0.8.6 - JSON, UPSERT, EXPLAIN, and Rust fixes

@ocean ocean released this 07 Jan 07:53
· 262 commits to main since this release
caa255c

Release v0.8.6

Major Features

Named Parameters Execution Support

Full support for SQLite named parameter syntax (:name, @name, $name) in prepared statements and direct execution. Parameters are transparently converted from maps to positional arguments internally.

# Use named parameters in queries
{:ok, _, result, state} = EctoLibSql.handle_execute(
  "SELECT * FROM users WHERE email = :email AND status = :status",
  %{"email" => "[email protected]", "status" => "active"},
  [],
  state
)

Works seamlessly with prepared statements, transactions, batch operations, and cursor streaming.

EXPLAIN QUERY PLAN Support

Full support for SQLite's EXPLAIN QUERY PLAN via Ecto's Repo.explain/2 and Repo.explain/3. Returns structured query plans for optimisation and debugging.

{:ok, plan} = Repo.explain(:all, from(u in User, where: u.active == true))
# Returns: [%{"id" => 2, "parent" => 0, "notused" => 0, "detail" => "SCAN users"}]

CTE (Common Table Expression) Support

Full support for SQL WITH clauses including recursive CTEs. Enables complex hierarchical queries and improved query organisation.

query = "hierarchy"
        |> with_cte("hierarchy", as: ^base_query)
        |> recursive_ctes(true)
        |> select([h], h.name)
Repo.all(query)

Query-Based UPSERT Support

Extended on_conflict support to handle query-based updates with keyword list syntax for dynamic operations.

Repo.insert(changeset,
  on_conflict: [set: [name: "updated", updated_at: DateTime.utc_now()]],
  conflict_target: [:email]
)

STRICT Table Option

Added support for SQLite's STRICT table option for stronger type enforcement at INSERT/UPDATE time.

create table(:users, options: [strict: true]) do
  add :name, :string
  add :age, :integer
end

Security Enhancements

CVE-2025-47736 Protection

Defence-in-depth measures against SQL injection via named parameters:

  • Comprehensive parameter validation to prevent atom table exhaustion
  • Improved parameter extraction to avoid malicious input exploitation
  • Validates all named parameters against statement introspection
  • Proper error handling for invalid or malicious parameter names

See SECURITY.md for full details.
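The map-to-positional conversion described under "Named Parameters Execution Support" and the validation steps listed above share one mechanism, so the following added example covers both. It is illustrative code written for these notes, not the EctoLibSql implementation: it discovers the statement's parameter names with a regular expression rather than via the driver's statement introspection (an assumption; the real adapter asks the prepared statement), and `NamedParams` and its functions are hypothetical names. The security-relevant parts are that map keys are required to be strings and are never passed to `String.to_atom/1` (atoms are never garbage collected, so attacker-chosen keys would exhaust the atom table), and that the supplied keys must match the statement's parameter set exactly, so a missing, extra or malformed name is rejected with a descriptive error instead of being silently ignored.

```elixir
defmodule NamedParams do
  @moduledoc """
  Illustrative conversion of a named-parameter map into a positional
  argument list for SQLite (:name, @name and $name syntax). Not the
  adapter's own code; the parameter names are found with a regex here,
  where a real driver would read them from the prepared statement.
  """

  # A parameter is a :, @ or $ prefix followed by an identifier, not glued
  # to a preceding identifier character (so "a::b" casts are not matched).
  @param_re ~r/(?<![A-Za-z0-9_])[:@$]([A-Za-z_][A-Za-z0-9_]*)/

  @doc "Parameter names in first-occurrence order, as strings."
  def statement_params(sql) when is_binary(sql) do
    sql
    |> strip_string_literals()
    |> then(&Regex.scan(@param_re, &1, capture: :all_but_first))
    |> List.flatten()
    |> Enum.uniq()
  end

  # Blank out single-quoted literals so ':x' inside a string is not a parameter.
  defp strip_string_literals(sql), do: Regex.replace(~r/'(?:[^']|'')*'/, sql, "''")

  @doc """
  Converts `params` (string-keyed map) into a list ordered like the
  statement's parameters. Returns {:ok, list} or {:error, reason}.
  """
  def to_positional(sql, params) when is_binary(sql) and is_map(params) do
    expected = statement_params(sql)

    with :ok <- check_keys(params),
         :ok <- check_membership(expected, params) do
      {:ok, Enum.map(expected, &Map.fetch!(params, &1))}
    end
  end

  def to_positional(_sql, params), do: {:error, {:invalid_params, params}}

  # Keys must be binaries; user input is never converted to atoms.
  defp check_keys(params) do
    case Enum.reject(Map.keys(params), &is_binary/1) do
      [] -> :ok
      bad -> {:error, {:invalid_param_keys, bad}}
    end
  end

  # Every statement parameter must be supplied, and nothing else may be.
  defp check_membership(expected, params) do
    provided = MapSet.new(Map.keys(params))
    expected_set = MapSet.new(expected)
    missing = expected_set |> MapSet.difference(provided) |> MapSet.to_list()
    extra = provided |> MapSet.difference(expected_set) |> MapSet.to_list()

    cond do
      missing != [] -> {:error, {:missing_params, missing}}
      extra != [] -> {:error, {:unknown_params, extra}}
      true -> :ok
    end
  end
end

# Usage with constructed input: the first call yields a positional list in
# statement order; the second is rejected because "y" is not a parameter.
NamedParams.to_positional(
  "SELECT * FROM users WHERE email = :email AND status = @status",
  %{"email" => "user@example.test", "status" => "active"}
)

NamedParams.to_positional("SELECT 1 WHERE x = :x", %{"x" => 1, "y" => 2})
```

Because the error tuples name the offending keys rather than the whole input, they can be logged without echoing arbitrary user-supplied values; a production adapter would additionally compare `statement_params/1` against the names the driver reports, so that a mismatch between the regex and SQLite's own parser is caught rather than trusted.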

Bug Fixes & Improvements

Statement Caching

  • Replaced unbounded persistent_term cache with bounded ETS LRU cache
  • Prevents memory leaks from unlimited prepared statement caching
  • Configurable cache size with automatic eviction
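As an added illustration of the bounded-cache design these notes describe (not the adapter's own implementation), the following module keeps prepared statements in an ETS table with a hard size cap and least-recently-used eviction. `StatementLRU` and its functions are hypothetical names. The point it demonstrates is why an unbounded `persistent_term` cache is a memory-exhaustion risk: every distinct SQL string a caller sends becomes a permanent entry, so a client that varies its queries (or an attacker who controls part of a query shape) can grow the cache without limit, and each `persistent_term` update also forces a global scan of all processes. The ETS version below holds at most `max_size` entries regardless of how many distinct statements are seen; it assumes a single owning process (the tables are created unnamed and accessed without locking).

```elixir
defmodule StatementLRU do
  @moduledoc """
  Bounded LRU cache for prepared statements backed by two ETS tables:
  `entries` maps sql -> {sql, stmt, tick}, and `order` is an ordered_set
  of {tick, sql} so the oldest entry is always `:ets.first/1`.
  Illustrative code, not the adapter's own.
  """
  defstruct [:entries, :order, :max_size]

  @doc "Creates a cache that holds at most `max_size` statements."
  def new(max_size) when is_integer(max_size) and max_size > 0 do
    %__MODULE__{
      entries: :ets.new(:stmt_entries, [:set, :public]),
      order: :ets.new(:stmt_order, [:ordered_set, :public]),
      max_size: max_size
    }
  end

  @doc "Looks up `sql`; a hit is promoted to most-recently-used."
  def get(%__MODULE__{} = cache, sql) do
    case :ets.lookup(cache.entries, sql) do
      [{^sql, stmt, tick}] ->
        :ets.delete(cache.order, tick)
        touch(cache, sql, stmt)
        {:ok, stmt}

      [] ->
        :miss
    end
  end

  @doc "Inserts or refreshes `sql`, evicting the LRU entry when over capacity."
  def put(%__MODULE__{} = cache, sql, stmt) do
    case :ets.lookup(cache.entries, sql) do
      [{^sql, _old, tick}] -> :ets.delete(cache.order, tick)
      [] -> true
    end

    touch(cache, sql, stmt)
    evict(cache)
    :ok
  end

  @doc "Current number of cached statements."
  def size(%__MODULE__{} = cache), do: :ets.info(cache.entries, :size)

  # Strictly increasing ticks give a total recency order for the ordered_set.
  defp touch(cache, sql, stmt) do
    tick = System.unique_integer([:monotonic, :positive])
    :ets.insert(cache.entries, {sql, stmt, tick})
    :ets.insert(cache.order, {tick, sql})
  end

  # Drop the smallest tick (least recently used) until within the cap.
  defp evict(cache) do
    if size(cache) > cache.max_size do
      oldest = :ets.first(cache.order)
      [{^oldest, sql}] = :ets.lookup(cache.order, oldest)
      :ets.delete(cache.order, oldest)
      :ets.delete(cache.entries, sql)
      # A real driver would finalise the evicted prepared statement here.
      evict(cache)
    end
  end
end

# Usage with constructed input: after three inserts into a cache of two,
# "q1" has been evicted while "q2" and "q3" remain, so size/1 stays at 2.
cache = StatementLRU.new(2)
StatementLRU.put(cache, "q1", :stmt1)
StatementLRU.put(cache, "q2", :stmt2)
StatementLRU.put(cache, "q3", :stmt3)
StatementLRU.get(cache, "q1")
StatementLRU.size(cache)
```

Touching an entry on every hit is what makes the eviction order LRU rather than FIFO; a cache that only records insertion time would evict a hot statement simply because it was prepared early.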

Error Handling

  • Propagate parameter introspection errors instead of silently falling back
  • Descriptive errors for invalid argument types
  • Improved error messages throughout

Code Quality

  • Fixed all Credo warnings
  • Improved test reliability and coverage
  • Better state threading and error handling
  • Removed redundant UTF-8 validation code

Documentation

  • Added generated/computed columns documentation
  • Enhanced JSON/JSONB function documentation
  • Comprehensive test coverage for all new features
  • Cross-connection security test suite

🔗 Resources


Full Changelog: 0.8.3...0.8.6