Update Rust crate sqlx to 0.8.1 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
sqlx	dependencies	minor	0.6.3 → 0.8.1

GitHub Vulnerability Alerts

GHSA-xmrp-424f-vfpx

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic,
for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

Encode::size_hint()
can be used for sanity checks, but do not assume that the size returned is accurate.
For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size,
so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

Work has started on a branch to add #[deny] directives for the following Clippy lints:

• cast_possible_truncation
• cast_possible_wrap
• cast_sign_loss

and to manually audit the code that they flag.

A fix is expected to be included in the 0.8.1 release (still WIP as of writing).

---

Release Notes

launchbadge/sqlx (sqlx)

v0.8.1

Compare Source

16 pull requests were merged this release cycle.

This release contains a fix for RUSTSEC-2024-0363.

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated:
#​3440 (comment)

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.

Added

• [#​3421]: correct spelling of MySqlConnectOptions::no_engine_substitution() [[@​kolinfluence]]
  • Deprecates MySqlConnectOptions::no_engine_subsitution() (oops) in favor of the correctly spelled version.

Changed

• [#​3376]: doc: hide spec_error module [[@​abonander]]
  • This is a helper module for the macros and was not meant to be exposed.
  • It is not expected to receive any breaking changes for the 0.8.x release, but is not designed as a public API.
    Use at your own risk.
• [#​3382]: feat: bumped to libsqlite3-sys=0.30.1 to support sqlite 3.46 [[@​CommanderStorm]]
• [#​3385]: chore(examples):Migrated the pg-chat example to ratatui [[@​CommanderStorm]]
• [#​3399]: Upgrade to rustls 0.23 [[@​djc]]
  • RusTLS now has pluggable cryptography providers: ring (the existing implementation),
    and aws-lc-rs which has optional FIPS certification.
  • The existing features activating RusTLS (runtime-tokio-rustls, runtime-async-std-rustls, tls-rustls)
    enable the ring provider of RusTLS to match the existing behavior so this should not be a breaking change.
  • Switch to the tls-rustls-aws-lc-rs feature to use the aws-lc-rs provider.
    • If using runtime-tokio-rustls or runtime-async-std-rustls,
      this will necessitate switching to the appropriate non-legacy runtime feature:
      runtime-tokio or runtime-async-std
  • See the RusTLS README for more details: https://github.com/rustls/rustls?tab=readme-ov-file#cryptography-providers

Fixed

• [#​2786]: fix(sqlx-cli): do not clean sqlx during prepare [[@​cycraig]]
• [#​3354]: sqlite: fix inconsistent read-after-write [[@​ckampfe]]
• [#​3371]: Fix encoding and decoding of MySQL enums in sqlx::Type [[@​alu]]
• [#​3374]: fix: usage of node12 in SQLx action [[@​hamirmahal]]
• [#​3380]: chore: replace structopt with clap in examples [[@​tottoto]]
• [#​3381]: Fix CI after Rust 1.80, remove dead feature references [[@​abonander]]
• [#​3384]: chore(tests): fixed deprecation warnings [[@​CommanderStorm]]
• [#​3386]: fix(dependencys):bumped cargo_metadata to v0.18.1 to avoid yanked v0.14.3 [[@​CommanderStorm]]
• [#​3389]: fix(cli): typo in error for required DB URL [[@​ods]]
• [#​3417]: Update version to 0.8 in README [[@​soucosmo]]
• [#​3441]: fix: audit protocol handling [[@​abonander]]
  • This addresses RUSTSEC-2024-0363 and includes regression tests for MySQL, Postgres and SQLite.

v0.8.0

Compare Source

70 pull requests were merged this release cycle.

#​2697 was merged the same day as release 0.7.4 and so was missed by the automatic CHANGELOG generation.

Breaking

• [#​2697]: fix(macros): only enable chrono when time is disabled [[@​saiintbrisson]]
• [#​2973]: Generic Associated Types in Database, replacing HasValueRef, HasArguments, HasStatement [[@​nitn3lav]]
• [#​2482]: chore: bump syn to 2.0 [[@​saiintbrisson]]
  • Deprecated type ascription syntax in the query macros was removed.
• [#​2736]: Fix describe on PostgreSQL views with rules [[@​tsing]]
  • Potentially breaking: nullability inference changes for Postgres.
• [#​2869]: Implement PgHasArrayType for all references [[@​tylerhawkes]]
  • Conflicts with existing manual implementations.
• [#​2940]: fix: Decode and Encode derives (#​1031) [[@​benluelo]]
  • Changes lifetime obligations for field types.
• [#​3064]: Sqlite explain graph [[@​tyrelr]]
  • Potentially breaking: nullability inference changes for SQLite.
• [#​3123]: Reorder attrs in sqlx::test macro [[@​bobozaur]]
  • Potentially breaking: attributes on #[sqlx::test] usages are applied in the correct order now.
• [#​3126]: Make Encode return a result [[@​FSMaxB]]
• [#​3130]: Add version information for failed cli migration (#​3129) [[@​FlakM]]
  • Breaking changes to MigrateError.
• [#​3181]: feat: no tx migration [[@​cleverjam]]
  • (Postgres only) migrations that should not run in a transaction can be flagged by adding -- no-transaction to the beginning.
  • Breaking change: added field to Migration
• [#​3184]: [BREAKING} fix(sqlite): always use i64 as intermediate when decoding [[@​abonander]]
  • integer decoding will now loudly error on overflow instead of silently truncating.
  • some usages of the query!() macros might change an i32 to an i64.
• [#​3252]: fix #[derive(sqlx::Type)] in Postgres [[@​abonander]]
  • Manual implementations of PgHasArrayType for enums will conflict with the generated one. Delete the manual impl or add #[sqlx(no_pg_array)] where conflicts occur.
  • Type equality for PgTypeInfo is now schema-aware.
• [#​3329]: fix: correct handling of arrays of custom types in Postgres [[@​abonander]]
  • Potential breaking change: PgTypeInfo::with_name() infers types that start with _ to be arrays of the un-prefixed type. Wrap type names in quotes to bypass this behavior.
• [#​3356]: breaking: fix name collision in FromRow, return Error::ColumnDecode for TryFrom errors [[@​abonander]]
  • Breaking behavior change: errors with #[sqlx(try_from = "T")] now return Error::ColumnDecode instead of Error::ColumnNotFound.
  • Breaking because #[sqlx(default)] on an individual field or the struct itself would have previously suppressed the error.
    This doesn't seem like good behavior as it could result in some potentially very difficult bugs.
    • Instead, create a wrapper implementing From and apply the default explicitly.
• [#​3337]: allow rename with rename_all (close #​2896) [[@​DirectorX]]
  • Changes the precedence of #[sqlx(rename)] and #[sqlx(rename_all)] to match the expected behavior (rename wins).
• [#​3285]: fix: use correct names for sslmode options [[@​lily-mosquitoes]]
  • Changes the output of ConnectOptions::to_url_lossy() to match what parsing expects.

Added

• [#​2917]: Add Debug impl for PgRow [[@​g-bartoszek]]
• [#​3113]: feat: new derive feature flag [[@​saiintbrisson]]
• [#​3154]: feat: add MySqlTime, audit mysql::types for panics [[@​abonander]]
• [#​3188]: feat(cube): support postgres cube [[@​jayy-lmao]]
• [#​3244]: feat: support NonZero* scalar types [[@​AlphaKeks]]
• [#​3260]: feat: Add set_update_hook on SqliteConnection [[@​gridbox]]
• [#​3291]: feat: support the Postgres Bool type for the Any driver [[@​etorreborre]]
• [#​3293]: Add LICENSE-* files to crates [[@​LecrisUT]]
• [#​3303]: add array support for NonZeroI* in postgres [[@​JohannesIBK]]
• [#​3311]: Add example on how to use Transaction as Executor [[@​Lachstec]]
• [#​3343]: Add support for PostgreSQL HSTORE data type [[@​KobusEllis]]

Changed

• [#​2652]: MySQL: Remove collation compatibility check for strings [[@​alu]]
• [#​2960]: Removed Send trait bound from argument binding [[@​bobozaur]]
• [#​2970]: refactor: lift type mappings into driver crates [[@​abonander]]
• [#​3148]: Bump libsqlite3-sys to v0.28 [[@​NfNitLoop]]
  • Note: version bumps to libsqlite3-sys are not considered breaking changes as per our semver guarantees.
• [#​3265]: perf: box MySqlConnection to reduce sizes of futures [[@​stepantubanov]]
• [#​3352]: chore:added a testcase for sqlx migrate add ... [[@​CommanderStorm]]
• [#​3340]: ci: Add job to check that sqlx builds with its declared minimum dependencies [[@​iamjpotts]]

Fixed

• [#​2702]: Constrain cyclic associated types to themselves [[@​BadBastion]]
• [#​2954]: Fix several inter doc links [[@​ralpha]]
• [#​3073]: feat(logging): Log slow acquires from connection pool [[@​iamjpotts]]
• [#​3137]: SqliteConnectOptions::filename() memory fix (#​3136) [[@​hoxxep]]
• [#​3138]: PostgreSQL Bugfix: Ensure connection is usable after failed COPY inside a transaction [[@​feikesteenbergen]]
• [#​3146]: fix(sqlite): delete unused ConnectionHandleRaw type [[@​abonander]]
• [#​3162]: Drop urlencoding dependency [[@​paolobarbolini]]
• [#​3165]: Bump deps that do not need code changes [[@​GnomedDev]]
• [#​3167]: fix(ci): use docker compose instead of docker-compose [[@​abonander]]
• [#​3172]: fix: Option decoding in any driver [[@​pxp9]]
• [#​3173]: fix(postgres) : int type conversion while decoding [[@​RaghavRox]]
• [#​3190]: Update time to 0.3.36 [[@​BlackSoulHub]]
• [#​3191]: Fix unclean TLS shutdown [[@​levkk]]
• [#​3194]: Fix leaking connections in fetch_optional (#​2647) [[@​danjpgriffin]]
• [#​3216]: security: bump rustls to 0.21.11 [[@​toxeus]]
• [#​3230]: fix: sqlite pragma order for auto_vacuum [[@​jasonish]]
• [#​3233]: fix: get_filename should not consume self [[@​jasonish]]
• [#​3234]: fix(ci): pin Rust version, ditch unmaintained actions [[@​abonander]]
• [#​3236]: fix: resolve path ownership problems when using sqlx_macros_unstable [[@​lily-mosquitoes]]
• [#​3254]: fix: hide sqlx_postgres::any [[@​Zarathustra2]]
• [#​3266]: ci: MariaDB - add back 11.4 and add 11.5 [[@​grooverdan]]
• [#​3267]: ci: syntax fix [[@​grooverdan]]
• [#​3271]: docs(sqlite): fix typo - unixtime() -> unixepoch() [[@​joelkoen]]
• [#​3276]: Invert boolean for migrate error message. (#​3275) [[@​nk9]]
• [#​3279]: fix Clippy errors [[@​abonander]]
• [#​3288]: fix: sqlite update_hook char types [[@​jasonish]]
• [#​3297]: Pass the persistent query setting when preparing queries with the Any driver [[@​etorreborre]]
• [#​3298]: Track null arguments in order to provide the appropriate type when converting them. [[@​etorreborre]]
• [#​3312]: doc: Minor rust docs fixes [[@​SrGesus]]
• [#​3327]: chore: fixed one usage of select_input_type!() being unhygenic [[@​CommanderStorm]]
• [#​3328]: fix(ci): comment not separated from other characters [[@​hamirmahal]]
• [#​3341]: refactor: Resolve cargo check warnings in postgres examples [[@​iamjpotts]]
• [#​3346]: fix(postgres): don't panic if M or C Notice fields are not UTF-8 [[@​YgorSouza]]
• [#​3350]: fix:the json-feature should activate sqlx-postgres?/json as well [[@​CommanderStorm]]
• [#​3353]: fix: build script new line at eof [[@​Zarthus]]
• (no PR): activate clock and std features of workspace.dependencies.chrono.

v0.7.4

Compare Source

38 pull requests were merged this release cycle.

This is officially the last release of the 0.7.x release cycle.

As of this release, development of 0.8.0 has begun on main and only high-priority bugfixes may be backported.

Added

• [#​2891]: feat: expose getters for connect options fields [[@​saiintbrisson]]
• [#​2902]: feat: add to_url_lossy to connect options [[@​lily-mosquitoes]]
• [#​2927]: Support query! for cargo-free systems [[@​kshramt]]
• [#​2997]: doc(FAQ): add entry explaining prepared statements [[@​abonander]]
• [#​3001]: Update README to clarify MariaDB support [[@​iangilfillan]]
• [#​3004]: feat(logging): Add numeric elapsed time field elapsed_secs [[@​iamjpotts]]
• [#​3007]: feat: add raw_sql API [[@​abonander]]
  • This hopefully makes it easier to find how to execute statements which are not supported by the default
    prepared statement interfaces query*() and query!().
  • Improved documentation across the board for the query*() functions.
  • Deprecated: execute_many() and fetch_many() on interfaces that use prepared statements.
    • Multiple SQL statements in one query string were only supported by SQLite because its prepared statement
      interface is the only way to execute SQL. All other database flavors forbid multiple statements in
      one prepared statement string as an extra defense against SQL injection.
    • The new raw_sql API retains this functionality because it explicitly does not use prepared statements.
      Raw or text-mode query interfaces generally allow multiple statements in one query string, and this is
      supported by all current databases. Due to their nature, however, one cannot use bind parameters with them.
    • If this change affects you, an issue is open for discussion: #​3108
• [#​3011]: Added support to IpAddr with MySQL/MariaDB. [[@​Icerath]]
• [#​3013]: Add default implementation for PgInterval [[@​pawurb]]
• [#​3018]: Add default implementation for PgMoney [[@​pawurb]]
• [#​3026]: Update docs to reflect support for MariaDB data types [[@​iangilfillan]]
• [#​3037]: feat(mysql): allow to connect with mysql driver without default behavor [[@​darkecho731]]

Changed

• [#​2900]: Show latest url to docs for macro.migrate [[@​Vrajs16]]
• [#​2914]: Use create_new instead of atomic-file-write [[@​mattfbacon]]
• [#​2926]: docs: update example for PgConnectOptions [[@​Fyko]]
• [#​2989]: sqlx-core: Remove dotenvy dependency [[@​joshtriplett]]
• [#​2996]: chore: Update ahash to 0.8.7 [[@​takenoko-gohan]]
• [#​3006]: chore(deps): Replace unmaintained tempdir crate with tempfile [[@​iamjpotts]]
• [#​3008]: chore: Ignore .sqlx folder created by running ci steps locally [[@​iamjpotts]]
• [#​3009]: chore(dev-deps): Upgrade env_logger from 0.9 to 0.11 [[@​iamjpotts]]
• [#​3010]: chore(deps): Upgrade criterion to 0.5.1 [[@​iamjpotts]]
• [#​3050]: Optimize SASL auth in sqlx-postgres [[@​mirek26]]
• [#​3055]: Set TCP_NODELAY option on TCP sockets [[@​mirek26]]
• [#​3065]: Improve max_lifetime handling [[@​mirek26]]
• [#​3072]: Change the name of "inner" function generated by #[sqlx::test] [[@​ciffelia]]
• [#​3083]: Remove sha1 because it's not being used in postgres [[@​rafaelGuerreiro]]

Fixed

• [#​2898]: Fixed docs [[@​Vrajs16]]
• [#​2905]: fix(mysql): Close prepared statement if persistence is disabled [[@​larsschumacher]]
• [#​2913]: Fix handling of deferred constraints [[@​Thomasdezeeuw]]
• [#​2919]: fix duplicate "`" in FromRow "default" attribute doc comment [[@​shengsheng]]
• [#​2932]: fix(postgres): avoid unnecessary flush in PgCopyIn::read_from [[@​tsing]]
• [#​2955]: Minor fixes [[@​Dawsoncodes]]
• [#​2963]: Fixed ReadMe badge styling [[@​tadghh]]
• [#​2976]: fix: AnyRow not support PgType::Varchar [[@​holicc]]
• [#​3053]: fix: do not panic when binding a large BigDecimal [[@​Ekleog]]
• [#​3056]: fix: spans in sqlite tracing (#​2876) [[@​zoomiti]]
• [#​3089]: fix(migrate): improve error message when parsing version from filename [[@​abonander]]
• [#​3098]: Migrations fixes [[@​abonander]]
  • Unhides sqlx::migrate::Migrator.
  • Improves I/O error message when failing to read a file in migrate!().

v0.7.3

Compare Source

38 pull requests were merged this release cycle.

Added

• [#​2478]: feat(citext): support postgres citext [[@​hgranthorner]]
• [#​2545]: Add fixtures_path in sqlx::test args [[@​ripa1995]]
• [#​2665]: feat(mysql): support packet splitting [[@​tk2217]]
• [#​2752]: Enhancement #​2747 Provide fn PgConnectOptions::get_host(&self) [[@​boris-lok]]
• [#​2769]: Customize the macro error message based on the metadata [[@​Nemo157]]
• [#​2793]: derived Hash trait for PgInterval [[@​yasamoka]]
• [#​2801]: derive FromRow: sqlx(default) for all fields [[@​grgi]]
• [#​2827]: Add impl FromRow for the unit type [[@​nanoqsh]]
• [#​2871]: Add MySqlConnectOptions::get_database() [[@​shiftrightonce]]
• [#​2873]: Sqlx Cli: Added force flag to drop database for postgres [[@​Vrajs16]]
• [#​2894]: feat: Text adapter [[@​abonander]]

Changed

• [#​2701]: Remove documentation on offline feature [[@​Baptistemontan]]
• [#​2713]: Add additional info regarding using Transaction and PoolConnection as… [[@​satwanjyu]]
• [#​2770]: Update README.md [[@​snspinn]]
• [#​2797]: doc(mysql): document behavior regarding BOOLEAN and the query macros [[@​abonander]]
• [#​2803]: Don't use separate temp dir for query jsons (2) [[@​mattfbacon]]
• [#​2819]: postgres begin cancel safe [[@​conradludgate]]
• [#​2832]: Update extra_float_digits default to 2 instead of 3 [[@​brianheineman]]
• [#​2865]: Update Faq - Bulk upsert with optional fields [[@​Vrajs16]]
• [#​2880]: feat: use specific message for slow query logs [[@​abonander]]
• [#​2882]: Do not require db url for prepare [[@​tamasfe]]
• [#​2890]: doc(sqlite): cover lack of NUMERIC support [[@​abonander]]
• [No PR]: Upgraded libsqlite3-sys to 0.27.0
  • Note: linkage to libsqlite3-sys is considered semver-exempt;
    see the release notes for 0.7.0 below for details.

Fixed

• [#​2640]: fix: sqlx::macro db cleanup race condition by adding a margin to current timestamp [[@​fhsgoncalves]]
• [#​2655]: [fix] Urlencode when passing filenames to sqlite3 [[@​uttarayan21]]
• [#​2684]: Make PgListener recover from UnexpectedEof [[@​hamiltop]]
• [#​2688]: fix: Make rust_decimal and bigdecimal decoding more lenient [[@​cameronbraid]]
• [#​2754]: Is tests/x.py maintained? And I tried fix it. [[@​qwerty2501]]
• [#​2784]: fix: decode postgres time without subsecond [[@​granddaifuku]]
• [#​2806]: Depend on version of async-std with non-private spawn-blocking [[@​A248]]
• [#​2820]: fix: correct decoding of rust_decimal::Decimal for high-precision values [[@​abonander]]
• [#​2822]: issue #​2821 Update error handling logic when opening a TCP connection [[@​anupj]]
• [#​2826]: chore: bump some sqlx-core dependencies [[@​djc]]
• [#​2838]: Fixes rust_decimal scale for Postgres [[@​jkleinknox]]
• [#​2847]: Fix comment in sqlx migrate add help text [[@​cryeprecision]]
• [#​2850]: fix(core): avoid unncessary wakeups in try_stream!() [[@​abonander]]
• [#​2856]: Prevent warnings running cargo build [[@​nyurik]]
• [#​2864]: fix(sqlite): use AtomicUsize for thread IDs [[@​abonander]]
• [#​2892]: Fixed force dropping bug [[@​Vrajs16]]

v0.7.2

Compare Source

23 pull requests were merged this release cycle.

Added

• [#​2121]: Add JSON support to FromRow derive [[@​95ulisse]]
• [#​2533]: Implement mysql_clear_password [[@​ldanilek]]
• [#​2538]: cli: add --target-version CLI flags for migrate run/revert [[@​inahga]]
• [#​2577]: supplement Postgres listen example with a small chat example [[@​JockeM]]
• [#​2602]: Support naming migrations sequentially [[@​vmax]]
• [#​2634]: Adding PgHasArrayType for &[u8;N] [[@​snf]]
• [#​2646]: Support for setting client certificate and key from bytes [[@​wyhaya]]
• [#​2664]: Automatically infer migration type [[@​vmax]]
• [#​2712]: Add impl for Type, Decode, and Encode for Box<str> and Box<[u8]> [[@​grant0417]]

Changed

• [#​2650]: Cleanup format arguments [[@​nyurik]]
• [#​2695]: remove &mut PoolConnection from Executor docs [[@​olback]]
  • This impl was removed in 0.7.0 because of coherence issues.
• [#​2706]: Clarify where optional features should be enabled [[@​kryptan]]
• [#​2717]: Update README.md [[@​fermanjj]]
• [#​2739]: Bump mariadb CI images + mysql unpin [[@​grooverdan]]
• [#​2742]: Implemented poll_flush for Box<S:Socket> [[@​bobozaur]]
• [#​2740]: Remove sealed trait comments from documentation [[@​bobozaur]]
• [#​2750]: Fix #​2384, bump flume to v0.11.0 [[@​madadam]]
• [#​2757]: Remove unused remove_dir_all crate from sqlx-cli, fixes RUSTSEC-2023-0018 [[@​aldur]]

Fixed

• [#​2624]: Documentation typo: BYTE -> BINARY [[@​sebastianv89]]
• [#​2628]: docs: 0.7 is stable in the entire README [[@​marcusirgens]]
• [#​2630]: fix(postgres): fix buffer management in PgCopyIn::read_from [[@​tsing]]
• [#​2651]: Chore: Fix few build warnings, and make CI fail on warn [[@​nyurik]]
• [#​2670]: fix: ignore extra fields in Postgres describe parsing [[@​abonander]]
• [#​2687]: docs: Fix description of min_connections [[@​hakoerber]]

v0.7.1

Compare Source

This release mainly addresses issues reported with the 0.7.0 release.

16 pull requests were merged this release cycle.

Added

• [#​2551]: Introduce build_query_scalar for QueryBuilder [[@​iamquang95]]
• [#​2605]: Implement Default for QueryBuilder [[@​Xydez]]
• [#​2616]: feat(sqlx-core): add table function to database error [[@​saiintbrisson]]
• [#​2619]: feat: allow opt-out of PgHasArrayType with #[derive(sqlx::Type)] [[@​abonander]]
  • TL;DR: if you're getting errors from #[derive(sqlx::Type)] with #[sqlx(transparent)]
    regarding PgHasArrayType not being implemented, add #[sqlx(no_pg_array)] to fix.

Changed

• [#​2566]: improve docs about migration files [[@​jnnnnn]]
• [#​2576]: Major Version Update clap to 4.0 [[@​titaniumtraveler]]
• [#​2597]: Bump webpki-roots to v0.24 [[@​paolobarbolini]]
• [#​2603]: docs(changelog): be more verbose about offline mode breaking change [[@​mrl5]]

Fixed

• [#​2553]: Implement Clone for PoolOptions manually (#​2548) [[@​alilleybrinker]]
• [#​2580]: Update README.md now that 0.7.0 is no longer in alpha [[@​saolof]]
• [#​2585]: Fix for Issue #​2549 - cannot use feature "rust_decimal" without also using "bigdecimal" [[@​deneut]]
• [#​2586]: Fix optional dependency on sqlx-macros [[@​kitterion]]
• [#​2593]: Correct mention of the tls-native-tls in the documentation. [[@​denschub]]
• [#​2599]: Remove incorrect CAST in test database cleanup for MySQL. [[@​fd]]
• [#​2613]: Fix readme.md to reduce confusion about optional features (decimal->rust_decimal) [[@​vabka]]
• [#​2620]: fix(sqlite/any): encode bool as integer [[@​saiintbrisson]]

v0.7.0

Compare Source

At least 70 pull requests were merged this release cycle! (The exact count is muddied with pull requests for alpha
releases and such.) And we gained 43 new contributors! Thank you to everyone who helped make this release a reality.

Breaking

Many revisions were made to query analysis in the SQLite driver; these are all potentially breaking changes
as they can change the output of sqlx::query!() et al. We'd like to thank [[@​tyrelr]] for their numerous PRs to
this area.

The MSSQL driver has been removed as it was not nearly at the same maturity level as the other drivers.
[As previously announced][sqlx-pro], we have plans to introduce a fully featured replacement as a premium offering,
alongside drivers for other proprietary databases, with the goal to support full-time development on SQLx.

If interested, please email your inquiry to sqlx@launchbadge.com.

The offline mode for the queries has been changed to use a separate file per query!() invocation,
which is intended to reduce the number of conflicts when merging branches in a project that both modified queries.
This means that CLI flag --merged is no longer supported. See [[#​2363]] for details and make sure that your
sqlx-cli version is in sync with the sqlx version in your project.

The type ascription override syntax for the query macros has been deprecated,
as parse support for it has been removed in syn 2.0, which we'll be upgrading to in the next breaking release.
This can be replaced with type overrides using casting syntax (as).
See [[#​2483]] for details.

• [[#​1946]]: Fix compile time verification performance regression for sqlite [[@​liningpan]]
• [[#​1960]]: Fix sqlite update return and order by type inference [[@​tyrelr]]
• [[#​1984]]: Sqlite EXPLAIN type inference improvements [[@​rongcuid]]
• [[#​2039]]: Break drivers out into separate crates, clean up some technical debt [[@​abonander]]
  • All deprecated items have been removed.
  • The mssql feature and associated database driver has been deleted from the source tree. It will return as part of our planned SQLx Pro offering as a from-scratch rewrite with extra features (such as TLS) and type integrations that were previously missing.
  • The runtime-actix-* features have been deleted. They were previously changed to be aliases of their runtime-tokio-* counterparts for backwards compatibility reasons, but their continued existence is misleading as SQLx has no special knowledge of Actix anymore.
    • To fix, simply replace the runtime-actix-* feature with its runtime-tokio-* equivalent.
  • The git2 feature has been removed. This was a requested integration from a while ago that over time made less and less sense to be part of SQLx itself. We have to be careful with the crates we add to our public API as each one introduces yet another semver hazard. The expected replacement is to make #[derive(sqlx::Type)] useful enough that users can write wrapper types for whatever they want to use without SQLx needing to be specifically aware of it.
  • The Executor impls for Transaction and PoolConnection have been deleted because they cannot exist in the new crate architecture without rewriting the Executor trait entirely.
    • To fix this breakage, simply add a dereference where an impl Executor is expected, as they both dereference to the inner connection type which will still implement it:
      • &mut transaction -> &mut *transaction
      • &mut connection -> &mut *connection
    • These cannot be blanket impls as it triggers an overflow in the compiler due to the lack of lazy normalization, and
      the driver crates cannot provide their own impls due to the orphan rule.
    • We're expecting to do another major refactor of traits to incorporate generic associated types (GAT).
      This will mean another major release of SQLx but ideally most API usage will not need to change significantly, if at all.
  • The fields of Migrator are now #[doc(hidden)] and semver-exempt; they weren't meant to be public.
  • The offline feature has been removed from the sqlx facade crate and is enabled unconditionally as most users are expected to have enabled it anyway and disabling it doesn't seem to appreciably affect compile times.
  • The decimal feature has been renamed to rust_decimal to match the

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.