safeql
SafeQL is an ESLint plugin that automatically infers and validates TypeScript types from raw PostgreSQL queries. It integrates with popular SQL libraries (Prisma, pg, Postgres.js, etc.) to catch type mismatches at lint time rather than runtime.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ts-safeql/safeql |
| Owner | ts-safeql |
| Primary language | TypeScript |
| License | MIT — OSI-approved |
| Stars | 1.6k |
| Forks | 33 |
| Open issues | 19 |
| Latest release | @ts-safeql/[email protected] (2026-06-30) |
| Last updated | 2026-06-30 |
| Source | https://github.com/ts-safeql/safeql |
What safeql is
SafeQL uses libpg-query to parse PostgreSQL syntax and derive TypeScript types from query structure, exposing validation via an ESLint plugin. It operates as a static analysis tool integrated into the TypeScript/ESLint pipeline, supporting multiple PostgreSQL clients without ORM lock-in.
Get the safeql source
Clone the repository and explore it locally.
git clone https://github.com/ts-safeql/safeql.gitcd safeql# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires libpg-query as a peer dependency; verify availability and licensing compliance in your environment.
- ESLint and typescript-eslint must be configured and working before SafeQL integration; setup burden varies by existing project maturity.
- Database schema must be accessible to SafeQL for type inference; configure connection details or schema introspection paths in ESLint config.
- Type inference accuracy depends on PostgreSQL query parsability; very complex or non-standard SQL may not infer types correctly.
- Team must maintain SQL query discipline (avoid SQL injection vectors, parameterized queries) for the tool to be effective.
When to avoid it — and what to weigh
- Non-PostgreSQL databases — SafeQL is PostgreSQL-specific; projects using MySQL, SQLite, or other databases require alternatives.
- Minimal ESLint/TypeScript infrastructure — Requires pre-existing ESLint and typescript-eslint setup; adding this to a project without linting infrastructure introduces toolchain complexity.
- Generated or parameterized queries at runtime — SafeQL performs static analysis; dynamic SQL construction at runtime cannot be type-checked, limiting utility for highly dynamic query builders.
- Teams unfamiliar with raw SQL — The tool assumes SQL competency; teams primarily using query builders or ORMs may find raw SQL maintenance overhead unmanageable.
License & commercial use
Licensed under MIT (OSI-approved). Permissive open-source license allowing commercial and private use with attribution.
MIT license permits commercial use, modification, and distribution. No restrictions on proprietary applications. Include license text in distributions per MIT terms. No warranty provided; review dependency (libpg-query) licenses for production deployments.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
SafeQL performs static type checking and does not execute queries; it does not validate SQL injection prevention. Teams must independently ensure queries use parameterized statements. Database credentials for schema introspection should be managed securely in CI/CD and development environments. Review libpg-query for any known vulnerabilities.
Alternatives to consider
Prisma with type generation
ORM-based alternative that auto-generates TypeScript types from schema; trades raw SQL control for schema-driven safety and convenience.
sqlc
Similar static SQL type checker for multiple databases and languages; language-agnostic but requires separate code generation step.
Sequelize with TypeScript decorators
ORM with TypeScript support; enforces types at model level rather than query level, suitable for teams avoiding raw SQL.
Build on safeql with DEV.co software developers
If you write raw SQL in TypeScript and need compile-time type safety without ORM overhead, SafeQL is worth evaluating. Start with the Getting Started guide and assess schema introspection requirements for your infrastructure.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
safeql FAQ
Does SafeQL require a running PostgreSQL instance?
Can SafeQL work without Prisma or other ORMs?
What happens if a query is invalid or unparseable?
Does SafeQL check for SQL injection vulnerabilities?
Software development & web development with DEV.co
Adopting safeql is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source databases software in production.
Evaluate SafeQL for Your PostgreSQL TypeScript Projects
If you write raw SQL in TypeScript and need compile-time type safety without ORM overhead, SafeQL is worth evaluating. Start with the Getting Started guide and assess schema introspection requirements for your infrastructure.