sqlstring is a JavaScript (Node.js) utility for generating MySQL-ready SQL by escaping values and SQL identifiers, and formatting queries with placeholders. It helps avoid SQL injection by producing an escaped SQL string on the client side, including support for `?` placeholders for values and `??` for identifiers (with notes about SQL mode and differences from prepared statements).
Project status
- Maintenance status: The repository’s last upstream push appears to be 2022-04-03, and the most recent tagged update (v2.3.3) is from 2022-03-06, so as of 2026-06-09 the source looks quiet/dormant rather than actively maintained.
- Update cadence: Updates are infrequent and irregular (not a steady rhythm): 2016 to 2017, then 2018, then a gap to 2020, and another gap to 2022.
AI summary generated
Recent updates
v2.3.3
v2.3.3 primarily changes how `SqlString.escape` detects `Date` objects, fixing escaping for `Date` instances coming from different JS realms (foreign isolates). The rest of the changes are tooling and CI updates, including updated lint/test tooling versions and migration from Travis CI to GitHub Actions.
v2.3.2
Release v2.3.2 has no publisher release notes. The code diff is small and appears focused on a minor runtime logic tweak in SqlString.format, plus development tooling and CI configuration updates.
v2.3.1
Release v2.3.1 was published on 2018-02-24, but the publisher did not provide any release notes. Without documented changes, it is not possible to reliably identify new features, fixes, or breaking changes from the release documentation alone.
v2.3.0
v2.3.0 introduces new escape customization capabilities in SqlString, notably support for values that implement a toSqlString() method and a SqlString.raw() helper to mark trusted SQL fragments. Release notes were not provided by the publisher, so the behavioral and tooling changes reflected in the code are not documented in the official release notes.
BreakingFeaturesv2.2.0
Version v2.2.0 updates sqlstring's core escaping behavior around Date handling. The most notable code change is how invalid Date objects are escaped, plus a subtle change to what the public SqlString.dateToString function returns.
Breakingv2.1.0
Release notes were not provided for v2.1.0. The code diff shows a small set of escaping-related behavior changes in lib/SqlString.js, including safer handling of non-string inputs to escapeId and hardened buffer-to-string escaping.
v2.0.1
Release v2.0.1 updates the npm package metadata and publishing configuration. The only functional change indicated by the diff is ensuring the published package includes the missing `lib/` directory.
v2.0.0
Release v2.0.0 does not include any publisher release notes. The code changes show a major internal refactor of the sqlstring implementation (new lib/SqlString.js, old lib/sqlstring.js removed), along with substantial test and repo tooling updates.
v1.0.0
This release primarily updates project metadata, build/CI configuration, and documentation badges. There are no application logic or public API code changes shown in the provided diff, but the build process and Node.js support settings were modified.
Featuresv0.0.1
This release is version v0.0.1 and was published on 2014-02-25. No release notes were provided, so no specific changes, compatibility impacts, or fixes can be determined from the release description alone.