
pgfence releases

Every release pgfence has shipped, with rule additions, Trust Contract changes, and migration notes. The authoritative changelog lives in the repo at CHANGELOG.md.

v0.6.1 2026-06-02

The Trust Contract follow-up release. Full announcement: pgfence 0.6.1: Trust Contract fixes after the audit pass.

False-negative fixes

  • TypeORM manager aliases and destructured query aliases are now tracked so destructive SQL does not disappear from coverage.
  • Knex destructured schema aliases are now tracked, including schema-builder calls such as dropTable.
  • Inline foreign keys now include referenced-table stats in size-aware risk scoring.
  • Constrained domains can be detected from schema snapshots, and unresolved custom types now emit a visible caveat.

Policy and boundary fixes

  • Late lock_timeout ordering now follows emitted ACCESS EXCLUSIVE checks such as CLUSTER, VACUUM FULL, inline foreign keys, and constrained-domain additions.
  • CLI stats-source precedence now honors explicit command-line intent: --db-url, then --stats-file, then configured sources.
  • Lint boundary checks now reject static and dynamic imports into excluded implementation areas, including bare relative import forms.

Documentation

  • ADD COLUMN default documentation now matches the analyzer: constant and stable defaults are metadata-only on PostgreSQL 11 and newer, while volatile defaults remain high risk.
  • Demo artifacts, generated Prisma workflow examples, and changelog copy were refreshed for 0.6.1.

v0.6.0 2026-05-25

The footguns and assistants release. Full announcement: pgfence 0.6: explain, RULES.md, and five footguns no other linter catches.

New surfaces

  • pgfence explain "<statement>": paste-and-run single-statement explainer. Returns lock mode, blocked operations, risk level, and safe rewrite recipe for any DDL. Reads from positional arg or stdin. --output json for machine consumption.
  • RULES.md: curated single-file rule catalog at the repo root, designed to be dropped into a project so in-editor coding assistants pick it up as context.
  • pgfence init --prisma-github-action: scaffolds .github/workflows/pgfence-prisma.yml for projects on Prisma.

New rules: production footguns no other linter catches

Verified against the PostgreSQL source (tablecmds.c, cluster.c, policy.c, pg_enum.c):

  • cluster: HIGH, ACCESS EXCLUSIVE. Recommends pg_repack.
  • replica-identity-full: HIGH. Catches the silent 10x-100x WAL amplification that saturates Debezium / pglogical consumers.
  • enable-rls / disable-rls: HIGH. Enabling without a prior CREATE POLICY puts the table under PostgreSQL's default-deny policy, so every role except the table owner and BYPASSRLS roles sees no rows (the owner is only subject to policies under FORCE ROW LEVEL SECURITY). Disabling silently exposes every row to any role with table privileges.
  • inherit / no-inherit: HIGH, ACCESS EXCLUSIVE on both parent and child.
  • create-policy: LOW informational. Calls out that the policy is inert until ROW LEVEL SECURITY is enabled.
  • create-enum-type: LOW. Postgres has no ALTER TYPE ... DROP VALUE; suggests lookup table or CHECK constraint.
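The RLS rules above (enable-rls, disable-rls, create-policy) describe a mis-ordering, so here is the sequence played out in one transaction, followed by the catalog query a reviewer would run to find the same mistakes already present in a database. This is an added example, not pgfence's own code or output; the table, role and setting names (invoices, audit_log, app_reader, app.tenant) are hypothetical, and it assumes it is run by a superuser in psql so the SET ROLE steps succeed.

```sql
-- Added example, not pgfence's code: the enable-rls / create-policy /
-- disable-rls footguns, then a catalog check for them. Names are hypothetical.
BEGIN;

CREATE TABLE invoices (
  id      serial  PRIMARY KEY,
  tenant  text    NOT NULL,
  amount  numeric NOT NULL
);
INSERT INTO invoices (tenant, amount) VALUES ('acme', 10), ('globex', 20);

-- An application role that is NOT the table owner. The owner (and any
-- BYPASSRLS role) ignores policies unless FORCE ROW LEVEL SECURITY is set.
CREATE ROLE app_reader NOLOGIN;
GRANT SELECT ON invoices TO app_reader;

-- Footgun: create-policy before enable-rls. The policy exists but is inert,
-- so app_reader's query below is not filtered by tenant at all.
CREATE POLICY tenant_isolation ON invoices
  USING (tenant = current_setting('app.tenant', true));   -- NULL setting => no rows
SET LOCAL app.tenant = 'acme';
SET LOCAL ROLE app_reader;
SELECT tenant FROM invoices;   -- unfiltered: RLS is still off on this table
RESET ROLE;

-- The fix for that ordering: enable RLS, which puts the policy into force.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
SET LOCAL ROLE app_reader;
SELECT tenant FROM invoices;   -- now restricted to app.tenant
RESET ROLE;

-- Footgun: enable-rls with no policy at all. The default-deny policy applies,
-- so app_reader has SELECT privilege yet gets no rows back.
CREATE TABLE audit_log (id serial PRIMARY KEY, msg text);
INSERT INTO audit_log (msg) VALUES ('login');
GRANT SELECT ON audit_log TO app_reader;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
SET LOCAL ROLE app_reader;
SELECT msg FROM audit_log;     -- default deny: nothing visible to app_reader
RESET ROLE;

-- Footgun: disable-rls. The policy object survives, but every row is exposed
-- again to any role holding table privileges.
ALTER TABLE invoices DISABLE ROW LEVEL SECURITY;

-- Reviewer check: tables whose RLS state and policy set disagree.
-- Both hypothetical tables are in the wrong state at this point.
SELECT c.relname,
       c.relrowsecurity AS rls_enabled,
       count(p.polname) AS policies,
       CASE WHEN c.relrowsecurity THEN 'enabled, no policy: default deny'
            ELSE 'policies present but inert' END AS finding
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind = 'r' AND n.nspname = 'public'
GROUP BY c.oid, c.relname, c.relrowsecurity
HAVING (c.relrowsecurity AND count(p.polname) = 0)
    OR (NOT c.relrowsecurity AND count(p.polname) > 0);

ROLLBACK;   -- leave the database as it was
```

The safe ordering is CREATE POLICY followed by ENABLE ROW LEVEL SECURITY in the same transaction, so there is never a window in which the table is either default-deny or unfiltered. The final query is the check to keep: run it against a live database before trusting any RLS-based tenant isolation, since it catches both halves of the mistake regardless of which statement was forgotten.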

Trust Contract polish

  • Coverage line across all five reporters (CLI, JSON, GitHub PR, GitLab, trace CLI) now includes a (lines A, B, ...) suffix that identifies where unanalyzable statements live.
  • JSON envelope exposes coverage.dynamicStatementLines for machine consumers.
  • LSP now respects unknownHandling=block: unanalyzable statements surface as Error severity in editor diagnostics, matching the CLI block-mode exit code.

Other changes

  • ALTER COLUMN DROP NOT NULL: severity raised from LOW to MEDIUM. The ACCESS EXCLUSIVE lock it takes is brief, but it still queues behind any concurrent long-running transaction, and every query that arrives while it waits stalls behind it.
  • Dependencies: libpg-query upgraded from 16 to 17 (PG17 grammar parity), commander from 13 to 14, plus a patch-level sweep.
  • Published tarball shrunk from 173 KB to 110 KB (-36%).
  • homepage, bugs, repository fields added to package.json.
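The lock-queue stall behind ALTER COLUMN DROP NOT NULL above, and the late lock_timeout ordering check from the 0.6.1 notes, are both about where SET lock_timeout sits relative to an ACCESS EXCLUSIVE statement. This added example (not pgfence's code, and not its recipe text) shows the stall as three interleaved psql sessions and then the bounded form. The orders table is hypothetical, and "late" is read here as the timeout being set after the DDL it should protect, which is this editor's reading of that bullet rather than a quote from the tool.

```sql
-- Added example, not pgfence's code. "session A/B/C" comments mark which of
-- three concurrent psql sessions runs each statement. Table name hypothetical.

-- session A: a long report holds ACCESS SHARE on orders for minutes.
BEGIN;
SELECT count(*) FROM orders;
-- (A stays open; the rest happens while it is still running)

-- session B: the migration. ACCESS EXCLUSIVE conflicts with A's ACCESS SHARE,
-- so B sits in the lock queue with no upper bound on how long it waits.
ALTER TABLE orders ALTER COLUMN note DROP NOT NULL;

-- session C: an ordinary application read. It needs only ACCESS SHARE, which
-- does not conflict with A, but lock requests are granted in queue order and
-- ACCESS SHARE conflicts with B's pending ACCESS EXCLUSIVE. C therefore waits
-- behind B, and so does every further query on orders until A finishes.
SELECT * FROM orders WHERE id = 42;

-- What the late-lock_timeout check flags: the timeout is set after the
-- statement it was meant to protect, so B already queued unbounded.
-- session B (wrong order):
BEGIN;
ALTER TABLE orders ALTER COLUMN note DROP NOT NULL;
SET LOCAL lock_timeout = '2s';
COMMIT;

-- Bounded form. If ACCESS EXCLUSIVE is not granted within the timeout the
-- ALTER fails with SQLSTATE 55P03 (lock_not_available), nothing has changed,
-- the queue drains and C proceeds. The migration is retried later.
-- session B (correct order):
BEGIN;
SET LOCAL lock_timeout = '2s';
ALTER TABLE orders ALTER COLUMN note DROP NOT NULL;
COMMIT;
```

SET LOCAL scopes the timeout to the transaction, so a plain SET is not needed and the setting cannot leak into later statements of a shared connection. The retry loop belongs in the migration runner, not in SQL: catch 55P03, sleep, and re-run the transaction, since each attempt either completes quickly or gives up quickly.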

Fixes

  • examples/try-this/README.md: replaced em dashes with colons.
  • tests/cli.test.ts: wouldCiFail helper mirrors production shouldFailCI, including unknownHandling=block.
  • tests/cli.test.ts: --stats-file test now writes to tmpdir (parallel-safe).
  • src/index.ts: trace pg clients cleared after explicit .end() so the finally cleanup is a no-op.

v0.5.1 2026-04-29

  • Replaced VS Code Marketplace README badge with a stable Shields badge.
  • Fixed VACUUM (FULL false) parsing so pgfence only reports vacuum-full when FULL is enabled.
  • Added detection and tests for inline CREATE TABLE ... EXCLUDE constraints.

v0.5.0 2026-04-29

The Trust Contract release. Fail-closed ORM extraction, coverage visibility across CLI / JSON / GitHub / SARIF / GitLab reporters, hardened policy edge cases, LSP improvements (document symbols, folding ranges, inlay hints), and release-boundary checks that prevent local-only paths from shipping in the npm tarball.

Older releases

Earlier release notes are tracked in CHANGELOG.md in the repo.
