
build(deps): bump the db-prod group across 1 directory with 4 updates #423

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/db/db-prod-1a5df3b4a3

Conversation

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Bumps the db-prod group with 4 updates in the /db directory: @clickhouse/client, cassandra-driver, kysely and umzug.

Updates @clickhouse/client from 1.18.3 to 1.18.4

Release notes

Sourced from @​clickhouse/client's releases.

1.11.2 (Common, Node.js)

A minor release to allow further investigation regarding uncaught error issues with #410.

Types

  • Added missing lightweight_deletes_sync typing to ClickHouseSettings (#422, [pratimapatel2008])

Improvements (Node.js)

  • Added a new configuration option: capture_enhanced_stack_trace; see the JS doc in the Node.js client package. Note that it is disabled by default due to a possible performance impact. (#427)
  • Added more try-catch blocks to the Node.js connection layer. (#427)

#410: ClickHouse/clickhouse-js#410
#422: ClickHouse/clickhouse-js#422
#427: ClickHouse/clickhouse-js#427
[pratimapatel2008]: https://github.com/pratimapatel2008

1.11.1 (Common, Node.js, Web)

Bug fixes

  • Fixed an issue with URLEncoded special characters in the URL configuration for username or password. (#407)

Improvements

  • (Node.js only) Added support for streaming on 32-bit platforms. (#403, shevchenkonik)

1.11.0 (Common, Node.js, Web)

New features

  • It is now possible to provide custom HTTP headers when calling the query/insert/command/exec methods using the http_headers option. NB: http_headers specified this way will override http_headers set on the client instance level. (#394, @​DylanRJohnston)
  • (Web only) It is now possible to provide a custom fetch implementation to the client. (#315, @​lucacasonato)

1.9.1 (Node.js only)

  • Fixed an uncaught exception that could happen in case of malformed ClickHouse response when response compression is enabled (#363)

1.9.0 (Common, Node.js, Web)

New features

  • Added input_format_json_throw_on_bad_escape_sequence to the ClickhouseSettings type. (#355, @​emmanuel-bonin)
  • The client now exports TupleParam wrapper class, allowing tuples to be properly used as query parameters. Added support for JS Map as a query parameter. (#359)

Improvements

  • The client will throw a more informative error if the buffered response is larger than the max allowed string length in V8, which is 2**29 - 24 bytes. (#357)

1.8.1 (Node.js only)

Bug fixes

  • When a custom HTTP agent is used, the HTTP or HTTPS request implementation is now correctly chosen based on the URL protocol. (#352)

... (truncated)

Changelog

Sourced from @​clickhouse/client's changelog.

1.18.4

A release-infrastructure-only version bump (no user-facing changes). See 1.18.5 for the next release with user-facing improvements.

Commits

Updates cassandra-driver from 4.8.0 to 4.9.0

Changelog

Sourced from cassandra-driver's changelog.

4.9.0

2026-04-23

This release marks the first release of the driver under the Apache Software
Foundation, following its donation from DataStax.

Features

  • [NODEJS-692] - Add Node.js v24 support
  • [CASSNODEJS-2] - Update CONTRIBUTING.md after ASF donation, drop Node.js 18 support
  • [CASSNODEJS-4] - Update DRIVER_NAME after donation to ASF
  • [CASSNODEJS-3] - Public CI after Donation

Bug fixes

  • [PR #432] - Fix retry on socket error
  • [NODEJS-693] - Remove broken jsdoc from 4.8.0
  • [NODEJS-691] - Fix generated timestamp on retry

Commits
  • 1c0a7df ninja-fix: Changelog and version bump for 4.9.0
  • e5957d6 CASSNODEJS-3: Public CI after Donation
  • d3ddcbf CASSNODEJS-4 Update DRIVER_NAME after donation to ASF
  • 65507c5 Bump picomatch from 2.3.1 to 2.3.2
  • b0a6b61 Bump serialize-javascript and mocha
  • 8fa4399 Bump tar-fs from 2.1.2 to 2.1.4
  • 6c70446 CASSNODEJS-2 Update CONTRIBUTING.md after ASF donation (#453)
  • 3b4ce72 Donation to Apache Cassandra and ASF
  • acea0b9 NODEJS-691 Fix generated timestamp on retry (#438)
  • c0a6c5f Added NPM badge to README.md (#437)
  • Additional commits viewable in compare view

Updates kysely from 0.28.17 to 0.29.0

Release notes

Sourced from kysely's releases.

0.29.0

Hey 👋

This one's a banger! 💥 💥 💥

We got $pickTables, $omitTables compile-time helpers to narrow the world view of downstream queries, cutting down on compilation complexity/time while at it!

const results = await db
  .$pickTables<'person' | 'pet'>() // <----- now `DB` is only { person: {...}, pet: {...} } for following methods.
  .selectFrom('person')
  .innerJoin('pet', 'pet.owner_id', 'person.id')
  .selectAll()
  .execute()

const results = await db
  .$omitTables<'toy'>() // <----- now DB doesn't have a "toy" table description for following methods.
  .selectFrom('person')
  .innerJoin('pet', 'pet.owner_id', 'person.id')
  .selectAll()
  .execute()

We got a new ReadonlyKysely<DB> helper type that turns your instance into a compile-time readonly instance!

import { Kysely } from 'kysely'
import type { ReadonlyKysely } from 'kysely/readonly'

export const db = new Kysely<Database>({...}) as never as ReadonlyKysely<Database>

db.selectFrom('person').selectAll() // no problem.
db.selectNoFrom(sql`now()`.as('now')) // no problem.
db.deleteFrom('person') // compilation error + deprecation!
db.insertInto('person').values({...}) // compilation error + deprecation!
db.mergeInto('person')...  // compilation error + deprecation!
db.updateTable('person').set('first_name', 'Timmy') // compilation error + deprecation!
sql`...`.execute(db) // compilation error!
// etc. etc.

We got a brand new PGlite dialect. With it comes a new supportsMultipleConnections adapter flag that uses a new centralized connection mutex when false - should help simplify all SQLite dialects out here!

import { PGlite } from '@electric-sql/pglite'
import { Kysely, PGliteDialect } from 'kysely'
const db = new Kysely<DB>({
// ...

... (truncated)

Commits
  • 820f722 0.29.0
  • 8aed478 chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#1813)
  • 2bf653c chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1812)
  • c995453 chore(deps): bump github/codeql-action from 3.35.1 to 4.35.4 (#1816)
  • 30d1b62 chore(deps-dev): bump @​types/node from 25.6.0 to 25.6.1 (#1815)
  • b11e037 chore(deps): bump step-security/harden-runner from 2.17.0 to 2.19.1 (#1814)
  • 1e68a0d fix(ci): better-sqlite3 node.js version mismatches since pnpm action bump. ...
  • 9e0bfc0 chore: remove npm bump in publish workflow.
  • a8133c9 chore: revert better-sqlite3 bump.
  • 7f98851 add dependabot.
  • Additional commits viewable in compare view

Updates umzug from 3.8.2 to 3.8.3

Release notes

Sourced from umzug's releases.

v3.8.3

mostly just a security patch update

pnpm audit --prod output before 4272daa25ac2fed4e71973f04253f8219f42c26c:

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Validator is Vulnerable to Incomplete Filtering of One │
│                     │ or More Instances of Special Elements                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ validator                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <13.15.22                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.15.22                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @rushstack/ts-command-line@4.19.1 >                │
│                     │ @rushstack/terminal@0.10.0 >                           │
│                     │ @rushstack/node-core-library@4.0.2 > z-schema@5.0.5 >  │
│                     │ validator@13.11.0                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vghf-hv5q-vc2g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Picomatch has a ReDoS vulnerability via extglob        │
│                     │ quantifiers                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ picomatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.0.4                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.0.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > tinyglobby@0.2.13 > fdir@6.4.4 > picomatch@4.0.2   │
│                     │                                                        │
│                     │ . > tinyglobby@0.2.13 > picomatch@4.0.2                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c2c7-rcm5-vvqj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ validator.js has a URL validation bypass vulnerability │
│                     │ in its isURL function                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ validator                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <13.15.20                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.15.20                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @rushstack/ts-command-line@4.19.1 >                │

... (truncated)

Commits

@dependabot dependabot Bot added the dependencies (Issues about dependencies, or pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 8, 2026
@dependabot dependabot Bot requested a review from juanmrad as a code owner May 8, 2026 22:17
@dependabot dependabot Bot requested a review from dom-notion as a code owner May 8, 2026 22:17
Bumps the db-prod group with 4 updates in the /db directory: [@clickhouse/client](https://github.com/ClickHouse/clickhouse-js), [cassandra-driver](https://github.com/apache/cassandra-nodejs-driver), [kysely](https://github.com/kysely-org/kysely) and [umzug](https://github.com/sequelize/umzug).


Updates `@clickhouse/client` from 1.18.3 to 1.18.4
- [Release notes](https://github.com/ClickHouse/clickhouse-js/releases)
- [Changelog](https://github.com/ClickHouse/clickhouse-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ClickHouse/clickhouse-js/commits)

Updates `cassandra-driver` from 4.8.0 to 4.9.0
- [Changelog](https://github.com/apache/cassandra-nodejs-driver/blob/trunk/CHANGELOG.md)
- [Commits](apache/cassandra-nodejs-driver@v4.8.0...v4.9.0)

Updates `kysely` from 0.28.17 to 0.29.0
- [Release notes](https://github.com/kysely-org/kysely/releases)
- [Commits](kysely-org/kysely@v0.28.17...v0.29.0)

Updates `umzug` from 3.8.2 to 3.8.3
- [Release notes](https://github.com/sequelize/umzug/releases)
- [Changelog](https://github.com/sequelize/umzug/blob/main/CHANGELOG.md)
- [Commits](sequelize/umzug@v3.8.2...v3.8.3)

---
updated-dependencies:
- dependency-name: "@clickhouse/client"
  dependency-version: 1.18.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: db-prod
- dependency-name: cassandra-driver
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: db-prod
- dependency-name: kysely
  dependency-version: 0.28.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: db-prod
- dependency-name: umzug
  dependency-version: 3.8.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: db-prod
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/db/db-prod-1a5df3b4a3 branch from 2ebd404 to dc864ef Compare May 13, 2026 22:04