ZenStack Release v1.1.0

Features

• Server adapter for Nuxt V3! docs
• @zenstackhq/tanstack-query plugin now supports "vue" target. You can use it with the Nuxt server adapter for Vue.js-based full-stack development docs. Checkout the todo sample.
• Support configuring what models to include for zod and trpc plugins. Please beware that even with a list of models specified for the "zod" plugin, during generation it'll traverse and include all referenced models recursively. trpc-docs zod-docs #728

Fixes and Improvements

• Upgrading Zod dependency to the latest "3.22.4" release. Older Zod is vulnerable to ReDos attack. Please consider upgrading Zod dependency in your project as well.
• ZModel: added missing Max enum declaration and extra parameter to the @default attribute for MSSQL #724
• ZModel: allow models without field declarations #734
• ZModel: support using "view" and "import" as declarations names #735
• ZModel: support using string literal as keys in object expressions #744
• ZModel: report errors when member access is made on an array field #756
• OpenAPI: do not generate "id" field in create input if the field has default value #736
• TRPC: added "eslint ignore" comment generation for helper.ts #753
• Added "model-meta" and "policy" entries to "package.json" of the generated ".zenstack" package for better compatibility #755

New Contributors

• Welcome our new contributor @Lordfirespeed 👏👏👏

Full Changelog: v1.0.2...v1.1.0

ZenStack Release v1.0.2

What's Changed

• Fixing an incorrect version dependency from zenstack package to @zenstackhq/runtime.

Full Changelog: v1.0.1...v1.0.2

ZenStack Release v1.0.1

Yes, ZenStack is V1 now 🎉!

What's Changed

• Fixed policy generation error when using collection predicate expressions in field-level access policies #703
• Fixed wrong query injection when nesting a create inside update #714
• Support Postgres extensions #713
• Tighten up ZModel validation for comparing scalar values against array values (==, !=) #704
• Added missing package.json exports for "@zenstackhq/runtime/zod/objects" by @abdullahahmeda

This marks our first stable release 🎉! Thank everyone for the great support along the way!

What's next?

• ZenStack will start to follow semver
• We'll continue iterating minor and patch versions on the V1 track while avoiding breaking changes and major/risky changes
• We're working on a V2 roadmap and will share it with the community soon

Full Changelog: v1.0.0-beta.23...v1.0.1

ZenStack Release v1.0.0-beta.23

New Features

• @zenstackhq/tanstack-query and @zenstackhq/swr plugins now generate Infinite findMany queries for supporting easier pagination. See documentation for tanstack-query and swr.

Fixes and Improvements

• Upgraded Prisma V4 dependencies to address a security audit warning
• Fixed the issue that the generated trpc code is not properly processed by vite
• More precise Zod typing when refinement is applied by @tlancina #676
• Fixed code generation error when there're unused enums in ZModel #674
• Make sure fastify plugin always return a reply to avoid stalling requests by @NeoN0x #684
• Added missing exports to "@zenstackhq/tanstack-query" package
• Fixed incorrect count result when complex policy conditions and where filters are mixed #689
• Exception thrown by enhanced PrismaClient now carries raw ZodError if the failure is due to zod validation #682
• Added "noUncheckedInput" option to zod plugin to turn off generation of "Unchecked" Prisma input types #681
• zenstack generate command now gives a warning if ZenStack packages of mismatched versions are detected #547
• zenstack generate command now checks for newer versions and prompts #175
• New CLI command line options:
  • "-o, --output": set the default output directory for the built-in plugins
  • "--no-default-plugins": turns off automatic running of built-in plugins
  • "--no-compile": turns off automatic compilation of code generated by built-in plugins
• enhance API now has a new loadPath option to load model metadata, policies and zod schemas from a custom location.

New Contributors

• @tlancina made their first contribution in #678
• @NeoN0x made their first contribution in #685

A big ❤️ THANK YOU ❤️ for the great contribution from @tlancina and @NeoN0x !

Full Changelog: v1.0.0-beta.21...v1.0.0-beta.23

ZenStack Release v1.0.0-beta.21

New Features

• TRPC plugin now generates more flexible typings for routers and allows you to merge your own routers without breaking their typing - by @mateus-p , an example scenario here
• Zod plugin now exports detailed Prisma input object schemas through @zenstackhq/runtime/zod/objects #647 - by @abdullahahmeda
• Add support for Prisma's fluent API #401
• TRPC plugin now generates the (previously missing) count procedure #618
• ZModel schema now allows escaping characters in string literals with backslashes #416

Fixes and Improvements

• @zenstackhq/server how has explicit "exports" in package.json, making it more friendly to bundlers - by @krist7599555
• Fixed zod and openapi generation issue when Prisma's "fullTextSearch" preview feature is enabled #650
• Fixed the problem that very small float number literal is output as "e-notation" in generated Prisma schema #646 with help from @sitch
• Fixed incorrect zod schema generation when field-validation attributes (@gt etc.) are used on Decimal fields #657
• Auxiliary fields (zenstack_guard and zenstack_transaction) previously generated into Prisma schema are finally removed!
• Policy generation errors when this keyword is used in field-level policy rules #665

Breaking Changes

• Not really breaking, but may be surprising. The zenstack_guard and zenstack_transaction fields previously generated by ZenStack are not used anymore and have been removed. This will cause changes in the generated Prisma schema, and you can choose to create a new migration file to sync the changes to the database.
• ZenStack CLI now does more strict checking on "==" and "!=" operators in policy rules. If you compare incompatible fields (e.g., fields of relation to different models), the CLI will emit errors.

New Contributors

Big ❤️ THANK YOU ❤️ to our amazing new contributors! @mateus-p @abdullahahmeda @krist7599555

We're very close to a V1 release now!!!

---

Full Changelog: v1.0.0-beta.20...v1.0.0-beta.21

ZenStack Release v1.0.0-beta.20

New Features

1. Field-level access policies

You can now use @allow and @deny attributes to attach access policies to fields (for "read" and "update" operations" only). Non-readable fields will be omitted when returned, and non-updatable fields will cause rejection if they're included as part of an update.

E.g.:

model Post {
    id Int @id
    private Boolean @default(false)
    title String @allow("read", !private)
}

More details here.

2. Comparing fields in access policy rules

You can now compare fields (of the current model) in access policy rules. Such comparison is compiled down to Prisma's field reference.

E.g.:

model Foo {
    id Int @id
    x Int
    y Int
    @@allow("read", x > y)
}

3. Access policies support for Prisma Pulse

If you use an enhanced client to subscribe to Prisma Pulse events, the subscription will also be injected (with "read" policy rules) so that only readable events will be notified.

Fixes and Improvements

• Zode code generation issue when there're multiple fields of the same enum type #632
• Policy injection accidentally overwrites user-provided filters #634
• Incorrect typing of generated policy definitions #639
• Incorrect code generation for models not using Pascal casing

Btw, Prisma 5.2 has been released, and ZenStack now fully supports this version. If you're using Prisma 5, please make sure to upgrade.

Full Changelog: v1.0.0-beta.18...v1.0.0-beta.20

ZenStack Release v1.0.0-beta.18

What's Changed

• Fixed incorrect filter injection for nested reads #624
• Fixed incorrect injection to create call when policy rules reference foreign keys #627
• Added runtime check and throws error when creating enhanced PrismaClient with user context but the user object doesn't have id field(s) #599

Breaking Changes

Related to the fix to issue #599 , previously if you call enhance (or withPolicy) with a user context without id field like:

const db = enhance(prisma, { user: {} });

it worked as if you passed in undefined user, and the policy engine treated it like an anonymous user. This behavior caused some users to accidentally provide anonymous users without being aware of it.

With the fix, such a call will result in an error thrown, complaining that you must pass in id fields. To represent an anonymous user, you can pass undefined user or an undefined context:

const db = enhance(prisma);

Full Changelog: v1.0.0-beta.16...v1.0.0-beta.18

ZenStack Release v1.0.0-beta.16

What's Changed

• New enhance API

  Added a new enhance API as a replacement to withPresets, which includes all essential enhancements to PrismaClient. The withPresets API, found to have a confusing name by many, will be deprecated in a future release.

• Policy check refactor and performance improvement

  This release contains a major refactor to the access policy engine, bringing two significant improvements:

  • The new engine doesn't rely on the auxiliary fields (zenstack_guard & zenstack_transaction) for policy checks anymore. The aux fields are still generated in this release but will be removed in a future one.
  • Performance improvements, especially for the nested read of to-one relationships. Now read filtering is fully done with query injection and never does post-read checks.

• Fixed incorrect relation ownership analysis for self-relations. #609

Breaking Changes

• Requires Prisma minimum version 4.8.0

  The minimum supported Prisma version is increased to 4.8.0. This is mainly for being able to filter nullable to-one relations during query (so we don't need to do post-read filtering). A warning will be printed when you run CLI to create an enhanced PrismaClient at runtime if a lower Prisma version is detected.

• Policy check behavior changes when reading with an enhanced PrismaClient

  In the new release, read queries (findXXX, aggregate, count, groupBy) never throws rejection errors due to access policy violations. They behave as if the rows not satisfying "read" policies don't exist.

  Attention should be made to reading nested "to-one" relations since the behavior changes in this release.

  • Non-nullable to-one relations
    In previous releases, if you nested-read a non-nullable to-one relation, if that relation fails the policy check, the entire read will be rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the top-level read to be filtered out. E.g.:

    const post = await db.post.findUnique({ where: id, include: { author: true } });
    // In previous releases, if `author` is not readable, the call results in an error thrown.
    // In the new release, it'll return null (as if the top-level `post` read is filtered) 

  • Nullable to-one relations
    In previous releases, if you nested-read a nullable to-one relation, if that relation fails the policy check, the entire read will be rejected by throwing an error (with Prisma error code "P2004"). In the new release, it'll cause the relation field to be set null. E.g.:

    const user = await db.user.findUnique({ where: id, include: { profile: true } });
    // In previous releases, if `profile` is not readable, the call results in an error thrown.
    // In the new release, the read will succeed (as long as `user` is readable`) and the `profile` field will be set null

Full Changelog: v1.0.0-beta.10...v1.0.0-beta.16

ZenStack Release v1.0.0-beta.10

Features and Improvements

• Prisma V5 is supported! #581
• ZModel now supports database views (read-only, updatable views are not supported). #258
• Instead of rejecting the query, enhanced clients now set field to null if a nested optional to-one relation is requested but not readable. #586
• API layer (both RESTful and RPC-style) always use superjson for serialization. More details: RESTful RPC.
• Fixed OpenAPI plugin issue with Bytes type. #573
• Fixed issue with incorrect path generated on Windows environments #582
• Stricter type checking for binary expressions in ZModel #292

Breaking Changes

• The RPC-style API handler now wraps the query result into a "data" field. In addition, there can be a "meta" field in the response body containing serialization metadata. Please find more details here: https://zenstack.dev/docs/reference/server-adapters/api-handlers/rpc.

Full Changelog: v1.0.0-beta.8...v1.0.0-beta.10

ZenStack Release v1.0.0-beta.8

Fixes and Improvements

• New option for ExpressJS server adapter to control whether the middleware should send a response or just compute it. Docs. #531
• Fixed invalid Prisma query generated when doing nested update for models with multiple ID fields #552
• Allow to use a custom fetch function when using SWR and TanStack Query hooks #542 #541
• Removed unnecessary peer dependencies to Prisma which caused Zod compilation issues when using pnpm #560
• Add type annotation to generated zod schemas to make tsc happy in pnpm workspace environment
• Add "interactiveTransactions" preview features flag when a low Prisma version (< 4.7.0) is detected #508
• Fixed problem that "_count" selection in find queries are not subject to "read" policy filtering

Breaking Changes

• When connecting two models (with create, update, etc. calls) with implicit many-to-many relationship, previously ZenStack didn't check if the model being connected passes "update" check. This is now tightened up. Please note that this only affects implicit many-to-many relationships.

Thanks @chemitaxis for the continuous contribution! 🙏🏻

Full Changelog: v1.0.0-beta.3...v1.0.0-beta.7