node-postgres (pg)
The most widely-used PostgreSQL client for Node.js. Provides both a simple Client for single connections and a Pool for connection pooling. Supports parameterized queries (preventing SQL injection), prepared statements, transactions, COPY operations, and PostgreSQL notifications (LISTEN/NOTIFY). Pure JavaScript with TypeScript typings. The foundational layer used by ORMs like Knex, Drizzle, and Sequelize.
Score Breakdown
🔒 Security
Parameterized queries prevent SQL injection natively. SSL configurable. Database-level RBAC for fine-grained access. Minimal dependencies. Long history of security maintenance.
Best When
You need direct SQL access to PostgreSQL from Node.js with full control over queries, or when building a custom abstraction layer on top of raw PostgreSQL.
Avoid When
You want type-safe queries and schema-first development — use an ORM like Drizzle or Prisma that provides compile-time safety.
Use Cases
- Execute parameterized SQL queries against PostgreSQL from Node.js applications with automatic SQL injection prevention
- Manage database connection pools for Node.js web servers handling concurrent requests efficiently
- Run database transactions with proper BEGIN/COMMIT/ROLLBACK using pool.connect() and client.query()
- Receive real-time PostgreSQL NOTIFY events for database-driven event triggers in Node.js applications
- Execute raw SQL for complex queries that ORM query builders can't express, with pg as the escape hatch
Not For
- Schema management and migrations — use Knex, Drizzle, or Flyway for database migrations
- Type-safe query building — use Drizzle ORM, Prisma, or TypeORM for compile-time SQL type checking
- Non-PostgreSQL databases — use mysql2 for MySQL, better-sqlite3 for SQLite
Authentication
PostgreSQL native auth: password in connection string or config object. SSL/TLS configured via ssl option. Database-level permissions control access. Use environment variables for connection strings — never hardcode credentials.
Pricing
Fully free, MIT licensed. Costs are from the PostgreSQL database hosting (Supabase, Neon, RDS, etc.).
Known Gotchas
- ⚠ Always use parameterized queries ($1, $2 syntax) — never interpolate user input into SQL strings directly; pg's query(text, values) format is the safe pattern
- ⚠ Pool clients must be released after use — pool.connect() returns a client that must be released with client.release() in a finally block; leaked clients exhaust the connection pool
- ⚠ Connection pool size must fit within PostgreSQL max_connections — default pool max is 10; size it as roughly (PostgreSQL max_connections / number of app instances)
- ⚠ Transactions require checking out a dedicated client — cannot use pool.query() for multi-statement transactions; must use pool.connect() → BEGIN → queries → COMMIT → release pattern
- ⚠ pg returns certain types as strings by default — JSON, numeric, timestamptz may need type casting; configure pg.types.setTypeParser() for custom type parsing
- ⚠ SSL is not enforced by default — in production, always set ssl: { rejectUnauthorized: true } so the PostgreSQL server's certificate is verified
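The transaction, release-in-finally and parameterized-query gotchas above, as an added example that is not code from this page or from the node-postgres project. `withTransaction`, `transfer`, the `accounts` table and the in-memory `makeFakePool` stand-in for a real `pg.Pool` are assumptions made so the snippet runs offline; with a real pool the same helper works unchanged because it only uses `pool.connect()`, `client.query(text, values)` and `client.release()`.

```javascript
// Transaction helper following the pool.connect() -> BEGIN -> queries -> COMMIT -> release
// pattern. ROLLBACK on any error keeps the connection in a clean state, and release()
// in `finally` guarantees the client goes back to the pool even when the work throws.
async function withTransaction(pool, work) {
  const client = await pool.connect();
  try {
    await client.query('BEGIN');
    const result = await work(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  } finally {
    client.release(); // never skip this: leaked clients exhaust the pool
  }
}

// Parameterized transfer (assumed `accounts` table): user-controlled values travel only
// in the `values` array ($1, $2), never in the SQL text, so they cannot alter the statement.
async function transfer(pool, fromId, toId, amount) {
  return withTransaction(pool, async (client) => {
    await client.query('UPDATE accounts SET balance = balance - $1 WHERE id = $2', [amount, fromId]);
    await client.query('UPDATE accounts SET balance = balance + $1 WHERE id = $2', [amount, toId]);
    return 'ok';
  });
}

// Constructed in-memory fake of pg's Pool/Client API for offline demonstration: it records
// every statement it receives and whether release() was called. `failOn` makes any statement
// containing that substring throw, to simulate a failure mid-transaction.
function makeFakePool({ failOn } = {}) {
  const log = [];
  let released = false;
  const client = {
    async query(text, values) {
      log.push({ text, values });
      if (failOn && text.includes(failOn)) throw new Error('simulated failure');
      return { rows: [], rowCount: 0 };
    },
    release() { released = true; },
  };
  return { connect: async () => client, log, isReleased: () => released };
}
```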
Scores are editorial opinions as of 2026-03-06.