From 2f9f27b47462786420bbdac25d2d4d326bbafabe Mon Sep 17 00:00:00 2001
From: sravan27 <24377016+sravan27@users.noreply.github.com>
Date: Tue, 9 Jun 2026 22:23:47 +0530
Subject: [PATCH] fix(gel-core): patch escapeName per GHSA-gpj5-g38j-94v9 (incomplete fix in 0.45.2)

The 0.45.2 security release advertised the SQL identifier escaping fix for the PostgreSQL, MySQL, SQLite, SingleStore, AND Gel dialects, but the patch commit (273c780) only touched the first four. The Gel dialect escapeName still does return `"${name}"`; which leaves the same identifier-delimiter injection that the parent CVE documented. This brings Gel in line with the other dialects: return `"${name.replace(/"/g, '""')}"`;
---
 drizzle-orm/src/gel-core/dialect.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drizzle-orm/src/gel-core/dialect.ts b/drizzle-orm/src/gel-core/dialect.ts
index 6c1541286b..768d47a333 100644
--- a/drizzle-orm/src/gel-core/dialect.ts
+++ b/drizzle-orm/src/gel-core/dialect.ts
@@ -101,7 +101,7 @@ export class GelDialect {
 // }
 escapeName(name: string): string {
- return `"${name}"`;
+ return `"${name.replace(/"/g, '""')}"`;
 }
 escapeParam(num: number): string {
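Review bot: The hunk corrects escapeName but adds no regression test, so nothing pins the doubled-quote behaviour that, by the commit message's own account, already drifted once between dialects; a unit test such as `assert.strictEqual(dialect.escapeName('a"b'), '"a""b"');` placed next to the equivalent PostgreSQL case would catch a future regression. The method also carries no doc comment; consider `/** Delimits an identifier for Gel SQL; embedded double quotes are doubled so a name cannot terminate the quoted identifier. */` directly above `escapeName`. Doubling `"` is the PostgreSQL delimited-identifier rule, which presumably holds for Gel's SQL adapter as well, but that parity is worth confirming against Gel's documentation rather than assumed from the other dialects. The enclosing GelDialect class begins and ends outside the hunk, so whether any other gel-core code interpolates identifiers without passing through escapeName cannot be checked from here.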