by jmull 1137 days ago
I mean that node-postgres doesn't encourage anyone to include parameter values through string concatenation, at least no more than porsager or other SQL-based clients.

Not sure what ORMs have to do with it. They do include a safe parameter substitution mechanism, but so do typical SQL-based clients.


It doesn't explicitly encourage you to do it, but it's very much right there - waiting to happen because you always just pass a string to the query function? In Postgres.js you have to use a function that is specifically named `unsafe` to do that.
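The API difference both comments are arguing about, as an added illustration that is not code from node-postgres or Postgres.js: a plain `query(text, values)` entry point accepts whatever string the caller built, while a tagged template turns every interpolated value into a placeholder by construction and reserves raw SQL for an explicitly named `unsafe` call. The `sql` tag and the `{ text, values }` shape below are a minimal mock of that pattern, not either library's real implementation.

```javascript
// node-postgres style: the client takes a string, so nothing in the API
// stops a caller from building that string by concatenation.
function buildByConcatenation(email) {
  return { text: "SELECT id FROM users WHERE email = '" + email + "'", values: [] };
}

// The safe form for the same kind of client: $n placeholders plus a values array.
function buildParameterized(email) {
  return { text: "SELECT id FROM users WHERE email = $1", values: [email] };
}

// Postgres.js style: a tagged template. Interpolated values never touch the
// SQL text; each one becomes $1, $2, ... and is shipped separately.
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((v, i) => {
    text += "$" + (i + 1) + strings[i + 1];
  });
  return { text, values };
}

// The only way to hand raw SQL through this mock is a call that says so in its name,
// mirroring the `unsafe` function the comment above describes.
sql.unsafe = function (text, values = []) {
  return { text, values, unsafe: true };
};

function buildTagged(email, active) {
  return sql`SELECT id FROM users WHERE email = ${email} AND active = ${active}`;
}

// Constructed sample input: a legitimate address whose apostrophe breaks
// string-built SQL but is harmless as a bound parameter.
const SAMPLE_EMAIL = "o'brien@example.com";
```

With `SAMPLE_EMAIL`, the concatenated variant yields a malformed statement, whereas both parameterized forms keep the SQL text fixed and carry the value out of band.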