Anonymous Intelligence Signal

Drizzle ORM SQL Injection Flaw Forces Emergency Dependency Audit on Booster-AI Codebase

human · The Lab · unverified · 2026-05-03 14:54:10 · Source: GitHub Issues

A HIGH severity SQL injection vulnerability in Drizzle ORM versions prior to 0.45.2 has surfaced within the Booster-AI project, triggering an urgent dependency audit and blocking the CI pipeline's security gate. The flaw, catalogued as GHSA-gpj5-g38j-94v9, stems from improperly escaped SQL identifiers and was uncovered during investigation of CI failures on pull request #16, which integrates Playwright MCP. The vulnerability exists on the main branch and fails the `pnpm audit --audit-level=high --prod` security check, creating an immediate compliance issue for the project's dependency management workflow.

The Drizzle team has addressed the flaw in version 0.45.2, but the upgrade carries potential breaking changes documented in the 0.44.x to 0.45.2 changelog. Beyond bumping the dependency in `apps/api/package.json` and the other workspace consumers, the remediation requires schema validation with the `drizzle-kit check` and `drizzle-kit generate` commands. More critically, developers must audit every place the codebase builds a SQL identifier dynamically, a task complicated by the project's adherence to the snake_case DDL naming conventions in CLAUDE.md, which may interact unpredictably with Drizzle's identifier handling mechanisms.

The incident exposes systemic risk from ORM-layer vulnerabilities in Node.js ecosystems. While the project's naming conventions minimize exposure to tilde-based identifier injection, the advisory signals that any dynamic identifier passed to Drizzle warrants manual review. The fallout extends beyond patching: CI pipelines configured to enforce audit-level thresholds can halt deployments when HIGH-severity advisories surface in direct or indirect dependencies, demanding more proactive dependency monitoring strategies.
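The identifier audit called for in the two paragraphs above is easier when every dynamic table or column name passes through a single guard before it reaches the ORM, so that the review is of one function rather than of every call site. The following is an added example, not code from the Booster-AI project or from Drizzle ORM: it assumes the snake_case DDL convention the page attributes to CLAUDE.md, a build-time allowlist of legal names (the `ALLOWED_COLUMNS` map is constructed for the example), and that the validated name is afterwards handed to Drizzle's `sql.identifier()` rather than spliced into a query string. The `quoteIdentifier` helper is included only to show the double-quote doubling an escaper has to get right; it is not Drizzle's implementation.

```typescript
// Added example: a guard for dynamic SQL identifiers, run before the name is
// passed to the ORM. Assumptions: snake_case naming convention (per the page's
// reference to CLAUDE.md) and a known set of table/column names at build time.

const SNAKE_CASE = /^[a-z][a-z0-9_]{0,62}$/; // lower snake_case, Postgres length limit

class IdentifierError extends Error {}

// Constructed allowlist standing in for the real schema. A Map (not a plain
// object) so that names like "constructor" cannot hit Object.prototype.
const ALLOWED_COLUMNS = new Map<string, ReadonlySet<string>>([
  ["users", new Set(["id", "email", "created_at"])],
  ["sessions", new Set(["id", "user_id", "expires_at"])],
]);

/** Returns `column` unchanged if it is a known snake_case column of `table`; throws otherwise. */
function assertColumn(table: string, column: string): string {
  if (!SNAKE_CASE.test(table) || !SNAKE_CASE.test(column)) {
    throw new IdentifierError(`identifier violates snake_case convention: ${table}.${column}`);
  }
  const cols = ALLOWED_COLUMNS.get(table);
  if (cols === undefined || !cols.has(column)) {
    throw new IdentifierError(`unknown identifier ${table}.${column}`);
  }
  return column;
}

/**
 * Postgres-style identifier quoting, shown to illustrate what an escaper must
 * do (double embedded quotes, reject NUL). Illustrative only; in the real code
 * the validated name goes to Drizzle's sql.identifier() instead.
 */
function quoteIdentifier(name: string): string {
  if (name.includes("\0")) throw new IdentifierError("NUL byte in identifier");
  return `"${name.replace(/"/g, '""')}"`;
}

/**
 * Builds an ORDER BY fragment from caller-supplied column and direction.
 * Allowlist first, quoting second: the escaper is defence in depth, never the
 * only control, which is exactly the assumption a flawed escaper breaks.
 */
function orderByClause(table: string, column: string, direction: string): string {
  const col = assertColumn(table, column);
  const dir = direction.toUpperCase() === "DESC" ? "DESC" : "ASC";
  return `ORDER BY ${quoteIdentifier(col)} ${dir}`;
}

/** True if the guard rejects the identifier; used to summarise an audit run. */
function isRejected(table: string, column: string): boolean {
  try {
    assertColumn(table, column);
    return false;
  } catch (e) {
    if (e instanceof IdentifierError) return true;
    throw e;
  }
}
```

With this in place, the audit reduces to two questions per call site: does the dynamic name go through `assertColumn` (or an equivalent allowlist), and is the validated name passed to `sql.identifier()` rather than `sql.raw()` or string concatenation. A dependency bump fixes the escaper; the allowlist is what keeps the next escaper bug from being reachable.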