github zenstackhq/zenstack v2.13.0
ZenStack Release v2.13.0

9 days ago

Critical Bug Fixes

This release fixed a critical issue that may cause a nested updateMany/deleteMany to update or delete more entities than intended. It happens when all 3 conditions below are met:

  • Using updateMany/deleteMany under a top-level update query.
  • The nested-updated model has access policies referencing its own fields, or is a polymorphic model.
  • The top-level update query uses non-id unique fields as a filter condition.

Here's an example:

model User {
  ...
  id Int
  email String @unique
  posts Post[]
}

model Post {
  ...
  @@allow('all', published == false)
}

// note the top-level `update` call uses a unique field instead of primary key as filter
await db.user.update({ where: { email: ... }, data: { posts: { updateMany: { ... } } } });

The correct behavior is that only posts related to the user matching the "email" filter are affected by the update. However, when all 3 conditions above are met, the where: { email: ... } filter is lost, which might cause posts not related to the user to be updated too.

Please note that if Post has access policies (e.g., controlling that it can only be updated by the owner), the policies are NOT bypassed and will still filter the updateMany operation. That is why the description above says "might" even when all 3 conditions are met.

Please consider upgrading to this version ASAP. Also, please consider turning on Prisma's strict undefined checks preview feature. It can serve as an extra safety guard for issues caused by transforming Prisma queries.
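To help triage existing code before or after upgrading, the following added example (not ZenStack's own code) flags update arguments that match the query shape described above: a top-level filter on something other than the primary key, combined with a nested updateMany/deleteMany. The function names are hypothetical, the primary key is assumed to be named id, and the second condition (policies on the nested model, or a polymorphic model) cannot be seen from the query arguments, so a hit still has to be checked against the schema.

```javascript
// Added example, not ZenStack code. All names below are hypothetical.
const NESTED_MANY = ['updateMany', 'deleteMany'];

// Collect the paths of every nested updateMany/deleteMany in a `data` payload.
function findNestedMany(node, path = 'data', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findNestedMany(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (NESTED_MANY.includes(key) && value !== null && typeof value === 'object') {
        hits.push(here);
      }
      findNestedMany(value, here, hits);
    }
  }
  return hits;
}

// Classify the arguments of a top-level `update` call.
// Assumption: the model's primary key is `id` unless idFields says otherwise.
function auditUpdateArgs(args, idFields = ['id']) {
  const nonIdFilterKeys = Object.keys(args.where ?? {})
    .filter((key) => !idFields.includes(key));
  const nested = findNestedMany(args.data ?? {});
  return {
    atRisk: nonIdFilterKeys.length > 0 && nested.length > 0,
    nonIdFilterKeys,
    nested,
  };
}

// Constructed sample calls (argument objects only, no database needed).
const SAMPLE_CALLS = [
  { where: { email: 'a@example.com' },
    data: { posts: { updateMany: { where: { published: false }, data: { title: 'x' } } } } },
  { where: { id: 1 }, data: { posts: { deleteMany: {} } } },
  { where: { email: 'a@example.com' }, data: { name: 'renamed' } },
];

function auditAll(calls = SAMPLE_CALLS) {
  return calls.map((args) => auditUpdateArgs(args));
}

console.log(JSON.stringify(auditAll(), null, 2));
```

Only the first sample call is reported as at risk; the second filters by id and the third has no nested updateMany/deleteMany.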

A special thanks to @iksemot who filed the bug that made us aware of the issue!

New Features

  • Prisma 6.5 support (since v2.12.3)
  • Support calling currentModel and currentOperation functions in access policy rules #1984

Fixes and Improvements

  • [zod] Fixed incorrect Zod schema for JSON fields with default values by @diesal11
  • Properly re-export model metadata types by @Gabrola
  • Make sure the Enhanced type helper is always generated regardless of whether a logical prisma schema is used
  • [delegate] Fixed an incorrect TS typing when delegate models have long names #1994
  • [cli] Fixed zenstack generate error when @default references an auth() field of boolean type #2038

Full Changelog: v2.12.3...v2.13.0
