Introduction

pgfence is a Postgres migration safety CLI for Node.js teams. It tells you what lock each DDL statement takes, what it blocks, and gives you the safe rewrite to use instead, before you merge.

The Problem

Your ORM migration just took down production for 47 seconds.

A seemingly innocent line grabbed an ACCESS EXCLUSIVE lock on your 12M-row users table. Every query queued behind it. Healthchecks failed. Pods restarted. Customers noticed.

```sql
-- This looks harmless. It is not.
ALTER TABLE users ADD COLUMN created_at TIMESTAMPTZ NOT NULL DEFAULT now();
-- ACCESS EXCLUSIVE lock on entire table for duration of rewrite
```

ORMs hide this from you. pgfence makes it visible before you deploy.

What pgfence Does

pgfence analyzes your SQL migration files before they hit production:

  • Lock mode: exactly which Postgres lock each DDL statement acquires and what it blocks
  • Risk level: Low, Medium, High, or Critical, scaled by actual table size when available
  • Safe rewrite recipes: the exact expand/contract SQL to run instead
  • Policy violations: missing lock_timeout, CONCURRENTLY inside transactions, and more

Want to see the whole review flow, not just the feature list? Open the PR review demo for a realistic risky migration, the exact GitHub comment output, and the safer rollout that gets merged instead.
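
An expand/contract rollout for the `ADD COLUMN ... NOT NULL DEFAULT now()` migration shown earlier, written here as an added example; it is not pgfence output or code from the project. It assumes PostgreSQL 12 or later and an `id` primary key on `users`; the constraint name, timeout and batch size are illustrative.

```sql
-- Added example: expand/contract rollout for users.created_at.
-- Assumptions (not from the original page): PostgreSQL 12+, users has an
-- id primary key; constraint name, timeout and batch size are illustrative.

-- Step 1 (expand): fail fast instead of queueing behind long transactions.
SET lock_timeout = '2s';

-- Nullable column, no default: catalog-only change, so the
-- ACCESS EXCLUSIVE lock is held only briefly.
ALTER TABLE users ADD COLUMN created_at TIMESTAMPTZ;

-- The default applies to rows inserted from now on; existing rows stay NULL.
ALTER TABLE users ALTER COLUMN created_at SET DEFAULT now();

-- Step 2 (backfill): run each batch in its own short transaction and
-- repeat until 0 rows are updated. Only row locks are taken, so reads
-- and writes on other rows continue.
UPDATE users
SET    created_at = now()
WHERE  id IN (
    SELECT id
    FROM   users
    WHERE  created_at IS NULL
    LIMIT  10000
);

-- Step 3 (contract): add the constraint without scanning existing rows...
ALTER TABLE users
    ADD CONSTRAINT users_created_at_not_null
    CHECK (created_at IS NOT NULL) NOT VALID;

-- ...then validate it under SHARE UPDATE EXCLUSIVE, which does not
-- block reads or writes while the table is scanned.
ALTER TABLE users VALIDATE CONSTRAINT users_created_at_not_null;

-- With the validated CHECK in place, PostgreSQL 12+ skips the
-- full-table scan that SET NOT NULL would otherwise need.
ALTER TABLE users ALTER COLUMN created_at SET NOT NULL;

-- The CHECK constraint is now redundant.
ALTER TABLE users DROP CONSTRAINT users_created_at_not_null;
```

Existing rows receive the timestamp of their backfill batch rather than a single migration-time value, so confirm that this is acceptable for the column before using the pattern.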

How It Works

pgfence uses libpg-query, actual PostgreSQL parser bindings, to produce a real AST from your migration files. It never uses regex. Every check is deterministic.

It extracts or transpiles SQL from raw .sql files and code-based ORM migrations (TypeORM, Knex, Sequelize). For Prisma and Drizzle, pgfence reads their generated SQL migration files directly. After extraction, pgfence maps each DDL statement to a lock mode using Postgres's documented lock matrix.

Ecosystem

  • Prisma documents pgfence publicly in its integration guide.
  • pgfence is listed in the public pglt Related Work page.
  • The OSS package ships pgfence analyze, pgfence trace, the pgfence lsp / pgfence-lsp server entrypoints, and CLI, JSON, GitHub, SARIF, and GitLab reporters.

Alternatives

| Tool | Language | Focus |
|---|---|---|
| Squawk | Rust | SQL linter with GitHub Action |
| Eugene | Rust | DDL lint + trace modes |
| strong_migrations | Ruby | Rails/ActiveRecord checks |
| pgfence | TypeScript | Node.js/ORM native, DB-size-aware, safe rewrites |