While I love postgres, I take issue with coupling too much application logic to the DB. It’s much easier to update/rollback stateless containers/cloud functions/VMs than to recover a DB.
I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the Github repo is clean, but npm creds have been compromised.
It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?
Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.
No-code platforms are really DSLs wrapped in a nice UI. No-code platforms that are more open and developer focused typically let you actually dump out the app as a big bundle of config/DSL (e.g. a custom JSON format).
Maybe using LLMs to generate DSL code will produce better (and more maintainable) results than fully-fledged languages?
Also are you applying migrations with CREATE OR REPLACE etc? I find that much harder to collaborate on than just standard code.