npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@voight8/voight

v0.2.0

Published

TypeScript SQL compiler and policy engine for a restricted SELECT subset of MySQL.

Downloads

935

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

lukaskratzellukaskratzel

Keywords

compilermysqlpolicysqlwasm

Readme

@voight8/voight

@voight8/voight is a TypeScript SQL compiler and policy engine for a restricted MySQL SELECT subset.

It is designed for untrusted SQL input: parse, rewrite, bind against a catalog, enforce policies, and emit canonical SQL plus parameter metadata.

Install

npm install @voight8/voight

Runtime

  • Node.js >=20
  • ESM-only package

What It Supports

The current package focuses on a constrained SELECT surface:

  • WITH and SELECT
  • Derived tables, CROSS JOIN, INNER JOIN, and LEFT JOIN
  • WHERE, GROUP BY, HAVING, ORDER BY, LIMIT, and OFFSET
  • Scalar subqueries, EXISTS, IN (...), and IN (subquery)
  • Arithmetic and boolean expressions
  • CASE, CAST, interval expressions, and CURRENT_*
  • Positional parameters using ?

Unsupported SQL is expected to fail with diagnostics rather than being passed through.

Example

import {
    InMemoryCatalog,
    compile,
    createTableSchema,
    maxLimitPolicy,
    tenantScopingPolicy,
} from "@voight8/voight";

const catalog = new InMemoryCatalog([
    createTableSchema({
        path: ["tracking", "time_series_stats"],
        columns: ["id", "tenant_id", "metric", "created_at"],
    }),
]);

const result = compile(
    "SELECT ts.metric FROM tracking.time_series_stats AS ts WHERE ts.created_at >= ? ORDER BY ts.created_at DESC",
    {
        catalog,
        policies: [
            maxLimitPolicy({ maxLimit: 100, defaultLimit: 25 }),
            tenantScopingPolicy({
                tables: ["tracking.time_series_stats"],
                scopeColumn: "tenant_id",
                contextKey: "tenantId",
                scopeValueType: "string",
            }),
        ],
        policyContext: {
            tenantId: "tenant-123",
        },
    },
);

if (result.ok) {
    console.log(result.emitted.sql);
    console.log(result.emitted.parameters);
}

Public API

The main exported entrypoints are:

  • compile(source, options)
  • InMemoryCatalog
  • AliasCatalog
  • createTableSchema(...)
  • createCatalogAlias(...)
  • allowedFunctionsPolicy(...)
  • maxLimitPolicy(...)
  • supportedOperatorsPolicy()
  • tenantScopingPolicy(...)

compile(...) runs the query through parse, rewrite, bind, enforce, and emit.

By default, the result is sanitized for public use:

  • Success returns emitted SQL and parameter ordering metadata.
  • Failure returns public-safe diagnostics and hides internal compiler state.

If you pass debug: true, the result also includes the parsed AST, rewritten AST, bound query, per-stage outputs, and internal diagnostics.

For LLM-facing error text, keep the structured diagnostics from compile(...) and format them at the boundary:

import { compile, formatDiagnostics } from "@voight8/voight";

const result = compile("SELECT id FROM missing", { catalog });

if (!result.ok) {
    const errorMessage = formatDiagnostics(result);
    console.log(errorMessage);
}

Catalogs

Catalogs are explicit and case-insensitive:

import { InMemoryCatalog, createTableSchema } from "@voight8/voight";

const catalog = new InMemoryCatalog([
    createTableSchema({
        path: ["users"],
        columns: [
            "id",
            "email",
            { name: "tenant_id", selectable: false },
        ],
    }),
]);

Non-selectable columns are preserved in the schema, excluded from wildcard expansion, and rejected when queried directly.

Use AliasCatalog and createCatalogAlias(...) if your public logical table names should resolve to different physical tables.

Built-in Policies

  • tenantScopingPolicy(...) injects tenant predicates during rewrite and verifies them during enforcement.
  • maxLimitPolicy(...) caps the outer LIMIT, can cap the outer OFFSET, and can add a default outer LIMIT.
  • allowedFunctionsPolicy(...) allowlists function calls and CURRENT_* keywords.
  • supportedOperatorsPolicy() rejects operators outside the supported policy surface.

maxLimitPolicy(...) constrains the final result set by default, so nested selects are not limited unless recursive: true is configured.

tenantScopingPolicy(...) requires scopeValueType on every scope rule and enforces that type at runtime. Use scopeValueType: "string" for string scope columns, or configure the matching numeric or boolean type, for example scopeValueType: "bigint" for a BIGINT project_id.

String tenant scopes require careful database configuration. MySQL in particular has many string comparison gotchas around implicit casts, collations, charsets, padding, and case/accent equivalence. Avoid string tenant identifiers unless those semantics are deliberate; if you use them, choose binary or otherwise case-sensitive comparison semantics so values such as project-alpha and PROJECT-ALPHA cannot share a scope unintentionally.

Repository

The source repository lives at github.com/lukaskratzel/voight. The workspace README has more detail on the parser stack, development workflow, and release process.