
fix: bundle DB drivers as dependencies (fix Etherpad #7570) #939

Merged
JohnMcLear merged 1 commit into ether:main from JohnMcLear:fix/bundle-driver-deps
Apr 20, 2026


@JohnMcLear
Member

Summary

  • Moves all ten DB drivers (@elastic/elasticsearch, cassandra-driver, mongodb, mssql, mysql2, nano, pg, redis, rethinkdb, surrealdb) from peerDependencies + peerDependenciesMeta.optional back to dependencies.
  • Deletes peerDependenciesMeta.
  • Bumps version to 5.0.46.

Why

ueberdb2@5.0.45 declared the drivers as optional peer deps. Production installs (e.g., pnpm install --prod) skip optional peer deps, so consumers hit Error: Cannot find module 'mysql2' at first require of a driver.

Reported against Etherpad Docker: ether/etherpad#7570

Test plan

  • CI green (vitest + testcontainers exercises every driver)
  • Local smoke: npm install ueberdb2@next into a fresh project, then require() each of the ten driver modules — all resolve

Moves the ten DB drivers back from optional peerDependencies to
dependencies so consumers (notably Etherpad Docker production images)
get them installed automatically.

Fixes Etherpad issue ether/etherpad#7570:
"Cannot find module 'mysql2'" at startup when pnpm production install
skips optional peer deps.
@qodo-free-for-open-source-projects

Review Summary by Qodo

Bundle database drivers as production dependencies

🐞 Bug fix


Walkthroughs

Description
• Moves ten DB drivers from optional peerDependencies to dependencies
• Ensures drivers install in production environments automatically
• Fixes "Cannot find module" errors in Etherpad Docker images
• Bumps version to 5.0.46
Diagram
flowchart LR
  A["Optional peerDependencies"] -->|"Move to dependencies"| B["Required dependencies"]
  B -->|"Production install"| C["Drivers available at runtime"]
  C -->|"Fixes"| D["Etherpad #7570"]

File Changes

1. package.json Dependencies +5/-39

Promote database drivers to required dependencies

• Moves all ten database drivers (@elastic/elasticsearch, cassandra-driver, mongodb, mssql, mysql2,
 nano, pg, redis, rethinkdb, surrealdb) from peerDependencies to dependencies section
• Removes entire peerDependenciesMeta object that marked drivers as optional
• Reorders dependencies alphabetically for consistency
• Increments version from 5.0.45 to 5.0.46

package.json


2. pnpm-lock.yaml Dependencies +69/-30

Update lock file for driver dependency changes

• Moves all ten database driver entries from devDependencies to dependencies section in lock file
• Updates dependency resolution to reflect drivers as production dependencies
• Adds libc metadata to various platform-specific bindings for oxfmt, oxlint, rolldown, and
 rusty-store-kv packages
• Maintains consistent version pinning across dependency tree

pnpm-lock.yaml



@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Apr 20, 2026

Code Review by Qodo

🐞 Bugs (4) 📘 Rule violations (0) 📎 Requirement gaps (0)



Action required

1. Node engine version mismatch 🐞 Bug ☼ Reliability
Description
package.json still declares Node ">=18.0.0" but the newly-required runtime drivers include packages
that require Node >=20.x (e.g., mongodb and nano), so installs can fail for Node 18 users
(especially with engine-strict) and the published engine range becomes inaccurate.
Code

package.json[R25-40]

  "dependencies": {
-    "async": "^3.2.6",
-    "dirty-ts": "^1.1.8",
-    "rusty-store-kv": "^1.3.1",
-    "simple-git": "^3.36.0"
-  },
-  "peerDependencies": {
    "@elastic/elasticsearch": "^9.3.4",
+    "async": "^3.2.6",
    "cassandra-driver": "^4.8.0",
+    "dirty-ts": "^1.1.8",
    "mongodb": "^7.1.1",
    "mssql": "^12.2.1",
    "mysql2": "^3.22.0",
    "nano": "^11.0.5",
    "pg": "^8.20.0",
    "redis": "^5.12.1",
    "rethinkdb": "^2.4.2",
+    "rusty-store-kv": "^1.3.1",
+    "simple-git": "^3.36.0",
    "surrealdb": "^2.0.3"
  },
-  "peerDependenciesMeta": {
-    "@elastic/elasticsearch": {
-      "optional": true
-    },
-    "cassandra-driver": {
-      "optional": true
-    },
-    "mongodb": {
-      "optional": true
-    },
-    "mssql": {
-      "optional": true
-    },
-    "mysql2": {
-      "optional": true
-    },
-    "nano": {
-      "optional": true
-    },
-    "pg": {
-      "optional": true
-    },
-    "redis": {
-      "optional": true
-    },
-    "rethinkdb": {
-      "optional": true
-    },
-    "surrealdb": {
-      "optional": true
-    }
-  },
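Review bot: the ten drivers added to `dependencies` at lines 25-40 all use caret ranges and, with `peerDependenciesMeta` removed, are installed for every consumer whichever backend it configures, so each production tree now carries ten driver trees that have to be audited and patched. Say so in the 5.0.46 release notes, and make sure whatever dependency audit runs against this package covers the production tree rather than only devDependencies, since the drivers no longer sit outside it.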
Evidence
The PR makes drivers regular dependencies, so their engine requirements apply to all consumers. The
repo still claims Node >=18, but the lockfile shows multiple newly-required packages requiring Node
>=20.x.

package.json[25-40]
package.json[107-109]
pnpm-lock.yaml[1664-1667]
pnpm-lock.yaml[1712-1715]
pnpm-lock.yaml[195-198]
pnpm-lock.yaml[121-128]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`package.json` advertises Node >=18, but the PR makes DB drivers hard dependencies and several of those (or their transitives) require Node >=20.x. This can break installs for Node 18 users and misrepresents supported runtime versions.

## Issue Context
New dependencies include `mongodb`, `nano`, and `@elastic/elasticsearch` (via `@elastic/transport`) which have Node >=20 engine requirements according to the lockfile.

## Fix Focus Areas
- package.json[25-40]
- package.json[107-109]

## What to change
- Either bump `engines.node` to the highest required minimum (and consider whether this warrants a semver-minor/major rather than patch), OR
- Pin/adjust the specific driver package versions to ones that support Node 18, OR
- Reconsider making these particular drivers unconditional dependencies (e.g., keep Node20-only drivers optional/peer so Node18 installs remain possible).



2. Unmet driver peer dependencies 🐞 Bug ☼ Reliability
Description
By making drivers unconditional dependencies, ueberdb2 now forces installation of packages that
declare non-optional peerDependencies (notably surrealdb requires tslib and typescript; mysql2
requires @types/node), which can cause install failures under strict peer-dependency enforcement and
creates noisy warnings for all consumers.
Code

package.json[R25-40]

  "dependencies": {
-    "async": "^3.2.6",
-    "dirty-ts": "^1.1.8",
-    "rusty-store-kv": "^1.3.1",
-    "simple-git": "^3.36.0"
-  },
-  "peerDependencies": {
    "@elastic/elasticsearch": "^9.3.4",
+    "async": "^3.2.6",
    "cassandra-driver": "^4.8.0",
+    "dirty-ts": "^1.1.8",
    "mongodb": "^7.1.1",
    "mssql": "^12.2.1",
    "mysql2": "^3.22.0",
    "nano": "^11.0.5",
    "pg": "^8.20.0",
    "redis": "^5.12.1",
    "rethinkdb": "^2.4.2",
+    "rusty-store-kv": "^1.3.1",
+    "simple-git": "^3.36.0",
    "surrealdb": "^2.0.3"
  },
-  "peerDependenciesMeta": {
-    "@elastic/elasticsearch": {
-      "optional": true
-    },
-    "cassandra-driver": {
-      "optional": true
-    },
-    "mongodb": {
-      "optional": true
-    },
-    "mssql": {
-      "optional": true
-    },
-    "mysql2": {
-      "optional": true
-    },
-    "nano": {
-      "optional": true
-    },
-    "pg": {
-      "optional": true
-    },
-    "redis": {
-      "optional": true
-    },
-    "rethinkdb": {
-      "optional": true
-    },
-    "surrealdb": {
-      "optional": true
-    }
-  },
Evidence
The lockfile shows surrealdb and mysql2 declare peerDependencies, but ueberdb2 does not provide
tslib at all and keeps typescript/@types/node as devDependencies only (not present in
production installs).

pnpm-lock.yaml[2081-2086]
pnpm-lock.yaml[1699-1704]
package.json[25-40]
package.json[41-67]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Making DB drivers unconditional dependencies forces all consumers to install packages that have non-optional peerDependencies (`surrealdb` needs `tslib` + `typescript`, `mysql2` needs `@types/node`). In production installs (no devDependencies) and/or strict peer enforcement, this can fail.

## Issue Context
- `surrealdb@2.0.3` peers: `tslib`, `typescript`
- `mysql2@3.22.0` peer: `@types/node`
- `tslib` is not present in ueberdb2 deps; `typescript` and `@types/node` are dev-only.

## Fix Focus Areas
- package.json[25-40]
- package.json[41-67]

## What to change
Choose one:
- Add the required peers to `dependencies` (or `peerDependencies` where appropriate) so production consumers satisfy them, OR
- Switch to driver versions that do not require these peers, OR
- Avoid forcing these drivers as unconditional dependencies (e.g., keep only the actually-needed driver install-time requirements on the consumer side).




Remediation recommended

3. Duplicate dependency declarations 🐞 Bug ⚙ Maintainability
Description
Multiple DB drivers are now declared in both dependencies and devDependencies (same package/version
duplicated), which is easy to desynchronize and can lead to inconsistent behavior across package
managers and future upgrades.
Code

package.json[R25-40]

  "dependencies": {
-    "async": "^3.2.6",
-    "dirty-ts": "^1.1.8",
-    "rusty-store-kv": "^1.3.1",
-    "simple-git": "^3.36.0"
-  },
-  "peerDependencies": {
    "@elastic/elasticsearch": "^9.3.4",
+    "async": "^3.2.6",
    "cassandra-driver": "^4.8.0",
+    "dirty-ts": "^1.1.8",
    "mongodb": "^7.1.1",
    "mssql": "^12.2.1",
    "mysql2": "^3.22.0",
    "nano": "^11.0.5",
    "pg": "^8.20.0",
    "redis": "^5.12.1",
    "rethinkdb": "^2.4.2",
+    "rusty-store-kv": "^1.3.1",
+    "simple-git": "^3.36.0",
    "surrealdb": "^2.0.3"
  },
-  "peerDependenciesMeta": {
-    "@elastic/elasticsearch": {
-      "optional": true
-    },
-    "cassandra-driver": {
-      "optional": true
-    },
-    "mongodb": {
-      "optional": true
-    },
-    "mssql": {
-      "optional": true
-    },
-    "mysql2": {
-      "optional": true
-    },
-    "nano": {
-      "optional": true
-    },
-    "pg": {
-      "optional": true
-    },
-    "redis": {
-      "optional": true
-    },
-    "rethinkdb": {
-      "optional": true
-    },
-    "surrealdb": {
-      "optional": true
-    }
-  },
Evidence
package.json lists the same driver packages in dependencies and again in devDependencies (e.g.,
mongodb, mysql2, mssql, nano, etc.), creating two sources of truth.

package.json[25-40]
package.json[41-64]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
DB driver packages are listed in both `dependencies` and `devDependencies`, which is redundant and risks future version drift.

## Issue Context
Now that drivers are runtime `dependencies`, they do not need to be repeated in `devDependencies` for tests/build.

## Fix Focus Areas
- package.json[25-40]
- package.json[41-64]

## What to change
- Remove the duplicated driver entries from `devDependencies` (keep them only in `dependencies`), then regenerate the lockfile.




Advisory comments

4. Misleading driver-loading comment 🐞 Bug ⚙ Maintainability
Description
The comment in index.ts says lazy loading is used so only the selected backend’s dependencies need
to be installed and to avoid crashes when optional drivers are missing, but after this PR the
drivers are installed unconditionally as dependencies.
Code

package.json[R25-40]

  "dependencies": {
-    "async": "^3.2.6",
-    "dirty-ts": "^1.1.8",
-    "rusty-store-kv": "^1.3.1",
-    "simple-git": "^3.36.0"
-  },
-  "peerDependencies": {
    "@elastic/elasticsearch": "^9.3.4",
+    "async": "^3.2.6",
    "cassandra-driver": "^4.8.0",
+    "dirty-ts": "^1.1.8",
    "mongodb": "^7.1.1",
    "mssql": "^12.2.1",
    "mysql2": "^3.22.0",
    "nano": "^11.0.5",
    "pg": "^8.20.0",
    "redis": "^5.12.1",
    "rethinkdb": "^2.4.2",
+    "rusty-store-kv": "^1.3.1",
+    "simple-git": "^3.36.0",
    "surrealdb": "^2.0.3"
  },
-  "peerDependenciesMeta": {
-    "@elastic/elasticsearch": {
-      "optional": true
-    },
-    "cassandra-driver": {
-      "optional": true
-    },
-    "mongodb": {
-      "optional": true
-    },
-    "mssql": {
-      "optional": true
-    },
-    "mysql2": {
-      "optional": true
-    },
-    "nano": {
-      "optional": true
-    },
-    "pg": {
-      "optional": true
-    },
-    "redis": {
-      "optional": true
-    },
-    "rethinkdb": {
-      "optional": true
-    },
-    "surrealdb": {
-      "optional": true
-    }
-  },
Evidence
index.ts does lazy-load drivers via dynamic imports, but the stated motivation about install-time
optionality is no longer true once all drivers are in dependencies.

index.ts[24-27]
index.ts[123-161]
package.json[25-40]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A comment claims lazy-loading avoids requiring optional drivers to be installed, but this PR makes drivers regular dependencies, so the comment is misleading.

## Issue Context
Lazy-loading still exists (dynamic imports), but it no longer reduces install-time dependency requirements.

## Fix Focus Areas
- index.ts[24-27]

## What to change
- Update the comment to reflect the current rationale (e.g., lazy-load to reduce startup cost / avoid initializing unused backends), and remove references to drivers being optionally installed.


@JohnMcLear JohnMcLear merged commit 43d348b into ether:main Apr 20, 2026
12 checks passed
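
An added example, not part of the PR or the ueberdb2 code base: a small audit for the two install-time problems the review above raises, a dependency whose `engines.node` minimum exceeds the package's own and a non-optional peer that a production install does not provide. The function names, the `'*'` ranges and every manifest in `installed` are constructed for illustration.

```javascript
// Lowest Node version accepted by a simple ">=X[.Y[.Z]]" engines range.
// Compound ranges (||, ^, <) return null and are reported, not guessed.
function minNode(range) {
  const m = /^\s*>=\s*(\d+)(?:\.(\d+|x))?(?:\.(\d+|x))?\s*$/.exec(range || '');
  if (!m) return null;
  return [m[1], m[2], m[3]].map((p) => (p === undefined || p === 'x' ? 0 : Number(p)));
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// root: the package's own package.json. installed: name -> manifest of each
// production dependency as found in node_modules/<name>/package.json.
function auditProdDeps(root, installed) {
  const findings = [];
  const declared = minNode(root.engines && root.engines.node);
  // devDependencies are deliberately excluded: a --prod install omits them.
  const provided = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.peerDependencies || {}),
  ]);
  for (const name of Object.keys(root.dependencies || {})) {
    const dep = installed[name];
    if (!dep) { findings.push({ type: 'missing', name }); continue; }
    const range = dep.engines && dep.engines.node;
    const need = minNode(range);
    if (range && !need) findings.push({ type: 'engine-unparsed', name, range });
    else if (need && declared && cmp(need, declared) > 0) {
      findings.push({ type: 'engine', name, range });
    }
    const meta = dep.peerDependenciesMeta || {};
    for (const peer of Object.keys(dep.peerDependencies || {})) {
      if (meta[peer] && meta[peer].optional) continue;
      if (!provided.has(peer)) findings.push({ type: 'peer', name, peer });
    }
  }
  return findings;
}

// Constructed manifests modelled on review findings 1 and 2; not real metadata.
const root = {
  engines: { node: '>=18.0.0' },
  dependencies: { mongodb: '^7.1.1', mysql2: '^3.22.0', pg: '^8.20.0', surrealdb: '^2.0.3' },
  devDependencies: { typescript: '*', '@types/node': '*' },
};
const installed = {
  mongodb: { engines: { node: '>=20' } },
  mysql2: { engines: { node: '>=8.0' }, peerDependencies: { '@types/node': '*' } },
  pg: { engines: { node: '>=16.0.0' } },
  surrealdb: { peerDependencies: { tslib: '*', typescript: '*' } },
};
console.log(auditProdDeps(root, installed));
```

Run against real manifests, a `missing` finding is the same condition that surfaces at runtime as `Cannot find module`.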
Comment thread package.json
Comment on lines 25 to 40
"dependencies": {
"async": "^3.2.6",
"dirty-ts": "^1.1.8",
"rusty-store-kv": "^1.3.1",
"simple-git": "^3.36.0"
},
"peerDependencies": {
"@elastic/elasticsearch": "^9.3.4",
"async": "^3.2.6",
"cassandra-driver": "^4.8.0",
"dirty-ts": "^1.1.8",
"mongodb": "^7.1.1",
"mssql": "^12.2.1",
"mysql2": "^3.22.0",
"nano": "^11.0.5",
"pg": "^8.20.0",
"redis": "^5.12.1",
"rethinkdb": "^2.4.2",
"rusty-store-kv": "^1.3.1",
"simple-git": "^3.36.0",
"surrealdb": "^2.0.3"
},

Action required

1. Node engine version mismatch 🐞 Bug ☼ Reliability

package.json still declares Node ">=18.0.0" but the newly-required runtime drivers include packages
that require Node >=20.x (e.g., mongodb and nano), so installs can fail for Node 18 users
(especially with engine-strict) and the published engine range becomes inaccurate.
Agent Prompt
## Issue description
`package.json` advertises Node >=18, but the PR makes DB drivers hard dependencies and several of those (or their transitives) require Node >=20.x. This can break installs for Node 18 users and misrepresents supported runtime versions.

## Issue Context
New dependencies include `mongodb`, `nano`, and `@elastic/elasticsearch` (via `@elastic/transport`) which have Node >=20 engine requirements according to the lockfile.

## Fix Focus Areas
- package.json[25-40]
- package.json[107-109]

## What to change
- Either bump `engines.node` to the highest required minimum (and consider whether this warrants a semver-minor/major rather than patch), OR
- Pin/adjust the specific driver package versions to ones that support Node 18, OR
- Reconsider making these particular drivers unconditional dependencies (e.g., keep Node20-only drivers optional/peer so Node18 installs remain possible).


Comment thread package.json
Comment on lines 25 to 40
"dependencies": {
"async": "^3.2.6",
"dirty-ts": "^1.1.8",
"rusty-store-kv": "^1.3.1",
"simple-git": "^3.36.0"
},
"peerDependencies": {
"@elastic/elasticsearch": "^9.3.4",
"async": "^3.2.6",
"cassandra-driver": "^4.8.0",
"dirty-ts": "^1.1.8",
"mongodb": "^7.1.1",
"mssql": "^12.2.1",
"mysql2": "^3.22.0",
"nano": "^11.0.5",
"pg": "^8.20.0",
"redis": "^5.12.1",
"rethinkdb": "^2.4.2",
"rusty-store-kv": "^1.3.1",
"simple-git": "^3.36.0",
"surrealdb": "^2.0.3"
},

Action required

2. Unmet driver peer dependencies 🐞 Bug ☼ Reliability

By making drivers unconditional dependencies, ueberdb2 now forces installation of packages that
declare non-optional peerDependencies (notably surrealdb requires tslib and typescript; mysql2
requires @types/node), which can cause install failures under strict peer-dependency enforcement and
creates noisy warnings for all consumers.
Agent Prompt
## Issue description
Making DB drivers unconditional dependencies forces all consumers to install packages that have non-optional peerDependencies (`surrealdb` needs `tslib` + `typescript`, `mysql2` needs `@types/node`). In production installs (no devDependencies) and/or strict peer enforcement, this can fail.

## Issue Context
- `surrealdb@2.0.3` peers: `tslib`, `typescript`
- `mysql2@3.22.0` peer: `@types/node`
- `tslib` is not present in ueberdb2 deps; `typescript` and `@types/node` are dev-only.

## Fix Focus Areas
- package.json[25-40]
- package.json[41-67]

## What to change
Choose one:
- Add the required peers to `dependencies` (or `peerDependencies` where appropriate) so production consumers satisfy them, OR
- Switch to driver versions that do not require these peers, OR
- Avoid forcing these drivers as unconditional dependencies (e.g., keep only the actually-needed driver install-time requirements on the consumer side).
