feat(pg-connection-string): warn if non-standard ssl options are used

hjr3 · hjr3 · commit 5af779f7a332 · 2025-05-26T07:27:50.000-04:00
In preparation for v3.0.0, we start warning users to be explicit about
the sslmode they want.
diff --git a/packages/pg-connection-string/index.js b/packages/pg-connection-string/index.js
@@ -133,6 +133,16 @@ function parse(str, options = {}) {
       case 'require':
       case 'verify-ca':
       case 'verify-full': {
+        if (config.sslmode !== 'verify-full') {
+          console.warn(`SECURITY WARNING: The SSL modes 'prefer', 'require', and 'verify-ca' are treated as aliases for 'verify-full'.
+In the next major version (v3.0.0), these modes will adopt standard libpq semantics, which have weaker security guarantees.
+
+To prepare for this change:
+- If you want the current behavior, explicitly use 'sslmode=verify-full'
+- If you want libpq compatibility now, use 'uselibpqcompat=true&sslmode=${config.sslmode}'
+
+See https://www.postgresql.org/docs/current/libpq-ssl.html for libpq SSL mode definitions.`)
+        }
         break
       }
       case 'no-verify': {
