Today we are releasing SequelPG v0.1.7. This update, together with v0.1.6, represents a significant step forward in code quality, security, and performance. Version 0.1.6 delivered a comprehensive audit across 36 files, while 0.1.7 modernizes the entire codebase to macOS 14+ with native SwiftUI patterns.

Here is everything that changed across versions 0.1.6 and 0.1.7.

Native Table grid replaces custom grid

The most visible change in v0.1.7 is the data grid. The previous implementation used a custom ScrollView + LazyVStack layout to render table rows. This worked, but it required manual column sizing, custom selection handling, and could struggle with wide tables.

The new implementation uses SwiftUI's native Table with TableColumnForEach for dynamic columns. This gives us built-in cell reuse, proper column resizing, and native sort indicators in the column headers. Click any column header to sort by that column — the sort direction toggles automatically and uses a custom ColumnSortComparator for correct ordering.

Modern @Observable replaces ObservableObject

All five ViewModels have been migrated from the older ObservableObject/@Published pattern to the new @Observable macro introduced in macOS 14. This is more than a syntax change — it enables per-property tracking, which means SwiftUI only re-renders the views that actually depend on the specific property that changed.

Along with this migration:

  • @EnvironmentObject is replaced with @Environment(Type.self) across 12 views.
  • @StateObject is replaced with @State in the app entry point.
  • @Bindable is used where view bindings are needed.
  • All onChange(of:) calls use the non-deprecated two-parameter form.
  • The Combine dependency has been completely removed — no more objectWillChange forwarding or AnyCancellable.

The minimum deployment target has been raised from macOS 13 to macOS 14.4 to support these APIs.

Comprehensive security audit

Version 0.1.6 ran four parallel audits (security, PostgreSQL correctness, UI performance, and code quality) and addressed findings across 36 files. Here are the security highlights:

  • SSH password handling — passwords are now delivered to the ssh process via a FIFO (named pipe) instead of a temporary file on disk, preventing exposure to other processes.
  • SSH host key verification — changed from accept-new to strict verification, matching standard SSH security practices.
  • Keychain protection — items now use kSecAttrAccessibleWhenUnlockedThisDeviceOnly, preventing access from backups or other devices.
  • SQL injection prevention — quoteLiteral uses PostgreSQL's E'...' escape syntax with backslash safety, and DML operations use typed casts for non-text columns.
  • Connection loss detection — SQL states starting with 08 are now detected and surfaced to the user immediately.
  • Password cache — cleared on disconnect so credentials are not held in memory longer than needed.
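
The SQL injection item above, sketched as an added example that is not taken from SequelPG's source: why an E'...' literal needs backslashes doubled as well as quotes, and how a typed cast is appended for non-text columns. The function names, the error type and the type-name check are assumptions made for illustration.

```swift
import Foundation

// Added example; not SequelPG's source. All names below are hypothetical.
enum LiteralError: Error {
    case containsNUL
    case invalidTypeName(String)
}

/// Quote `value` as a PostgreSQL escape-string literal (E'...').
/// Inside E'...' a backslash is always an escape character, whatever
/// standard_conforming_strings is set to, so both \ and ' must be doubled.
/// Doubling only the quote would let a trailing backslash swallow the
/// closing quote of the literal.
func quoteLiteral(_ value: String) throws -> String {
    // PostgreSQL text values cannot hold a NUL byte; fail instead of truncating.
    guard !value.unicodeScalars.contains(where: { $0.value == 0 }) else {
        throw LiteralError.containsNUL
    }
    let escaped = value
        .replacingOccurrences(of: "\\", with: "\\\\")  // \ becomes \\
        .replacingOccurrences(of: "'", with: "''")      // ' becomes ''
    return "E'" + escaped + "'"
}

/// Quote `value` and cast it to `pgType` so a non-text column receives a value
/// of its own type. Assumption: `pgType` comes from the system catalog, never
/// from user input; it is still checked against a conservative character set.
func typedLiteral(_ value: String?, pgType: String) throws -> String {
    guard let value = value else { return "NULL" }
    let allowed = CharacterSet(charactersIn:
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_ ")
    guard !pgType.isEmpty, pgType.unicodeScalars.allSatisfy({ allowed.contains($0) }) else {
        throw LiteralError.invalidTypeName(pgType)
    }
    return try quoteLiteral(value) + "::" + pgType
}

// Constructed sample values, including an embedded quote and a trailing backslash.
let samples: [(String?, String)] = [
    ("O'Brien", "text"),
    ("C:\\temp\\", "text"),
    ("42", "int4"),
    (nil, "timestamptz"),
]
for (value, pgType) in samples {
    let sql = try typedLiteral(value, pgType: pgType)
    print(sql)
}
```

Where the driver supports bound parameters, they remain preferable to building literals; quoting like this is for statements that have to be assembled as text.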

PostgreSQL correctness fixes

The same audit identified and fixed several PostgreSQL-specific issues:

  • float4 values are now decoded as Double to prevent precision loss on round-trip.
  • When reltuples = -1 (table never analyzed), SequelPG falls back to COUNT(*) instead of showing an incorrect count.
  • Server-side statement_timeout is now set per query, so the PostgreSQL server enforces timeouts directly.
  • Schema listing excludes internal pg_toast and pg_temp schemas.
  • SSH tunnel is preserved when switching databases, avoiding unnecessary teardown and rebuild.
  • NOT NULL validation runs before attempting to insert a new row.
  • parseTableFromQuery supports Unicode identifiers in table names.

New SSL modes

In addition to the existing Disable, Allow, Prefer, and Require modes, SequelPG now supports Verify-CA and Verify-Full SSL modes. Verify-CA checks that the server certificate is signed by a trusted CA, while Verify-Full also verifies that the server hostname matches the certificate.

Performance improvements

Beyond the @Observable migration, v0.1.6 included targeted performance fixes:

  • Sorted query results are memoized with a lazy cache and O(1) row index lookups via an index map.
  • Re-selecting the same object in the navigator is now a no-op, avoiding 12 state mutations and 2 database queries.
  • The SQL editor skips updateNSView when metadata has not changed, reducing unnecessary AppKit work.
  • Cell value truncation is done at decode time with static DateFormatter instances instead of creating formatters on each render.

What is next

With the codebase modernized and the security audit complete, we are well positioned for the features ahead:

  • Query history and saved queries
  • Table data export (CSV, JSON)
  • Schema visualization
  • Multi-tab query editor
  • Improved filtering and search in Content view

SequelPG is open source on GitHub. Download the latest release from the releases page, report issues, or contribute directly. We would love your feedback.