zenstack

Fullstack TypeScript toolkit that enhances Prisma ORM with flexible Authorization layer for RBAC/ABAC/PBAC/ReBAC, offering auto-generated type-safe APIs and frontend hooks.

MIT License

Downloads
204.1K
Stars
2.1K
Committers
32


zenstack - ZenStack Release v1.6.2

Published by ymc9 9 months ago

What's Changed

  • Fixed an issue that transactions may not be properly rolled back due to nesting.
  • Marked several APIs deprecated: withPolicy, withPassword, withOmit, withPreset. They'll be removed in V2.

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.6.1...v1.6.2

zenstack - ZenStack Release v1.6.1

Published by ymc9 10 months ago

What's Changed

  • Added support for the new nanoid() attribute function supported by Prisma #923 by @dikyarga
  • Policy generation error when auth() is accessed with multi-level member access #921
  • Incorrect resolution when references are resolved inside collection predicate expressions #925
  • Updated several vulnerable npm dependencies

New Contributors

  • Welcome @dikyarga as our new contributor!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.6.0...v1.6.1

zenstack - ZenStack Release v1.6.0

Published by ymc9 10 months ago

🎈 Happy New Year 🎈

New Features

  • First release of JetBrains plugin! Search for "ZenStack Language Tools" in WebStorm or install it from here #519
  • Plugin package for integrating with RedwoodJS docs

Improvements and Fixes

  • [openapi] make sure optional fields are generated as nullable types
  • [zmodel] fixed crash caused by missing opposite side of relation field when model inheritance is used
  • [zmodel] stricter type checking for disallowing comparison between fields of different models #901
  • [zod] fields with default values are generated into zod schema with ".default" #886

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.5.0...v1.6.0

zenstack - ZenStack Release v1.5.0

Published by ymc9 10 months ago

New Features

  • You can now specify the location of ZModel file in "package.json" in your project. #878

    {
        ...
        "zenstack": { "schema": "./db/schema.zmodel" }
    }
    

    The zenstack CLI recognizes this setting and will use it as default if it's set.

  • Field-level access policies can be configured to override model-level ones #809 docs

Fixes and Improvements

  • Upgraded "prettier" dependency to V3! By @sitch
  • [swr] Marked the generated legacy mutation functions as deprecated. New code should use mutation hooks instead.
  • [swr/tanstack] Fixed ESLint issue when calling the generated mutation hooks
  • [zod] Generated "Create" schemas now require foreign key fields if the relation is non-optional.
  • [zod] Fixed exports in "package.json" to make it compatible with Next.js 13+ bundler #861
  • [swr] Runtime modules are not compiled to both CJS and ESM
  • [cli] Removed --config option from CLI docs since it doesn't do anything today.

Welcome @sitch as our new contributor ❤️!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.4.0...v1.5.0

zenstack - ZenStack Release v1.4.0

Published by ymc9 11 months ago

New Features

  • SWR plugin now generates mutation as hooks (they were plain async functions in the previous versions) and supports automatic optimistic update docs

    Old mutation usage:

    const { createPost } = useMutatePost();
    async function onCreate() {
        await createPost(...);
    }
    

    New mutation hooks:

    const { trigger: create, isMutating } = useCreatePost();
    function onCreate() {
        create(...);
    }
    
  • New zenstack format CLI command for formatting ZModel files. Useful for people who are using non-VSCode IDE.

Breaking Changes

  • Field-level access policy for "update" and "all" kinds are not allowed on relation fields anymore. It wasn't clear if the rule guards updates to the relation or the entity linked by the relation. To guard the update of a relation, put rules on the foreign key fields instead. I.e., change:

    model Post {
        ...
        author User @relation(fields: [authorId], references: [id]) @allow('update', ...)
        authorId String
    }
    

    to:

    model Post {
        ...
        author User @relation(fields: [authorId], references: [id])
        authorId String @allow('update', ...)
    }
    

Fixes and Improvements

  • Support for multi-level model inheritance #540
  • Zod plugin now generates foreign key fields into the schemas #828
  • Stricter type compatibility check to binary operations in policy rules #804
  • Cosmetic updates to REPL, and fixed compatibility with pnpm environment #854
  • Fixed compatibility with Prisma Client Extensions that add new methods to models #852
  • Fixed a query injection problem when a create is nested inside of an update in array form #864
  • Fixed tanstack-query plugin's runtime compatibility with tanstack v5
  • Fixed the problem that auth() cannot be resolved when User model is marked @@ignore #840

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.3.2...v1.4.0

zenstack - ZenStack Release v1.3.2

Published by ymc9 11 months ago

What's Changed

  • Fixed the issue that enhanced PrismaClient broke the usage of Prisma Client Extensions that add new methods to models.

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.3.1...v1.3.2

zenstack - ZenStack Release v1.3.1

Published by ymc9 11 months ago

What's Changed

  • Adding a utility for converting ZModel AST to source string in the SDK package for easier plugin development.
  • Allow CLI to load plugin using a relative path to a JS module.

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.3.0...v1.3.1

zenstack - ZenStack Release v1.3.0

Published by ymc9 11 months ago

New Features

  • The new zenstack repl command. Use it to interactively call PrismaClient methods, with or without ZenStack enhancement. doc.
  • [Preview] Automatic optimistic update for tanstack-query hooks. You can now pass a flag to let mutations automatically update related queries optimistically. doc.
  • You can now use collection predicates with the auth() expression. E.g.: @@allow('update', auth().roles?[permission == ADMIN]). Note that you still need to make sure the user context object you pass to enhance() includes all fields (recursively) used in the expression. #803

Improvements and Fixes

  • Field-level policy: fixed the issue that when a field only has deny rules, access is rejected even if the rules don't satisfy #811
  • Field-level policy: fixed the issue that policies don't cover relations by @tlancina #814
  • Field-level policy: entire "update" policy check is postponed to post-update stage if there's any "post-update" rules. #825
  • Fixed validation rules for @db.TinyInt attribute by @elsantoalcielo in #821

New Contributors

  • Welcome @elsantoalcielo as our new CONTRIBUTOR! Thank you all for making ZenStack a better product ❤️ @tlancina @jasonmacdonald @elsantoalcielo !

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.2.2...v1.3.0

zenstack - ZenStack Release v1.2.2

Published by ymc9 11 months ago

What's Changed

  • Fixed the issue that post-update rules incorrectly reject updates

zenstack - ZenStack Release v1.2.1

Published by ymc9 12 months ago

Fixes

  • Query injection problem when dealing with nested one-to-many relations. #811

Thanks @jasonmacdonald for filing the bug and creating the initial fix!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.2.0...v1.2.1

zenstack - ZenStack Release v1.2.0

Published by ymc9 12 months ago

Features

  • TanStack Query V5 support! In the plugin configuration, set the "version" field to "v5" to generate targeting V5. #780
  • Support for using a custom model (marked with @@auth attribute) to resolve auth() function in access policies. Previously it was required to have a model named "User". #774

Improvements and Fixes

  • VSCode extension: make ZModel's syntax highlighting more consistent with Prisma extension #791

  • Improved automatic query invalidation for TanStack Query and SWR hooks. #698

    • Upon mutation, queries with nested read will also be invalidated if the nested reading part is potentially affected by the mutation.

      E.g., creating a Post will invalidate queries like useFindUniqueUser({ where: { id }, include: { posts: true } }).

    • Upon deletion, "cascade" relation settings will be respected, and queries involving models that're indirectly deleted due to cascade will also be invalidated.

      E.g., creating a User will invalidate queries like useFindManyPost() if the User <-> Post relation specifies cascade deletion.

  • A getQueryKey helper function is generated together with TanStack/SWR hooks for computing the query key given a query operation and args. #697

New Contributors

  • A big ❤️THANK YOU❤️ to @jasonmacdonald for the contribution to this release. Welcome to the contributors family!

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.1.1...v1.2.0

zenstack - ZenStack Release v1.1.1

Published by ymc9 12 months ago

Fixes and Improvements

  • Fixed incorrect policy injection for certain nested create/update/upsert #764
  • Fixed runtime exception when an update payload contains fields with undefined values

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.1.0...v1.1.1

zenstack - ZenStack Release v1.1.0

Published by ymc9 about 1 year ago

Features

  • Server adapter for Nuxt V3! docs
  • @zenstackhq/tanstack-query plugin now supports "vue" target. You can use it with the Nuxt server adapter for Vue.js-based full-stack development docs. Check out the todo sample.
  • Support configuring what models to include for zod and trpc plugins. Please beware that even with a list of models specified for the "zod" plugin, during generation it'll traverse and include all referenced models recursively. trpc-docs zod-docs #728

Fixes and Improvements

  • Upgraded Zod dependency to the latest "3.22.4" release. Older Zod versions are vulnerable to ReDoS attacks. Please consider upgrading the Zod dependency in your project as well.
  • ZModel: added missing Max enum declaration and extra parameter to the @default attribute for MSSQL #724
  • ZModel: allow models without field declarations #734
  • ZModel: support using "view" and "import" as declarations names #735
  • ZModel: support using string literal as keys in object expressions #744
  • ZModel: report errors when member access is made on an array field #756
  • OpenAPI: do not generate "id" field in create input if the field has default value #736
  • TRPC: added "eslint ignore" comment generation for helper.ts #753
  • Added "model-meta" and "policy" entries to "package.json" of the generated ".zenstack" package for better compatibility #755

New Contributors

  • Welcome our new contributor @Lordfirespeed

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.2...v1.1.0

zenstack - ZenStack Release v1.0.2

Published by ymc9 about 1 year ago

What's Changed

  • Fixing an incorrect version dependency from zenstack package to @zenstackhq/runtime.

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.1...v1.0.2

zenstack - ZenStack Release v1.0.1

Published by ymc9 about 1 year ago

Yes, ZenStack is V1 now 🎉!

What's Changed

  • Fixed policy generation error when using collection predicate expressions in field-level access policies #703
  • Fixed wrong query injection when nesting a create inside update #714
  • Support Postgres extensions #713
  • Tighten up ZModel validation for comparing scalar values against array values (==, !=) #704
  • Added missing package.json exports for "@zenstackhq/runtime/zod/objects" by @abdullahahmeda

This marks our first stable release 🎉! Thanks to everyone for the great support along the way!

What's next?

  • ZenStack will start to follow semver
  • We'll continue iterating minor and patch versions on the V1 track while avoiding breaking changes and major/risky changes
  • We're working on a V2 roadmap and will share it with the community soon

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.0-beta.23...v1.0.1

zenstack - ZenStack Release v1.0.0-beta.23

Published by ymc9 about 1 year ago

New Features

  • @zenstackhq/tanstack-query and @zenstackhq/swr plugins now generate Infinite findMany queries for supporting easier pagination. See documentation for tanstack-query and swr.

Fixes and Improvements

  • Upgraded Prisma V4 dependencies to address a security audit warning
  • Fixed the issue that the generated trpc code is not properly processed by vite
  • More precise Zod typing when refinement is applied by @tlancina #676
  • Fixed code generation error when there're unused enums in ZModel #674
  • Make sure fastify plugin always returns a reply to avoid stalling requests by @NeoN0x #684
  • Added missing exports to "@zenstackhq/tanstack-query" package
  • Fixed incorrect count result when complex policy conditions and where filters are mixed #689
  • Exception thrown by enhanced PrismaClient now carries raw ZodError if the failure is due to zod validation #682
  • Added "noUncheckedInput" option to zod plugin to turn off generation of "Unchecked" Prisma input types #681
  • zenstack generate command now gives a warning if ZenStack packages of mismatched versions are detected #547
  • zenstack generate command now checks for newer versions and prompts #175
  • New CLI command line options:
    • "-o, --output": set the default output directory for the built-in plugins
    • "--no-default-plugins": turns off automatic running of built-in plugins
    • "--no-compile": turns off automatic compilation of code generated by built-in plugins
  • enhance API now has a new loadPath option to load model metadata, policies and zod schemas from a custom location.

New Contributors

A big ❤️ THANK YOU ❤️ for the great contribution from @tlancina and @NeoN0x !

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.0-beta.21...v1.0.0-beta.23

zenstack - ZenStack Release v1.0.0-beta.21

Published by ymc9 about 1 year ago

New Features

  • TRPC plugin now generates more flexible typings for routers and allows you to merge your own routers without breaking their typing - by @mateus-p
  • Zod plugin now exports detailed Prisma input object schemas through @zenstackhq/runtime/zod/objects #647 - by @abdullahahmeda
  • Add support for Prisma's fluent API #401
  • TRPC plugin now generates the (previously missing) count procedure #618
  • ZModel schema now allows escaping characters in string literals with backslashes #416

Fixes and Improvements

  • @zenstackhq/server now has explicit "exports" in package.json, making it more friendly to bundlers - by @krist7599555
  • Fixed zod and openapi generation issue when Prisma's "fullTextSearch" preview feature is enabled #650
  • Fixed the problem that very small float number literal is output as "e-notation" in generated Prisma schema #646 with help from @sitch
  • Fixed incorrect zod schema generation when field-validation attributes (@gt etc.) are used on Decimal fields #657
  • Auxiliary fields (zenstack_guard and zenstack_transaction) previously generated into Prisma schema are finally removed!
  • Policy generation errors when this keyword is used in field-level policy rules #665

New Contributors

Big ❤️ THANK YOU ❤️ to our amazing new contributors! @mateus-p @abdullahahmeda @krist7599555

We're very close to a V1 release now!!!


Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.0-beta.20...v1.0.0-beta.21

zenstack - ZenStack Release v1.0.0-beta.20

Published by ymc9 about 1 year ago

New Features

1. Field-level access policies

You can now use @allow and @deny attributes to attach access policies to fields (for "read" and "update" operations only). Non-readable fields will be omitted when returned, and non-updatable fields will cause rejection if they're included as part of an update.

E.g.:

model Post {
    id Int @id
    private Boolean @default(false)
    title String @allow("read", !private)
}

More details here.

2. Comparing fields in access policy rules

You can now compare fields (of the current model) in access policy rules. Such comparison is compiled down to Prisma's field reference.

E.g.:

model Foo {
    id Int @id
    x Int
    y Int
    @@allow("read", x > y)
}

3. Access policies support for Prisma Pulse

If you use an enhanced client to subscribe to Prisma Pulse events, the subscription will also be injected (with "read" policy rules) so that only readable events will be notified.

Fixes and Improvements

  • Zod code generation issue when there're multiple fields of the same enum type #632
  • Policy injection accidentally overwrites user-provided filters #634
  • Incorrect typing of generated policy definitions #639
  • Incorrect code generation for models not using Pascal casing

Btw, Prisma 5.2 has been released, and ZenStack now fully supports this version. If you're using Prisma 5, please make sure to upgrade.

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.0-beta.18...v1.0.0-beta.20

zenstack - ZenStack Release v1.0.0-beta.18

Published by ymc9 about 1 year ago

What's Changed

  • Fixed incorrect filter injection for nested reads #624
  • Fixed incorrect injection to create call when policy rules reference foreign keys #627
  • Added runtime check and throws error when creating enhanced PrismaClient with user context but the user object doesn't have id field(s) #599

Breaking Changes

Related to the fix for issue #599: previously, if you called enhance (or withPolicy) with a user context without an id field, like:

const db = enhance(prisma, { user: {} });

it worked as if you passed in undefined user, and the policy engine treated it like an anonymous user. This behavior caused some users to accidentally provide anonymous users without being aware of it.

With the fix, such a call will result in an error thrown, complaining that you must pass in id fields. To represent an anonymous user, you can pass undefined user or an undefined context:

const db = enhance(prisma);
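
The breaking change above makes an id-less user object an error rather than a silent anonymous user. The following added example (not code from ZenStack or its release notes) shows one way to apply the same fail-closed rule in application code before the context reaches enhance(); buildEnhanceContext, classify and the sample sessions are hypothetical names and constructed data, and the auth model's id field is assumed to be "id" unless another list is passed.

```typescript
// Added example: hypothetical helper, not part of ZenStack's API.
type EnhanceContext = { user: Record<string, unknown> } | undefined;

/**
 * Turn whatever the session layer produced into the context argument for
 * enhance(). `idFields` lists the id field(s) of the auth model (assumed
 * to be ["id"]; a composite id would list several fields).
 */
function buildEnhanceContext(
    sessionUser: unknown,
    idFields: readonly string[] = ["id"],
): EnhanceContext {
    // No session at all: an explicit, intentional anonymous request.
    if (sessionUser === undefined || sessionUser === null) {
        return undefined;
    }
    if (typeof sessionUser !== "object" || Array.isArray(sessionUser)) {
        throw new Error("session user must be an object");
    }
    const user = sessionUser as Record<string, unknown>;
    // A user object is present, so every id field must carry a usable value.
    // 0 is accepted because it is a valid numeric id.
    const missing = idFields.filter((field) => {
        const value = user[field];
        return value === undefined || value === null || value === "";
    });
    if (missing.length > 0) {
        throw new Error(`user context is missing id field(s): ${missing.join(", ")}`);
    }
    return { user };
}

type Outcome = "anonymous" | "authenticated" | "rejected";

// Summarize how a given session value would be treated.
function classify(sessionUser: unknown, idFields: readonly string[] = ["id"]): Outcome {
    try {
        return buildEnhanceContext(sessionUser, idFields) === undefined
            ? "anonymous"
            : "authenticated";
    } catch {
        return "rejected";
    }
}

// Constructed sample sessions, as a request handler might see them.
const sampleSessions: Array<[string, unknown]> = [
    ["no session", undefined],
    ["valid user", { id: "u1", role: "ADMIN" }],
    ["token decoded without a subject", { role: "ADMIN" }],
    ["empty object from a misbehaving middleware", {}],
];

for (const [label, sessionUser] of sampleSessions) {
    console.log(`${label}: ${classify(sessionUser)}`);
}

// In a request handler (assumed wiring):
//   const db = enhance(prisma, buildEnhanceContext(session?.user));
```

Rejecting the request at this point lets the handler answer with an authentication error instead of running queries under anonymous-user policies.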

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.0-beta.16...v1.0.0-beta.18

zenstack - ZenStack Release v1.0.0-beta.16

Published by ymc9 about 1 year ago

What's Changed

  • New enhance API

    Added a new enhance API as a replacement to withPresets, which includes all essential enhancements to PrismaClient. The withPresets API, found to have a confusing name by many, will be deprecated in a future release.

  • Policy check refactor and performance improvement

    This release contains a major refactor to the access policy engine, bringing two significant improvements:

    • The new engine doesn't rely on the auxiliary fields (zenstack_guard & zenstack_transaction) for policy checks anymore. The aux fields are still generated in this release but will be removed in a future one.
    • Performance improvements, especially for the nested read of to-one relationships. Now read filtering is fully done with query injection and never does post-read checks.
  • Fixed incorrect relation ownership analysis for self-relations. #609

Breaking Changes

  • Requires Prisma minimum version 4.8.0

    The minimum supported Prisma version is increased to 4.8.0. This is mainly for being able to filter nullable to-one relations during query (so we don't need to do post-read filtering). A warning will be printed when you run CLI to create an enhanced PrismaClient at runtime if a lower Prisma version is detected.

  • Policy check behavior changes when reading with an enhanced PrismaClient

    In the new release, read queries (findXXX, aggregate, count, groupBy) never throw rejection errors due to access policy violations. They behave as if the rows not satisfying "read" policies don't exist.

    Pay particular attention to reads of nested "to-one" relations, since their behavior changes in this release.

    • Non-nullable to-one relations
      In previous releases, if you nested-read a non-nullable to-one relation and that relation failed the policy check, the entire read was rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the top-level read to be filtered out. E.g.:

      const post = await db.post.findUnique({ where: id, include: { author: true } });
      // In previous releases, if `author` is not readable, the call results in an error thrown.
      // In the new release, it'll return null (as if the top-level `post` read is filtered) 
      
    • Nullable to-one relations
      In previous releases, if you nested-read a nullable to-one relation and that relation failed the policy check, the entire read was rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the relation field to be set to null. E.g.:

      const user = await db.user.findUnique({ where: id, include: { profile: true } });
      // In previous releases, if `profile` is not readable, the call results in an error thrown.
      // In the new release, the read will succeed (as long as `user` is readable) and the `profile` field will be set to null
      

Full Changelog: https://github.com/zenstackhq/zenstack/compare/v1.0.0-beta.10...v1.0.0-beta.16

Package Rankings
Top 3.07% on Npmjs.org