chore(deps): bump @prisma/instrumentation from 6.6.0 to 6.18.0

[dependabot]

Bumps @prisma/instrumentation from 6.6.0 to 6.18.0.

Release notes

Sourced from @​prisma/instrumentation's releases.

6.18.0

Today, we are excited to share the 6.18.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Prisma ORM

Prisma ORM is the most popular ORM in the TypeScript ecosystem. Today’s release brings a bunch of new bug fixes and overall improvements:

• prisma init now creates a prisma.config.ts automatically

When creating a new project with 6.18.0, prisma init will now create a prisma.config.ts file automatically. This prepares new applications for the future of Prisma 7. Some fields that have been historically set in the schema.prisma file are now able to be set in the prisma.config.ts, and we encourage people to migrate over to the new structure before the release of version 7, where this file will become a requirement.

• Support for defining your datasource in prisma.config.ts

If you’re adopting the new prisma.config.ts setup in your projects, version 6.18.0 brings the ability to set your datasource directly in your config file. Once this is in your config file, any datasource set in your schema.prisma will be ignored. To set the datasource, we also must include the new engine key which we can set to "classic" , which will be required for Prisma v7

import { defineConfig, env } from "prisma/config";
export default defineConfig({
    // The Rust-compiled schema engine 
    engine: "classic",
    datasource: {
        url: env('DATABASE_URL'),
    }
});

• prisma/prisma#28291 Support multiple Prisma instances with different providers
• prisma/prisma#28305 Add env helper function
• prisma/prisma#28266 Add support for js or classic as engine types in prisma.config
• prisma/prisma#28139 Map Bytes to Uint8Array depending on Typescript version

Preparing for Prisma v7

While it has been mentioned a few times already, many of the changes in this release are here to prepare folks for the upcoming release of Prisma v7. It’s worth repeating that these changes and the migration to prisma.config.ts will be required for Prisma v7, so we’re releasing this as opt-in features for developers. But come Prisma v7, they will be the new way of configuring your project.

Prisma Postgres

Prisma Postgres is our fully managed Postgres service designed with the same philosophy of great DX that has guided Prisma for close to a decade. With this release we are introducing the following improvements:

Database Metric in Console

Inside of your database console, you can now view metrics on your database usage and interactions. You can get insights into the follow:

• Total egress
• Average response size
• Average query duration

In addition, you can also get insights into how to improve your query caching and gain better performance.

... (truncated)

Commits

• c524934 chore: upgrade OpenTelemetry deps and refresh tracing setup in client (#28268)
• 423b585 fix: revert "chore: use pnpm catalog (#28236)" (#28271)
• 10fab6b chore: use pnpm catalog (#28236)
• 6169c92 chore(instrumentation): relax opentelemetry version range (#28199)
• 61a87a1 chore(deps): changed @​opentelemetry/instrumentation version (#27805)
• 3409815 chore: convert small packages to vitest (#28009)
• dd823f6 feat(client): drop deprecated middleware feature (#27799)
• 04ebf92 fix(instrumentation): emit missing dist/index.d.ts (#26986)
• 9a93b2b build(instrumentation): Emit ESM (#26918)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[comp-ai-code-review]

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV npm scan found 3 vulnerabilities: xlsx@0.18.5 — Prototype Pollution (HIGH) and ReDoS (HIGH); ai@5.0.0 — filetype whitelist bypass (LOW, fixed in 5.0.52).

---

📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

Package	Version	CVE	Severity	CVSS	Summary	Fixed In
xlsx	0.18.5	GHSA-4r6h-8v6p-xvw6	HIGH	N/A	Prototype Pollution in sheetJS	No fix yet
xlsx	0.18.5	GHSA-5pgg-2g8v-p4x9	HIGH	N/A	SheetJS Regular Expression Denial of Service (ReDoS)	No fix yet
ai	5.0.0	GHSA-rwvc-j5jr-mgvh	LOW	N/A	Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files	5.0.52

---

🛡️ Code Security Analysis

✅ No security issues detected in code changes.

---

💡 Recommendations

View 3 recommendation(s)

1. Update ai in package.json to >=5.0.52 (ai 5.0.0 → 5.0.52+) to apply the documented fix (GHSA-rwvc-j5jr-mgvh).
2. Upgrade xlsx (currently 0.18.5) to a release that addresses GHSA-4r6h-8v6p-xvw6 (Prototype Pollution) and GHSA-5pgg-2g8v-p4x9 (ReDoS); change the dependency version in package.json to the fixed release indicated by the GHSA/OSV advisories.
3. Review all code locations that parse/consume Excel files (calls into xlsx read/parse). Add explicit input validation/rejection for unexpected file types or shapes, and run parsing in a restricted context (e.g., worker/timeout or otherwise limited execution) to reduce ReDoS/processing impact and limit exposure to prototype pollution.

---

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 20, 2025

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
app	Ready	Preview	Comment	Nov 20, 2025 11:22am

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
portal	Skipped			Nov 20, 2025 11:22am

[graphite-app]

Graphite Automations

"Auto-assign PRs to Author" took an action on this PR • (12/05/25)

1 assignee was added to this PR based on Mariano Fuentes's automation.