Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
postgres-migrations
A PostgreSQL migration library inspired by the Stack Overflow system described in Nick Craver's blog.
Requires Node 10.17.0+
Supports PostgreSQL 9.4+
There are two ways to use the API.
Either, pass a database connection config object:

```js
import {createDb, migrate} from "postgres-migrations"

async function run() {
  const dbConfig = {
    database: "database-name",
    user: "postgres",
    password: "password",
    host: "localhost",
    port: 5432,
  }

  // Creates the target database if it does not exist yet, connecting to
  // defaultDatabase to do so.
  await createDb(dbConfig.database, {
    ...dbConfig,
    defaultDatabase: "postgres", // defaults to "postgres"
  })

  await migrate(dbConfig, "path/to/migration/files")
}
```
Or, pass a pg client:

```js
import pg from "pg"
import {createDb, migrate} from "postgres-migrations"

async function run() {
  const dbConfig = {
    database: "database-name",
    user: "postgres",
    password: "password",
    host: "localhost",
    port: 5432,
  }

  {
    // Connect to the default database in order to create the target one.
    const client = new pg.Client({
      ...dbConfig,
      database: "postgres",
    })
    await client.connect()
    try {
      await createDb(dbConfig.database, {client})
    } finally {
      await client.end()
    }
  }

  {
    const client = new pg.Client(dbConfig) // or a Pool, or a PoolClient
    await client.connect()
    try {
      await migrate({client}, "path/to/migration/files")
    } finally {
      await client.end()
    }
  }
}
```
There is deliberately no concept of a 'down' migration. In the words of Nick Craver:

> If we needed to reverse something, we could just push another migration negating whatever we did that went boom ... Why roll back when you can roll forward?
Migrations are guaranteed to run in the same order every time, on every system.
Some migration systems use timestamps for ordering migrations, where the timestamp represents when the migration file was created. This doesn't guarantee that the migrations will be run in the same order on every system.
For example, imagine Developer A creates a migration file in a branch. The next day, Developer B creates a migration in master, and deploys it to production. On day three Developer A merges in their branch and deploys to production.
The production database sees the migrations applied out of order with respect to their creation time. Any new development database will run the migrations in the timestamp order.
A `migrations` table is created as the first migration, before any user-supplied migrations. This keeps track of all the migrations which have already been run.
Previously run migration scripts shouldn't be modified, since we want the process to be repeated in the same way for every new environment.

This is enforced by hashing the file contents of each migration script and storing the hash in the `migrations` table. Before running a migration, the previously run scripts are hashed again and checked against the database to ensure they haven't changed.
Each migration runs in a transaction. This ensures each migration is atomic: either it completes successfully, or it is rolled back and the process is aborted.

An exception is made when `-- postgres-migrations disable-transaction` is included at the top of the migration file. This allows migrations such as `CREATE INDEX CONCURRENTLY`, which cannot be run inside a transaction.

If anything fails, the migration in progress is rolled back and an exception is thrown.
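As an added example (not the library's own runner), the following shows the transaction-per-migration rule, the rollback-on-failure behaviour, and the `-- postgres-migrations disable-transaction` opt-out. The client is a constructed fake that records SQL instead of talking to PostgreSQL; the `migrations` table columns used in the INSERT are assumed.

```javascript
// Added example, not code from postgres-migrations. The fake client, the
// "boom" failure trigger and the migrations table columns are constructed.
const DISABLE_MARKER = "-- postgres-migrations disable-transaction"

// The marker must be the first non-blank line of the file.
function transactionDisabled(sql) {
  const firstLine = sql.split("\n").map(l => l.trim()).find(l => l.length > 0)
  return firstLine === DISABLE_MARKER
}

// Applies one migration. Either the script and its bookkeeping row commit
// together, or everything is rolled back and the error propagates so the
// whole run aborts.
async function runMigration(client, migration) {
  const useTransaction = !transactionDisabled(migration.sql)
  if (useTransaction) await client.query("BEGIN")
  try {
    await client.query(migration.sql)
    // Record the migration in the same transaction so a failure here also rolls back.
    await client.query(
      "INSERT INTO migrations (id, name, hash) VALUES ($1, $2, $3)",
      [migration.id, migration.name, migration.hash],
    )
    if (useTransaction) await client.query("COMMIT")
  } catch (err) {
    if (useTransaction) await client.query("ROLLBACK")
    throw err
  }
}

// Fake client: records every statement and fails on any SQL containing "boom".
function fakeClient() {
  const log = []
  return {
    log,
    async query(sql) {
      log.push(sql)
      if (sql.includes("boom")) throw new Error("simulated failure")
      return {rows: []}
    },
  }
}

// Constructed sample migrations.
const okMigration = {id: 1, name: "create-main", hash: "h1", sql: "CREATE TABLE main (id int primary key);"}
const failingMigration = {id: 2, name: "bad", hash: "h2", sql: "SELECT boom;"}
const indexMigration = {
  id: 3, name: "idx", hash: "h3",
  sql: `${DISABLE_MARKER}\nCREATE INDEX CONCURRENTLY main_idx ON main (id);`,
}

// Runs the three scenarios and returns the recorded statement logs.
async function demo() {
  const a = fakeClient()
  await runMigration(a, okMigration)

  const b = fakeClient()
  let failed = false
  try {
    await runMigration(b, failingMigration)
  } catch (e) {
    failed = true
  }

  const c = fakeClient()
  await runMigration(c, indexMigration)

  return {committed: a.log, rolledBack: b.log, failed, noTransaction: c.log}
}
```

Running `demo()` yields a BEGIN/.../COMMIT log for the good migration, a BEGIN/.../ROLLBACK log plus a thrown error for the failing one, and no BEGIN at all for the concurrent-index migration, which is exactly why such a script must be made safe to re-run on its own.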
As of v4, advisory locks are used to control concurrency. If two migration runs are kicked off concurrently, one will wait for the other to finish before starting. Once a process has acquired a lock, it will run each of the pending migrations before releasing the lock again.
Logs from two processes A and B running concurrently should look something like the following.

```
B Connected to database
B Acquiring advisory lock...
A Connected to database
A Acquiring advisory lock...
B ... aquired advisory lock
B Starting migrations
B Starting migration: 2 migration-name
B Finished migration: 2 migration-name
B Starting migration: 3 another-migration-name
B Finished migration: 3 another-migration-name
B Successfully applied migrations: migration-name, another-migration-name
B Finished migrations
B Releasing advisory lock...
B ... released advisory lock
A ... aquired advisory lock
A Starting migrations
A No migrations applied
A Finished migrations
A Releasing advisory lock...
A ... released advisory lock
```
Warning: the use of advisory locks will cause problems when using transaction pooling or statement pooling in PgBouncer. A similar system is used in Rails; see this for an explanation of the problem.

Make your migrations idempotent. Migrations should only be run once, but idempotence is a good principle to follow regardless.
Once applied (to production), a migration cannot be changed.
This is enforced by storing a hash of the file contents for each migration in the migrations table.
These hashes are checked when running migrations.
Backwards incompatible changes can usually be made in a few stages.
For an example, see this blog post.
A migration file must match the following pattern:

```
[id][separator][name][extension]
```

| Section | Accepted values | Description |
|---|---|---|
| id | Any integer, optionally zero-padded | Consecutive integer ID. Must start from 1 and be consecutive, e.g. if you have migrations 1-4, the next one must be 5. |
| separator | `_`, `-` or nothing | |
| name | Text of any length | |
| extension | `.sql` or `.js` | Extension matching is not case sensitive |
Example:

```
migrations
├ 1_create-initial-tables.sql
├ 2-alter-initial-tables.SQL
└ 3-alter-initial-tables-again.js
```

Or, if you want better ordering in your filesystem:

```
migrations
├ 00001_create-initial-tables.sql
├ 00002-alter-initial-tables.sql
└ 00003_alter-initial-tables-again.js
```
Migrations will be performed in the order of the ids. If ids are not consecutive or if multiple migrations have the same id, the migration run will fail.
Note that file names cannot be changed later.
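As an added example (not the library's own loader), the following checks a directory listing against the `[id][separator][name][extension]` pattern and the consecutive-id rule before any SQL is run. The regular expression and the error messages are this example's own; the sample listings are constructed from the trees above plus one deliberately broken listing.

```javascript
// Added example, not code from postgres-migrations: validate migration file
// names and id sequence. The regex and messages are this example's own.
const FILE_PATTERN = /^(\d+)([_-]?)(.*)\.(sql|js)$/i

// Returns {id, separator, name, extension, fileName}, or null if the name
// does not follow the pattern. Zero-padded ids ("00001") parse as plain integers.
function parseMigrationFileName(fileName) {
  const m = FILE_PATTERN.exec(fileName)
  if (!m) return null
  return {
    id: parseInt(m[1], 10),
    separator: m[2],
    name: m[3],
    extension: m[4].toLowerCase(), // extension matching is case-insensitive
    fileName,
  }
}

// Returns {migrations, errors}: migrations sorted by id, errors listing every
// reason the run would be refused (bad name, duplicate id, gap in ids).
function loadMigrationList(fileNames) {
  const errors = []
  const migrations = []
  for (const fileName of fileNames) {
    const parsed = parseMigrationFileName(fileName)
    if (!parsed) {
      errors.push(`${fileName}: does not match [id][separator][name].sql|.js`)
      continue
    }
    migrations.push(parsed)
  }
  migrations.sort((a, b) => a.id - b.id)

  const seen = new Set()
  for (const m of migrations) {
    if (seen.has(m.id)) errors.push(`${m.fileName}: duplicate id ${m.id}`)
    seen.add(m.id)
  }
  // Ids must be exactly 1..n; anything else means a gap or a wrong start.
  const ids = [...seen].sort((a, b) => a - b)
  ids.forEach((id, i) => {
    if (id !== i + 1) errors.push(`expected id ${i + 1} next but found ${id}`)
  })
  return {migrations, errors}
}

// Constructed listings: the two trees from the README plus a broken one
// (duplicate id 1, missing id 2, and a file that is not a migration).
const plainTree = ["1_create-initial-tables.sql", "2-alter-initial-tables.SQL", "3-alter-initial-tables-again.js"]
const paddedTree = ["00003_alter-initial-tables-again.js", "00001_create-initial-tables.sql", "00002-alter-initial-tables.sql"]
const brokenTree = ["1_a.sql", "1_b.sql", "3_c.sql", "notes.txt"]
```

Calling `loadMigrationList(brokenTree)` returns three errors and `loadMigrationList(paddedTree)` returns the three migrations in id order regardless of the listing order, which is the ordering guarantee the library relies on.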
By using the `.js` extension on your migration file you gain access to all Node.js features, and only need to export a method called `generateSql` that returns a string literal, like:

```js
// ./migrations/helpers/create-main-table.js
module.exports = `
CREATE TABLE main (
  id int primary key
);`
```

```js
// ./migrations/helpers/create-secondary-table.js
module.exports = `
CREATE TABLE secondary (
  id int primary key
);`
```

```js
// ./migrations/1-init.js
// The helpers live in ./migrations/helpers, so they are required relative to that directory.
const createMainTable = require("./helpers/create-main-table")
const createSecondaryTable = require("./helpers/create-secondary-table")

module.exports.generateSql = () => `${createMainTable}
${createSecondaryTable}`
```
If you want sane date handling, it is recommended you use the following code snippet to fix a node-postgres bug:

```js
const pg = require("pg")
const moment = require("moment")

// node-postgres parses DATE columns into JavaScript Date objects, which
// shifts the calendar day depending on the local time zone. Returning a
// plain YYYY-MM-DD string instead keeps the value as stored.
const parseDate = val =>
  val === null ? null : moment(val).format("YYYY-MM-DD")

const DATATYPE_DATE = 1082 // PostgreSQL OID for the date type
pg.types.setTypeParser(DATATYPE_DATE, val => {
  return val === null ? null : parseDate(val)
})
```
- Stack Overflow: How We Do Deployment - 2016 Edition (Database Migrations)
- Database Migrations Done Right
- Database versioning best practices
postgres-migrations
The tests require Docker to be installed.
FAQs
Stack Overflow style database migrations for PostgreSQL
The npm package postgres-migrations receives a total of 13,706 weekly downloads. As such, postgres-migrations popularity was classified as popular.
We found that postgres-migrations demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.