SQLite

The node:sqlite module facilitates working with SQLite databases. To access it:

import sqlite from 'node:sqlite';

This module is only available under the node: scheme.

The following example shows the basic usage of the node:sqlite module to open an in-memory database, write data to the database, and then read the data back.

import { DatabaseSync } from 'node:sqlite';
const database = new DatabaseSync(':memory:');

// Execute SQL statements from strings.
database.exec(`
  CREATE TABLE data(
    key INTEGER PRIMARY KEY,
    value TEXT
  ) STRICT
`);
// Create a prepared statement to insert data into the database.
const insert = database.prepare('INSERT INTO data (key, value) VALUES (?, ?)');
// Execute the prepared statement with bound values.
insert.run(1, 'hello');
insert.run(2, 'world');
// Create a prepared statement to read data from the database.
const query = database.prepare('SELECT * FROM data ORDER BY key');
// Execute the prepared statement and log the result set.
console.log(query.all());
// Prints: [ { key: 1, value: 'hello' }, { key: 2, value: 'world' } ]

This class represents a single connection to a SQLite database. All APIs exposed by this class execute synchronously.

new DatabaseSync(path, options?)

Constructs a new DatabaseSync instance.

database.aggregate(name, options)

Registers a new aggregate function with the SQLite database. This method is a wrapper around sqlite3_create_window_function().

When used as a window function, the result function will be called multiple times.

const { DatabaseSync } = require('node:sqlite');

const db = new DatabaseSync(':memory:');
db.exec(`
  CREATE TABLE t3(x, y);
  INSERT INTO t3 VALUES ('a', 4),
                        ('b', 5),
                        ('c', 3),
                        ('d', 8),
                        ('e', 1);
`);

db.aggregate('sumint', {
  start: 0,
  step: (acc, value) => acc + value,
});

db.prepare('SELECT sumint(y) as total FROM t3').get(); // { total: 21 }

database.close()

Closes the database connection. An exception is thrown if the database is not open. This method is a wrapper around sqlite3_close_v2().

database.loadExtension(path)

Loads a shared library into the database connection. This method is a wrapper around sqlite3_load_extension(). It is required to enable the allowExtension option when constructing the DatabaseSync instance.

database.enableLoadExtension(allow)

Enables or disables the loadExtension SQL function, and the loadExtension() method. When allowExtension is false when constructing, you cannot enable loading extensions for security reasons.

database.enableDefensive(active)

Enables or disables the defensive flag. When the defensive flag is active, language features that allow ordinary SQL to deliberately corrupt the database file are disabled. See SQLITE_DBCONFIG_DEFENSIVE in the SQLite documentation for details.

database.location(dbName?): string | null

This method is a wrapper around sqlite3_db_filename()

database.exec(sql)

This method allows one or more SQL statements to be executed without returning any results. This method is useful when executing SQL statements read from a file. This method is a wrapper around sqlite3_exec().

database.function(name, options?, fn)

This method is used to create SQLite user-defined functions. This method is a wrapper around sqlite3_create_function_v2().

database.setAuthorizer(callback)

Sets an authorizer callback that SQLite will invoke whenever it attempts to access data or modify the database schema through prepared statements. This can be used to implement security policies, audit access, or restrict certain operations. This method is a wrapper around sqlite3_set_authorizer().

When invoked, the callback receives five arguments:

The callback must return one of the following constants:

• SQLITE_OK - Allow the operation.
• SQLITE_DENY - Deny the operation (causes an error).
• SQLITE_IGNORE - Ignore the operation (silently skip).

const { DatabaseSync, constants } = require('node:sqlite');
const db = new DatabaseSync(':memory:');

// Set up an authorizer that denies all table creation
db.setAuthorizer((actionCode) => {
  if (actionCode === constants.SQLITE_CREATE_TABLE) {
    return constants.SQLITE_DENY;
  }
  return constants.SQLITE_OK;
});

// This will work
db.prepare('SELECT 1').get();

// This will throw an error due to authorization denial
try {
  db.exec('CREATE TABLE blocked (id INTEGER)');
} catch (err) {
  console.log('Operation blocked:', err.message);
}

An object for getting and setting SQLite database limits at runtime. Each property corresponds to an SQLite limit and can be read or written.

const db = new DatabaseSync(':memory:');

// Read current limit
console.log(db.limits.length);

// Set a new limit
db.limits.sqlLength = 100000;

// Reset a limit to its compile-time maximum
db.limits.sqlLength = Infinity;

Available properties: length, sqlLength, column, exprDepth, compoundSelect, vdbeOp, functionArg, attach, likePatternLength, variableNumber, triggerDepth.

Setting a property to Infinity resets the limit to its compile-time maximum value.

database.open()

Opens the database specified in the path argument of the DatabaseSync constructor. This method should only be used when the database is not opened via the constructor. An exception is thrown if the database is already open.

database.prepare(sql, options?): StatementSync

Compiles a SQL statement into a prepared statement. This method is a wrapper around sqlite3_prepare_v2().

database.createTagStore(maxSize?): SQLTagStore

Creates a new SQLTagStore, which is a Least Recently Used (LRU) cache for storing prepared statements. This allows for the efficient reuse of prepared statements by tagging them with a unique identifier.

When a tagged SQL literal is executed, the SQLTagStore checks if a prepared statement for the corresponding SQL query string already exists in the cache. If it does, the cached statement is used. If not, a new prepared statement is created, executed, and then stored in the cache for future use. This mechanism helps to avoid the overhead of repeatedly parsing and preparing the same SQL statements.

Tagged statements bind the placeholder values from the template literal as parameters to the underlying prepared statement. For example:

sqlTagStore.get`SELECT ${value}`;

is equivalent to:

db.prepare('SELECT ?').get(value);

However, in the first example, the tag store will cache the underlying prepared statement for future use.

Note: The ${value} syntax in tagged statements binds a parameter to the prepared statement. This differs from its behavior in untagged template literals, where it performs string interpolation.

// This a safe example of binding a parameter to a tagged statement.
sqlTagStore.run`INSERT INTO t1 (id) VALUES (${id})`;

// This is an *unsafe* example of an untagged template string.
// `id` is interpolated into the query text as a string.
// This can lead to SQL injection and data corruption.
db.run(`INSERT INTO t1 (id) VALUES (${id})`);

JavaScriptCopy to clipboard

The tag store will match a statement from the cache if the query strings (including the positions of any bound placeholders) are identical.

// The following statements will match in the cache:
sqlTagStore.get`SELECT * FROM t1 WHERE id = ${id} AND active = 1`;
sqlTagStore.get`SELECT * FROM t1 WHERE id = ${12345} AND active = 1`;

// The following statements will not match, as the query strings
// and bound placeholders differ:
sqlTagStore.get`SELECT * FROM t1 WHERE id = ${id} AND active = 1`;
sqlTagStore.get`SELECT * FROM t1 WHERE id = 12345 AND active = 1`;

// The following statements will not match, as matches are case-sensitive:
sqlTagStore.get`SELECT * FROM t1 WHERE id = ${id} AND active = 1`;
sqlTagStore.get`select * from t1 where id = ${id} and active = 1`;

The only way of binding parameters in tagged statements is with the ${value} syntax. Do not add parameter binding placeholders (? etc.) to the SQL query string itself.

import { DatabaseSync } from 'node:sqlite';

const db = new DatabaseSync(':memory:');
const sql = db.createTagStore();

db.exec('CREATE TABLE users (id INT, name TEXT)');

// Using the 'run' method to insert data.
// The tagged literal is used to identify the prepared statement.
sql.run`INSERT INTO users VALUES (1, 'Alice')`;
sql.run`INSERT INTO users VALUES (2, 'Bob')`;

// Using the 'get' method to retrieve a single row.
const name = 'Alice';
const user = sql.get`SELECT * FROM users WHERE name = ${name}`;
console.log(user); // { id: 1, name: 'Alice' }

// Using the 'all' method to retrieve all rows.
const allUsers = sql.all`SELECT * FROM users ORDER BY id`;
console.log(allUsers);
// [
//   { id: 1, name: 'Alice' },
//   { id: 2, name: 'Bob' }
// ]

database.createSession(options?): Session

Creates and attaches a session to the database. This method is a wrapper around sqlite3session_create() and sqlite3session_attach().

database.applyChangeset(changeset, options?): boolean

An exception is thrown if the database is not open. This method is a wrapper around sqlite3changeset_apply().

import { DatabaseSync } from 'node:sqlite';

const sourceDb = new DatabaseSync(':memory:');
const targetDb = new DatabaseSync(':memory:');

sourceDb.exec('CREATE TABLE data(key INTEGER PRIMARY KEY, value TEXT)');
targetDb.exec('CREATE TABLE data(key INTEGER PRIMARY KEY, value TEXT)');

const session = sourceDb.createSession();

const insert = sourceDb.prepare('INSERT INTO data (key, value) VALUES (?, ?)');
insert.run(1, 'hello');
insert.run(2, 'world');

const changeset = session.changeset();
targetDb.applyChangeset(changeset);
// Now that the changeset has been applied, targetDb contains the same data as sourceDb.

database[Symbol.dispose]()

Closes the database connection. If the database connection is already closed then this is a no-op.

session.changeset(): Uint8Array

Retrieves a changeset containing all changes since the changeset was created. Can be called multiple times. An exception is thrown if the database or the session is not open. This method is a wrapper around sqlite3session_changeset().

session.patchset(): Uint8Array

Similar to the method above, but generates a more compact patchset. See Changesets and Patchsets in the documentation of SQLite. An exception is thrown if the database or the session is not open. This method is a wrapper around sqlite3session_patchset().

session.close()

Closes the session. An exception is thrown if the database or the session is not open. This method is a wrapper around sqlite3session_delete().

session[Symbol.dispose]()

Closes the session. If the session is already closed, does nothing.

This class represents a single prepared statement. This class cannot be instantiated via its constructor. Instead, instances are created via the database.prepare() method. All APIs exposed by this class execute synchronously.

A prepared statement is an efficient binary representation of the SQL used to create it. Prepared statements are parameterizable, and can be invoked multiple times with different bound values. Parameters also offer protection against SQL injection attacks. For these reasons, prepared statements are preferred over hand-crafted SQL strings when handling user input.

statement.all(namedParameters?, ...anonymousParameters?): Array

This method executes a prepared statement and returns all results as an array of objects. If the prepared statement does not return any results, this method returns an empty array. The prepared statement parameters are bound using the values in namedParameters and anonymousParameters.

statement.columns(): Array

This method is used to retrieve information about the columns returned by the prepared statement.

The source SQL text of the prepared statement with parameter placeholders replaced by the values that were used during the most recent execution of this prepared statement. This property is a wrapper around sqlite3_expanded_sql().

statement.get(namedParameters?, ...anonymousParameters?): Object | undefined

This method executes a prepared statement and returns the first result as an object. If the prepared statement does not return any results, this method returns undefined. The prepared statement parameters are bound using the values in namedParameters and anonymousParameters.

statement.iterate(namedParameters?, ...anonymousParameters?): Iterator

This method executes a prepared statement and returns an iterator of objects. If the prepared statement does not return any results, this method returns an empty iterator. The prepared statement parameters are bound using the values in namedParameters and anonymousParameters.

statement.run(namedParameters?, ...anonymousParameters?): Object

This method executes a prepared statement and returns an object summarizing the resulting changes. The prepared statement parameters are bound using the values in namedParameters and anonymousParameters.

statement.setAllowBareNamedParameters(enabled)

The names of SQLite parameters begin with a prefix character. By default, node:sqlite requires that this prefix character is present when binding parameters. However, with the exception of dollar sign character, these prefix characters also require extra quoting when used in object keys.

To improve ergonomics, this method can be used to also allow bare named parameters, which do not require the prefix character in JavaScript code. There are several caveats to be aware of when enabling bare named parameters:

• The prefix character is still required in SQL.
• The prefix character is still allowed in JavaScript. In fact, prefixed names will have slightly better binding performance.
• Using ambiguous named parameters, such as $k and @k, in the same prepared statement will result in an exception as it cannot be determined how to bind a bare name.

statement.setAllowUnknownNamedParameters(enabled)

By default, if an unknown name is encountered while binding parameters, an exception is thrown. This method allows unknown named parameters to be ignored.

statement.setReturnArrays(enabled)

When enabled, query results returned by the all(), get(), and iterate() methods will be returned as arrays instead of objects.

statement.setReadBigInts(enabled)

When reading from the database, SQLite INTEGERs are mapped to JavaScript numbers by default. However, SQLite INTEGERs can store values larger than JavaScript numbers are capable of representing. In such cases, this method can be used to read INTEGER data using JavaScript BigInts. This method has no impact on database write operations where numbers and BigInts are both supported at all times.

The source SQL text of the prepared statement. This property is a wrapper around sqlite3_sql().

This class represents a single LRU (Least Recently Used) cache for storing prepared statements.

Instances of this class are created via the database.createTagStore() method, not by using a constructor. The store caches prepared statements based on the provided SQL query string. When the same query is seen again, the store retrieves the cached statement and safely applies the new values through parameter binding, thereby preventing attacks like SQL injection.

The cache has a maxSize that defaults to 1000 statements, but a custom size can be provided (e.g., database.createTagStore(100)). All APIs exposed by this class execute synchronously.

sqlTagStore.all(stringElements, ...boundParameters?): Array

Executes the given SQL query and returns all resulting rows as an array of objects.

This function is intended to be used as a template literal tag, not to be called directly.

sqlTagStore.get(stringElements, ...boundParameters?): Object | undefined

Executes the given SQL query and returns the first resulting row as an object.

This function is intended to be used as a template literal tag, not to be called directly.

sqlTagStore.iterate(stringElements, ...boundParameters?): Iterator

Executes the given SQL query and returns an iterator over the resulting rows.

This function is intended to be used as a template literal tag, not to be called directly.

sqlTagStore.run(stringElements, ...boundParameters?): Object

Executes the given SQL query, which is expected to not return any rows (e.g., INSERT, UPDATE, DELETE).

This function is intended to be used as a template literal tag, not to be called directly.

A read-only property that returns the number of prepared statements currently in the cache.

A read-only property that returns the maximum number of prepared statements the cache can hold.

A read-only property that returns the DatabaseSync object associated with this SQLTagStore.

sqlTagStore.clear()

Resets the LRU cache, clearing all stored prepared statements.

When Node.js writes to or reads from SQLite, it is necessary to convert between JavaScript data types and SQLite's data types. Because JavaScript supports more data types than SQLite, only a subset of JavaScript types are supported. Attempting to write an unsupported data type to SQLite will result in an exception.

APIs that read values from SQLite have a configuration option that determines whether INTEGER values are converted to number or bigint in JavaScript, such as the readBigInts option for statements and the useBigIntArguments option for user-defined functions. If Node.js reads an INTEGER value from SQLite that is outside the JavaScript safe integer range, and the option to read BigInts is not enabled, then an ERR_OUT_OF_RANGE error will be thrown.

sqlite.backup(sourceDb, path, options?): Promise

This method makes a database backup. This method abstracts the sqlite3_backup_init(), sqlite3_backup_step() and sqlite3_backup_finish() functions.

The backed-up database can be used normally during the backup process. Mutations coming from the same connection - same <DatabaseSync> - object will be reflected in the backup right away. However, mutations from other connections will cause the backup process to restart.

const { backup, DatabaseSync } = require('node:sqlite');

(async () => {
  const sourceDb = new DatabaseSync('source.db');
  const totalPagesTransferred = await backup(sourceDb, 'backup.db', {
    rate: 1, // Copy one page at a time.
    progress: ({ totalPages, remainingPages }) => {
      console.log('Backup in progress', { totalPages, remainingPages });
    },
  });

  console.log('Backup completed', totalPagesTransferred);
})();

An object containing commonly used constants for SQLite operations.

The following constants are exported by the sqlite.constants object.

One of the following constants is available as an argument to the onConflict conflict resolution handler passed to database.applyChangeset(). See also Constants Passed To The Conflict Handler in the SQLite documentation.

One of the following constants must be returned from the onConflict conflict resolution handler passed to database.applyChangeset(). See also Constants Returned From The Conflict Handler in the SQLite documentation.

The following constants are used with the database.setAuthorizer() method.

One of the following constants must be returned from the authorizer callback function passed to database.setAuthorizer().

The following constants are passed as the first argument to the authorizer callback function to indicate what type of operation is being authorized.