@pyramation

Summary

This PR makes three changes to the export-migrations.ts file in pgpm/core:

  1. License field: Added license: 'CLOSED' to the answers object passed to initModule for both exported packages (database dump and services)

  2. Security-related SQL commented out: Commented out the UPDATE meta_public.apis/sites SET dbname = current_database() statements with a TODO note explaining these may be a security leak that needs further research

  3. Variable rename: Renamed sqitchDir to pgpmDir for consistency with pgpm naming conventions

Review & Testing Checklist for Human

  • Verify the commented-out SQL doesn't break import functionality: The UPDATE statements were rebinding dbname to the target database after import. Commenting them out means the dbname field in meta_public.apis and meta_public.sites will retain whatever value was exported. Confirm this is the intended behavior.

  • Confirm "CLOSED" is the correct license string: This is not a standard SPDX identifier. Verify the template system accepts this value and it produces the expected license field in generated package.json files.

  • Test an actual export flow if possible: Run pgpm export against a database with the required schemas to verify the exported packages are generated correctly with the new license value.

Notes

This is PR 1 of a planned series. PR 2 will rename the Sqitch-related types and functions (SqitchRow → PgpmRow, writeSqitchPlan → writePgpmPlan, etc.).

Link to Devin run: https://app.devin.ai/sessions/7e7813472a0643aa88ccb509b288050a
Requested by: Dan Lynch (@pyramation)

…pdates, rename sqitchDir to pgpmDir

- Add license: 'CLOSED' to both database dump and services package exports
- Comment out UPDATE meta_public.apis/sites SET dbname statements with research notes
  (potential security leak - needs further investigation)
- Rename sqitchDir variable to pgpmDir for consistency with pgpm naming
- Update JSDoc comment to reference PGPM instead of Sqitch
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@pyramation pyramation merged commit 863db03 into main Dec 27, 2025
34 checks passed
@pyramation pyramation deleted the devin/1766797944-export-license-security-cleanup branch December 27, 2025 01:40