
Drizzle ORM

registry: npm
package name: drizzle-orm
maintainer: Drizzle Team

Drizzle ORM is a TypeScript-first SQL ORM that provides a type-safe query builder without runtime reflection. It is a growing alternative to Prisma in the Next.js ecosystem, particularly for serverless deployments where cold start times are sensitive. It connects to PostgreSQL, MySQL, and SQLite.

api usage

Checking Drizzle ORM

drizzle-orm 0.33.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=drizzle-orm&version=0.33.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "drizzle-orm",
  "version": "0.33.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```
attack surface

Why this package is monitored

Type-safe query builder packages compose SQL from typed inputs and execute the queries over a database connection supplied by the application. A backdoored version therefore sits on the path of every query: it can log every composed SQL statement, which reveals the full schema and all queried data.

Attestd monitors drizzle-orm using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.
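To show how a CI job would act on the /v1/check response shown under "api usage" and on the per-source confidence values listed here, the following is an added TypeScript example written for this page; it is not Attestd's or Drizzle's code. The response field names are taken from the sample response above, and the confidence weights are the ones listed for the three detection sources. The gate policy (block when compromised, warn when the version is unsupported, fail closed on a malformed body) is an assumption, and the flagged response is a constructed placeholder for an unnamed package, not a real advisory about drizzle-orm. The HTTP call itself is left out so the evaluation runs offline.

```typescript
// Added example (not Attestd's or Drizzle's code): turn a /v1/check response
// into a CI gate verdict. Field names follow the sample response on this page;
// the gate policy is an assumption made for this example.

type SourceId = "registry" | "osv" | "npm_deprecation";

interface SupplyChain {
  compromised: boolean;
  sources: SourceId[];
  malware_type: string | null;
  description: string | null;
  advisory_url: string | null;
  compromised_at: string | null;
  removed_at: string | null;
}

interface CheckResponse {
  product: string;
  version: string;
  supported: boolean;
  risk_state: string;
  supply_chain: SupplyChain;
  last_updated: string;
}

// Confidence per detection source, as listed under "attack surface".
const SOURCE_CONFIDENCE: Record<SourceId, number> = {
  registry: 1.0,
  osv: 0.95,
  npm_deprecation: 0.8,
};

type Verdict = "allow" | "warn" | "block";

interface GateResult {
  verdict: Verdict;
  confidence: number; // strongest reporting source; 0 when nothing reported
  reason: string;
}

// Fail closed: a body that does not carry the fields the gate relies on is an
// error, never an implicit "clean".
function parseCheckResponse(body: string): CheckResponse {
  const raw: unknown = JSON.parse(body);
  if (typeof raw !== "object" || raw === null) throw new Error("response is not an object");
  const r = raw as Record<string, unknown>;
  const sc = r.supply_chain as Record<string, unknown> | undefined;
  if (
    typeof r.supported !== "boolean" ||
    typeof sc !== "object" || sc === null ||
    typeof sc.compromised !== "boolean" ||
    !Array.isArray(sc.sources)
  ) {
    throw new Error("unexpected response shape; refusing to treat it as clean");
  }
  return raw as CheckResponse;
}

function evaluateCheck(resp: CheckResponse): GateResult {
  const name = `${resp.product}@${resp.version}`;
  // No coverage is no evidence either way: surface it, do not silently pass.
  if (!resp.supported) {
    return { verdict: "warn", confidence: 0, reason: `${name} is not covered by the service` };
  }
  const sc = resp.supply_chain;
  if (!sc.compromised) {
    return { verdict: "allow", confidence: 0, reason: `${name}: no known supply chain compromise` };
  }
  // Flagged: the most confident reporting source decides the score.
  const confidence = sc.sources.reduce((max, s) => Math.max(max, SOURCE_CONFIDENCE[s] ?? 0), 0);
  const status = sc.removed_at === null ? "still present in the registry" : `removed at ${sc.removed_at}`;
  return {
    verdict: "block",
    confidence,
    reason: `${name} flagged by ${sc.sources.join(", ")} (${sc.malware_type ?? "unknown type"}), ${status}`,
  };
}

// "warn" is reported but does not fail the build; "block" does.
function exitCodeFor(result: GateResult): number {
  return result.verdict === "block" ? 1 : 0;
}

// Sample response from this page (drizzle-orm 0.33.0, clean).
const CLEAN_JSON = `{"product":"drizzle-orm","version":"0.33.0","supported":true,"risk_state":"none",
 "supply_chain":{"compromised":false,"sources":[],"malware_type":null,"description":null,
 "advisory_url":null,"compromised_at":null,"removed_at":null},"last_updated":"2026-05-01T00:00:00Z"}`;
const CLEAN_RESPONSE: CheckResponse = parseCheckResponse(CLEAN_JSON);

// Constructed placeholder for a flagged package; every value here is made up
// for the example and describes no real package or advisory.
const FLAGGED_EXAMPLE: CheckResponse = {
  product: "example-package", version: "0.0.0-placeholder", supported: true, risk_state: "placeholder",
  supply_chain: { compromised: true, sources: ["osv", "npm_deprecation"], malware_type: "placeholder",
    description: "constructed example", advisory_url: null, compromised_at: "1970-01-01T00:00:00Z", removed_at: null },
  last_updated: "1970-01-01T00:00:00Z",
};

console.log(evaluateCheck(CLEAN_RESPONSE), evaluateCheck(FLAGGED_EXAMPLE));
```

In a pipeline the body passed to parseCheckResponse would be the output of the curl call shown above, and the process would exit with exitCodeFor(result). Taking the maximum source confidence rather than a sum keeps a single registry advisory (1.0) from being outweighed by weaker signals, and failing closed on a malformed body means an outage or API change cannot be mistaken for a clean result.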
