Update Rust crate diesel to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
diesel (source)	dependencies	major	1.4 → 2.0

---

Diesel vulnerable to Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts

GHSA-wq9x-qwcq-mmgf

More information

Details

The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)
Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears Diesel does perform truncating casts in a way that could be problematic,
for example: https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 2.2.2 are affected.

Mitigation

The prefered migration to the outlined problem is to update to a Diesel version newer than 2.2.2, which includes
fixes for the problem.

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

Diesel now uses #[deny] directives for the following Clippy lints:

• cast_possible_truncation
• cast_possible_wrap
• cast_sign_loss

to prevent casts that will lead to precision loss or other trunctations. Additionally we performed an
audit of the relevant code.

A fix is included in the 2.2.3 release.

Severity

• CVSS Score: 8.9 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

• https://github.com/diesel-rs/diesel/pull/4170
• https://github.com/diesel-rs/diesel/commit/9eccd7d6d705ac53618bfd478152e32ec3b4536c
• https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36
• https://rustsec.org/advisories/RUSTSEC-2024-0365.html
• https://github.com/advisories/GHSA-wq9x-qwcq-mmgf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Diesel's SQLite backend has possible UTF-8 corruption

GHSA-h5x4-m2qf-r4f2

More information

Details

Diesel uses the sqlite3_value_text function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as *const c_char. Based on that we used str::from_utf8_unchecked to construct a Rust string slice without any additional UTF-8 checks in place. It turned out that this function doesn't always return correct UTF-8 strings. For field of the SQLite side storage type BLOB this pointer can contain arbitrary bytes, which makes the usage of str::from_utf8_unchecked unsound as this violates the safety contract of str to only contain valid UTF-8 encoded Strings.

Mitigation

The preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now correctly checks whether the provides byte buffer is actually valid UTF-8, instead of relying on SQLite's documentation. This fix is included in the 2.3.8 release.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/diesel-rs/diesel/pull/5042
• https://rustsec.org/advisories/RUSTSEC-2026-0111.html
• https://github.com/advisories/GHSA-h5x4-m2qf-r4f2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

diesel-rs/diesel (diesel)

v2.3.8

Compare Source

• Added support for libsqlite3-sys 0.37.0
• Raise a compile-time error when mixing aggregate and non-aggregate expressions in an ORDER BY clause without a GROUP BY clause
• Calling .count() or .select(aggregate_expr) on a query that already has a non-aggregate .order_by() clause now raises a compile-time error instead of generating invalid SQL that would be rejected by the database at runtime (fixes #​3815)
• Added documentation for migration transaction behaviour at the crate root
• Improved compile time error messages for #[derive(AsChangeset)]
• Allow to use generic types in infix_operator!()
• Fixes for several instances of unsound, unspecified or otherwise dangerous behaviour:
  • Unsound string construction in SqliteValue::read_text/FromSql<Text, Sqlite> for String
  • Invalid alignment for over aligned data in SqliteConnection::register_function for aggregate functions
  • Potential memory leaks in SqliteConnection::register_function
  • Access to padding bytes while serializing Date/time types in the Mysql backend
  • SQL Option Injection in PostgreSQL COPY FROM/TO
  • Unspecified pointer cast in Debug/Display implementation of batch INSERT statements for SQLite
  • Invalid call order of SQLite API functions in SqliteValue::read_text/FromSql<Text, Sqlite> for String/SqliteValue::read_blob()/FromSql<Binary, Sqlite> for Vec<u8>
  • Potential unsound pointer access for FromSql<Binary, _> for Vec<u8> and FromSql<Text, _> for String for third party backends (requires changes to the third party backend as well)

v2.3.7

Compare Source

• Add support for libsqlite3-sys 0.36
• Fix a potential resource leak if establishing a SqliteConnection fails.

v2.3.6

Compare Source

• Added support for mysqlclient-sys 0.5.0
• Fix generating valid schema if a column is named table
• Fixed a regression with #[derive(Insertable)] if the same field type is used with different lifetime values

v2.3.5

Compare Source

• Fix another libmariadb related issue with time types
• Improve compile time error messages for #[derive(Insertable)]
• Bump supported version of sqlite-wasm-rs to 0.5.0
• Minor documentation fixes
• Make the returning_clauses_for_sqlite_3_35 feature enable the sqlite feature by default
• Include a fix for a nightly rust name resolution ambiguity

v2.3.4

Compare Source

• Fix an issue with breaking changes in libmariadb
• Fix documentation links for helper types
• Fix using #[diesel(embed)] with Option<Inner> types
• Fix documentation for concurrent migration runs

v2.3.3

Compare Source

Fixed

• Fix displaying binds in instrumentations for #[derive(MultiConnection)]
• Support artifact attestation for binaries build for releases
• Stop using absolute paths in generated diesel.toml
• Explicitly qualify Ok in code generated by derives to avoid naming conflicts

v2.3.2

Fixed

• Fixed an incompatibility with libmariadb versions shipped by debian
• Fixed docs.rs builds
• Fixed applying patch file schema.rs file with formatting
• Allow to compare DatabaseErrorKind values

v2.3.1

This version did not contain any changes, but only a version bump to retrigger the docs.rs build

v2.3.0

Compare Source

Added

• Added limit() and offset() DSL to combination clauses such as UNION
• Fixed #[derive(Identifiable)] ignoring attribute #[diesel(serialize_as)] on primary keys
• Added embedded struct support for AsChangeset via #[diesel(embed)]
• Added a #[diesel(skip_update)] attribute for the AsChangeset derive to skip updating a field present in the struct
• Support for libsqlite3-sys 0.35.0
• Add support for built-in PostgreSQL range operators and functions
• Support for postgres multirange type
• Added diesel::r2d2::TestCustomizer, which allows users to customize their diesel::r2d2::Pools
  in a way that makes the pools suitable for use in parallel tests.
• Added support for built-in PostgreSQL range operators and functions
• Added support for various built-in PostgreSQL array functions
• Added Json and Jsonb support for the SQLite backend.
• Added a #[diesel::declare_sql_function] attribute macro to easily define support for
  multiple sql functions at once via an extern "SQL" block
• Support [print_schema] allow_tables_to_appear_in_same_query_config = "fk_related_tables" to generate separate allow_tables_to_appear_in_same_query! calls containing only tables that are related through foreign keys. (Default: "all_tables".) It is not possible to build queries using two tables that don't appear in the same allow_tables_to_appear_in_same_query! call, but that macro generates O(n²) rust code, so this option may be useful to reduce compilation time. (#​4333)
• Added wasm32-unknown-unknown target support for sqlite backend.
• Add support for the CAST operator
• Support [print_schema] allow_tables_to_appear_in_same_query_config = "none" to generate no allow_tables_to_appear_in_same_query! calls. (Default: "all_tables".). (#​4333)
• Add [print_schema] pg_domains_as_custom_types parameter to generate custom types for PostgreSQL domains that matches any of the regexes in the given list. (Default: [].) This option allows an application to selectively give special meaning for the serialization/deserialization of these types, avoiding the default behavior of treating the domain as the underlying type. (#​4592)
• Add support for batch insert and upsert statements with returning for SQLite
• Add support for window functions and aggregate expressions.

Fixed

• Fixed diesel thinking a.eq_any(b) was non-nullable even if a and b were nullable.
• Generate InstrumentationEvent::BeginTransaction for immediate and exclusive transactions in SQLite
• Use a single space instead of two spaces between DELETE FROM.
• Diesel CLI now ensures that migration versions are always unique. If it fails to generate a unique version, it will return an error. The new version format remains compatible with older Diesel versions.
• Updated ipnetwork to allow version 0.21.

Changed

• Use distinct DIESEL_LOG logging filter env variable instead of the default RUST_LOG one (#​4575)
• The minimal supported Rust version is now 1.86.0

v2.2.12

Compare Source

v2.2.11

Compare Source

v2.2.10

Compare Source

v2.2.9

Compare Source

Fixed

• Fix an issue where diesel migration generate --diff-schema incorrectly uses the primary key of table B as the referenced column rather than the primary key of table A when B has a foreign key pointing to table A.
• Bump maximal supported libsqlite3-sys version to 0.32.0 and add explicit feature entries for the uuid and serde_json feature.
• Fixed an issue where diesel generated unnamed prepared statements would fail with an unanmed prepared statement not found error with pgbouncer.
• Fix an issue with converting ipnet::Ipnet values with an subnet to SQL values

v2.2.8

Compare Source

Fixed

• Allow #[diesel(check_for_backend(_))] to check fields with #[diesel(embed)] annotations
• Improve custom compile error message around CompatibleType
• Fix a bug that restricted the number of allowed columns in COPY FROM statements to 12
• Expose some SqliteValue helper functions
• Use consistent whitespace in ASC/DESC, DISTINCT ON, and DELETE FROM clauses

v2.2.7

Compare Source

Fixed

• Fixed diesel thinking a.eq_any(b) was non-nullable even if a and b were nullable.
• Generate InstrumentationEvent::BeginTransaction for immediate and exclusive transactions in SQLite
• Minimize the amount of duplicated code generated for diesel::debug_query
• Updated ipnetwork to allow version 0.21.
• Updated libsqlite3-sys to allow version 0.31.0
• Updated pq-sys to allow version 0.7.0
• Add support for numeric operators (+-*/) in #[diesel::auto_type]
• Add support for joins to sub-jons to aliases

v2.2.6

Compare Source

Fixed

• Remove more mentions of gitter from the documentation

v2.2.5

Compare Source

Fixed

• Add a typedef for Returning and Count so that #[auto_type] works with such queries
• Fixed an issue that allowed to pass non-boolean expressions to .and() and .or() which would
  result in queries failing at runtime
• Officially deprecating the gitter room

Removed

• Do not mention the gitter channel in our docs anymore

v2.2.4

Compare Source

Fixed

• Fix an issue where empty queries could trigger undefined behaviour in the sqlite backend

v2.2.3

Compare Source

Fixed

• Support for libsqlite3-sys 0.30.0
• Fixed a possible vulnerability in how Diesel handled protocol level bind parameters.
  See the SQL Injection isn't Dead: Smuggling Queries at Protocol Level presentation from DEF CON for details
• Fixed an issue with a possibly ambiguous trait resolution in #[derive(QueryableByName)]

v2.2.2

Compare Source

Fixed

• Support for libsqlite3-sys 0.29.0
• Fixed a potential panic in the sqlite cursor implementation
• Fixed support for rust numeric operators with columns of the type Numeric
• Removed the SerializedDatabase::new function due to unsoundness

v2.2.1

Compare Source

v2.2.0

Compare Source

Added

• Support [print_schema] except_custom_type_definitions = ["Vector"]. If a custom type matches one element on the list it's skipped.
• Added automatic usage of all sqlite rowid aliases when no explicit primary key is defined for print-schema
• Added a #[dsl::auto_type] attribute macro, allowing to infer type of query fragment functions
• Added the same type inference on Selectable derives, which allows skipping specifying select_expression_type most of the time, in turn enabling most queries to be written using just a Selectable derive.
• Added an optional #[diesel(skip_insertion)] field attribute to the Insertable derive macro, allowing fields which map to generated columns to be skipped during insertion.
• Support for connection instrumentation. This allows to inspect any query run by your application
• Logging in diesel-cli
• Support for libsqlite3-sys 0.28
• Add sqlite-integer-primary-key-is-bigint configuration option, usable with SQLite 3.37 or above, allowing to use BigInt for INTEGER PRIMARY KEY columns in SQLite for tables without the WITHOUT ROWID attribute (SQLite doc).
• Support for multiple print_schema entry in diesel.toml (e.g. [print_schema.user1]), which allows generating multiple schema.rs files
• Add support for COPY TO and COPY FROM statements
• Add support for mapping chrono::Duration to postgresql's INTERVAL sql type
• Added serialize_database_to_buffer and deserialize_readonly_database_from_buffer methods in SqliteConnection to support serialization/deserialization of SQLite databases to and from byte buffers.
• Added SerializedDatabase wrapper type for a serialized database that is dynamically allocated by calling serialize_database_to_buffer. This RAII wrapper deallocates the memory when it goes out of scope with sqlite3_free.

Changed

• The minimal officially supported rustc version is now 1.78.0
• Deprecated sql_function! in favour of define_sql_function! which provides compatibility with #[dsl::auto_type]
• Deserialization error messages now contain information about the field that failed to deserialize

v2.1.6

Compare Source

• Fix using BoxableExpression with having clauses
• Fix using numeric expressions with aliased fields
• Minor documentation fixes

v2.1.5

Compare Source

• Fix impl SqlOrd postgres > postgres_backend feature flag.
• Allow Queryable to be used with multiple table names.
• Fix an inconsistent unit test
• Fix a clippy lint
• Fix ./bin/test feature flag calls.
• Update libsqlite3-sys to allow version 0.28 as well

v2.1.4

Compare Source

• Update libsqlite3-sys to allow version 0.27 as well

v2.1.3

Compare Source

• Increased accidentally decreased limit around element count in DISTINCT ON and ORDER BY clauses again as that broke existing code

v2.1.2

Compare Source

v2.1.1

Compare Source

v2.1.0

Compare Source

Changed

• The minimal officially supported rustc version is now 1.65.0

Added

• Added the custom_type_derives config option to customize the derives for SQL
  type definitions automatically generated by Diesel CLI.
• Add a #[derive(MultiConnection)] proc-macro that lets you easily implement diesel::Connection
  for an enum of connections to different database backends.
• Added a --diff-schema flag to the diesel migration generate command that generates a migration based
  on the difference between your database and the provided schema.rs file
• Add a ON CONFLICT (...) DO UPDATE ... [WHERE ...] conditional clause support for PostgreSQL.
• Add support for MySQL's ON DUPLICATE KEY DO UPDATE syntax through the existing upsert functions.
• Add ability to define multiple columns in a single distinct_on for PostgreSQL,
  like: .distinct_on((column_a, column_b)).
• Added column size restrictions to the generated schema.rs file

v2.0.4

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

v2.0.1

Compare Source

Fixed

• Fixed an issue with diesel_cli generating incompatible type names for the generate_missing_sql_type_definitions feature on PostgreSQL
• Fixed an issue how diesel_cli handles sqlite urls while checking if a given database exists
• Fixed an issue with PgConnection becoming unusable after hitting a database error in certain situations
• Fixed an issue with diesel generating invalid SQL for certain INSERT … ON CONFLICT queries
• Fixed diesel_derives generating code that triggers the disabled by default unused_qualifications lint

v2.0.0

Compare Source

Added

• MysqlConnection::establish is able to initiate an SSL connection while specifying certificate roots. The database URL should contain an ssl_ca parameter with a path pointing to the certificate roots. See docs if desired.

• MysqlConnection::establish is able to initiate an SSL connection. The database URL should contain ssl_mode parameter with a value of the MySQL client command option --ssl-mode if desired.

• Connection and SimpleConnection traits are implemented for a broader range
  of r2d2::PooledConnection<M> types when the r2d2 feature is enabled.

• Added DatabaseErrorKind::ReadOnlyTransaction to allow applications to
  handle errors caused by writing when only allowed to read.

• All expression methods can now be called on expressions of nullable types.

• Added BoxedSqlQuery. This allows users to do a variable amount of .sql or
  .bind calls without changing the underlying type.

• Added .sql to SqlQuery and UncheckedBind to allow appending SQL code to
  an existing query.

• The MacAddr SQL type can now be used without enabling the network-address
  feature.

• Added support for SQLite's UPSERT.
  You can use this feature above SQLite version 3.24.0.

• Added ability to create custom aggregate functions in SQLite.

• Multiple aggregate expressions can now appear together in the same select
  clause. See the upgrade notes for details.

• ValidGrouping has been added to represent whether an expression is valid for
  a given group by clause, and whether or not it's aggregate. It replaces the
  functionality of NonAggregate. See the upgrade
  notes for details.

• It is now possible to inspect the type of values returned from the database
  in such a way to support constructing a dynamic value depending on this type.

• Added a without-deprecated feature that unconditionally disables deprecated items.
  Use this feature flag to verify that none of your dependencies is setting
  the with-deprecated flag internally.

• Added support for PostgreSQL's SIMILAR TO and NOT SIMILAR TO.

• Added #[diesel(serialize_as)] analogous to #[diesel(deserialize_as)]. This allows
  customization of the serialization behaviour of Insertable and AsChangeset structs.

• Added support for GROUP BY clauses

• Added support for UNION, UNION ALL, INTERSECT, INTERSECT ALL, EXCEPT, EXCEPT ALL clauses

• Added the error position for PostgreSQL errors

• Added ability to create custom collation functions in SQLite.

• Added support for SQLite's IS and IS NOT.

• Add support for HAVING clauses.

• Added support for SQL functions without arguments for SQLite.

• Diesel CLI will now generate SQL type definitions for SQL types that are not supported by diesel out of the box. It's possible to disable this behavior via the generate_missing_sql_type_definitions config option.

• Added an option to #[derive(Insertable)] that let you insert NULL values instead of DEFAULT values for Option<T>

• Added support for all the derive attributes being inside #[diesel(...)]

• Added support for RETURNING expressions for Sqlite via the returning_clauses_for_sqlite_3_35 feature

• Added support for table aliasing via the alias! macro

• Added support for the usage of slices of references with belonging_to from BelongingToDsl

• Added support for updating individual array elements UPDATE table SET array_column[1] = true

• Adds an ipnet-address feature flag, allowing support (de)serializing IP
  values from the database using types provided by ipnet. This feature
  may be enabled concurrently with the previously existing network-address
  feature.

• We've added support for loading values using libpq's row-by-row mode via
  the new iterator interface

• Adds Timestamp, Timestamptz support for appropriate types for time v0.3.9.
  This feature enables using the time crate as an alternative to chrono.

Removed

• All previously deprecated items have been removed.
• Support for uuid version < 0.7.0 has been removed.
• Support for bigdecimal < 0.0.13 has been removed.
• Support for pq-sys < 0.4.0 has been removed.
• Support for mysqlclient-sys < 0.2.5 has been removed.
• Support for time (0.1) types has been removed.
• Support for chrono < 0.4.19 has been removed.
• The minimal supported version of libsqlite3-sys is now 0.17.2.
• The NonNull trait for sql types has been removed in favour of the new SqlType trait.
• no_arg_sql_function! has been deprecated without replacement.
  [sql_function!][sql-function-2-0-0] can now be used for functions with zero
  arguments. See the migration guide for more details.
• Support for barrel based migrations has been removed for now. We are happy to
  add this support back as soon as barrel integrates with our new migration framework.
• The deprecated bash completions command (diesel bash-completions) has been removed.
  Use diesel completions <shell> instead.

Changed

• The minimal officially supported rustc version is now 1.56.0

• Interacting with a database requires a mutable connection.

• The way the Backend trait handles its RawValue type has
  been changed to allow non-references. Users of this type (e.g. code written
  &DB::RawValue or &<DB as Backend>::RawValue>) should use
  backend::RawValue<DB> instead. Implementors of Backend
  should check the relevant section of the migration guide.

• The type metadata for MySQL has been changed to include sign information. If
  you are implementing HasSqlType for Mysql manually, you may need to adjust
  your implementation to fully use the new unsigned variants in MysqlType

• The RawValue types for the Mysql and Postgresql backend where changed
  from [u8] to distinct opaque types. If you used the concrete RawValue type
  somewhere you need to change it to mysql::MysqlValue or pg::PgValue.

• The uuidv07 feature was renamed to uuid, due to the removal of support for older uuid versions

• Boxed queries (constructed from .into_boxed()) are now Send.

• The handling of mixed aggregate values is more robust. Invalid queries such as
  .select(max(id) + other_column) are now correctly rejected, and valid
  queries such as .select((count_star(), max(other_column))) are now correctly
  accepted. For more details, see the migration guide.

• NonAggregate is now a trait alias for ValidGrouping<()> for expressions
  that are not aggregate. On stable this is a normal trait with a blanket impl,
  but it should never be implemented directly. With the unstable feature, it
  will use trait aliases which prevent manual implementations.

  Due to language limitations, we cannot make the new trait alias by itself
  represent everything it used to, so in some rare cases code changes may be
  required. See the migration guide for details.

• Various __NonExhaustive variants in different (error-) enums are replaced with
  #[non_exhaustive]. If you matched on one of those variants explicitly you need to
  introduce a wild card match instead.

• FromSql::from_sql is changed to construct value from non nullable database values.
  To construct a rust value for nullable values use the new FromSql::from_nullable_sql
  method instead.

• Custom sql types are now required to implement the new SqlType trait. Diesel will
  automatically create implementations of that trait for all types having a #[derive(SqlType)]

• The workflow for manually implementing support custom types has changed. Implementing
  FromSqlRow<ST, DB> is not required anymore, as this is now implied by implementing
  FromSql<ST, DB>. The requirement of implementing Queryable<ST, DB> remains
  unchanged. For types using #[derive(FromSqlRow)] no changes are required as the
  derive automatically generates the correct code

• The structure of our deserialization trait has changed. Loading values from the database
  requires now that the result type implements FromSqlRow<ST, DB>. Diesel provides wild
  card implementations for types implementing Queryable<ST, DB> or QueryableByName<DB>
  so non generic code does not require any change. For generic code you likely need to
  replace a trait bound on Queryable<ST, DB> with a trait bound on FromSqlRow<ST, DB>
  and a bound to QueryableByName<DB> with FromSqlRow<Untyped, DB>.

• CLI flags of only-tables and except-tables are now interpreted as regular expressions.
  Similarly, only_tables and except_tables in diesel.toml are treated as regular expressions.

• Now you can sort column fields by name with the column-sorting option.
  It can be set to either ordinal_position (default) or name.
  This ensures stable sorting even if columns are removed and re-added.

• The Queryable<ST,DB> trait was updated to be made faillible, in order to properly handle
  cases where you detect a data inconsistency between fields on deserialization
  (that e.g. was supposed to be made impossible by DB CHECKs). The build function now
  returns a
  diesel::deserialize::Result<Self>
  instead of a Self.

• TypeMetadata::MetadataLookup is now ?Sized.

• Multiple implementations of Connection<Backend=Pg> are now possible
  because of the new PgMetadataLookup trait.

• For the Pg backend, TypeMetadata::MetadataLookup has changed to dyn PgMetadataLookup.

• Diesel's migration framework was rewritten from the ground. Existing migrations continue to
  be compatible with the rewrite, but code calling into diesel_migrations requires an update.
  See the migration guide for details.

• eq_any() now emits a = ANY() expression for the postgresql backend instead of IN()

• ne_all() now emits a != ALL() expression for the postgresql backend instead of NOT IN()

• The sqlite backend now uses a single batch insert statement if there are now default values present
  in the values clause

• The MySQL connection is using the CLIENT_FOUND_ROWS from now on. This means that updating rows without changing any values will return the number of matched rows (like most other SQL servers do), as opposed to the number of changed rows.

• The definition of ToSql::to_sql and QueryFragment::walk_ast has changed to allow serializing values without
  copying the value itself. This is useful for database backends like sqlite where you can directly share a buffer
  with the database. Beside of the changed signature, existing impls of this trait should remain unchanged in almost
  all cases.

• The PIPES_AS_CONCAT sql_mode is no longer set
  by default. This setting requires a modification to MySQL query parsing that is
  not supported by certain systems (such as Vitess). If you are using MySQL and
  executing raw queries with the || operator, you will need to rewrite your
  queries or set PIPES_AS_CONCAT manually.

Fixed

• Many types were incorrectly considered non-aggregate when they should not
  have been. All types in Diesel are now correctly only considered
  non-aggregate if their parts are.

• Offset clauses without limit clauses resulted into invalid sql using the mysql or
  sqlite backend. Both do not support such clauses without a preceding limit clause.
  For those backend Diesel does now generate a fake limit clause in case no explicit
  limit clause was given. As consequence of this change generic query code may
  require additional trait bounds as requested from the compiler. Third party
  backends are required to explicitly provide QueryFragment impls for
  LimitOffsetClause<L, O> now.

• Nullability requirements are now properly enforced for nested joins.
  Previously, only the rules for the outer-most join were considered. For
  example, users.left_join(posts).left_join(comments) would allow selecting
  any columns from posts. That will now fail to compile, and any selections
  from posts will need to be made explicitly nullable.

• Diesel CLI will now look for diesel.toml to determine the project root
  before looking for Cargo.toml.

• Any relative paths in diesel.toml will now be treated as relative to the
  project root (the directory containing either diesel.toml or Cargo.toml).
  They are no longer dependent on the current working directory (for all
  directories in the same project)

• The SQLite backend is now configured to interpret URIs.
  See the SQLite URI documentation for additional details.

• We've refactored our type translation layer for Mysql to handle more types now.

• We've refactored our type level representation of nullable values. This allowed us to
  fix multiple long standing bugs regarding the correct handling of nullable values in some
  corner cases (#​104, #​2274)

• Parenthesis are now inserted around all infix operations provided by diesel's ExpressionMethods traits

• Queries containing a distinct on clause check now on compile time that a compatible order clause was set.

• Implementations of custom SQLite SQL functions now check for panics

• diesel print-schema now generates Array<Nullable<ST>> rather than Array<ST> for Postgres Array types. Existence of
  NULL values in database arrays would previously result in deserialization errors. Non-nullable arrays are now opt
  in (by schema patching).

Deprecated

• All the diesel derive attributes that are not inside #[diesel(...)]

• diesel_(prefix|postfix|infix)_operator! have been deprecated. These macros
  are now available without the diesel_ prefix. With Rust 2018 they can be
  invoked as diesel::infix_operator! instead.

• diesel::pg::upsert has been deprecated to support upsert queries on more than one backend.
  Please use diesel::upsert instead.

• diesel::dsl::any and diesel::dsl::all are now deprecated in
  favour of ExpressionMethods::eq_any() and ExpressionMethods::ne_all()

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.