Hardening the Data Layer: The node-postgres Static Analysis Standard
Eliminate the #1 database vulnerability. An automated static analysis protocol for preventing SQL injection and connection leaks in production.
Postgres is the backbone of your production infrastructure. For engineering leaders, database security isn't a training problemβit's a governance problem. Here is the automated static analysis standard for node-postgres.
Quick Install
npm install --save-dev eslint-plugin-pg
Flat Config
// eslint.config.js
import pg from "eslint-plugin-pg";
export default [pg.configs.recommended];
Run ESLint
npx eslint .
You'll see output like:
src/users.ts
15:3 error π CWE-89 OWASP:A03 CVSS:9.8 | Unsafe SQL query detected
Fix: Use parameterized query: client.query('SELECT * FROM users WHERE id = $1', [id])
src/orders.ts
28:5 error π CWE-772 | pool.connect() without client.release()
Fix: Add client.release() in finally block
Rule Overview
| Rule | CWE | What it catches |
|---|---|---|
no-unsafe-query | CWE-89 | SQL injection via string concatenation |
no-missing-client-release | CWE-772 | Connection pool leaks |
prevent-double-release | CWE-415 | Double release crashes |
no-transaction-on-pool | CWE-362 | Transaction race conditions |
prefer-pool-query | CWE-400 | Unnecessary connect/release |
no-unsafe-copy-from | CWE-22 | Path traversal in COPY FROM |
no-unsafe-search-path | CWE-426 | search_path hijacking |
no-batch-insert-loop | Perf | N+1 query patterns |
| Plus 5 more... |
Quick Wins
Before
// β SQL Injection
const query = `SELECT * FROM users WHERE id = '${userId}'`;
await pool.query(query);
After
// β
Parameterized Query
const query = "SELECT * FROM users WHERE id = $1";
await pool.query(query, [userId]);
Before
// β Connection Leak
const client = await pool.connect();
const result = await client.query("SELECT * FROM users");
return result.rows;
// Missing client.release()!
After
// β
Guaranteed Release
const client = await pool.connect();
try {
const result = await client.query("SELECT * FROM users");
return result.rows;
} finally {
client.release();
}
Available Presets
// Security + best practices
pg.configs.recommended;
// All rules enabled
pg.configs.all;
Customizing Rules
// eslint.config.js
import pg from "eslint-plugin-pg";
export default [
pg.configs.recommended,
{
rules: {
// Downgrade to warning
"pg/prefer-pool-query": "warn",
// Increase strictness
"pg/no-unsafe-query": [
"error",
{
allowLiteral: false,
},
],
},
},
];
Performance
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Benchmark: 1000 files β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β eslint-plugin-pg: 785ms β
β 100% precision (0 false positives in tests) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Combine with Other Plugins
import pg from "eslint-plugin-pg";
import secureCoding from "eslint-plugin-secure-coding";
export default [pg.configs.recommended, secureCoding.configs.recommended];
Quick Reference
# Install
npm install --save-dev eslint-plugin-pg
# Config (eslint.config.js)
import pg from 'eslint-plugin-pg';
export default [pg.configs.recommended];
# Run
npx eslint .
π¦ npm: eslint-plugin-pg π Full Rule List
π Using node-postgres? Drop a star on GitHub!
The Interlace ESLint Ecosystem Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.
Explore the full Documentation
Β© 2026 Ofri Peretz. All rights reserved.
Build Securely. I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.