Security-driven version bumps; both stay within their existing major.
next 15.2.9 → 15.5.18 closes (1 high + 6 moderate next-specific CVEs):
- DoS via Server Components (high)
- Image Optimizer cache key confusion / content injection (moderate)
- Improper middleware redirect handling → SSRF (moderate)
- HTTP request smuggling in rewrites (moderate)
- Unbounded next/image disk cache growth → storage exhaustion (moderate)
- Self-hosted DoS via Image Optimizer remotePatterns (moderate)
drizzle-orm 0.38.4 → 0.45.2 closes:
- SQL injection via improperly escaped SQL identifiers (high)
Drizzle 0.45 changed query-error wrapping: outer Error.message is now
generic ("Failed query: insert into ...") with the postgres error on
.cause. Two integration test suites updated to assert on
cause.code === '23505' (postgres unique_violation) instead of message
regex — more robust + unambiguous.
eslint-config-next bumped 15.2.9 → 15.5.18 to match.
drizzle-kit bumped 0.30.6 → 0.31.10 to match.
Note: next-env.d.ts is auto-generated by next at build time; not
committed here (the new triple-slash routes reference would fail the
project's eslint rule, and CI regenerates it anyway).
Tests: 1185/1185 vitest passing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds integration test covering:
- idx_yoh_active: only one active ownership row per yacht
- idx_br_active: only one active reservation per berth (non-active rows
are ignored by the partial index)
- Case-insensitive company name uniqueness within a port, with same-name
companies allowed across different ports
Extends tests/helpers/factories.ts with async DB-inserting factories for
ports, clients, berths, yachts (+ ownership history row) and companies.
The new factories use the app's `db` handle so FK and partial unique
indexes are enforced by Postgres. The in-memory data helpers used by
unit tests (makeAuditMeta, makeCreateClientInput, permission helpers)
are preserved.
