DEV.co
Open-Source Databases · ts-safeql

safeql

SafeQL is an ESLint plugin that automatically infers and validates TypeScript types from raw PostgreSQL queries. It integrates with popular SQL libraries (Prisma, pg, Postgres.js, etc.) to catch type mismatches at lint time rather than runtime.

Source: GitHub — github.com/ts-safeql/safeql
1.6k
GitHub stars
33
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryts-safeql/safeql
Ownerts-safeql
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars1.6k
Forks33
Open issues19
Latest release@ts-safeql/[email protected] (2026-06-30)
Last updated2026-06-30
Sourcehttps://github.com/ts-safeql/safeql

What safeql is

SafeQL uses libpg-query to parse PostgreSQL syntax and derive TypeScript types from query structure, exposing validation via an ESLint plugin. It operates as a static analysis tool integrated into the TypeScript/ESLint pipeline, supporting multiple PostgreSQL clients without ORM lock-in.

Quickstart

Get the safeql source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ts-safeql/safeql.gitcd safeql# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Type-safe raw SQL in PostgreSQL applications

Teams writing raw SQL queries in TypeScript who need compile-time assurance that query results match expected types, avoiding runtime type errors.

Monorepo and microservice architectures

Organizations with multiple databases and services can configure SafeQL per project, maintaining consistent SQL type safety across a distributed codebase.

SQL-first development workflows

Projects preferring direct SQL over ORMs can leverage SafeQL to maintain type safety without sacrificing SQL expressiveness or performance.

Implementation considerations

  • Requires libpg-query as a peer dependency; verify availability and licensing compliance in your environment.
  • ESLint and typescript-eslint must be configured and working before SafeQL integration; setup burden varies by existing project maturity.
  • Database schema must be accessible to SafeQL for type inference; configure connection details or schema introspection paths in ESLint config.
  • Type inference accuracy depends on PostgreSQL query parsability; very complex or non-standard SQL may not infer types correctly.
  • Team must maintain SQL query discipline (avoid SQL injection vectors, parameterized queries) for the tool to be effective.

When to avoid it — and what to weigh

  • Non-PostgreSQL databases — SafeQL is PostgreSQL-specific; projects using MySQL, SQLite, or other databases require alternatives.
  • Minimal ESLint/TypeScript infrastructure — Requires pre-existing ESLint and typescript-eslint setup; adding this to a project without linting infrastructure introduces toolchain complexity.
  • Generated or parameterized queries at runtime — SafeQL performs static analysis; dynamic SQL construction at runtime cannot be type-checked, limiting utility for highly dynamic query builders.
  • Teams unfamiliar with raw SQL — The tool assumes SQL competency; teams primarily using query builders or ORMs may find raw SQL maintenance overhead unmanageable.

License & commercial use

Licensed under MIT (OSI-approved). Permissive open-source license allowing commercial and private use with attribution.

MIT license permits commercial use, modification, and distribution. No restrictions on proprietary applications. Include license text in distributions per MIT terms. No warranty provided; review dependency (libpg-query) licenses for production deployments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

SafeQL performs static type checking and does not execute queries; it does not validate SQL injection prevention. Teams must independently ensure queries use parameterized statements. Database credentials for schema introspection should be managed securely in CI/CD and development environments. Review libpg-query for any known vulnerabilities.

Alternatives to consider

Prisma with type generation

ORM-based alternative that auto-generates TypeScript types from schema; trades raw SQL control for schema-driven safety and convenience.

sqlc

Similar static SQL type checker for multiple databases and languages; language-agnostic but requires separate code generation step.

Sequelize with TypeScript decorators

ORM with TypeScript support; enforces types at model level rather than query level, suitable for teams avoiding raw SQL.

Software development agency

Build on safeql with DEV.co software developers

If you write raw SQL in TypeScript and need compile-time type safety without ORM overhead, SafeQL is worth evaluating. Start with the Getting Started guide and assess schema introspection requirements for your infrastructure.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

safeql FAQ

Does SafeQL require a running PostgreSQL instance?
Unknown. Documentation excerpt does not clarify whether schema introspection requires a live connection or uses static schema files. Requires review of full documentation.
Can SafeQL work without Prisma or other ORMs?
Yes. SafeQL works with any PostgreSQL client (pg, Postgres.js, native drivers) and does not require an ORM. It is client-agnostic.
What happens if a query is invalid or unparseable?
Not clearly stated. SafeQL relies on libpg-query for parsing; malformed SQL likely fails gracefully with a lint error, but specific behavior requires review.
Does SafeQL check for SQL injection vulnerabilities?
No. SafeQL checks type safety, not security. Teams must independently use parameterized queries and input validation to prevent SQL injection.

Software development & web development with DEV.co

Adopting safeql is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.

Evaluate SafeQL for Your PostgreSQL TypeScript Projects

If you write raw SQL in TypeScript and need compile-time type safety without ORM overhead, SafeQL is worth evaluating. Start with the Getting Started guide and assess schema introspection requirements for your infrastructure.