From d18cb97b5e802a70ffe57fc933e3d367193fda86 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 21:23:34 +0300
Subject: [PATCH 01/14] sqlite: add limits property to DatabaseSync

---
 doc/api/sqlite.md                   |  49 +++++
 src/env_properties.h                |   2 +
 src/node_sqlite.cc                  | 276 ++++++++++++++++++++++++++++
 src/node_sqlite.h                   |  68 +++++++
 test/parallel/test-sqlite-limits.js | 226 +++++++++++++++++++++++
 5 files changed, 621 insertions(+)
 create mode 100644 test/parallel/test-sqlite-limits.js

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index bc834483c057a6..83a74d26eebd64 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -158,6 +158,23 @@ changes:
     language features that allow ordinary SQL to deliberately corrupt the database file are disabled.
     The defensive flag can also be set using `enableDefensive()`.
     **Default:** `true`.
+  * `limits` {Object} Configuration for various SQLite limits. These limits
+    can be used to prevent excessive resource consumption when handling
+    potentially malicious input. See [Run-Time Limits][] and [Limit Constants][]
+    in the SQLite documentation for details. Default values are determined by
+    SQLite's compile-time defaults and may vary depending on how SQLite was
+    built. The following properties are supported:
+    * `length` {number} Maximum length of a string or BLOB.
+    * `sqlLength` {number} Maximum length of an SQL statement.
+    * `column` {number} Maximum number of columns.
+    * `exprDepth` {number} Maximum depth of expression tree.
+    * `compoundSelect` {number} Maximum number of terms in compound SELECT.
+    * `vdbeOp` {number} Maximum number of VDBE instructions.
+    * `functionArg` {number} Maximum number of function arguments.
+    * `attach` {number} Maximum number of attached databases.
+    * `likePatternLength` {number} Maximum length of LIKE pattern.
+    * `variableNumber` {number} Maximum number of SQL variables.
+    * `triggerDepth` {number} Maximum trigger recursion depth.
 
 Constructs a new `DatabaseSync` instance.
 
@@ -446,6 +463,36 @@ added:
 * Type: {boolean} Whether the database is currently within a transaction. This method
   is a wrapper around [`sqlite3_get_autocommit()`][].
 
+### `database.limits`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {Object}
+
+An object for getting and setting SQLite database limits at runtime.
+Each property corresponds to an SQLite limit and can be read or written.
+
+```js
+const db = new DatabaseSync(':memory:');
+
+// Read current limit
+console.log(db.limits.length);
+
+// Set a new limit
+db.limits.sqlLength = 100000;
+
+// Reset a limit to its compile-time maximum
+db.limits.sqlLength = Infinity;
+```
+
+Available properties: `length`, `sqlLength`, `column`, `exprDepth`,
+`compoundSelect`, `vdbeOp`, `functionArg`, `attach`, `likePatternLength`,
+`variableNumber`, `triggerDepth`.
+
+Setting a property to `Infinity` resets the limit to its compile-time maximum value.
+
 ### `database.open()`
 
 <!-- YAML
@@ -1471,6 +1518,8 @@ callback function to indicate what type of operation is being authorized.
 [Changesets and Patchsets]: https://www.sqlite.org/sessionintro.html#changesets_and_patchsets
 [Constants Passed To The Conflict Handler]: https://www.sqlite.org/session/c_changeset_conflict.html
 [Constants Returned From The Conflict Handler]: https://www.sqlite.org/session/c_changeset_abort.html
+[Limit Constants]: https://www.sqlite.org/c3ref/c_limit_attached.html
+[Run-Time Limits]: https://www.sqlite.org/c3ref/limit.html
 [SQL injection]: https://en.wikipedia.org/wiki/SQL_injection
 [Type conversion between JavaScript and SQLite]: #type-conversion-between-javascript-and-sqlite
 [`ATTACH DATABASE`]: https://www.sqlite.org/lang_attach.html
diff --git a/src/env_properties.h b/src/env_properties.h
index 903158ebbdc2b7..f0aa03a42a3012 100644
--- a/src/env_properties.h
+++ b/src/env_properties.h
@@ -235,6 +235,7 @@
   V(kill_signal_string, "killSignal")                                          \
   V(kind_string, "kind")                                                       \
   V(last_insert_rowid_string, "lastInsertRowid")                               \
+  V(limits_string, "limits")                                                   \
   V(length_string, "length")                                                   \
   V(library_string, "library")                                                 \
   V(loop_count, "loopCount")                                                   \
@@ -436,6 +437,7 @@
   V(sqlite_column_template, v8::DictionaryTemplate)                            \
   V(sqlite_statement_sync_constructor_template, v8::FunctionTemplate)          \
   V(sqlite_statement_sync_iterator_constructor_template, v8::FunctionTemplate) \
+  V(sqlite_limits_template, v8::ObjectTemplate)                                \
   V(sqlite_session_constructor_template, v8::FunctionTemplate)                 \
   V(srv_record_template, v8::DictionaryTemplate)                               \
   V(streambaseoutputstream_constructor_template, v8::ObjectTemplate)           \
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 4fad22c618900d..e701af45d590dc 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -12,7 +12,10 @@
 #include "threadpoolwork-inl.h"
 #include "util-inl.h"
 
+#include <array>
 #include <cinttypes>
+#include <cmath>
+#include <limits>
 
 namespace node {
 namespace sqlite {
@@ -36,6 +39,7 @@ using v8::Global;
 using v8::HandleScope;
 using v8::Int32;
 using v8::Integer;
+using v8::Intercepted;
 using v8::Isolate;
 using v8::JustVoid;
 using v8::Local;
@@ -43,12 +47,16 @@ using v8::LocalVector;
 using v8::Maybe;
 using v8::MaybeLocal;
 using v8::Name;
+using v8::NamedPropertyHandlerConfiguration;
 using v8::NewStringType;
 using v8::Nothing;
 using v8::Null;
 using v8::Number;
 using v8::Object;
+using v8::ObjectTemplate;
 using v8::Promise;
+using v8::PropertyCallbackInfo;
+using v8::PropertyHandlerFlags;
 using v8::SideEffectType;
 using v8::String;
 using v8::TryCatch;
@@ -133,6 +141,16 @@ Local<DictionaryTemplate> getLazyIterTemplate(Environment* env) {
 }
 }  // namespace
 
+// Helper function to find limit info from JS property name
+static constexpr const LimitInfo* GetLimitInfoFromName(std::string_view name) {
+  for (const auto& info : kLimitMapping) {
+    if (name == info.js_name) {
+      return &info;
+    }
+  }
+  return nullptr;
+}
+
 inline MaybeLocal<Object> CreateSQLiteError(Isolate* isolate,
                                             const char* message) {
   Local<String> js_msg;
@@ -665,6 +683,176 @@ void UserDefinedFunction::xDestroy(void* self) {
   delete static_cast<UserDefinedFunction*>(self);
 }
 
+DatabaseSyncLimits::DatabaseSyncLimits(Environment* env,
+                                       Local<Object> object,
+                                       BaseObjectWeakPtr<DatabaseSync> database)
+    : BaseObject(env, object), database_(std::move(database)) {
+  MakeWeak();
+}
+
+DatabaseSyncLimits::~DatabaseSyncLimits() = default;
+
+void DatabaseSyncLimits::MemoryInfo(MemoryTracker* tracker) const {
+  tracker->TrackField("database", database_);
+}
+
+Local<ObjectTemplate> DatabaseSyncLimits::GetTemplate(Environment* env) {
+  Local<ObjectTemplate> tmpl = env->sqlite_limits_template();
+  if (!tmpl.IsEmpty()) return tmpl;
+
+  Isolate* isolate = env->isolate();
+  tmpl = ObjectTemplate::New(isolate);
+  tmpl->SetInternalFieldCount(DatabaseSyncLimits::kInternalFieldCount);
+  tmpl->SetHandler(NamedPropertyHandlerConfiguration(
+      LimitsGetter,
+      LimitsSetter,
+      LimitsQuery,
+      nullptr,  // deleter - not allowed
+      LimitsEnumerator,
+      nullptr,  // definer
+      nullptr,
+      Local<Value>(),
+      PropertyHandlerFlags::kHasNoSideEffect));
+
+  env->set_sqlite_limits_template(tmpl);
+  return tmpl;
+}
+
+Intercepted DatabaseSyncLimits::LimitsGetter(
+    Local<Name> property, const PropertyCallbackInfo<Value>& info) {
+  // Skip symbols
+  if (!property->IsString()) {
+    return Intercepted::kNo;
+  }
+
+  DatabaseSyncLimits* limits;
+  ASSIGN_OR_RETURN_UNWRAP(&limits, info.This(), Intercepted::kNo);
+
+  Environment* env = limits->env();
+  Isolate* isolate = env->isolate();
+
+  Utf8Value prop_name(isolate, property);
+  const LimitInfo* limit_info = GetLimitInfoFromName(prop_name.ToStringView());
+
+  if (limit_info == nullptr) {
+    return Intercepted::kNo;  // Unknown property, let default handling occur
+  }
+
+  if (!limits->database_ || !limits->database_->IsOpen()) {
+    THROW_ERR_INVALID_STATE(env, "database is not open");
+    return Intercepted::kYes;
+  }
+
+  int current_value = sqlite3_limit(
+      limits->database_->Connection(), limit_info->sqlite_limit_id, -1);
+  info.GetReturnValue().Set(Integer::New(isolate, current_value));
+  return Intercepted::kYes;
+}
+
+Intercepted DatabaseSyncLimits::LimitsSetter(
+    Local<Name> property,
+    Local<Value> value,
+    const PropertyCallbackInfo<void>& info) {
+  if (!property->IsString()) {
+    return Intercepted::kNo;
+  }
+
+  DatabaseSyncLimits* limits;
+  ASSIGN_OR_RETURN_UNWRAP(&limits, info.This(), Intercepted::kNo);
+
+  Environment* env = limits->env();
+  Isolate* isolate = env->isolate();
+
+  Utf8Value prop_name(isolate, property);
+  const LimitInfo* limit_info = GetLimitInfoFromName(*prop_name);
+
+  if (!limit_info) {
+    return Intercepted::kNo;
+  }
+
+  if (!limits->database_ || !limits->database_->IsOpen()) {
+    THROW_ERR_INVALID_STATE(env, "database is not open");
+    return Intercepted::kYes;
+  }
+
+  if (!value->IsNumber()) {
+    THROW_ERR_INVALID_ARG_TYPE(
+        isolate, "Limit value must be a non-negative integer or Infinity.");
+    return Intercepted::kYes;
+  }
+
+  const double num_value = value.As<Number>()->Value();
+  int new_value;
+
+  if (std::isinf(num_value) && num_value > 0) {
+    // Positive Infinity resets the limit to the compile-time maximum
+    new_value = std::numeric_limits<int>::max();
+  } else if (!value->IsInt32()) {
+    THROW_ERR_INVALID_ARG_TYPE(
+        isolate, "Limit value must be a non-negative integer or Infinity.");
+    return Intercepted::kYes;
+  } else {
+    new_value = value.As<Int32>()->Value();
+    if (new_value < 0) {
+      THROW_ERR_OUT_OF_RANGE(isolate, "Limit value must be non-negative.");
+      return Intercepted::kYes;
+    }
+  }
+
+  sqlite3_limit(
+      limits->database_->Connection(), limit_info->sqlite_limit_id, new_value);
+  return Intercepted::kYes;
+}
+
+Intercepted DatabaseSyncLimits::LimitsQuery(
+    Local<Name> property, const PropertyCallbackInfo<Integer>& info) {
+  if (!property->IsString()) {
+    return Intercepted::kNo;
+  }
+
+  Isolate* isolate = info.GetIsolate();
+  Utf8Value prop_name(isolate, property);
+  const LimitInfo* limit_info = GetLimitInfoFromName(prop_name.ToStringView());
+
+  if (!limit_info) {
+    return Intercepted::kNo;
+  }
+
+  // Property exists and is writable
+  info.GetReturnValue().Set(Integer::New(isolate, v8::PropertyAttribute::None));
+  return Intercepted::kYes;
+}
+
+void DatabaseSyncLimits::LimitsEnumerator(
+    const PropertyCallbackInfo<Array>& info) {
+  Isolate* isolate = info.GetIsolate();
+  LocalVector<Value> names(isolate);
+
+  for (const auto& [js_name, sqlite_limit_id] : kLimitMapping) {
+    Local<String> name;
+    if (!String::NewFromUtf8(isolate,
+                             js_name.data(),
+                             NewStringType::kNormal,
+                             js_name.size())
+             .ToLocal(&name)) {
+      return;
+    }
+    names.push_back(name);
+  }
+
+  info.GetReturnValue().Set(Array::New(isolate, names.data(), names.size()));
+}
+
+BaseObjectPtr<DatabaseSyncLimits> DatabaseSyncLimits::Create(
+    Environment* env, BaseObjectWeakPtr<DatabaseSync> database) {
+  Local<Object> obj;
+  if (!GetTemplate(env)->NewInstance(env->context()).ToLocal(&obj)) {
+    return nullptr;
+  }
+
+  return MakeBaseObject<DatabaseSyncLimits>(env, obj, std::move(database));
+}
+
 DatabaseSync::DatabaseSync(Environment* env,
                            Local<Object> object,
                            DatabaseOpenConfiguration&& open_config,
@@ -763,6 +951,15 @@ bool DatabaseSync::Open() {
 
   sqlite3_busy_timeout(connection_, open_config_.get_timeout());
 
+  // Apply initial limits
+  const auto& limits = open_config_.initial_limits();
+  for (size_t limit_id = 0; limit_id < limits.size(); ++limit_id) {
+    if (limits[limit_id].has_value()) {
+      sqlite3_limit(
+          connection_, static_cast<int>(limit_id), limits[limit_id].value());
+    }
+  }
+
   if (allow_load_extension_) {
     if (env()->permission()->enabled()) [[unlikely]] {
       THROW_ERR_LOAD_SQLITE_EXTENSION(env(),
@@ -1088,6 +1285,61 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
       }
       open_config.set_enable_defensive(defensive_v.As<Boolean>()->Value());
     }
+
+    // Parse limits option
+    Local<Value> limits_v;
+    if (!options->Get(env->context(), env->limits_string())
+             .ToLocal(&limits_v)) {
+      return;
+    }
+    if (!limits_v->IsUndefined()) {
+      if (!limits_v->IsObject()) {
+        THROW_ERR_INVALID_ARG_TYPE(
+            env->isolate(),
+            "The \"options.limits\" argument must be an object.");
+        return;
+      }
+
+      Local<Object> limits_obj = limits_v.As<Object>();
+
+      // Iterate through known limit names and extract values
+      for (const auto& [js_name, sqlite_limit_id] : kLimitMapping) {
+        Local<String> key;
+        if (!String::NewFromUtf8(env->isolate(),
+                                 js_name.data(),
+                                 NewStringType::kNormal,
+                                 js_name.size())
+                 .ToLocal(&key)) {
+          return;
+        }
+
+        Local<Value> val;
+        if (!limits_obj->Get(env->context(), key).ToLocal(&val)) {
+          return;
+        }
+
+        if (!val->IsUndefined()) {
+          if (!val->IsInt32()) {
+            std::string msg = "The \"options.limits." +
+                              std::string(js_name) +
+                              "\" argument must be an integer.";
+            THROW_ERR_INVALID_ARG_TYPE(env->isolate(), msg);
+            return;
+          }
+
+          int limit_val = val.As<Int32>()->Value();
+          if (limit_val < 0) {
+            std::string msg = "The \"options.limits." +
+                              std::string(js_name) +
+                              "\" argument must be non-negative.";
+            THROW_ERR_OUT_OF_RANGE(env->isolate(), msg);
+            return;
+          }
+
+          open_config.set_initial_limit(sqlite_limit_id, limit_val);
+        }
+      }
+    }
   }
 
   new DatabaseSync(
@@ -1115,6 +1367,26 @@ void DatabaseSync::IsTransactionGetter(
   args.GetReturnValue().Set(sqlite3_get_autocommit(db->connection_) == 0);
 }
 
+void DatabaseSync::LimitsGetter(const FunctionCallbackInfo<Value>& args) {
+  DatabaseSync* db;
+  ASSIGN_OR_RETURN_UNWRAP(&db, args.This());
+  Environment* env = Environment::GetCurrent(args);
+
+  Local<Value> limits_val =
+      db->object()->GetInternalField(kLimitsObject).template As<Value>();
+
+  if (limits_val->IsUndefined()) {
+    BaseObjectPtr<DatabaseSyncLimits> limits =
+        DatabaseSyncLimits::Create(env, BaseObjectWeakPtr<DatabaseSync>(db));
+    if (limits) {
+      db->object()->SetInternalField(kLimitsObject, limits->object());
+      args.GetReturnValue().Set(limits->object());
+    }
+  } else {
+    args.GetReturnValue().Set(limits_val);
+  }
+}
+
 void DatabaseSync::Close(const FunctionCallbackInfo<Value>& args) {
   DatabaseSync* db;
   ASSIGN_OR_RETURN_UNWRAP(&db, args.This());
@@ -3472,6 +3744,10 @@ static void Initialize(Local<Object> target,
                           db_tmpl,
                           FIXED_ONE_BYTE_STRING(isolate, "isTransaction"),
                           DatabaseSync::IsTransactionGetter);
+  SetSideEffectFreeGetter(isolate,
+                          db_tmpl,
+                          FIXED_ONE_BYTE_STRING(isolate, "limits"),
+                          DatabaseSync::LimitsGetter);
   Local<String> sqlite_type_key = FIXED_ONE_BYTE_STRING(isolate, "sqlite-type");
   Local<v8::Symbol> sqlite_type_symbol =
       v8::Symbol::For(isolate, sqlite_type_key);
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 515660bf98999b..8cc9e9c74c1189 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -9,13 +9,36 @@
 #include "sqlite3.h"
 #include "util.h"
 
+#include <array>
 #include <list>
 #include <map>
+#include <optional>
+#include <string_view>
 #include <unordered_set>
 
 namespace node {
 namespace sqlite {
 
+// Mapping from JavaScript property names to SQLite limit constants
+struct LimitInfo {
+  std::string_view js_name;
+  int sqlite_limit_id;
+};
+
+inline constexpr std::array<LimitInfo, 11> kLimitMapping = {{
+    {"length", SQLITE_LIMIT_LENGTH},
+    {"sqlLength", SQLITE_LIMIT_SQL_LENGTH},
+    {"column", SQLITE_LIMIT_COLUMN},
+    {"exprDepth", SQLITE_LIMIT_EXPR_DEPTH},
+    {"compoundSelect", SQLITE_LIMIT_COMPOUND_SELECT},
+    {"vdbeOp", SQLITE_LIMIT_VDBE_OP},
+    {"functionArg", SQLITE_LIMIT_FUNCTION_ARG},
+    {"attach", SQLITE_LIMIT_ATTACHED},
+    {"likePatternLength", SQLITE_LIMIT_LIKE_PATTERN_LENGTH},
+    {"variableNumber", SQLITE_LIMIT_VARIABLE_NUMBER},
+    {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH},
+}};
+
 class DatabaseOpenConfiguration {
  public:
   explicit DatabaseOpenConfiguration(std::string&& location)
@@ -69,6 +92,15 @@ class DatabaseOpenConfiguration {
 
   inline bool get_enable_defensive() const { return defensive_; }
 
+  inline void set_initial_limit(int limit_id, int value) {
+    initial_limits_.at(limit_id) = value;
+  }
+
+  inline const std::array<std::optional<int>, kLimitMapping.size()>&
+  initial_limits() const {
+    return initial_limits_;
+  }
+
  private:
   std::string location_;
   bool read_only_ = false;
@@ -80,9 +112,11 @@ class DatabaseOpenConfiguration {
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
   bool defensive_ = true;
+  std::array<std::optional<int>, kLimitMapping.size()> initial_limits_;
 };
 
 class DatabaseSync;
+class DatabaseSyncLimits;
 class StatementSyncIterator;
 class StatementSync;
 class BackupJob;
@@ -118,6 +152,7 @@ class DatabaseSync : public BaseObject {
  public:
   enum InternalFields {
     kAuthorizerCallback = BaseObject::kInternalFieldCount,
+    kLimitsObject,
     kInternalFieldCount
   };
 
@@ -146,6 +181,7 @@ class DatabaseSync : public BaseObject {
   static void EnableLoadExtension(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EnableDefensive(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void LimitsGetter(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void LoadExtension(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetAuthorizer(const v8::FunctionCallbackInfo<v8::Value>& args);
   static int AuthorizerCallback(void* user_data,
@@ -195,6 +231,7 @@ class DatabaseSync : public BaseObject {
   std::set<sqlite3_session*> sessions_;
   std::unordered_set<StatementSync*> statements_;
 
+  friend class DatabaseSyncLimits;
   friend class Session;
   friend class SQLTagStore;
   friend class StatementExecutionHelper;
@@ -351,6 +388,37 @@ class UserDefinedFunction {
   bool use_bigint_args_;
 };
 
+class DatabaseSyncLimits : public BaseObject {
+ public:
+  DatabaseSyncLimits(Environment* env,
+                     v8::Local<v8::Object> object,
+                     BaseObjectWeakPtr<DatabaseSync> database);
+  ~DatabaseSyncLimits() override;
+
+  void MemoryInfo(MemoryTracker* tracker) const override;
+  static v8::Local<v8::ObjectTemplate> GetTemplate(Environment* env);
+  static BaseObjectPtr<DatabaseSyncLimits> Create(
+      Environment* env, BaseObjectWeakPtr<DatabaseSync> database);
+
+  static v8::Intercepted LimitsGetter(
+      v8::Local<v8::Name> property,
+      const v8::PropertyCallbackInfo<v8::Value>& info);
+  static v8::Intercepted LimitsSetter(
+      v8::Local<v8::Name> property,
+      v8::Local<v8::Value> value,
+      const v8::PropertyCallbackInfo<void>& info);
+  static v8::Intercepted LimitsQuery(
+      v8::Local<v8::Name> property,
+      const v8::PropertyCallbackInfo<v8::Integer>& info);
+  static void LimitsEnumerator(const v8::PropertyCallbackInfo<v8::Array>& info);
+
+  SET_MEMORY_INFO_NAME(DatabaseSyncLimits)
+  SET_SELF_SIZE(DatabaseSyncLimits)
+
+ private:
+  BaseObjectWeakPtr<DatabaseSync> database_;
+};
+
 }  // namespace sqlite
 }  // namespace node
 
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
new file mode 100644
index 00000000000000..c52c9a7766f7e1
--- /dev/null
+++ b/test/parallel/test-sqlite-limits.js
@@ -0,0 +1,226 @@
+'use strict';
+const { skipIfSQLiteMissing } = require('../common');
+skipIfSQLiteMissing();
+const { DatabaseSync } = require('node:sqlite');
+const { suite, test } = require('node:test');
+
+suite('DatabaseSync limits', () => {
+  test('limits object has expected properties with positive values', (t) => {
+    const db = new DatabaseSync(':memory:');
+    const expectedProperties = [
+      'length',
+      'sqlLength',
+      'column',
+      'exprDepth',
+      'compoundSelect',
+      'vdbeOp',
+      'functionArg',
+      'attach',
+      'likePatternLength',
+      'variableNumber',
+      'triggerDepth',
+    ];
+
+    for (const prop of expectedProperties) {
+      t.assert.strictEqual(typeof db.limits[prop], 'number',
+                           `${prop} should be a number`);
+      t.assert.ok(db.limits[prop] > 0,
+                  `${prop} should be positive`);
+    }
+  });
+
+  test('constructor accepts limits option', (t) => {
+    const db = new DatabaseSync(':memory:', {
+      limits: {
+        length: 500000,
+        sqlLength: 50000,
+        column: 100,
+        exprDepth: 50,
+        compoundSelect: 10,
+        vdbeOp: 10000,
+        functionArg: 8,
+        attach: 5,
+        likePatternLength: 1000,
+        variableNumber: 100,
+        triggerDepth: 5,
+      }
+    });
+
+    t.assert.strictEqual(db.limits.length, 500000);
+    t.assert.strictEqual(db.limits.sqlLength, 50000);
+    t.assert.strictEqual(db.limits.column, 100);
+    t.assert.strictEqual(db.limits.exprDepth, 50);
+    t.assert.strictEqual(db.limits.compoundSelect, 10);
+    t.assert.strictEqual(db.limits.vdbeOp, 10000);
+    t.assert.strictEqual(db.limits.functionArg, 8);
+    t.assert.strictEqual(db.limits.attach, 5);
+    t.assert.strictEqual(db.limits.likePatternLength, 1000);
+    t.assert.strictEqual(db.limits.variableNumber, 100);
+    t.assert.strictEqual(db.limits.triggerDepth, 5);
+  });
+
+  test('getter returns current limit value', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.strictEqual(typeof db.limits.length, 'number');
+    t.assert.ok(db.limits.length > 0);
+    t.assert.strictEqual(typeof db.limits.sqlLength, 'number');
+    t.assert.ok(db.limits.sqlLength > 0);
+  });
+
+  test('setter modifies limit value', (t) => {
+    const db = new DatabaseSync(':memory:');
+
+    db.limits.length = 100000;
+    t.assert.strictEqual(db.limits.length, 100000);
+
+    db.limits.sqlLength = 50000;
+    t.assert.strictEqual(db.limits.sqlLength, 50000);
+
+    db.limits.column = 50;
+    t.assert.strictEqual(db.limits.column, 50);
+  });
+
+  test('Infinity resets limit to maximum', (t) => {
+    const db = new DatabaseSync(':memory:');
+    const originalLength = db.limits.length;
+
+    // Set to a lower value
+    db.limits.length = 100;
+    t.assert.strictEqual(db.limits.length, 100);
+
+    // Reset to maximum using Infinity
+    db.limits.length = Infinity;
+    t.assert.strictEqual(db.limits.length, originalLength);
+  });
+
+  test('throws on invalid argument type', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = 'invalid';
+    }, {
+      name: 'TypeError',
+      message: /Limit value must be a non-negative integer or Infinity/,
+    });
+  });
+
+  test('throws on negative value', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = -1;
+    }, {
+      name: 'RangeError',
+      message: /Limit value must be non-negative/,
+    });
+  });
+
+  test('throws on null value', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = null;
+    }, {
+      name: 'TypeError',
+      message: /Limit value must be a non-negative integer or Infinity/,
+    });
+  });
+
+  test('throws on negative Infinity', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = -Infinity;
+    }, {
+      name: 'TypeError',
+      message: /Limit value must be a non-negative integer or Infinity/,
+    });
+  });
+
+  test('throws on getter access after close', (t) => {
+    const db = new DatabaseSync(':memory:');
+    db.close();
+    t.assert.throws(() => {
+      return db.limits.length;
+    }, {
+      code: 'ERR_INVALID_STATE',
+      message: /database is not open/,
+    });
+  });
+
+  test('throws on setter access after close', (t) => {
+    const db = new DatabaseSync(':memory:');
+    db.close();
+    t.assert.throws(() => {
+      db.limits.length = 100;
+    }, {
+      code: 'ERR_INVALID_STATE',
+      message: /database is not open/,
+    });
+  });
+
+  test('limits object is enumerable', (t) => {
+    const db = new DatabaseSync(':memory:');
+    const keys = Object.keys(db.limits);
+    t.assert.ok(keys.includes('length'));
+    t.assert.ok(keys.includes('sqlLength'));
+    t.assert.ok(keys.includes('column'));
+    t.assert.ok(keys.includes('exprDepth'));
+    t.assert.ok(keys.includes('compoundSelect'));
+    t.assert.ok(keys.includes('vdbeOp'));
+    t.assert.ok(keys.includes('functionArg'));
+    t.assert.ok(keys.includes('attach'));
+    t.assert.ok(keys.includes('likePatternLength'));
+    t.assert.ok(keys.includes('variableNumber'));
+    t.assert.ok(keys.includes('triggerDepth'));
+  });
+
+  test('throws on invalid limits option type', (t) => {
+    t.assert.throws(() => {
+      new DatabaseSync(':memory:', { limits: 'invalid' });
+    }, {
+      name: 'TypeError',
+      message: /options\.limits.*must be an object/,
+    });
+  });
+
+  test('throws on invalid limit value type in constructor', (t) => {
+    t.assert.throws(() => {
+      new DatabaseSync(':memory:', { limits: { length: 'invalid' } });
+    }, {
+      name: 'TypeError',
+      message: /options\.limits\.length.*must be an integer/,
+    });
+  });
+
+  test('throws on negative limit value in constructor', (t) => {
+    t.assert.throws(() => {
+      new DatabaseSync(':memory:', { limits: { length: -100 } });
+    }, {
+      name: 'RangeError',
+      message: /options\.limits\.length.*must be non-negative/,
+    });
+  });
+
+  test('partial limits in constructor', (t) => {
+    const db = new DatabaseSync(':memory:', {
+      limits: {
+        length: 100000,
+      }
+    });
+    t.assert.strictEqual(db.limits.length, 100000);
+    t.assert.strictEqual(typeof db.limits.sqlLength, 'number');
+  });
+
+  test('throws when exceeding column limit', (t) => {
+    const db = new DatabaseSync(':memory:', {
+      limits: {
+        column: 10,
+      }
+    });
+
+    db.exec('CREATE TABLE t1 (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10)');
+
+    t.assert.throws(() => {
+      db.exec('CREATE TABLE t2 (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11)');
+    }, {
+      message: /too many columns/,
+    });
+  });
+});

From 3357fb502a9ac2b278fb9ed7d32d1b8eb5988b2c Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 21:30:37 +0300
Subject: [PATCH 02/14] lint

---
 src/node_sqlite.cc | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index e701af45d590dc..acc25f19c236d1 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -830,10 +830,8 @@ void DatabaseSyncLimits::LimitsEnumerator(
 
   for (const auto& [js_name, sqlite_limit_id] : kLimitMapping) {
     Local<String> name;
-    if (!String::NewFromUtf8(isolate,
-                             js_name.data(),
-                             NewStringType::kNormal,
-                             js_name.size())
+    if (!String::NewFromUtf8(
+             isolate, js_name.data(), NewStringType::kNormal, js_name.size())
              .ToLocal(&name)) {
       return;
     }
@@ -1320,8 +1318,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
 
         if (!val->IsUndefined()) {
           if (!val->IsInt32()) {
-            std::string msg = "The \"options.limits." +
-                              std::string(js_name) +
+            std::string msg = "The \"options.limits." + std::string(js_name) +
                               "\" argument must be an integer.";
             THROW_ERR_INVALID_ARG_TYPE(env->isolate(), msg);
             return;
@@ -1329,8 +1326,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
 
           int limit_val = val.As<Int32>()->Value();
           if (limit_val < 0) {
-            std::string msg = "The \"options.limits." +
-                              std::string(js_name) +
+            std::string msg = "The \"options.limits." + std::string(js_name) +
                               "\" argument must be non-negative.";
             THROW_ERR_OUT_OF_RANGE(env->isolate(), msg);
             return;

From cc691585d9b98d1ce9b99c2073d5ce5298d9d335 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 22:09:36 +0300
Subject: [PATCH 03/14] Update sqlite.md

Co-authored-by: Bart Louwers <bart.louwers@gmail.com>
---
 doc/api/sqlite.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index 83a74d26eebd64..442d3e0e565e0f 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -167,7 +167,7 @@ changes:
     * `length` {number} Maximum length of a string or BLOB.
     * `sqlLength` {number} Maximum length of an SQL statement.
     * `column` {number} Maximum number of columns.
-    * `exprDepth` {number} Maximum depth of expression tree.
+    * `exprDepth` {number} Maximum depth of an expression tree.
     * `compoundSelect` {number} Maximum number of terms in compound SELECT.
     * `vdbeOp` {number} Maximum number of VDBE instructions.
     * `functionArg` {number} Maximum number of function arguments.

From 9c6155270ee09696a59a5fb60db3493bf88c3b38 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 22:09:45 +0300
Subject: [PATCH 04/14] Update sqlite.md

Co-authored-by: Bart Louwers <bart.louwers@gmail.com>
---
 doc/api/sqlite.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index 442d3e0e565e0f..95ed4e865fbe15 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -168,7 +168,7 @@ changes:
     * `sqlLength` {number} Maximum length of an SQL statement.
     * `column` {number} Maximum number of columns.
     * `exprDepth` {number} Maximum depth of an expression tree.
-    * `compoundSelect` {number} Maximum number of terms in compound SELECT.
+    * `compoundSelect` {number} Maximum number of terms in a compound SELECT.
     * `vdbeOp` {number} Maximum number of VDBE instructions.
     * `functionArg` {number} Maximum number of function arguments.
     * `attach` {number} Maximum number of attached databases.

From 169500d64ffe2a0ba3f2668f27659ebad23b6a25 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 23:09:01 +0300
Subject: [PATCH 05/14] Update env_properties.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: René <contact.9a5d6388@renegade334.me.uk>
---
 src/env_properties.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/env_properties.h b/src/env_properties.h
index f0aa03a42a3012..efaaec43ccd068 100644
--- a/src/env_properties.h
+++ b/src/env_properties.h
@@ -235,8 +235,8 @@
   V(kill_signal_string, "killSignal")                                          \
   V(kind_string, "kind")                                                       \
   V(last_insert_rowid_string, "lastInsertRowid")                               \
-  V(limits_string, "limits")                                                   \
   V(length_string, "length")                                                   \
+  V(limits_string, "limits")                                                   \
   V(library_string, "library")                                                 \
   V(loop_count, "loopCount")                                                   \
   V(max_buffer_string, "maxBuffer")                                            \

From e16bc863d93bcb575ebb5416ee722e2082032433 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 23:09:17 +0300
Subject: [PATCH 06/14] Update env_properties.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: René <contact.9a5d6388@renegade334.me.uk>
---
 src/env_properties.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/env_properties.h b/src/env_properties.h
index efaaec43ccd068..968bb0638b0041 100644
--- a/src/env_properties.h
+++ b/src/env_properties.h
@@ -435,9 +435,9 @@
   V(socketaddress_constructor_template, v8::FunctionTemplate)                  \
   V(space_stats_template, v8::DictionaryTemplate)                              \
   V(sqlite_column_template, v8::DictionaryTemplate)                            \
+  V(sqlite_limits_template, v8::ObjectTemplate)                                \
   V(sqlite_statement_sync_constructor_template, v8::FunctionTemplate)          \
   V(sqlite_statement_sync_iterator_constructor_template, v8::FunctionTemplate) \
-  V(sqlite_limits_template, v8::ObjectTemplate)                                \
   V(sqlite_session_constructor_template, v8::FunctionTemplate)                 \
   V(srv_record_template, v8::DictionaryTemplate)                               \
   V(streambaseoutputstream_constructor_template, v8::ObjectTemplate)           \

From 0b89ed33c175aaed7ddb83d776795eeaa3d4a02c Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 23:09:25 +0300
Subject: [PATCH 07/14] Update node_sqlite.cc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: René <contact.9a5d6388@renegade334.me.uk>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index acc25f19c236d1..313a41a865155e 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -766,7 +766,7 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
   Utf8Value prop_name(isolate, property);
   const LimitInfo* limit_info = GetLimitInfoFromName(*prop_name);
 
-  if (!limit_info) {
+  if (limit_info == nullptr) {
     return Intercepted::kNo;
   }
 

From 4a7f33b7a79e5384f9108e2ac98c05ab6bd5b960 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 23:09:41 +0300
Subject: [PATCH 08/14] Update node_sqlite.cc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: René <contact.9a5d6388@renegade334.me.uk>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 313a41a865155e..8104b3dd101ae1 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -819,7 +819,7 @@ Intercepted DatabaseSyncLimits::LimitsQuery(
   }
 
   // Property exists and is writable
-  info.GetReturnValue().Set(Integer::New(isolate, v8::PropertyAttribute::None));
+  info.GetReturnValue().Set(Integer::New(isolate, v8::PropertyAttribute::DontDelete));
   return Intercepted::kYes;
 }
 

From 660641495496f2048a3a90c9de7652f20de49bf2 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 23:35:14 +0300
Subject: [PATCH 09/14] review fixed

---
 src/node_sqlite.cc | 11 ++++-------
 src/node_sqlite.h  |  7 +++----
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 8104b3dd101ae1..7eb726362907fc 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -819,7 +819,8 @@ Intercepted DatabaseSyncLimits::LimitsQuery(
   }
 
   // Property exists and is writable
-  info.GetReturnValue().Set(Integer::New(isolate, v8::PropertyAttribute::DontDelete));
+  info.GetReturnValue().Set(
+      Integer::New(isolate, v8::PropertyAttribute::DontDelete));
   return Intercepted::kYes;
 }
 
@@ -950,12 +951,8 @@ bool DatabaseSync::Open() {
   sqlite3_busy_timeout(connection_, open_config_.get_timeout());
 
   // Apply initial limits
-  const auto& limits = open_config_.initial_limits();
-  for (size_t limit_id = 0; limit_id < limits.size(); ++limit_id) {
-    if (limits[limit_id].has_value()) {
-      sqlite3_limit(
-          connection_, static_cast<int>(limit_id), limits[limit_id].value());
-    }
+  for (const auto& [limit_id, limit_value] : open_config_.initial_limits()) {
+    sqlite3_limit(connection_, limit_id, limit_value);
   }
 
   if (allow_load_extension_) {
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 8cc9e9c74c1189..56180db0bb5eac 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -93,11 +93,10 @@ class DatabaseOpenConfiguration {
   inline bool get_enable_defensive() const { return defensive_; }
 
   inline void set_initial_limit(int limit_id, int value) {
-    initial_limits_.at(limit_id) = value;
+    initial_limits_[limit_id] = value;
   }
 
-  inline const std::array<std::optional<int>, kLimitMapping.size()>&
-  initial_limits() const {
+  inline const std::map<int, int>& initial_limits() const {
     return initial_limits_;
   }
 
@@ -112,7 +111,7 @@ class DatabaseOpenConfiguration {
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
   bool defensive_ = true;
-  std::array<std::optional<int>, kLimitMapping.size()> initial_limits_;
+  std::map<int, int> initial_limits_;
 };
 
 class DatabaseSync;

From e4c2bbbee974c47356719e7c80a6ad458f9c028e Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 20 Jan 2026 23:38:48 +0300
Subject: [PATCH 10/14] Update doc/api/sqlite.md

Co-authored-by: Bart Louwers <bart.louwers@gmail.com>
---
 doc/api/sqlite.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index 95ed4e865fbe15..223c3450a44a4c 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -172,7 +172,7 @@ changes:
     * `vdbeOp` {number} Maximum number of VDBE instructions.
     * `functionArg` {number} Maximum number of function arguments.
     * `attach` {number} Maximum number of attached databases.
-    * `likePatternLength` {number} Maximum length of LIKE pattern.
+    * `likePatternLength` {number} Maximum length of a LIKE pattern.
     * `variableNumber` {number} Maximum number of SQL variables.
     * `triggerDepth` {number} Maximum trigger recursion depth.
 

From ad6709596abc6c502eb70f51d10f3a4516752616 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 21 Jan 2026 00:17:02 +0300
Subject: [PATCH 11/14] review fixed

---
 src/node_sqlite.cc | 12 ++++++++----
 src/node_sqlite.h  |  9 +++++----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 7eb726362907fc..43d8ed8956335c 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -951,8 +951,11 @@ bool DatabaseSync::Open() {
   sqlite3_busy_timeout(connection_, open_config_.get_timeout());
 
   // Apply initial limits
-  for (const auto& [limit_id, limit_value] : open_config_.initial_limits()) {
-    sqlite3_limit(connection_, limit_id, limit_value);
+  const auto& limits = open_config_.initial_limits();
+  for (size_t i = 0; i < kLimitMapping.size(); ++i) {
+    if (limits[i].has_value()) {
+      sqlite3_limit(connection_, kLimitMapping[i].sqlite_limit_id, *limits[i]);
+    }
   }
 
   if (allow_load_extension_) {
@@ -1298,7 +1301,8 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
       Local<Object> limits_obj = limits_v.As<Object>();
 
       // Iterate through known limit names and extract values
-      for (const auto& [js_name, sqlite_limit_id] : kLimitMapping) {
+      for (size_t i = 0; i < kLimitMapping.size(); ++i) {
+        const auto& js_name = kLimitMapping[i].js_name;
         Local<String> key;
         if (!String::NewFromUtf8(env->isolate(),
                                  js_name.data(),
@@ -1329,7 +1333,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
             return;
           }
 
-          open_config.set_initial_limit(sqlite_limit_id, limit_val);
+          open_config.set_initial_limit(i, limit_val);
         }
       }
     }
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 56180db0bb5eac..5bc946509db48a 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -92,11 +92,12 @@ class DatabaseOpenConfiguration {
 
   inline bool get_enable_defensive() const { return defensive_; }
 
-  inline void set_initial_limit(int limit_id, int value) {
-    initial_limits_[limit_id] = value;
+  inline void set_initial_limit(size_t mapping_index, int value) {
+    initial_limits_[mapping_index] = value;
   }
 
-  inline const std::map<int, int>& initial_limits() const {
+  inline const std::array<std::optional<int>, kLimitMapping.size()>&
+  initial_limits() const {
     return initial_limits_;
   }
 
@@ -111,7 +112,7 @@ class DatabaseOpenConfiguration {
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
   bool defensive_ = true;
-  std::map<int, int> initial_limits_;
+  std::array<std::optional<int>, kLimitMapping.size()> initial_limits_{};
 };
 
 class DatabaseSync;

From 77f401a5298410d60e6c8873452180dce6fc48d6 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 21 Jan 2026 09:10:00 +0300
Subject: [PATCH 12/14] used std array and range for loop

---
 src/node_sqlite.cc | 13 ++++++-------
 src/node_sqlite.h  | 23 +++++++++++++++++++----
 2 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 43d8ed8956335c..b58d2ec50cee38 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -951,10 +951,10 @@ bool DatabaseSync::Open() {
   sqlite3_busy_timeout(connection_, open_config_.get_timeout());
 
   // Apply initial limits
-  const auto& limits = open_config_.initial_limits();
-  for (size_t i = 0; i < kLimitMapping.size(); ++i) {
-    if (limits[i].has_value()) {
-      sqlite3_limit(connection_, kLimitMapping[i].sqlite_limit_id, *limits[i]);
+  for (const auto& [js_name, sqlite_limit_id] : kLimitMapping) {
+    const auto& limit_value = open_config_.initial_limits()[sqlite_limit_id];
+    if (limit_value.has_value()) {
+      sqlite3_limit(connection_, sqlite_limit_id, *limit_value);
     }
   }
 
@@ -1301,8 +1301,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
       Local<Object> limits_obj = limits_v.As<Object>();
 
       // Iterate through known limit names and extract values
-      for (size_t i = 0; i < kLimitMapping.size(); ++i) {
-        const auto& js_name = kLimitMapping[i].js_name;
+      for (const auto& [js_name, sqlite_limit_id] : kLimitMapping) {
         Local<String> key;
         if (!String::NewFromUtf8(env->isolate(),
                                  js_name.data(),
@@ -1333,7 +1332,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
             return;
           }
 
-          open_config.set_initial_limit(i, limit_val);
+          open_config.set_initial_limit(sqlite_limit_id, limit_val);
         }
       }
     }
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 5bc946509db48a..7004728d81ef9a 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -39,6 +39,20 @@ inline constexpr std::array<LimitInfo, 11> kLimitMapping = {{
     {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH},
 }};
 
+// Static assertion to ensure all limit IDs fit in the array
+constexpr bool CheckLimitBounds() {
+  for (const auto& info : kLimitMapping) {
+    if (info.sqlite_limit_id < 0 ||
+        info.sqlite_limit_id > SQLITE_LIMIT_TRIGGER_DEPTH) {
+      return false;
+    }
+  }
+  return true;
+}
+static_assert(
+    CheckLimitBounds(),
+    "All kLimitMapping entries must be <= SQLITE_LIMIT_TRIGGER_DEPTH");
+
 class DatabaseOpenConfiguration {
  public:
   explicit DatabaseOpenConfiguration(std::string&& location)
@@ -92,11 +106,11 @@ class DatabaseOpenConfiguration {
 
   inline bool get_enable_defensive() const { return defensive_; }
 
-  inline void set_initial_limit(size_t mapping_index, int value) {
-    initial_limits_[mapping_index] = value;
+  inline void set_initial_limit(int sqlite_limit_id, int value) {
+    initial_limits_[sqlite_limit_id] = value;
   }
 
-  inline const std::array<std::optional<int>, kLimitMapping.size()>&
+  inline const std::array<std::optional<int>, SQLITE_LIMIT_TRIGGER_DEPTH + 1>&
   initial_limits() const {
     return initial_limits_;
   }
@@ -112,7 +126,8 @@ class DatabaseOpenConfiguration {
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
   bool defensive_ = true;
-  std::array<std::optional<int>, kLimitMapping.size()> initial_limits_{};
+  std::array<std::optional<int>, SQLITE_LIMIT_TRIGGER_DEPTH + 1>
+      initial_limits_{};
 };
 
 class DatabaseSync;

From 61eb04bc5da1eed623edc0a0b4dbbd855cda0556 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 21 Jan 2026 20:42:00 +0300
Subject: [PATCH 13/14] added  static assertion

---
 src/node_sqlite.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 7004728d81ef9a..ea6e6f33acb0a4 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -39,7 +39,10 @@ inline constexpr std::array<LimitInfo, 11> kLimitMapping = {{
     {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH},
 }};
 
-// Static assertion to ensure all limit IDs fit in the array
+// Static assertions to ensure limit mapping is complete and valid
+static_assert(kLimitMapping.size() == SQLITE_LIMIT_TRIGGER_DEPTH + 1,
+              "kLimitMapping must cover all SQLite limits");
+
 constexpr bool CheckLimitBounds() {
   for (const auto& info : kLimitMapping) {
     if (info.sqlite_limit_id < 0 ||

From 4cc029d2ac3dffad2f6758b26e70d779d7dc2bc1 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Thu, 22 Jan 2026 10:09:16 +0300
Subject: [PATCH 14/14] Update node_sqlite.h

Co-authored-by: Bart Louwers <bart.louwers@gmail.com>
---
 src/node_sqlite.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index ea6e6f33acb0a4..bbf0642a2f5163 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -110,7 +110,7 @@ class DatabaseOpenConfiguration {
   inline bool get_enable_defensive() const { return defensive_; }
 
   inline void set_initial_limit(int sqlite_limit_id, int value) {
-    initial_limits_[sqlite_limit_id] = value;
+    initial_limits_.at(sqlite_limit_id) = value;
   }
 
   inline const std::array<std::optional<int>, SQLITE_LIMIT_TRIGGER_DEPTH + 1>&