A possible remote code injection vulnerability has been found in node-postgres. Please read the announcement.


node-postgres is a collection of node.js modules for interfacing with your PostgreSQL database. It has support for callbacks, promises, async/await, connection pooling, prepared statements, cursors, streaming results, C/C++ bindings, rich type parsing, and more! Just like PostgreSQL itself there are a lot of features: this documentation aims to get you up and running quickly and in the right direction. It also tries to provide guides for more advanced & edge-case topics allowing you to tap into the full power of PostgreSQL from node.js.


$ npm install pg

Getting started

This is the simplest possible way to connect, query, and disconnect with async/await:

const { Client } = require('pg')
const client = new Client()

await client.connect()

const res = await client.query('SELECT $1::text as message', ['Hello world!'])
console.log(res.rows[0].message) // Hello world!
await client.end()

And here's the same thing with callbacks:

const { Client } = require('pg')
const client = new Client()


client.query('SELECT $1::text as message', ['Hello world!'], (err, res) => {
  console.log(err ? err.stack : res.rows[0].message) // Hello World!

Our real-world apps are almost always more complicated then that, and I urge you to read on!

made withby@briancarlson