node-pg-format

Node.js implementation of PostgreSQL's format() function for safely constructing dynamic SQL queries. Version 1.3.5 is stable and actively maintained, with TypeScript type definitions included. It escapes SQL identifiers (%I) and literals (%L) to prevent SQL injection, supports argument position reordering (n$ syntax), Node Buffers, arrays, and objects. Unlike template literal concatenation (which is unsafe), this library mirrors PostgreSQL's own format() behavior exactly, making it ideal for tools that generate SQL dynamically. The release cadence is low (occasional patches), but the library is mature and reliable.