chore(deps): bump @neondatabase/serverless from 0.9.5 to 1.0.2

[dependabot]

Bumps @neondatabase/serverless from 0.9.5 to 1.0.2.

Changelog

Sourced from @​neondatabase/serverless's changelog.

1.0.2 (2025-09-30)

Update neon.tech references to neon.com domain.

1.0.1 (2025-06-06)

The package now prints a security warning to the console when a connection is made in a web browser. This behaviour can be suppressed with a new configuration option: disableWarningInBrowsers. There are a few other very minor fixes.

1.0.0 (2025-03-25)

Breaking change: the HTTP query template function can now only be called as a template function, not as a conventional function. This improves safety from accidental SQL-injection vulnerabilities. For example:

import { neon } from '@neondatabase/serverless';
const sql = neon(process.env.DATABASE_URL);
const id = 1;
// this is safe and convenient, as before
const result = await sqlSELECT * FROM table WHERE id = ${id};
// this looks very similar and was previously allowed, but was open to SQL
// injection attacks because it uses ordinary string interpolation -- it's now
// both a TypeScript type error and a runtime error
const throws = await sql(SELECT * FROM table WHERE id = ${id});

To fill the gap left by this change, the template function has two new properties: a query() function that allows manually parameterized queries, and an unsafe() function that lets you interpolate trusted arbitrary string values. For example:

// this was previously allowed, and was safe, but is now also an error so as to
// prevent the vulnerability seen above
const throws = await sql('SELECT * FROM table WHERE id = $1', [id]);
// the query() function is the new way to manually specify placeholders and
// values (the same way it's done by client.query() and pool.query())
const result = await sql.query('SELECT * FROM table WHERE id = $1', [id]);
// to interpolate strings like column or table names, only if you know
// they're safe, use the unsafe() function
const table = condition ? 'table1' : 'table2'; // known-safe string values
const result = await sqlSELECT * FROM ${sql.unsafe(table)} WHERE id = ${id};
// but in the above case, you might prefer to do this instead
const table = condition ? sqltable1 : sqltable2;
const result = await sqlSELECT * FROM ${table} WHERE id = ${id};

In addition, HTTP template queries are now fully composable, including those with parameters. For example:

</tr></table> 

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by pffigueiredo, a new releaser for @​neondatabase/serverless since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)