
pg
PostgreSQL client - pure javascript & libpq with the same API
What detecting pg tells you about a site
Finding pg in a bundle tells you the site ships a library tagged database, libpq, pg, postgre — a concrete, named piece of its JavaScript stack rather than a guess. It pulls in 6 direct dependencies and expects pg-native alongside it, each of which also rides into any bundle that ships pg — so spotting one often surfaces the rest. The current release is v8.21.0, the newest of 6+ major lines. Because regex-based detectors rarely pin the exact number, Sourcemap Explorer reads it straight from the bundled package.json so you know which pg a site actually runs.
Quick facts
npm install pg
Common pairings
Packages this one expects to find in the same project. Each is also a Sourcemap Explorer detection target.
What pg pulls in
pg declares 6 direct dependencies — each one also rides into any bundle that ships pg, so they are detection targets too. Reading them is a quick way to understand the package's real footprint.
How Sourcemap Explorer detects pg
pg ships as v8.21.0, published 2026-05-18, and carries 6 direct dependencies, 1 peer dependency (pg-native), and 247 versions on the registry. Those exact numbers are the footprint Sourcemap Explorer matches when pg rides inside a deployed bundle — here is how the detection works.
We catch pg from two complementary signals: bundled source paths and the embedded package.json. Modern bundlers (webpack, Vite, esbuild, Rollup, Turbopack) preserve the original node_modules/pg/ paths inside the JavaScript sourcemap's sources[] array — that's the canonical signal. When the matching package.json is also captured in sourcesContent[], we read the exact version field — patch number included. No regex guessing, no version inference.
1. Confirm the site exposes sourcemaps. In DevTools Network, check the response headers of any application script for `SourceMap` or `X-SourceMap`. Failing that, fetch the script's last 4 KB and look for a `//# sourceMappingURL=` comment — that map is where the `pg` paths live.
2. Find the package in the bundle. Open DevTools → Network → reload. Click any application script and look at its sourcemap. Inside, search `sources[]` for entries matching `node_modules/pg/` — every match confirms the package is bundled. The matching `sourcesContent[i]` for `node_modules/pg/package.json` gives you the exact installed version.
3. Read the version directly from package.json. Run `jq -r '. as $m | $m.sources | to_entries[] | select(.value | endswith("node_modules/pg/package.json")) | $m.sourcesContent[.key] | fromjson | .version' bundle.js.map`. Sourcemap Explorer automates the same query in the popup.
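The manual lookup in the steps above, as an added JavaScript example (not Sourcemap Explorer's own code). It goes beyond the jq one-liner by also handling index maps (`sections`), missing or unparsable `sourcesContent` entries, and backslash-separated paths; the function names and the sample map are constructed for illustration.

```javascript
// Flatten a source map into plain maps; index maps nest them under sections[].map.
function flattenMaps(map) {
  if (Array.isArray(map.sections)) {
    return map.sections.flatMap((s) => (s.map ? flattenMaps(s.map) : []));
  }
  return [map];
}

// Return [{ version, source }] for every bundled copy of pkgName's package.json.
function bundledPackageVersions(map, pkgName) {
  const suffix = `node_modules/${pkgName}/package.json`;
  const found = [];
  for (const m of flattenMaps(map)) {
    const sources = Array.isArray(m.sources) ? m.sources : [];
    const contents = Array.isArray(m.sourcesContent) ? m.sourcesContent : [];
    sources.forEach((src, i) => {
      // Bundlers prefix paths differently (webpack:///, ../, C:\...), so match on the tail.
      const path = String(src).replace(/\\/g, '/');
      if (path !== suffix && !path.endsWith('/' + suffix)) return;
      if (typeof contents[i] !== 'string') return; // path listed, content not embedded
      let pkg;
      try { pkg = JSON.parse(contents[i]); } catch { return; } // not valid JSON
      // Confirm the manifest really belongs to pkgName before trusting its version.
      if (pkg && pkg.name === pkgName && typeof pkg.version === 'string') {
        found.push({ version: pkg.version, source: src });
      }
    });
  }
  return found;
}

// Constructed sample input (not taken from any real site): an index map with two sections.
const SAMPLE_MAP = {
  version: 3,
  sections: [
    { offset: { line: 0, column: 0 }, map: {
      version: 3,
      sources: ['webpack:///./node_modules/pg/lib/client.js', 'webpack:///./node_modules/pg/package.json'],
      sourcesContent: [null, JSON.stringify({ name: 'pg', version: '8.11.3' })],
    } },
    { offset: { line: 9, column: 0 }, map: {
      version: 3,
      sources: ['webpack:///./node_modules/xpg/package.json', 'node_modules\\pg\\package.json'],
      sourcesContent: [JSON.stringify({ name: 'xpg', version: '1.0.0' }), '{not json'],
    } },
  ],
};

console.log(bundledPackageVersions(SAMPLE_MAP, 'pg'));
```

An empty result means the manifest was not embedded, not that the package is absent: `node_modules/pg/` paths in `sources[]` can still be present without a readable `package.json`.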
Major releases of pg
When each major version first landed. Major bumps are where breaking changes live, so this timeline is the fastest way to date the pg version a site actually ships against the ecosystem.
Recent security advisories for pg
The 1 most recent advisory affecting some versions of pg, aggregated from OSV.dev (GitHub Advisory + CVE data). A listing here doesn't mean the version a given site ships is affected — each advisory applies to a specific version range. Sourcemap Explorer reads the exact bundled version so you can check it against these ranges.
Remote Code Execution in pg
Recent versions
pg README
Live mirror of the GitHub README, for reference. Updated whenever the repo's default branch changes.
node-postgres
Non-blocking PostgreSQL client for Node.js. Pure JavaScript and optional native libpq bindings.
Monorepo
This repo is a monorepo which contains the core pg module as well as a handful of related modules.
Install
npm install pg
Documentation
Each package in this repo should have its own readme more focused on how to develop/contribute. For overall documentation on the project and the related modules managed by this repo please see:
:star: Documentation :star:
The source repo for the documentation is available for contribution here.
Features
- Pure JavaScript client and native libpq bindings share the same API
- Connection pooling
- Extensible JS ↔ PostgreSQL data-type coercion
- Supported PostgreSQL features
- Parameterized queries
- Named statements with query plan caching
- Async notifications with `LISTEN/NOTIFY`
- Bulk import & export with `COPY TO/COPY FROM`
Extras
node-postgres is by design pretty light on abstractions. These are some handy modules we've been using over the years to complete the picture. The entire list can be found on our wiki.
Support
node-postgres is free software. If you encounter a bug with the library please open an issue on the GitHub repo. If you have questions unanswered by the documentation please open an issue pointing out how the documentation was unclear & I will do my best to make it better!
When you open an issue please provide:
- version of Node
- version of Postgres
- smallest possible snippet of code to reproduce the problem
You can also follow me @brianc on bluesky if that's your thing for updates on node-postgres with nearly zero non node-postgres content. My old twitter/x account is no longer used.
Sponsorship :two_hearts:
node-postgres's continued development has been made possible in part by generous financial support from the community.
If you or your company are benefiting from node-postgres and would like to help keep the project financially sustainable please consider supporting its development.
Featured sponsor
Special thanks to medplum for their generous and thoughtful support of node-postgres!
Contributing
:heart: contributions!
I will happily accept your pull request if it:
- has tests
- looks reasonable
- does not break backwards compatibility
If your change involves breaking backwards compatibility please please point that out in the pull request & we can discuss & plan when and how to release it and what type of documentation or communication it will require.
Setting up for local development
- Clone the repo
- Ensure you have installed libpq-dev in your system (the native bindings are built in the test process)
- From your workspace root run `yarn` and then `yarn lerna bootstrap`
- Ensure you have a PostgreSQL instance running with SSL enabled and an empty database for tests. Note: you can skip the tests requiring SSL by setting the environment variable `PGTESTNOSSL=1` if you're not changing any SSL related code.
- Ensure you have the proper environment variables configured for connecting to your postgres instance, using the standard `PG*` environment variables like `PGUSER` and `PGPASSWORD` etc...
- Run `yarn test` to run all the tests.
Troubleshooting and FAQ
The causes and solutions to common errors can be found among the Frequently Asked Questions (FAQ)
License
Copyright (c) 2010-2020 Brian Carlson (brian.m.carlson@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQ
What is pg used for?
PostgreSQL client - pure javascript & libpq with the same API
How can I tell if a website is using pg?
Open the page in Chrome with the Sourcemap Explorer extension installed and read the Stack tab. We catch `pg` from two complementary signals: `node_modules/pg/` paths inside the JavaScript sourcemap, and the embedded `package.json` we read for exact-version detection. Without the extension you can do the same lookup manually in DevTools — the steps are listed in the "How Sourcemap Explorer detects" section above.
How do I find out which version of pg a website is running?
Read it straight from the site's JavaScript sourcemap. When a build ships source maps, the bundled `pg/package.json` carries the exact `version` string — Sourcemap Explorer extracts it in one click on the Stack tab, and you can do it by hand in DevTools by opening the `.map` file and searching for `node_modules/pg/package.json`. That is far more reliable than inferring the version from an asset-hash or a `?ver=` query string, which is all surface-level detectors have to go on. The current npm release is 8.21.0, but real deployments frequently run an older pinned version — which is exactly why reading the bundled number matters.
What is the latest version of pg?
8.21.0, as published on the npm registry. The "Recent versions" table on this page lists the most recent 8 releases with their release dates. Sourcemap Explorer reports the version actually bundled into a site, which can lag the latest release by months on real-world deployments.
Is pg actively maintained?
Very actively maintained — the last release shipped within the past three months. The last published release was 2026-05-18. Source code: https://github.com/brianc/node-postgres.
Does pg have known security vulnerabilities?
1 recent advisory affecting some versions of pg is listed in the "Recent security advisories" section above, aggregated from OSV.dev (GitHub Advisory + CVE data). Whether a particular site is exposed depends entirely on the exact version it ships — each advisory applies to a specific version range, not to the package as a whole. That is why the precise bundled version matters: Sourcemap Explorer reads the version a site actually runs, so you can check it against the affected ranges instead of assuming the latest release is what's deployed.
Where can I read more?
Project homepage: https://github.com/brianc/node-postgres. Source code: https://github.com/brianc/node-postgres. Published on npm: https://www.npmjs.com/package/pg. Licensed as MIT.
Detected by Sourcemap Explorer
When a bundle ships sourcemaps, we read the embedded package.json for pg and report the precise version (the registry's latest is v8.21.0, published 2026-05-18; the bundled copy is often older). Without sourcemaps, an import / require in the page's scripts is enough to flag it.