for you | |
Copyleft License | npm/@vercel/analytics@1.1.1 | (Experimental) Copyleft license information was found. Determine whether use of copyleft material works for you | |
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

To ignore an alert, reply with a comment starting with `@SocketSecurity ignore` followed by a space separated list of `ecosystem/package-name@version` specifiers, e.g. `@SocketSecurity ignore npm/foo@1.0.0`, or ignore all packages with `@SocketSecurity ignore-all`.
@SocketSecurity ignore npm/@vercel/analytics@1.3.1
@SocketSecurity ignore npm/@vercel/analytics@1.1.1
@leerob @realmikesolo - this seems to break GitHub auth, as the GitHub login in the example may return null for the email, because the schema's `email` field is set to `notNull` in the users table. This happens when the person trying to log in has "Keep my email addresses private" checked in their GitHub email preferences.
Submitted issue for tracking: https://github.com/vercel/platforms/issues/412
@mdichtler we're a bit confused with @realmikesolo as of now, since originally Prisma's adapter did have this field as just unique, then the Next Auth author mentioned that the field (we might've got it wrong) can be `.notNull` and even for GitHub they will still get the email if it's null. If the field can be `null` or an empty string, it can't be `unique` either.
@AlexBlokh - I'm free for the next hour if you want to troubleshoot this a bit; add me on Discord: @martindichtler. Also attaching a screenshot of my GitHub profile where email is set to null. This is logged from auth.ts line 14 (profile callback).
@mdichtler here's a conversation with the NextAuth team in Discord. They advise us to do a migration of `id -> email` where email is null before declaring a schema, and it seems like they consider this a bug, but we tend to just make this field nullable since it doesn't make sense to have it `not null`.
This PR was made to migrate from Prisma to Drizzle ORM. It involves rewriting the database interactions using Drizzle ORM.

Instructions

If you directly start the project with Drizzle ORM:

- Delete the `lib/legacy-schema.ts` file, as it is only used when migrating from Prisma. `lib/schema.ts` will be used for database queries.
- Run the `drizzle-kit push` command to apply your changes to the database. Learn more about the push command here.

If you are migrating from Prisma:

- Delete the `lib/schema.ts` file and rename `lib/legacy-schema.ts` to `lib/schema.ts`.
- The `email` column in the `users` table is set to `not null` to ensure compatibility with the drizzle next-auth adapter. Apply this change by running the `drizzle-kit push` command. Learn more about the `push` command here.