
node-postgres (pg)

registry: npm
package name: pg
maintainer: node-postgres Contributors

node-postgres (`pg`) is the low-level PostgreSQL client for Node.js, used directly or as the underlying transport for higher-level ORMs (Prisma, TypeORM, Drizzle). It handles connection pooling, TLS, and query execution against PostgreSQL. The connection config holds the database password in plain text during connection setup.

api usage

Checking node-postgres (pg)

pg 8.12.0 is a clean version with no known supply chain compromise. The response reports `compromised: false` with an empty `sources` array.

```bash
curl "https://api.attestd.io/v1/check?product=pg&version=8.12.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "pg",
  "version": "8.12.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

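As an added example (not Attestd's or node-postgres' own tooling), the following Python CI gate walks a `package-lock.json`, issues the same `/v1/check` request as the curl call above for every locked dependency, and fails the build on a recorded compromise. It assumes only the endpoint and response fields shown above, an `ATTESTD_API_KEY` environment variable, and a constructed lockfile fragment; treating any `risk_state` other than `"none"` as blocking is this example's own conservative choice.

```python
import json
import os
import urllib.parse
import urllib.request

ATTESTD_CHECK = "https://api.attestd.io/v1/check"

# Constructed package-lock.json (lockfileVersion 3) fragment, not a real project's lockfile.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/pg": {"version": "8.12.0"},
    "node_modules/legacy-tool": {"version": "0.1.0"},
    "node_modules/legacy-tool/node_modules/pg": {"version": "8.11.3"},
}})

def locked_packages(lockfile_text):
    """All (name, version) pairs in the 'packages' map, including nested installs."""
    lock = json.loads(lockfile_text)
    found = set()
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "version" not in meta:  # "" is the project itself
            continue
        found.add((path.rsplit("node_modules/", 1)[-1], meta["version"]))
    return sorted(found)

def fetch_check(name, version, api_key):
    """The same GET /v1/check request as the curl call above, via urllib."""
    url = ATTESTD_CHECK + "?" + urllib.parse.urlencode({"product": name, "version": version})
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def verdict(result):
    """'block' on a recorded compromise, 'unknown' if the version is unsupported, else 'ok'."""
    if not result.get("supported"):
        return "unknown"
    # Assumption of this example: any risk_state other than "none" is treated as blocking.
    if result.get("supply_chain", {}).get("compromised") or result.get("risk_state") != "none":
        return "block"
    return "ok"

def gate(lockfile_text, fetcher):
    """Map name@version to a verdict; the caller fails the build if any entry is 'block'."""
    return {f"{n}@{v}": verdict(fetcher(n, v)) for n, v in locked_packages(lockfile_text)}

if __name__ == "__main__":
    key = os.environ["ATTESTD_API_KEY"]  # bearer token from the environment, never hard-coded
    results = gate(open("package-lock.json").read(), lambda n, v: fetch_check(n, v, key))
    print("\n".join(f"{pkg} {state}" for pkg, state in results.items()))
    raise SystemExit(1 if "block" in results.values() else 0)
```

Versions Attestd does not support come back as `unknown` rather than `ok`, so a pipeline can choose to fail closed on them separately from confirmed compromises.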
attack surface

Why this package is monitored

Low-level database drivers parse and transmit plaintext credentials during connection establishment. A compromised driver can log connection credentials before the TLS handshake or intercept unencrypted query results on connections without `sslmode=verify-full`.

Attestd monitors pg using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.
