From 8c6c66c91e7c855ee55bf17bf3d70508c6d674b6 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 6 Jan 2026 21:31:23 +0300
Subject: [PATCH 01/22] sqlite: add limits property to DatabaseSync

---
 doc/api/sqlite.md                   |  41 +++++
 src/env_properties.h                |   2 +
 src/node_sqlite.cc                  | 270 ++++++++++++++++++++++++++++
 src/node_sqlite.h                   |  45 +++++
 test/parallel/test-sqlite-limits.js | 161 +++++++++++++++++
 5 files changed, 519 insertions(+)
 create mode 100644 test/parallel/test-sqlite-limits.js

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index 186e70784b94d0..d6959cf9eec7e0 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -155,6 +155,21 @@ changes:
     language features that allow ordinary SQL to deliberately corrupt the database file are disabled.
     The defensive flag can also be set using `enableDefensive()`.
     **Default:** `false`.
+  * `limits` {Object} Configuration for various SQLite limits. These limits
+    can be used to prevent excessive resource consumption when handling
+    potentially malicious input. See [Run-Time Limits][] in the SQLite
+    documentation for details. The following properties are supported:
+    * `length` {number} Maximum length of a string or BLOB.
+    * `sqlLength` {number} Maximum length of an SQL statement.
+    * `column` {number} Maximum number of columns.
+    * `exprDepth` {number} Maximum depth of expression tree.
+    * `compoundSelect` {number} Maximum number of terms in compound SELECT.
+    * `vdbeOp` {number} Maximum number of VDBE instructions.
+    * `functionArg` {number} Maximum number of function arguments.
+    * `attach` {number} Maximum number of attached databases.
+    * `likePatternLength` {number} Maximum length of LIKE pattern.
+    * `variableNumber` {number} Maximum number of SQL variables.
+    * `triggerDepth` {number} Maximum trigger recursion depth.
 
 Constructs a new `DatabaseSync` instance.
 
@@ -443,6 +458,31 @@ added:
 * Type: {boolean} Whether the database is currently within a transaction. This method
   is a wrapper around [`sqlite3_get_autocommit()`][].
 
+### `database.limits`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {Object}
+
+An object for getting and setting SQLite database limits at runtime.
+Each property corresponds to an SQLite limit and can be read or written.
+
+```js
+const db = new DatabaseSync(':memory:');
+
+// Read current limit
+console.log(db.limits.length);
+
+// Set a new limit
+db.limits.sqlLength = 100000;
+```
+
+Available properties: `length`, `sqlLength`, `column`, `exprDepth`,
+`compoundSelect`, `vdbeOp`, `functionArg`, `attach`, `likePatternLength`,
+`variableNumber`, `triggerDepth`.
+
 ### `database.open()`
 
 <!-- YAML
@@ -1455,6 +1495,7 @@ callback function to indicate what type of operation is being authorized.
 [`ATTACH DATABASE`]: https://www.sqlite.org/lang_attach.html
 [`PRAGMA foreign_keys`]: https://www.sqlite.org/pragma.html#pragma_foreign_keys
 [`SQLITE_DBCONFIG_DEFENSIVE`]: https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive
+[Run-Time Limits]: https://www.sqlite.org/c3ref/limit.html
 [`SQLITE_DETERMINISTIC`]: https://www.sqlite.org/c3ref/c_deterministic.html
 [`SQLITE_DIRECTONLY`]: https://www.sqlite.org/c3ref/c_deterministic.html
 [`SQLITE_MAX_FUNCTION_ARG`]: https://www.sqlite.org/limits.html#max_function_arg
diff --git a/src/env_properties.h b/src/env_properties.h
index 903158ebbdc2b7..f0aa03a42a3012 100644
--- a/src/env_properties.h
+++ b/src/env_properties.h
@@ -235,6 +235,7 @@
   V(kill_signal_string, "killSignal")                                          \
   V(kind_string, "kind")                                                       \
   V(last_insert_rowid_string, "lastInsertRowid")                               \
+  V(limits_string, "limits")                                                   \
   V(length_string, "length")                                                   \
   V(library_string, "library")                                                 \
   V(loop_count, "loopCount")                                                   \
@@ -436,6 +437,7 @@
   V(sqlite_column_template, v8::DictionaryTemplate)                            \
   V(sqlite_statement_sync_constructor_template, v8::FunctionTemplate)          \
   V(sqlite_statement_sync_iterator_constructor_template, v8::FunctionTemplate) \
+  V(sqlite_limits_template, v8::ObjectTemplate)                                \
   V(sqlite_session_constructor_template, v8::FunctionTemplate)                 \
   V(srv_record_template, v8::DictionaryTemplate)                               \
   V(streambaseoutputstream_constructor_template, v8::ObjectTemplate)           \
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 6d35236dce0f82..1c267238f59366 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -36,6 +36,7 @@ using v8::Global;
 using v8::HandleScope;
 using v8::Int32;
 using v8::Integer;
+using v8::Intercepted;
 using v8::Isolate;
 using v8::JustVoid;
 using v8::Local;
@@ -43,12 +44,16 @@ using v8::LocalVector;
 using v8::Maybe;
 using v8::MaybeLocal;
 using v8::Name;
+using v8::NamedPropertyHandlerConfiguration;
 using v8::NewStringType;
 using v8::Nothing;
 using v8::Null;
 using v8::Number;
 using v8::Object;
+using v8::ObjectTemplate;
 using v8::Promise;
+using v8::PropertyCallbackInfo;
+using v8::PropertyHandlerFlags;
 using v8::SideEffectType;
 using v8::String;
 using v8::TryCatch;
@@ -133,6 +138,38 @@ Local<DictionaryTemplate> getLazyIterTemplate(Environment* env) {
 }
 }  // namespace
 
+// Mapping from JavaScript property names to SQLite limit constants
+struct LimitInfo {
+  const char* js_name;
+  int sqlite_limit_id;
+};
+
+static constexpr LimitInfo kLimitMapping[] = {
+    {"length", SQLITE_LIMIT_LENGTH},
+    {"sqlLength", SQLITE_LIMIT_SQL_LENGTH},
+    {"column", SQLITE_LIMIT_COLUMN},
+    {"exprDepth", SQLITE_LIMIT_EXPR_DEPTH},
+    {"compoundSelect", SQLITE_LIMIT_COMPOUND_SELECT},
+    {"vdbeOp", SQLITE_LIMIT_VDBE_OP},
+    {"functionArg", SQLITE_LIMIT_FUNCTION_ARG},
+    {"attach", SQLITE_LIMIT_ATTACHED},
+    {"likePatternLength", SQLITE_LIMIT_LIKE_PATTERN_LENGTH},
+    {"variableNumber", SQLITE_LIMIT_VARIABLE_NUMBER},
+    {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH},
+};
+
+static constexpr size_t kLimitMappingCount = arraysize(kLimitMapping);
+
+// Helper function to find limit ID from JS property name
+static int GetLimitIdFromName(const std::string& name) {
+  for (size_t i = 0; i < kLimitMappingCount; ++i) {
+    if (name == kLimitMapping[i].js_name) {
+      return kLimitMapping[i].sqlite_limit_id;
+    }
+  }
+  return -1;  // Not found
+}
+
 inline MaybeLocal<Object> CreateSQLiteError(Isolate* isolate,
                                             const char* message) {
   Local<String> js_msg;
@@ -665,6 +702,163 @@ void UserDefinedFunction::xDestroy(void* self) {
   delete static_cast<UserDefinedFunction*>(self);
 }
 
+DatabaseSyncLimits::DatabaseSyncLimits(Environment* env,
+                                       Local<Object> object,
+                                       BaseObjectWeakPtr<DatabaseSync> database)
+    : BaseObject(env, object), database_(std::move(database)) {
+  MakeWeak();
+}
+
+DatabaseSyncLimits::~DatabaseSyncLimits() = default;
+
+void DatabaseSyncLimits::MemoryInfo(MemoryTracker* tracker) const {
+  tracker->TrackField("database", database_);
+}
+
+Local<ObjectTemplate> DatabaseSyncLimits::GetTemplate(Environment* env) {
+  Local<ObjectTemplate> tmpl = env->sqlite_limits_template();
+  if (!tmpl.IsEmpty()) return tmpl;
+
+  Isolate* isolate = env->isolate();
+  tmpl = ObjectTemplate::New(isolate);
+  tmpl->SetInternalFieldCount(DatabaseSyncLimits::kInternalFieldCount);
+  tmpl->SetHandler(NamedPropertyHandlerConfiguration(
+      LimitsGetter,
+      LimitsSetter,
+      LimitsQuery,
+      nullptr,  // deleter - not allowed
+      LimitsEnumerator,
+      nullptr,  // definer
+      nullptr,
+      Local<Value>(),
+      PropertyHandlerFlags::kHasNoSideEffect));
+
+  env->set_sqlite_limits_template(tmpl);
+  return tmpl;
+}
+
+Intercepted DatabaseSyncLimits::LimitsGetter(
+    Local<Name> property,
+    const PropertyCallbackInfo<Value>& info) {
+  // Skip symbols
+  if (!property->IsString()) {
+    return Intercepted::kNo;
+  }
+
+  DatabaseSyncLimits* limits;
+  ASSIGN_OR_RETURN_UNWRAP(&limits, info.This(), Intercepted::kNo);
+
+  Environment* env = limits->env();
+  Isolate* isolate = env->isolate();
+
+  Utf8Value prop_name(isolate, property);
+  int limit_id = GetLimitIdFromName(*prop_name);
+
+  if (limit_id < 0) {
+    return Intercepted::kNo;  // Unknown property, let default handling occur
+  }
+
+  if (!limits->database_->IsOpen()) {
+    THROW_ERR_INVALID_STATE(env, "database is not open");
+    return Intercepted::kYes;
+  }
+
+  int current_value =
+      sqlite3_limit(limits->database_->Connection(), limit_id, -1);
+  info.GetReturnValue().Set(Integer::New(isolate, current_value));
+  return Intercepted::kYes;
+}
+
+Intercepted DatabaseSyncLimits::LimitsSetter(
+    Local<Name> property,
+    Local<Value> value,
+    const PropertyCallbackInfo<void>& info) {
+  if (!property->IsString()) {
+    return Intercepted::kNo;
+  }
+
+  DatabaseSyncLimits* limits;
+  ASSIGN_OR_RETURN_UNWRAP(&limits, info.This(), Intercepted::kNo);
+
+  Environment* env = limits->env();
+  Isolate* isolate = env->isolate();
+
+  Utf8Value prop_name(isolate, property);
+  int limit_id = GetLimitIdFromName(*prop_name);
+
+  if (limit_id < 0) {
+    return Intercepted::kNo;
+  }
+
+  if (!limits->database_->IsOpen()) {
+    THROW_ERR_INVALID_STATE(env, "database is not open");
+    return Intercepted::kYes;
+  }
+
+  if (!value->IsInt32()) {
+    THROW_ERR_INVALID_ARG_TYPE(isolate, "Limit value must be an integer.");
+    return Intercepted::kYes;
+  }
+
+  int new_value = value.As<Int32>()->Value();
+
+  // Validate non-negative
+  if (new_value < 0) {
+    THROW_ERR_OUT_OF_RANGE(isolate, "Limit value must be non-negative.");
+    return Intercepted::kYes;
+  }
+
+  sqlite3_limit(limits->database_->Connection(), limit_id, new_value);
+  return Intercepted::kYes;
+}
+
+Intercepted DatabaseSyncLimits::LimitsQuery(
+    Local<Name> property,
+    const PropertyCallbackInfo<Integer>& info) {
+  if (!property->IsString()) {
+    return Intercepted::kNo;
+  }
+
+  Isolate* isolate = info.GetIsolate();
+  Utf8Value prop_name(isolate, property);
+  int limit_id = GetLimitIdFromName(*prop_name);
+
+  if (limit_id < 0) {
+    return Intercepted::kNo;
+  }
+
+  // Property exists and is writable
+  info.GetReturnValue().Set(
+      Integer::New(isolate, v8::PropertyAttribute::None));
+  return Intercepted::kYes;
+}
+
+void DatabaseSyncLimits::LimitsEnumerator(
+    const PropertyCallbackInfo<Array>& info) {
+  Isolate* isolate = info.GetIsolate();
+  LocalVector<Value> names(isolate);
+
+  for (size_t i = 0; i < kLimitMappingCount; ++i) {
+    Local<String> name;
+    if (String::NewFromUtf8(isolate, kLimitMapping[i].js_name).ToLocal(&name)) {
+      names.push_back(name);
+    }
+  }
+
+  info.GetReturnValue().Set(Array::New(isolate, names.data(), names.size()));
+}
+
+BaseObjectPtr<DatabaseSyncLimits> DatabaseSyncLimits::Create(
+    Environment* env,
+    BaseObjectWeakPtr<DatabaseSync> database) {
+  Local<Object> obj;
+  if (!GetTemplate(env)->NewInstance(env->context()).ToLocal(&obj)) {
+    return nullptr;
+  }
+
+  return MakeBaseObject<DatabaseSyncLimits>(env, obj, std::move(database));
+}
+
 DatabaseSync::DatabaseSync(Environment* env,
                            Local<Object> object,
                            DatabaseOpenConfiguration&& open_config,
@@ -763,6 +957,11 @@ bool DatabaseSync::Open() {
 
   sqlite3_busy_timeout(connection_, open_config_.get_timeout());
 
+  // Apply initial limits
+  for (const auto& [limit_id, limit_val] : open_config_.initial_limits()) {
+    sqlite3_limit(connection_, limit_id, limit_val);
+  }
+
   if (allow_load_extension_) {
     if (env()->permission()->enabled()) [[unlikely]] {
       THROW_ERR_LOAD_SQLITE_EXTENSION(env(),
@@ -1088,6 +1287,58 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
       }
       open_config.set_enable_defensive(defensive_v.As<Boolean>()->Value());
     }
+
+    // Parse limits option
+    Local<Value> limits_v;
+    if (!options->Get(env->context(), env->limits_string()).ToLocal(&limits_v)) {
+      return;
+    }
+    if (!limits_v->IsUndefined()) {
+      if (!limits_v->IsObject()) {
+        THROW_ERR_INVALID_ARG_TYPE(
+            env->isolate(),
+            "The \"options.limits\" argument must be an object.");
+        return;
+      }
+
+      Local<Object> limits_obj = limits_v.As<Object>();
+
+      // Iterate through known limit names and extract values
+      for (size_t i = 0; i < kLimitMappingCount; ++i) {
+        Local<String> key;
+        if (!String::NewFromUtf8(env->isolate(), kLimitMapping[i].js_name)
+                 .ToLocal(&key)) {
+          return;
+        }
+
+        Local<Value> val;
+        if (!limits_obj->Get(env->context(), key).ToLocal(&val)) {
+          return;
+        }
+
+        if (!val->IsUndefined()) {
+          if (!val->IsInt32()) {
+            std::string msg = "The \"options.limits." +
+                              std::string(kLimitMapping[i].js_name) +
+                              "\" argument must be an integer.";
+            THROW_ERR_INVALID_ARG_TYPE(env->isolate(), msg.c_str());
+            return;
+          }
+
+          int limit_val = val.As<Int32>()->Value();
+          if (limit_val < 0) {
+            std::string msg = "The \"options.limits." +
+                              std::string(kLimitMapping[i].js_name) +
+                              "\" argument must be non-negative.";
+            THROW_ERR_OUT_OF_RANGE(env->isolate(), msg.c_str());
+            return;
+          }
+
+          open_config.set_initial_limit(kLimitMapping[i].sqlite_limit_id,
+                                        limit_val);
+        }
+      }
+    }
   }
 
   new DatabaseSync(
@@ -1115,6 +1366,21 @@ void DatabaseSync::IsTransactionGetter(
   args.GetReturnValue().Set(sqlite3_get_autocommit(db->connection_) == 0);
 }
 
+void DatabaseSync::LimitsGetter(const FunctionCallbackInfo<Value>& args) {
+  DatabaseSync* db;
+  ASSIGN_OR_RETURN_UNWRAP(&db, args.This());
+  Environment* env = Environment::GetCurrent(args);
+
+  if (!db->limits_object_) {
+    db->limits_object_ = DatabaseSyncLimits::Create(
+        env, BaseObjectWeakPtr<DatabaseSync>(db));
+  }
+
+  if (db->limits_object_) {
+    args.GetReturnValue().Set(db->limits_object_->object());
+  }
+}
+
 void DatabaseSync::Close(const FunctionCallbackInfo<Value>& args) {
   DatabaseSync* db;
   ASSIGN_OR_RETURN_UNWRAP(&db, args.This());
@@ -3372,6 +3638,10 @@ static void Initialize(Local<Object> target,
                           db_tmpl,
                           FIXED_ONE_BYTE_STRING(isolate, "isTransaction"),
                           DatabaseSync::IsTransactionGetter);
+  SetSideEffectFreeGetter(isolate,
+                          db_tmpl,
+                          FIXED_ONE_BYTE_STRING(isolate, "limits"),
+                          DatabaseSync::LimitsGetter);
   Local<String> sqlite_type_key = FIXED_ONE_BYTE_STRING(isolate, "sqlite-type");
   Local<v8::Symbol> sqlite_type_symbol =
       v8::Symbol::For(isolate, sqlite_type_key);
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 2641c9d4f1e8c5..6c75aa517d1ac0 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -69,6 +69,14 @@ class DatabaseOpenConfiguration {
 
   inline bool get_enable_defensive() const { return defensive_; }
 
+  inline void set_initial_limit(int limit_id, int value) {
+    initial_limits_[limit_id] = value;
+  }
+
+  inline const std::map<int, int>& initial_limits() const {
+    return initial_limits_;
+  }
+
  private:
   std::string location_;
   bool read_only_ = false;
@@ -80,9 +88,11 @@ class DatabaseOpenConfiguration {
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
   bool defensive_ = false;
+  std::map<int, int> initial_limits_;
 };
 
 class DatabaseSync;
+class DatabaseSyncLimits;
 class StatementSyncIterator;
 class StatementSync;
 class BackupJob;
@@ -146,6 +156,7 @@ class DatabaseSync : public BaseObject {
   static void EnableLoadExtension(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EnableDefensive(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void LimitsGetter(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void LoadExtension(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetAuthorizer(const v8::FunctionCallbackInfo<v8::Value>& args);
   static int AuthorizerCallback(void* user_data,
@@ -194,7 +205,9 @@ class DatabaseSync : public BaseObject {
   std::set<BackupJob*> backups_;
   std::set<sqlite3_session*> sessions_;
   std::unordered_set<StatementSync*> statements_;
+  BaseObjectPtr<DatabaseSyncLimits> limits_object_;
 
+  friend class DatabaseSyncLimits;
   friend class Session;
   friend class SQLTagStore;
   friend class StatementExecutionHelper;
@@ -350,6 +363,38 @@ class UserDefinedFunction {
   bool use_bigint_args_;
 };
 
+class DatabaseSyncLimits : public BaseObject {
+ public:
+  DatabaseSyncLimits(Environment* env,
+                     v8::Local<v8::Object> object,
+                     BaseObjectWeakPtr<DatabaseSync> database);
+  ~DatabaseSyncLimits() override;
+
+  void MemoryInfo(MemoryTracker* tracker) const override;
+  static v8::Local<v8::ObjectTemplate> GetTemplate(Environment* env);
+  static BaseObjectPtr<DatabaseSyncLimits> Create(
+      Environment* env,
+      BaseObjectWeakPtr<DatabaseSync> database);
+
+  static v8::Intercepted LimitsGetter(
+      v8::Local<v8::Name> property,
+      const v8::PropertyCallbackInfo<v8::Value>& info);
+  static v8::Intercepted LimitsSetter(
+      v8::Local<v8::Name> property,
+      v8::Local<v8::Value> value,
+      const v8::PropertyCallbackInfo<void>& info);
+  static v8::Intercepted LimitsQuery(
+      v8::Local<v8::Name> property,
+      const v8::PropertyCallbackInfo<v8::Integer>& info);
+  static void LimitsEnumerator(const v8::PropertyCallbackInfo<v8::Array>& info);
+
+  SET_MEMORY_INFO_NAME(DatabaseSyncLimits)
+  SET_SELF_SIZE(DatabaseSyncLimits)
+
+ private:
+  BaseObjectWeakPtr<DatabaseSync> database_;
+};
+
 }  // namespace sqlite
 }  // namespace node
 
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
new file mode 100644
index 00000000000000..8fa9c7230549c5
--- /dev/null
+++ b/test/parallel/test-sqlite-limits.js
@@ -0,0 +1,161 @@
+'use strict';
+const { skipIfSQLiteMissing } = require('../common');
+skipIfSQLiteMissing();
+const { DatabaseSync } = require('node:sqlite');
+const { suite, test } = require('node:test');
+
+suite('DatabaseSync limits', () => {
+  test('constructor accepts limits option', (t) => {
+    const db = new DatabaseSync(':memory:', {
+      limits: {
+        length: 500000,
+        sqlLength: 50000,
+        column: 100,
+        exprDepth: 50,
+        compoundSelect: 10,
+        vdbeOp: 10000,
+        functionArg: 8,
+        attach: 5,
+        likePatternLength: 1000,
+        variableNumber: 100,
+        triggerDepth: 5,
+      }
+    });
+
+    t.assert.strictEqual(db.limits.length, 500000);
+    t.assert.strictEqual(db.limits.sqlLength, 50000);
+    t.assert.strictEqual(db.limits.column, 100);
+    t.assert.strictEqual(db.limits.exprDepth, 50);
+    t.assert.strictEqual(db.limits.compoundSelect, 10);
+    t.assert.strictEqual(db.limits.vdbeOp, 10000);
+    t.assert.strictEqual(db.limits.functionArg, 8);
+    t.assert.strictEqual(db.limits.attach, 5);
+    t.assert.strictEqual(db.limits.likePatternLength, 1000);
+    t.assert.strictEqual(db.limits.variableNumber, 100);
+    t.assert.strictEqual(db.limits.triggerDepth, 5);
+    db.close();
+  });
+
+  test('getter returns current limit value', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.strictEqual(typeof db.limits.length, 'number');
+    t.assert.ok(db.limits.length > 0);
+    t.assert.strictEqual(typeof db.limits.sqlLength, 'number');
+    t.assert.ok(db.limits.sqlLength > 0);
+    db.close();
+  });
+
+  test('setter modifies limit value', (t) => {
+    const db = new DatabaseSync(':memory:');
+
+    db.limits.length = 100000;
+    t.assert.strictEqual(db.limits.length, 100000);
+
+    db.limits.sqlLength = 50000;
+    t.assert.strictEqual(db.limits.sqlLength, 50000);
+
+    db.limits.column = 50;
+    t.assert.strictEqual(db.limits.column, 50);
+
+    db.close();
+  });
+
+  test('throws on invalid argument type', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = 'invalid';
+    }, {
+      name: 'TypeError',
+      message: /Limit value must be an integer/,
+    });
+    db.close();
+  });
+
+  test('throws on negative value', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = -1;
+    }, {
+      name: 'RangeError',
+      message: /Limit value must be non-negative/,
+    });
+    db.close();
+  });
+
+  test('throws on getter access after close', (t) => {
+    const db = new DatabaseSync(':memory:');
+    db.close();
+    t.assert.throws(() => {
+      return db.limits.length;
+    }, {
+      code: 'ERR_INVALID_STATE',
+      message: /database is not open/,
+    });
+  });
+
+  test('throws on setter access after close', (t) => {
+    const db = new DatabaseSync(':memory:');
+    db.close();
+    t.assert.throws(() => {
+      db.limits.length = 100;
+    }, {
+      code: 'ERR_INVALID_STATE',
+      message: /database is not open/,
+    });
+  });
+
+  test('limits object is enumerable', (t) => {
+    const db = new DatabaseSync(':memory:');
+    const keys = Object.keys(db.limits);
+    t.assert.ok(keys.includes('length'));
+    t.assert.ok(keys.includes('sqlLength'));
+    t.assert.ok(keys.includes('column'));
+    t.assert.ok(keys.includes('exprDepth'));
+    t.assert.ok(keys.includes('compoundSelect'));
+    t.assert.ok(keys.includes('vdbeOp'));
+    t.assert.ok(keys.includes('functionArg'));
+    t.assert.ok(keys.includes('attach'));
+    t.assert.ok(keys.includes('likePatternLength'));
+    t.assert.ok(keys.includes('variableNumber'));
+    t.assert.ok(keys.includes('triggerDepth'));
+    db.close();
+  });
+
+  test('throws on invalid limits option type', (t) => {
+    t.assert.throws(() => {
+      new DatabaseSync(':memory:', { limits: 'invalid' });
+    }, {
+      name: 'TypeError',
+      message: /options\.limits.*must be an object/,
+    });
+  });
+
+  test('throws on invalid limit value type in constructor', (t) => {
+    t.assert.throws(() => {
+      new DatabaseSync(':memory:', { limits: { length: 'invalid' } });
+    }, {
+      name: 'TypeError',
+      message: /options\.limits\.length.*must be an integer/,
+    });
+  });
+
+  test('throws on negative limit value in constructor', (t) => {
+    t.assert.throws(() => {
+      new DatabaseSync(':memory:', { limits: { length: -100 } });
+    }, {
+      name: 'RangeError',
+      message: /options\.limits\.length.*must be non-negative/,
+    });
+  });
+
+  test('partial limits in constructor', (t) => {
+    const db = new DatabaseSync(':memory:', {
+      limits: {
+        length: 100000,
+      }
+    });
+    t.assert.strictEqual(db.limits.length, 100000);
+    t.assert.strictEqual(typeof db.limits.sqlLength, 'number');
+    db.close();
+  });
+});

From ffd7dd03c8b0e6dff2dbff4e7b80813b854949c4 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 6 Jan 2026 21:35:00 +0300
Subject: [PATCH 02/22] lint

---
 doc/api/sqlite.md  |  2 +-
 src/node_sqlite.cc | 19 ++++++++-----------
 src/node_sqlite.h  |  3 +--
 3 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index d6959cf9eec7e0..a34834f9a6b5bb 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -1494,8 +1494,8 @@ callback function to indicate what type of operation is being authorized.
 [Type conversion between JavaScript and SQLite]: #type-conversion-between-javascript-and-sqlite
 [`ATTACH DATABASE`]: https://www.sqlite.org/lang_attach.html
 [`PRAGMA foreign_keys`]: https://www.sqlite.org/pragma.html#pragma_foreign_keys
-[`SQLITE_DBCONFIG_DEFENSIVE`]: https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive
 [Run-Time Limits]: https://www.sqlite.org/c3ref/limit.html
+[`SQLITE_DBCONFIG_DEFENSIVE`]: https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive
 [`SQLITE_DETERMINISTIC`]: https://www.sqlite.org/c3ref/c_deterministic.html
 [`SQLITE_DIRECTONLY`]: https://www.sqlite.org/c3ref/c_deterministic.html
 [`SQLITE_MAX_FUNCTION_ARG`]: https://www.sqlite.org/limits.html#max_function_arg
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 1c267238f59366..6dd3761c294bf5 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -738,8 +738,7 @@ Local<ObjectTemplate> DatabaseSyncLimits::GetTemplate(Environment* env) {
 }
 
 Intercepted DatabaseSyncLimits::LimitsGetter(
-    Local<Name> property,
-    const PropertyCallbackInfo<Value>& info) {
+    Local<Name> property, const PropertyCallbackInfo<Value>& info) {
   // Skip symbols
   if (!property->IsString()) {
     return Intercepted::kNo;
@@ -813,8 +812,7 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
 }
 
 Intercepted DatabaseSyncLimits::LimitsQuery(
-    Local<Name> property,
-    const PropertyCallbackInfo<Integer>& info) {
+    Local<Name> property, const PropertyCallbackInfo<Integer>& info) {
   if (!property->IsString()) {
     return Intercepted::kNo;
   }
@@ -828,8 +826,7 @@ Intercepted DatabaseSyncLimits::LimitsQuery(
   }
 
   // Property exists and is writable
-  info.GetReturnValue().Set(
-      Integer::New(isolate, v8::PropertyAttribute::None));
+  info.GetReturnValue().Set(Integer::New(isolate, v8::PropertyAttribute::None));
   return Intercepted::kYes;
 }
 
@@ -849,8 +846,7 @@ void DatabaseSyncLimits::LimitsEnumerator(
 }
 
 BaseObjectPtr<DatabaseSyncLimits> DatabaseSyncLimits::Create(
-    Environment* env,
-    BaseObjectWeakPtr<DatabaseSync> database) {
+    Environment* env, BaseObjectWeakPtr<DatabaseSync> database) {
   Local<Object> obj;
   if (!GetTemplate(env)->NewInstance(env->context()).ToLocal(&obj)) {
     return nullptr;
@@ -1290,7 +1286,8 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
 
     // Parse limits option
     Local<Value> limits_v;
-    if (!options->Get(env->context(), env->limits_string()).ToLocal(&limits_v)) {
+    if (!options->Get(env->context(), env->limits_string())
+             .ToLocal(&limits_v)) {
       return;
     }
     if (!limits_v->IsUndefined()) {
@@ -1372,8 +1369,8 @@ void DatabaseSync::LimitsGetter(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
 
   if (!db->limits_object_) {
-    db->limits_object_ = DatabaseSyncLimits::Create(
-        env, BaseObjectWeakPtr<DatabaseSync>(db));
+    db->limits_object_ =
+        DatabaseSyncLimits::Create(env, BaseObjectWeakPtr<DatabaseSync>(db));
   }
 
   if (db->limits_object_) {
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 6c75aa517d1ac0..b8363e081efa4f 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -373,8 +373,7 @@ class DatabaseSyncLimits : public BaseObject {
   void MemoryInfo(MemoryTracker* tracker) const override;
   static v8::Local<v8::ObjectTemplate> GetTemplate(Environment* env);
   static BaseObjectPtr<DatabaseSyncLimits> Create(
-      Environment* env,
-      BaseObjectWeakPtr<DatabaseSync> database);
+      Environment* env, BaseObjectWeakPtr<DatabaseSync> database);
 
   static v8::Intercepted LimitsGetter(
       v8::Local<v8::Name> property,

From 2ab490afc0bec05df33285dce370e73506537847 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Tue, 6 Jan 2026 23:30:06 +0300
Subject: [PATCH 03/22] fix reviews

---
 doc/api/sqlite.md                   | 19 ++++++++++---
 src/node_sqlite.cc                  | 13 +++++----
 test/parallel/test-sqlite-limits.js | 41 +++++++++++++++++++++++------
 3 files changed, 55 insertions(+), 18 deletions(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index a34834f9a6b5bb..cc9f65669ece2c 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -157,19 +157,31 @@ changes:
     **Default:** `false`.
   * `limits` {Object} Configuration for various SQLite limits. These limits
     can be used to prevent excessive resource consumption when handling
-    potentially malicious input. See [Run-Time Limits][] in the SQLite
-    documentation for details. The following properties are supported:
+    potentially malicious input. See [Run-Time Limits][] and [Limit Constants][]
+    in the SQLite documentation for details. The following properties are
+    supported:
     * `length` {number} Maximum length of a string or BLOB.
+      **Default:** `1000000000`.
     * `sqlLength` {number} Maximum length of an SQL statement.
+      **Default:** `1000000000`.
     * `column` {number} Maximum number of columns.
+      **Default:** `2000`.
     * `exprDepth` {number} Maximum depth of expression tree.
+      **Default:** `1000`.
     * `compoundSelect` {number} Maximum number of terms in compound SELECT.
+      **Default:** `500`.
     * `vdbeOp` {number} Maximum number of VDBE instructions.
+      **Default:** `250000000`.
     * `functionArg` {number} Maximum number of function arguments.
+      **Default:** `1000`.
     * `attach` {number} Maximum number of attached databases.
+      **Default:** `10`.
     * `likePatternLength` {number} Maximum length of LIKE pattern.
+      **Default:** `50000`.
     * `variableNumber` {number} Maximum number of SQL variables.
+      **Default:** `32766`.
     * `triggerDepth` {number} Maximum trigger recursion depth.
+      **Default:** `1000`.
 
 Constructs a new `DatabaseSync` instance.
 
@@ -1490,11 +1502,12 @@ callback function to indicate what type of operation is being authorized.
 [Changesets and Patchsets]: https://www.sqlite.org/sessionintro.html#changesets_and_patchsets
 [Constants Passed To The Conflict Handler]: https://www.sqlite.org/session/c_changeset_conflict.html
 [Constants Returned From The Conflict Handler]: https://www.sqlite.org/session/c_changeset_abort.html
+[Limit Constants]: https://www.sqlite.org/c3ref/c_limit_attached.html
+[Run-Time Limits]: https://www.sqlite.org/c3ref/limit.html
 [SQL injection]: https://en.wikipedia.org/wiki/SQL_injection
 [Type conversion between JavaScript and SQLite]: #type-conversion-between-javascript-and-sqlite
 [`ATTACH DATABASE`]: https://www.sqlite.org/lang_attach.html
 [`PRAGMA foreign_keys`]: https://www.sqlite.org/pragma.html#pragma_foreign_keys
-[Run-Time Limits]: https://www.sqlite.org/c3ref/limit.html
 [`SQLITE_DBCONFIG_DEFENSIVE`]: https://www.sqlite.org/c3ref/c_dbconfig_defensive.html#sqlitedbconfigdefensive
 [`SQLITE_DETERMINISTIC`]: https://www.sqlite.org/c3ref/c_deterministic.html
 [`SQLITE_DIRECTONLY`]: https://www.sqlite.org/c3ref/c_deterministic.html
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 6dd3761c294bf5..73aaba3d030df9 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -12,6 +12,7 @@
 #include "threadpoolwork-inl.h"
 #include "util-inl.h"
 
+#include <array>
 #include <cinttypes>
 
 namespace node {
@@ -144,7 +145,7 @@ struct LimitInfo {
   int sqlite_limit_id;
 };
 
-static constexpr LimitInfo kLimitMapping[] = {
+static constexpr std::array<LimitInfo, 11> kLimitMapping = {{
     {"length", SQLITE_LIMIT_LENGTH},
     {"sqlLength", SQLITE_LIMIT_SQL_LENGTH},
     {"column", SQLITE_LIMIT_COLUMN},
@@ -156,13 +157,11 @@ static constexpr LimitInfo kLimitMapping[] = {
     {"likePatternLength", SQLITE_LIMIT_LIKE_PATTERN_LENGTH},
     {"variableNumber", SQLITE_LIMIT_VARIABLE_NUMBER},
     {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH},
-};
-
-static constexpr size_t kLimitMappingCount = arraysize(kLimitMapping);
+}};
 
 // Helper function to find limit ID from JS property name
 static int GetLimitIdFromName(const std::string& name) {
-  for (size_t i = 0; i < kLimitMappingCount; ++i) {
+  for (size_t i = 0; i < kLimitMapping.size(); ++i) {
     if (name == kLimitMapping[i].js_name) {
       return kLimitMapping[i].sqlite_limit_id;
     }
@@ -835,7 +834,7 @@ void DatabaseSyncLimits::LimitsEnumerator(
   Isolate* isolate = info.GetIsolate();
   LocalVector<Value> names(isolate);
 
-  for (size_t i = 0; i < kLimitMappingCount; ++i) {
+  for (size_t i = 0; i < kLimitMapping.size(); ++i) {
     Local<String> name;
     if (String::NewFromUtf8(isolate, kLimitMapping[i].js_name).ToLocal(&name)) {
       names.push_back(name);
@@ -1301,7 +1300,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
       Local<Object> limits_obj = limits_v.As<Object>();
 
       // Iterate through known limit names and extract values
-      for (size_t i = 0; i < kLimitMappingCount; ++i) {
+      for (size_t i = 0; i < kLimitMapping.size(); ++i) {
         Local<String> key;
         if (!String::NewFromUtf8(env->isolate(), kLimitMapping[i].js_name)
                  .ToLocal(&key)) {
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
index 8fa9c7230549c5..b5338bad5cfc65 100644
--- a/test/parallel/test-sqlite-limits.js
+++ b/test/parallel/test-sqlite-limits.js
@@ -5,6 +5,23 @@ const { DatabaseSync } = require('node:sqlite');
 const { suite, test } = require('node:test');
 
 suite('DatabaseSync limits', () => {
+  test('default limits match expected SQLite defaults', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.deepStrictEqual({ ...db.limits }, {
+      length: 1000000000,
+      sqlLength: 1000000000,
+      column: 2000,
+      exprDepth: 1000,
+      compoundSelect: 500,
+      vdbeOp: 250000000,
+      functionArg: 1000,
+      attach: 10,
+      likePatternLength: 50000,
+      variableNumber: 32766,
+      triggerDepth: 1000,
+    });
+  });
+
   test('constructor accepts limits option', (t) => {
     const db = new DatabaseSync(':memory:', {
       limits: {
@@ -33,7 +50,6 @@ suite('DatabaseSync limits', () => {
     t.assert.strictEqual(db.limits.likePatternLength, 1000);
     t.assert.strictEqual(db.limits.variableNumber, 100);
     t.assert.strictEqual(db.limits.triggerDepth, 5);
-    db.close();
   });
 
   test('getter returns current limit value', (t) => {
@@ -42,7 +58,6 @@ suite('DatabaseSync limits', () => {
     t.assert.ok(db.limits.length > 0);
     t.assert.strictEqual(typeof db.limits.sqlLength, 'number');
     t.assert.ok(db.limits.sqlLength > 0);
-    db.close();
   });
 
   test('setter modifies limit value', (t) => {
@@ -56,8 +71,6 @@ suite('DatabaseSync limits', () => {
 
     db.limits.column = 50;
     t.assert.strictEqual(db.limits.column, 50);
-
-    db.close();
   });
 
   test('throws on invalid argument type', (t) => {
@@ -68,7 +81,6 @@ suite('DatabaseSync limits', () => {
       name: 'TypeError',
       message: /Limit value must be an integer/,
     });
-    db.close();
   });
 
   test('throws on negative value', (t) => {
@@ -79,7 +91,6 @@ suite('DatabaseSync limits', () => {
       name: 'RangeError',
       message: /Limit value must be non-negative/,
     });
-    db.close();
   });
 
   test('throws on getter access after close', (t) => {
@@ -118,7 +129,6 @@ suite('DatabaseSync limits', () => {
     t.assert.ok(keys.includes('likePatternLength'));
     t.assert.ok(keys.includes('variableNumber'));
     t.assert.ok(keys.includes('triggerDepth'));
-    db.close();
   });
 
   test('throws on invalid limits option type', (t) => {
@@ -156,6 +166,21 @@ suite('DatabaseSync limits', () => {
     });
     t.assert.strictEqual(db.limits.length, 100000);
     t.assert.strictEqual(typeof db.limits.sqlLength, 'number');
-    db.close();
+  });
+
+  test('throws when exceeding column limit', (t) => {
+    const db = new DatabaseSync(':memory:', {
+      limits: {
+        column: 10,
+      }
+    });
+
+    db.exec('CREATE TABLE t1 (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10)');
+
+    t.assert.throws(() => {
+      db.exec('CREATE TABLE t2 (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11)');
+    }, {
+      message: /too many columns/,
+    });
   });
 });

From 96f141083f0671f3b9a207d4db486f423bd0cde0 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:39:59 +0300
Subject: [PATCH 04/22] Update node_sqlite.h

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index b8363e081efa4f..3e0d6f8217348d 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -88,7 +88,7 @@ class DatabaseOpenConfiguration {
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
   bool defensive_ = false;
-  std::map<int, int> initial_limits_;
+  std::array<std::optional<int>, SQLITE_LIMIT_TRIGGER_DEPTH + 1> initial_limits_;
 };
 
 class DatabaseSync;

From d9d722ee32ffb01de1672873e7359eb7e8704b9d Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:40:09 +0300
Subject: [PATCH 05/22] Update node_sqlite.cc

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 73aaba3d030df9..c21abbdc8f0cba 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -1317,7 +1317,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
             std::string msg = "The \"options.limits." +
                               std::string(kLimitMapping[i].js_name) +
                               "\" argument must be an integer.";
-            THROW_ERR_INVALID_ARG_TYPE(env->isolate(), msg.c_str());
+            THROW_ERR_INVALID_ARG_TYPE(env->isolate(), msg);
             return;
           }
 

From 6f093f46807f00205bda94992404998562e18ce5 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:40:17 +0300
Subject: [PATCH 06/22] Update node_sqlite.cc

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index c21abbdc8f0cba..191366965a8e71 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -1326,7 +1326,7 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
             std::string msg = "The \"options.limits." +
                               std::string(kLimitMapping[i].js_name) +
                               "\" argument must be non-negative.";
-            THROW_ERR_OUT_OF_RANGE(env->isolate(), msg.c_str());
+            THROW_ERR_OUT_OF_RANGE(env->isolate(), msg);
             return;
           }
 

From 3452324115bab9c8fa674dc8b0d80efa08294762 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:40:25 +0300
Subject: [PATCH 07/22] Update node_sqlite.cc

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 191366965a8e71..c13935fc750db3 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -818,7 +818,7 @@ Intercepted DatabaseSyncLimits::LimitsQuery(
 
   Isolate* isolate = info.GetIsolate();
   Utf8Value prop_name(isolate, property);
-  int limit_id = GetLimitIdFromName(*prop_name);
+  int limit_id = GetLimitIdFromName(prop_name.ToStringView());
 
   if (limit_id < 0) {
     return Intercepted::kNo;

From d7ee60a6d615b3b6c76f3cc7387d033425edf724 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:40:32 +0300
Subject: [PATCH 08/22] Update node_sqlite.cc

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index c13935fc750db3..5439ee6af68d93 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -750,7 +750,7 @@ Intercepted DatabaseSyncLimits::LimitsGetter(
   Isolate* isolate = env->isolate();
 
   Utf8Value prop_name(isolate, property);
-  int limit_id = GetLimitIdFromName(*prop_name);
+  int limit_id = GetLimitIdFromName(prop_name.ToStringView());
 
   if (limit_id < 0) {
     return Intercepted::kNo;  // Unknown property, let default handling occur

From cdc1ac9fabe9fa6e61e84cc344796736a81f2afa Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:40:42 +0300
Subject: [PATCH 09/22] Update node_sqlite.cc

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 5439ee6af68d93..adbe7d7d0f9a48 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -161,9 +161,9 @@ static constexpr std::array<LimitInfo, 11> kLimitMapping = {{
 
 // Helper function to find limit ID from JS property name
 static int GetLimitIdFromName(const std::string& name) {
-  for (size_t i = 0; i < kLimitMapping.size(); ++i) {
-    if (name == kLimitMapping[i].js_name) {
-      return kLimitMapping[i].sqlite_limit_id;
+  for (const auto& [limit_name, id] : kLimitMapping) {
+    if (name == limit_name) {
+      return id;
     }
   }
   return -1;  // Not found

From 16b5720d1ad0d45ee7949e30e9ec8f5c285e70cb Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:41:01 +0300
Subject: [PATCH 10/22] Update node_sqlite.cc

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index adbe7d7d0f9a48..be52bf39cf7378 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -160,7 +160,7 @@ static constexpr std::array<LimitInfo, 11> kLimitMapping = {{
 }};
 
 // Helper function to find limit ID from JS property name
-static int GetLimitIdFromName(const std::string& name) {
+static constexpr int GetLimitIdFromName(std::string_view name) {
   for (const auto& [limit_name, id] : kLimitMapping) {
     if (name == limit_name) {
       return id;

From e71e3111c090facd7b40552ed2710be10b3ec90c Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:41:09 +0300
Subject: [PATCH 11/22] Update node_sqlite.cc

Co-authored-by: Anna Henningsen <github@addaleax.net>
---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index be52bf39cf7378..ca2658cf65b622 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -141,7 +141,7 @@ Local<DictionaryTemplate> getLazyIterTemplate(Environment* env) {
 
 // Mapping from JavaScript property names to SQLite limit constants
 struct LimitInfo {
-  const char* js_name;
+  std::string_view js_name;
   int sqlite_limit_id;
 };
 

From f3a7f1e1161daceda20eae54ce3dcb7790db2fc7 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 00:56:54 +0300
Subject: [PATCH 12/22] reviews fixed

---
 src/node_sqlite.cc | 41 ++++++++++++++++++++++++++++-------------
 src/node_sqlite.h  |  8 +++++---
 2 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index ca2658cf65b622..cdd133f73510ca 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -345,7 +345,7 @@ class CustomAggregate {
   static inline void xStepBase(sqlite3_context* ctx,
                                int argc,
                                sqlite3_value** argv,
-                               Global<Function> CustomAggregate::*mptr) {
+                               Global<Function> CustomAggregate::* mptr) {
     CustomAggregate* self =
         static_cast<CustomAggregate*>(sqlite3_user_data(ctx));
     Environment* env = self->env_;
@@ -756,7 +756,7 @@ Intercepted DatabaseSyncLimits::LimitsGetter(
     return Intercepted::kNo;  // Unknown property, let default handling occur
   }
 
-  if (!limits->database_->IsOpen()) {
+  if (!limits->database_ || !limits->database_->IsOpen()) {
     THROW_ERR_INVALID_STATE(env, "database is not open");
     return Intercepted::kYes;
   }
@@ -788,7 +788,7 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
     return Intercepted::kNo;
   }
 
-  if (!limits->database_->IsOpen()) {
+  if (!limits->database_ || !limits->database_->IsOpen()) {
     THROW_ERR_INVALID_STATE(env, "database is not open");
     return Intercepted::kYes;
   }
@@ -836,7 +836,11 @@ void DatabaseSyncLimits::LimitsEnumerator(
 
   for (size_t i = 0; i < kLimitMapping.size(); ++i) {
     Local<String> name;
-    if (String::NewFromUtf8(isolate, kLimitMapping[i].js_name).ToLocal(&name)) {
+    if (String::NewFromUtf8(isolate,
+                            kLimitMapping[i].js_name.data(),
+                            NewStringType::kNormal,
+                            kLimitMapping[i].js_name.size())
+            .ToLocal(&name)) {
       names.push_back(name);
     }
   }
@@ -953,8 +957,11 @@ bool DatabaseSync::Open() {
   sqlite3_busy_timeout(connection_, open_config_.get_timeout());
 
   // Apply initial limits
-  for (const auto& [limit_id, limit_val] : open_config_.initial_limits()) {
-    sqlite3_limit(connection_, limit_id, limit_val);
+  const auto& limits = open_config_.initial_limits();
+  for (size_t i = 0; i < limits.size(); ++i) {
+    if (limits[i].has_value()) {
+      sqlite3_limit(connection_, static_cast<int>(i), limits[i].value());
+    }
   }
 
   if (allow_load_extension_) {
@@ -1302,7 +1309,10 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
       // Iterate through known limit names and extract values
       for (size_t i = 0; i < kLimitMapping.size(); ++i) {
         Local<String> key;
-        if (!String::NewFromUtf8(env->isolate(), kLimitMapping[i].js_name)
+        if (!String::NewFromUtf8(env->isolate(),
+                                 kLimitMapping[i].js_name.data(),
+                                 NewStringType::kNormal,
+                                 kLimitMapping[i].js_name.size())
                  .ToLocal(&key)) {
           return;
         }
@@ -1367,13 +1377,18 @@ void DatabaseSync::LimitsGetter(const FunctionCallbackInfo<Value>& args) {
   ASSIGN_OR_RETURN_UNWRAP(&db, args.This());
   Environment* env = Environment::GetCurrent(args);
 
-  if (!db->limits_object_) {
-    db->limits_object_ =
-        DatabaseSyncLimits::Create(env, BaseObjectWeakPtr<DatabaseSync>(db));
-  }
+  Local<Value> limits_val =
+      db->object()->GetInternalField(kLimitsObject).template As<Value>();
 
-  if (db->limits_object_) {
-    args.GetReturnValue().Set(db->limits_object_->object());
+  if (limits_val->IsUndefined()) {
+    BaseObjectPtr<DatabaseSyncLimits> limits =
+        DatabaseSyncLimits::Create(env, BaseObjectWeakPtr<DatabaseSync>(db));
+    if (limits) {
+      db->object()->SetInternalField(kLimitsObject, limits->object());
+      args.GetReturnValue().Set(limits->object());
+    }
+  } else {
+    args.GetReturnValue().Set(limits_val);
   }
 }
 
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
index 3e0d6f8217348d..d12179fc7847e1 100644
--- a/src/node_sqlite.h
+++ b/src/node_sqlite.h
@@ -73,7 +73,8 @@ class DatabaseOpenConfiguration {
     initial_limits_[limit_id] = value;
   }
 
-  inline const std::map<int, int>& initial_limits() const {
+  inline const std::array<std::optional<int>, SQLITE_LIMIT_TRIGGER_DEPTH + 1>&
+  initial_limits() const {
     return initial_limits_;
   }
 
@@ -88,7 +89,8 @@ class DatabaseOpenConfiguration {
   bool allow_bare_named_params_ = true;
   bool allow_unknown_named_params_ = false;
   bool defensive_ = false;
-  std::array<std::optional<int>, SQLITE_LIMIT_TRIGGER_DEPTH + 1> initial_limits_;
+  std::array<std::optional<int>, SQLITE_LIMIT_TRIGGER_DEPTH + 1>
+      initial_limits_;
 };
 
 class DatabaseSync;
@@ -128,6 +130,7 @@ class DatabaseSync : public BaseObject {
  public:
   enum InternalFields {
     kAuthorizerCallback = BaseObject::kInternalFieldCount,
+    kLimitsObject,
     kInternalFieldCount
   };
 
@@ -205,7 +208,6 @@ class DatabaseSync : public BaseObject {
   std::set<BackupJob*> backups_;
   std::set<sqlite3_session*> sessions_;
   std::unordered_set<StatementSync*> statements_;
-  BaseObjectPtr<DatabaseSyncLimits> limits_object_;
 
   friend class DatabaseSyncLimits;
   friend class Session;

From 2df2557e9fbb4cb02042515f3f8206d55d27ded8 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 01:01:59 +0300
Subject: [PATCH 13/22] lint

---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index cdd133f73510ca..a74195385753ba 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -345,7 +345,7 @@ class CustomAggregate {
   static inline void xStepBase(sqlite3_context* ctx,
                                int argc,
                                sqlite3_value** argv,
-                               Global<Function> CustomAggregate::* mptr) {
+                               Global<Function> CustomAggregate::*mptr) {
     CustomAggregate* self =
         static_cast<CustomAggregate*>(sqlite3_user_data(ctx));
     Environment* env = self->env_;

From 346d53cc9ff0e778415b97a487389af84a4e1f5f Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 02:16:04 +0300
Subject: [PATCH 14/22] added max value control

---
 src/node_sqlite.cc                  | 98 ++++++++++++++++++++++++-----
 test/parallel/test-sqlite-limits.js | 19 ++++++
 2 files changed, 102 insertions(+), 15 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index a74195385753ba..5ce8563c24a9d1 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -140,30 +140,82 @@ Local<DictionaryTemplate> getLazyIterTemplate(Environment* env) {
 }  // namespace
 
 // Mapping from JavaScript property names to SQLite limit constants
+// Default compile-time maximums from SQLite (these match SQLite's defaults)
+#ifndef SQLITE_MAX_LENGTH
+#define SQLITE_MAX_LENGTH 1000000000
+#endif
+#ifndef SQLITE_MAX_SQL_LENGTH
+#define SQLITE_MAX_SQL_LENGTH 1000000000
+#endif
+#ifndef SQLITE_MAX_COLUMN
+#define SQLITE_MAX_COLUMN 2000
+#endif
+#ifndef SQLITE_MAX_EXPR_DEPTH
+#define SQLITE_MAX_EXPR_DEPTH 1000
+#endif
+#ifndef SQLITE_MAX_COMPOUND_SELECT
+#define SQLITE_MAX_COMPOUND_SELECT 500
+#endif
+#ifndef SQLITE_MAX_VDBE_OP
+#define SQLITE_MAX_VDBE_OP 250000000
+#endif
+#ifndef SQLITE_MAX_FUNCTION_ARG
+#define SQLITE_MAX_FUNCTION_ARG 1000
+#endif
+#ifndef SQLITE_MAX_ATTACHED
+#define SQLITE_MAX_ATTACHED 10
+#endif
+#ifndef SQLITE_MAX_LIKE_PATTERN_LENGTH
+#define SQLITE_MAX_LIKE_PATTERN_LENGTH 50000
+#endif
+#ifndef SQLITE_MAX_VARIABLE_NUMBER
+#define SQLITE_MAX_VARIABLE_NUMBER 32766
+#endif
+#ifndef SQLITE_MAX_TRIGGER_DEPTH
+#define SQLITE_MAX_TRIGGER_DEPTH 1000
+#endif
+
 struct LimitInfo {
   std::string_view js_name;
   int sqlite_limit_id;
+  int max_value;
 };
 
 static constexpr std::array<LimitInfo, 11> kLimitMapping = {{
-    {"length", SQLITE_LIMIT_LENGTH},
-    {"sqlLength", SQLITE_LIMIT_SQL_LENGTH},
-    {"column", SQLITE_LIMIT_COLUMN},
-    {"exprDepth", SQLITE_LIMIT_EXPR_DEPTH},
-    {"compoundSelect", SQLITE_LIMIT_COMPOUND_SELECT},
-    {"vdbeOp", SQLITE_LIMIT_VDBE_OP},
-    {"functionArg", SQLITE_LIMIT_FUNCTION_ARG},
-    {"attach", SQLITE_LIMIT_ATTACHED},
-    {"likePatternLength", SQLITE_LIMIT_LIKE_PATTERN_LENGTH},
-    {"variableNumber", SQLITE_LIMIT_VARIABLE_NUMBER},
-    {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH},
+    {"length", SQLITE_LIMIT_LENGTH, SQLITE_MAX_LENGTH},
+    {"sqlLength", SQLITE_LIMIT_SQL_LENGTH, SQLITE_MAX_SQL_LENGTH},
+    {"column", SQLITE_LIMIT_COLUMN, SQLITE_MAX_COLUMN},
+    {"exprDepth", SQLITE_LIMIT_EXPR_DEPTH, SQLITE_MAX_EXPR_DEPTH},
+    {"compoundSelect",
+     SQLITE_LIMIT_COMPOUND_SELECT,
+     SQLITE_MAX_COMPOUND_SELECT},
+    {"vdbeOp", SQLITE_LIMIT_VDBE_OP, SQLITE_MAX_VDBE_OP},
+    {"functionArg", SQLITE_LIMIT_FUNCTION_ARG, SQLITE_MAX_FUNCTION_ARG},
+    {"attach", SQLITE_LIMIT_ATTACHED, SQLITE_MAX_ATTACHED},
+    {"likePatternLength",
+     SQLITE_LIMIT_LIKE_PATTERN_LENGTH,
+     SQLITE_MAX_LIKE_PATTERN_LENGTH},
+    {"variableNumber",
+     SQLITE_LIMIT_VARIABLE_NUMBER,
+     SQLITE_MAX_VARIABLE_NUMBER},
+    {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH, SQLITE_MAX_TRIGGER_DEPTH},
 }};
 
 // Helper function to find limit ID from JS property name
 static constexpr int GetLimitIdFromName(std::string_view name) {
-  for (const auto& [limit_name, id] : kLimitMapping) {
-    if (name == limit_name) {
-      return id;
+  for (const auto& info : kLimitMapping) {
+    if (name == info.js_name) {
+      return info.sqlite_limit_id;
+    }
+  }
+  return -1;  // Not found
+}
+
+// Helper function to get max value for a limit ID
+static constexpr int GetMaxValueForLimitId(int limit_id) {
+  for (const auto& info : kLimitMapping) {
+    if (info.sqlite_limit_id == limit_id) {
+      return info.max_value;
     }
   }
   return -1;  // Not found
@@ -345,7 +397,7 @@ class CustomAggregate {
   static inline void xStepBase(sqlite3_context* ctx,
                                int argc,
                                sqlite3_value** argv,
-                               Global<Function> CustomAggregate::*mptr) {
+                               Global<Function> CustomAggregate::* mptr) {
     CustomAggregate* self =
         static_cast<CustomAggregate*>(sqlite3_user_data(ctx));
     Environment* env = self->env_;
@@ -806,6 +858,14 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
     return Intercepted::kYes;
   }
 
+  // Validate against compile-time maximum
+  int max_value = GetMaxValueForLimitId(limit_id);
+  if (new_value > max_value) {
+    THROW_ERR_OUT_OF_RANGE(isolate,
+                           "Limit value exceeds compile-time maximum.");
+    return Intercepted::kYes;
+  }
+
   sqlite3_limit(limits->database_->Connection(), limit_id, new_value);
   return Intercepted::kYes;
 }
@@ -1340,6 +1400,14 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
             return;
           }
 
+          if (limit_val > kLimitMapping[i].max_value) {
+            std::string msg = "The \"options.limits." +
+                              std::string(kLimitMapping[i].js_name) +
+                              "\" argument exceeds compile-time maximum.";
+            THROW_ERR_OUT_OF_RANGE(env->isolate(), msg);
+            return;
+          }
+
           open_config.set_initial_limit(kLimitMapping[i].sqlite_limit_id,
                                         limit_val);
         }
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
index b5338bad5cfc65..4d46a044b607e5 100644
--- a/test/parallel/test-sqlite-limits.js
+++ b/test/parallel/test-sqlite-limits.js
@@ -158,6 +158,25 @@ suite('DatabaseSync limits', () => {
     });
   });
 
+  test('throws on value exceeding compile-time maximum via setter', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.attach = 100;
+    }, {
+      name: 'RangeError',
+      message: /Limit value exceeds compile-time maximum/,
+    });
+  });
+
+  test('throws on value exceeding compile-time maximum in constructor', (t) => {
+    t.assert.throws(() => {
+      new DatabaseSync(':memory:', { limits: { attach: 100 } });
+    }, {
+      name: 'RangeError',
+      message: /options\.limits\.attach.*exceeds compile-time maximum/,
+    });
+  });
+
   test('partial limits in constructor', (t) => {
     const db = new DatabaseSync(':memory:', {
       limits: {

From 7164b3dd3e5c020178a7c3f9ca6e1fb0412559fa Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 02:20:01 +0300
Subject: [PATCH 15/22] used single cycle

---
 src/node_sqlite.cc | 43 +++++++++++++++++--------------------------
 1 file changed, 17 insertions(+), 26 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 5ce8563c24a9d1..12f9e78a8533ff 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -201,21 +201,11 @@ static constexpr std::array<LimitInfo, 11> kLimitMapping = {{
     {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH, SQLITE_MAX_TRIGGER_DEPTH},
 }};
 
-// Helper function to find limit ID from JS property name
-static constexpr int GetLimitIdFromName(std::string_view name) {
-  for (const auto& info : kLimitMapping) {
-    if (name == info.js_name) {
-      return info.sqlite_limit_id;
-    }
-  }
-  return -1;  // Not found
-}
-
-// Helper function to get max value for a limit ID
-static constexpr int GetMaxValueForLimitId(int limit_id) {
-  for (const auto& info : kLimitMapping) {
-    if (info.sqlite_limit_id == limit_id) {
-      return info.max_value;
+// Helper function to find limit index from JS property name
+static constexpr int GetLimitIndexFromName(std::string_view name) {
+  for (size_t i = 0; i < kLimitMapping.size(); ++i) {
+    if (name == kLimitMapping[i].js_name) {
+      return static_cast<int>(i);
     }
   }
   return -1;  // Not found
@@ -802,9 +792,9 @@ Intercepted DatabaseSyncLimits::LimitsGetter(
   Isolate* isolate = env->isolate();
 
   Utf8Value prop_name(isolate, property);
-  int limit_id = GetLimitIdFromName(prop_name.ToStringView());
+  int idx = GetLimitIndexFromName(prop_name.ToStringView());
 
-  if (limit_id < 0) {
+  if (idx < 0) {
     return Intercepted::kNo;  // Unknown property, let default handling occur
   }
 
@@ -813,8 +803,8 @@ Intercepted DatabaseSyncLimits::LimitsGetter(
     return Intercepted::kYes;
   }
 
-  int current_value =
-      sqlite3_limit(limits->database_->Connection(), limit_id, -1);
+  int current_value = sqlite3_limit(
+      limits->database_->Connection(), kLimitMapping[idx].sqlite_limit_id, -1);
   info.GetReturnValue().Set(Integer::New(isolate, current_value));
   return Intercepted::kYes;
 }
@@ -834,9 +824,9 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
   Isolate* isolate = env->isolate();
 
   Utf8Value prop_name(isolate, property);
-  int limit_id = GetLimitIdFromName(*prop_name);
+  int idx = GetLimitIndexFromName(*prop_name);
 
-  if (limit_id < 0) {
+  if (idx < 0) {
     return Intercepted::kNo;
   }
 
@@ -859,14 +849,15 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
   }
 
   // Validate against compile-time maximum
-  int max_value = GetMaxValueForLimitId(limit_id);
-  if (new_value > max_value) {
+  if (new_value > kLimitMapping[idx].max_value) {
     THROW_ERR_OUT_OF_RANGE(isolate,
                            "Limit value exceeds compile-time maximum.");
     return Intercepted::kYes;
   }
 
-  sqlite3_limit(limits->database_->Connection(), limit_id, new_value);
+  sqlite3_limit(limits->database_->Connection(),
+                kLimitMapping[idx].sqlite_limit_id,
+                new_value);
   return Intercepted::kYes;
 }
 
@@ -878,9 +869,9 @@ Intercepted DatabaseSyncLimits::LimitsQuery(
 
   Isolate* isolate = info.GetIsolate();
   Utf8Value prop_name(isolate, property);
-  int limit_id = GetLimitIdFromName(prop_name.ToStringView());
+  int idx = GetLimitIndexFromName(prop_name.ToStringView());
 
-  if (limit_id < 0) {
+  if (idx < 0) {
     return Intercepted::kNo;
   }
 

From fd2a144eaee2412c72b827df16495686c0cbdf72 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 02:26:43 +0300
Subject: [PATCH 16/22] repair

---
 src/node_sqlite.cc | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 12f9e78a8533ff..5842a7d95a9c31 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -201,14 +201,14 @@ static constexpr std::array<LimitInfo, 11> kLimitMapping = {{
     {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH, SQLITE_MAX_TRIGGER_DEPTH},
 }};
 
-// Helper function to find limit index from JS property name
-static constexpr int GetLimitIndexFromName(std::string_view name) {
-  for (size_t i = 0; i < kLimitMapping.size(); ++i) {
-    if (name == kLimitMapping[i].js_name) {
-      return static_cast<int>(i);
+// Helper function to find limit info from JS property name
+static constexpr const LimitInfo* GetLimitInfoFromName(std::string_view name) {
+  for (const auto& info : kLimitMapping) {
+    if (name == info.js_name) {
+      return &info;
     }
   }
-  return -1;  // Not found
+  return nullptr;
 }
 
 inline MaybeLocal<Object> CreateSQLiteError(Isolate* isolate,
@@ -792,9 +792,9 @@ Intercepted DatabaseSyncLimits::LimitsGetter(
   Isolate* isolate = env->isolate();
 
   Utf8Value prop_name(isolate, property);
-  int idx = GetLimitIndexFromName(prop_name.ToStringView());
+  const LimitInfo* limit_info = GetLimitInfoFromName(prop_name.ToStringView());
 
-  if (idx < 0) {
+  if (!limit_info) {
     return Intercepted::kNo;  // Unknown property, let default handling occur
   }
 
@@ -804,7 +804,7 @@ Intercepted DatabaseSyncLimits::LimitsGetter(
   }
 
   int current_value = sqlite3_limit(
-      limits->database_->Connection(), kLimitMapping[idx].sqlite_limit_id, -1);
+      limits->database_->Connection(), limit_info->sqlite_limit_id, -1);
   info.GetReturnValue().Set(Integer::New(isolate, current_value));
   return Intercepted::kYes;
 }
@@ -824,9 +824,9 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
   Isolate* isolate = env->isolate();
 
   Utf8Value prop_name(isolate, property);
-  int idx = GetLimitIndexFromName(*prop_name);
+  const LimitInfo* limit_info = GetLimitInfoFromName(*prop_name);
 
-  if (idx < 0) {
+  if (!limit_info) {
     return Intercepted::kNo;
   }
 
@@ -849,15 +849,14 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
   }
 
   // Validate against compile-time maximum
-  if (new_value > kLimitMapping[idx].max_value) {
+  if (new_value > limit_info->max_value) {
     THROW_ERR_OUT_OF_RANGE(isolate,
                            "Limit value exceeds compile-time maximum.");
     return Intercepted::kYes;
   }
 
-  sqlite3_limit(limits->database_->Connection(),
-                kLimitMapping[idx].sqlite_limit_id,
-                new_value);
+  sqlite3_limit(
+      limits->database_->Connection(), limit_info->sqlite_limit_id, new_value);
   return Intercepted::kYes;
 }
 
@@ -869,9 +868,9 @@ Intercepted DatabaseSyncLimits::LimitsQuery(
 
   Isolate* isolate = info.GetIsolate();
   Utf8Value prop_name(isolate, property);
-  int idx = GetLimitIndexFromName(prop_name.ToStringView());
+  const LimitInfo* limit_info = GetLimitInfoFromName(prop_name.ToStringView());
 
-  if (idx < 0) {
+  if (!limit_info) {
     return Intercepted::kNo;
   }
 

From a45872b9b6d309271afcc8c3520d0c32d7bdd6c4 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 02:34:02 +0300
Subject: [PATCH 17/22] lint

---
 src/node_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 5842a7d95a9c31..0c7b42b6342089 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -387,7 +387,7 @@ class CustomAggregate {
   static inline void xStepBase(sqlite3_context* ctx,
                                int argc,
                                sqlite3_value** argv,
-                               Global<Function> CustomAggregate::* mptr) {
+                               Global<Function> CustomAggregate::*mptr) {
     CustomAggregate* self =
         static_cast<CustomAggregate*>(sqlite3_user_data(ctx));
     Environment* env = self->env_;

From 44041d67f450b477d93c55b2ce8d4e3dda78882d Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 23:35:02 +0300
Subject: [PATCH 18/22] review fixed

---
 doc/api/sqlite.md                   | 16 ++----
 src/node_sqlite.cc                  | 81 +++++------------------------
 test/parallel/test-sqlite-limits.js | 54 ++++++++-----------
 3 files changed, 36 insertions(+), 115 deletions(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index cc9f65669ece2c..beb18cdc26d3be 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -158,30 +158,20 @@ changes:
   * `limits` {Object} Configuration for various SQLite limits. These limits
     can be used to prevent excessive resource consumption when handling
     potentially malicious input. See [Run-Time Limits][] and [Limit Constants][]
-    in the SQLite documentation for details. The following properties are
-    supported:
+    in the SQLite documentation for details. Default values are determined by
+    SQLite's compile-time defaults and may vary depending on how SQLite was
+    built. The following properties are supported:
     * `length` {number} Maximum length of a string or BLOB.
-      **Default:** `1000000000`.
     * `sqlLength` {number} Maximum length of an SQL statement.
-      **Default:** `1000000000`.
     * `column` {number} Maximum number of columns.
-      **Default:** `2000`.
     * `exprDepth` {number} Maximum depth of expression tree.
-      **Default:** `1000`.
     * `compoundSelect` {number} Maximum number of terms in compound SELECT.
-      **Default:** `500`.
     * `vdbeOp` {number} Maximum number of VDBE instructions.
-      **Default:** `250000000`.
     * `functionArg` {number} Maximum number of function arguments.
-      **Default:** `1000`.
     * `attach` {number} Maximum number of attached databases.
-      **Default:** `10`.
     * `likePatternLength` {number} Maximum length of LIKE pattern.
-      **Default:** `50000`.
     * `variableNumber` {number} Maximum number of SQL variables.
-      **Default:** `32766`.
     * `triggerDepth` {number} Maximum trigger recursion depth.
-      **Default:** `1000`.
 
 Constructs a new `DatabaseSync` instance.
 
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 0c7b42b6342089..486336ff61d8c7 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -140,65 +140,23 @@ Local<DictionaryTemplate> getLazyIterTemplate(Environment* env) {
 }  // namespace
 
 // Mapping from JavaScript property names to SQLite limit constants
-// Default compile-time maximums from SQLite (these match SQLite's defaults)
-#ifndef SQLITE_MAX_LENGTH
-#define SQLITE_MAX_LENGTH 1000000000
-#endif
-#ifndef SQLITE_MAX_SQL_LENGTH
-#define SQLITE_MAX_SQL_LENGTH 1000000000
-#endif
-#ifndef SQLITE_MAX_COLUMN
-#define SQLITE_MAX_COLUMN 2000
-#endif
-#ifndef SQLITE_MAX_EXPR_DEPTH
-#define SQLITE_MAX_EXPR_DEPTH 1000
-#endif
-#ifndef SQLITE_MAX_COMPOUND_SELECT
-#define SQLITE_MAX_COMPOUND_SELECT 500
-#endif
-#ifndef SQLITE_MAX_VDBE_OP
-#define SQLITE_MAX_VDBE_OP 250000000
-#endif
-#ifndef SQLITE_MAX_FUNCTION_ARG
-#define SQLITE_MAX_FUNCTION_ARG 1000
-#endif
-#ifndef SQLITE_MAX_ATTACHED
-#define SQLITE_MAX_ATTACHED 10
-#endif
-#ifndef SQLITE_MAX_LIKE_PATTERN_LENGTH
-#define SQLITE_MAX_LIKE_PATTERN_LENGTH 50000
-#endif
-#ifndef SQLITE_MAX_VARIABLE_NUMBER
-#define SQLITE_MAX_VARIABLE_NUMBER 32766
-#endif
-#ifndef SQLITE_MAX_TRIGGER_DEPTH
-#define SQLITE_MAX_TRIGGER_DEPTH 1000
-#endif
-
 struct LimitInfo {
   std::string_view js_name;
   int sqlite_limit_id;
-  int max_value;
 };
 
 static constexpr std::array<LimitInfo, 11> kLimitMapping = {{
-    {"length", SQLITE_LIMIT_LENGTH, SQLITE_MAX_LENGTH},
-    {"sqlLength", SQLITE_LIMIT_SQL_LENGTH, SQLITE_MAX_SQL_LENGTH},
-    {"column", SQLITE_LIMIT_COLUMN, SQLITE_MAX_COLUMN},
-    {"exprDepth", SQLITE_LIMIT_EXPR_DEPTH, SQLITE_MAX_EXPR_DEPTH},
-    {"compoundSelect",
-     SQLITE_LIMIT_COMPOUND_SELECT,
-     SQLITE_MAX_COMPOUND_SELECT},
-    {"vdbeOp", SQLITE_LIMIT_VDBE_OP, SQLITE_MAX_VDBE_OP},
-    {"functionArg", SQLITE_LIMIT_FUNCTION_ARG, SQLITE_MAX_FUNCTION_ARG},
-    {"attach", SQLITE_LIMIT_ATTACHED, SQLITE_MAX_ATTACHED},
-    {"likePatternLength",
-     SQLITE_LIMIT_LIKE_PATTERN_LENGTH,
-     SQLITE_MAX_LIKE_PATTERN_LENGTH},
-    {"variableNumber",
-     SQLITE_LIMIT_VARIABLE_NUMBER,
-     SQLITE_MAX_VARIABLE_NUMBER},
-    {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH, SQLITE_MAX_TRIGGER_DEPTH},
+    {"length", SQLITE_LIMIT_LENGTH},
+    {"sqlLength", SQLITE_LIMIT_SQL_LENGTH},
+    {"column", SQLITE_LIMIT_COLUMN},
+    {"exprDepth", SQLITE_LIMIT_EXPR_DEPTH},
+    {"compoundSelect", SQLITE_LIMIT_COMPOUND_SELECT},
+    {"vdbeOp", SQLITE_LIMIT_VDBE_OP},
+    {"functionArg", SQLITE_LIMIT_FUNCTION_ARG},
+    {"attach", SQLITE_LIMIT_ATTACHED},
+    {"likePatternLength", SQLITE_LIMIT_LIKE_PATTERN_LENGTH},
+    {"variableNumber", SQLITE_LIMIT_VARIABLE_NUMBER},
+    {"triggerDepth", SQLITE_LIMIT_TRIGGER_DEPTH},
 }};
 
 // Helper function to find limit info from JS property name
@@ -387,7 +345,7 @@ class CustomAggregate {
   static inline void xStepBase(sqlite3_context* ctx,
                                int argc,
                                sqlite3_value** argv,
-                               Global<Function> CustomAggregate::*mptr) {
+                               Global<Function> CustomAggregate::* mptr) {
     CustomAggregate* self =
         static_cast<CustomAggregate*>(sqlite3_user_data(ctx));
     Environment* env = self->env_;
@@ -848,13 +806,6 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
     return Intercepted::kYes;
   }
 
-  // Validate against compile-time maximum
-  if (new_value > limit_info->max_value) {
-    THROW_ERR_OUT_OF_RANGE(isolate,
-                           "Limit value exceeds compile-time maximum.");
-    return Intercepted::kYes;
-  }
-
   sqlite3_limit(
       limits->database_->Connection(), limit_info->sqlite_limit_id, new_value);
   return Intercepted::kYes;
@@ -1390,14 +1341,6 @@ void DatabaseSync::New(const FunctionCallbackInfo<Value>& args) {
             return;
           }
 
-          if (limit_val > kLimitMapping[i].max_value) {
-            std::string msg = "The \"options.limits." +
-                              std::string(kLimitMapping[i].js_name) +
-                              "\" argument exceeds compile-time maximum.";
-            THROW_ERR_OUT_OF_RANGE(env->isolate(), msg);
-            return;
-          }
-
           open_config.set_initial_limit(kLimitMapping[i].sqlite_limit_id,
                                         limit_val);
         }
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
index 4d46a044b607e5..ab834d584d1c5b 100644
--- a/test/parallel/test-sqlite-limits.js
+++ b/test/parallel/test-sqlite-limits.js
@@ -5,21 +5,28 @@ const { DatabaseSync } = require('node:sqlite');
 const { suite, test } = require('node:test');
 
 suite('DatabaseSync limits', () => {
-  test('default limits match expected SQLite defaults', (t) => {
+  test('limits object has expected properties with positive values', (t) => {
     const db = new DatabaseSync(':memory:');
-    t.assert.deepStrictEqual({ ...db.limits }, {
-      length: 1000000000,
-      sqlLength: 1000000000,
-      column: 2000,
-      exprDepth: 1000,
-      compoundSelect: 500,
-      vdbeOp: 250000000,
-      functionArg: 1000,
-      attach: 10,
-      likePatternLength: 50000,
-      variableNumber: 32766,
-      triggerDepth: 1000,
-    });
+    const expectedProperties = [
+      'length',
+      'sqlLength',
+      'column',
+      'exprDepth',
+      'compoundSelect',
+      'vdbeOp',
+      'functionArg',
+      'attach',
+      'likePatternLength',
+      'variableNumber',
+      'triggerDepth',
+    ];
+
+    for (const prop of expectedProperties) {
+      t.assert.strictEqual(typeof db.limits[prop], 'number',
+        `${prop} should be a number`);
+      t.assert.ok(db.limits[prop] > 0,
+        `${prop} should be positive`);
+    }
   });
 
   test('constructor accepts limits option', (t) => {
@@ -158,25 +165,6 @@ suite('DatabaseSync limits', () => {
     });
   });
 
-  test('throws on value exceeding compile-time maximum via setter', (t) => {
-    const db = new DatabaseSync(':memory:');
-    t.assert.throws(() => {
-      db.limits.attach = 100;
-    }, {
-      name: 'RangeError',
-      message: /Limit value exceeds compile-time maximum/,
-    });
-  });
-
-  test('throws on value exceeding compile-time maximum in constructor', (t) => {
-    t.assert.throws(() => {
-      new DatabaseSync(':memory:', { limits: { attach: 100 } });
-    }, {
-      name: 'RangeError',
-      message: /options\.limits\.attach.*exceeds compile-time maximum/,
-    });
-  });
-
   test('partial limits in constructor', (t) => {
     const db = new DatabaseSync(':memory:', {
       limits: {

From 5a16bdc16d0c13a56223ea8c75fd8e42ad27a22d Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Wed, 7 Jan 2026 23:37:39 +0300
Subject: [PATCH 19/22] lint

---
 src/node_sqlite.cc                  | 2 +-
 test/parallel/test-sqlite-limits.js | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 486336ff61d8c7..768f757ca6e6af 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -345,7 +345,7 @@ class CustomAggregate {
   static inline void xStepBase(sqlite3_context* ctx,
                                int argc,
                                sqlite3_value** argv,
-                               Global<Function> CustomAggregate::* mptr) {
+                               Global<Function> CustomAggregate::*mptr) {
     CustomAggregate* self =
         static_cast<CustomAggregate*>(sqlite3_user_data(ctx));
     Environment* env = self->env_;
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
index ab834d584d1c5b..fd2fad8760dcd9 100644
--- a/test/parallel/test-sqlite-limits.js
+++ b/test/parallel/test-sqlite-limits.js
@@ -23,9 +23,9 @@ suite('DatabaseSync limits', () => {
 
     for (const prop of expectedProperties) {
       t.assert.strictEqual(typeof db.limits[prop], 'number',
-        `${prop} should be a number`);
+                           `${prop} should be a number`);
       t.assert.ok(db.limits[prop] > 0,
-        `${prop} should be positive`);
+                  `${prop} should be positive`);
     }
   });
 

From ee8f35627aec62648bcc1dc2820bbe6914406200 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Fri, 9 Jan 2026 01:15:17 +0300
Subject: [PATCH 20/22] update sqlite limits to allow null for resetting to
 compile-time maximum

---
 doc/api/sqlite.md                   |  5 +++++
 src/node_sqlite.cc                  | 24 +++++++++++++++---------
 test/parallel/test-sqlite-limits.js | 15 ++++++++++++++-
 3 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index beb18cdc26d3be..c2e25b05f8b21e 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -479,12 +479,17 @@ console.log(db.limits.length);
 
 // Set a new limit
 db.limits.sqlLength = 100000;
+
+// Reset a limit to its compile-time maximum
+db.limits.sqlLength = null;
 ```
 
 Available properties: `length`, `sqlLength`, `column`, `exprDepth`,
 `compoundSelect`, `vdbeOp`, `functionArg`, `attach`, `likePatternLength`,
 `variableNumber`, `triggerDepth`.
 
+Setting a property to `null` resets the limit to its compile-time maximum value.
+
 ### `database.open()`
 
 <!-- YAML
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 768f757ca6e6af..edaa6844ceb5fc 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -14,6 +14,7 @@
 
 #include <array>
 #include <cinttypes>
+#include <climits>
 
 namespace node {
 namespace sqlite {
@@ -793,16 +794,21 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
     return Intercepted::kYes;
   }
 
-  if (!value->IsInt32()) {
-    THROW_ERR_INVALID_ARG_TYPE(isolate, "Limit value must be an integer.");
-    return Intercepted::kYes;
-  }
-
-  int new_value = value.As<Int32>()->Value();
+  int new_value;
 
-  // Validate non-negative
-  if (new_value < 0) {
-    THROW_ERR_OUT_OF_RANGE(isolate, "Limit value must be non-negative.");
+  if (value->IsNull()) {
+    // null resets the limit to the compile-time maximum
+    new_value = INT_MAX;
+  } else if (value->IsInt32()) {
+    new_value = value.As<Int32>()->Value();
+    // Validate non-negative
+    if (new_value < 0) {
+      THROW_ERR_OUT_OF_RANGE(isolate, "Limit value must be non-negative.");
+      return Intercepted::kYes;
+    }
+  } else {
+    THROW_ERR_INVALID_ARG_TYPE(
+        isolate, "Limit value must be an integer or null.");
     return Intercepted::kYes;
   }
 
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
index fd2fad8760dcd9..5bf2c36c60fa0b 100644
--- a/test/parallel/test-sqlite-limits.js
+++ b/test/parallel/test-sqlite-limits.js
@@ -80,13 +80,26 @@ suite('DatabaseSync limits', () => {
     t.assert.strictEqual(db.limits.column, 50);
   });
 
+  test('null resets limit to maximum', (t) => {
+    const db = new DatabaseSync(':memory:');
+    const originalLength = db.limits.length;
+
+    // Set to a lower value
+    db.limits.length = 100;
+    t.assert.strictEqual(db.limits.length, 100);
+
+    // Reset to maximum using null
+    db.limits.length = null;
+    t.assert.strictEqual(db.limits.length, originalLength);
+  });
+
   test('throws on invalid argument type', (t) => {
     const db = new DatabaseSync(':memory:');
     t.assert.throws(() => {
       db.limits.length = 'invalid';
     }, {
       name: 'TypeError',
-      message: /Limit value must be an integer/,
+      message: /Limit value must be an integer or null/,
     });
   });
 

From 771ad11362cf38c176b38ebc32dae8d3865d8898 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Fri, 9 Jan 2026 01:23:35 +0300
Subject: [PATCH 21/22] lint

---
 src/node_sqlite.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index edaa6844ceb5fc..44545b19d2e211 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -807,8 +807,8 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
       return Intercepted::kYes;
     }
   } else {
-    THROW_ERR_INVALID_ARG_TYPE(
-        isolate, "Limit value must be an integer or null.");
+    THROW_ERR_INVALID_ARG_TYPE(isolate,
+                               "Limit value must be an integer or null.");
     return Intercepted::kYes;
   }
 

From 2652ebc3d511cca63c05104f0ae112f043097512 Mon Sep 17 00:00:00 2001
From: Mert Can Altin <mertgold60@gmail.com>
Date: Sun, 11 Jan 2026 13:44:48 +0300
Subject: [PATCH 22/22] update sqlite limits to reset using Infinity instead of
 null

---
 doc/api/sqlite.md                   |  4 ++--
 src/node_sqlite.cc                  | 27 +++++++++++++++++----------
 test/parallel/test-sqlite-limits.js | 28 ++++++++++++++++++++++++----
 3 files changed, 43 insertions(+), 16 deletions(-)

diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index c2e25b05f8b21e..7209badc9df43c 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -481,14 +481,14 @@ console.log(db.limits.length);
 db.limits.sqlLength = 100000;
 
 // Reset a limit to its compile-time maximum
-db.limits.sqlLength = null;
+db.limits.sqlLength = Infinity;
 ```
 
 Available properties: `length`, `sqlLength`, `column`, `exprDepth`,
 `compoundSelect`, `vdbeOp`, `functionArg`, `attach`, `likePatternLength`,
 `variableNumber`, `triggerDepth`.
 
-Setting a property to `null` resets the limit to its compile-time maximum value.
+Setting a property to `Infinity` resets the limit to its compile-time maximum value.
 
 ### `database.open()`
 
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 44545b19d2e211..256108401b4c91 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -14,7 +14,8 @@
 
 #include <array>
 #include <cinttypes>
-#include <climits>
+#include <cmath>
+#include <limits>
 
 namespace node {
 namespace sqlite {
@@ -794,22 +795,28 @@ Intercepted DatabaseSyncLimits::LimitsSetter(
     return Intercepted::kYes;
   }
 
+  if (!value->IsNumber()) {
+    THROW_ERR_INVALID_ARG_TYPE(
+        isolate, "Limit value must be a non-negative integer or Infinity.");
+    return Intercepted::kYes;
+  }
+
+  const double num_value = value.As<Number>()->Value();
   int new_value;
 
-  if (value->IsNull()) {
-    // null resets the limit to the compile-time maximum
-    new_value = INT_MAX;
-  } else if (value->IsInt32()) {
+  if (std::isinf(num_value) && num_value > 0) {
+    // Positive Infinity resets the limit to the compile-time maximum
+    new_value = std::numeric_limits<int>::max();
+  } else if (!value->IsInt32()) {
+    THROW_ERR_INVALID_ARG_TYPE(
+        isolate, "Limit value must be a non-negative integer or Infinity.");
+    return Intercepted::kYes;
+  } else {
     new_value = value.As<Int32>()->Value();
-    // Validate non-negative
     if (new_value < 0) {
       THROW_ERR_OUT_OF_RANGE(isolate, "Limit value must be non-negative.");
       return Intercepted::kYes;
     }
-  } else {
-    THROW_ERR_INVALID_ARG_TYPE(isolate,
-                               "Limit value must be an integer or null.");
-    return Intercepted::kYes;
   }
 
   sqlite3_limit(
diff --git a/test/parallel/test-sqlite-limits.js b/test/parallel/test-sqlite-limits.js
index 5bf2c36c60fa0b..c52c9a7766f7e1 100644
--- a/test/parallel/test-sqlite-limits.js
+++ b/test/parallel/test-sqlite-limits.js
@@ -80,7 +80,7 @@ suite('DatabaseSync limits', () => {
     t.assert.strictEqual(db.limits.column, 50);
   });
 
-  test('null resets limit to maximum', (t) => {
+  test('Infinity resets limit to maximum', (t) => {
     const db = new DatabaseSync(':memory:');
     const originalLength = db.limits.length;
 
@@ -88,8 +88,8 @@ suite('DatabaseSync limits', () => {
     db.limits.length = 100;
     t.assert.strictEqual(db.limits.length, 100);
 
-    // Reset to maximum using null
-    db.limits.length = null;
+    // Reset to maximum using Infinity
+    db.limits.length = Infinity;
     t.assert.strictEqual(db.limits.length, originalLength);
   });
 
@@ -99,7 +99,7 @@ suite('DatabaseSync limits', () => {
       db.limits.length = 'invalid';
     }, {
       name: 'TypeError',
-      message: /Limit value must be an integer or null/,
+      message: /Limit value must be a non-negative integer or Infinity/,
     });
   });
 
@@ -113,6 +113,26 @@ suite('DatabaseSync limits', () => {
     });
   });
 
+  test('throws on null value', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = null;
+    }, {
+      name: 'TypeError',
+      message: /Limit value must be a non-negative integer or Infinity/,
+    });
+  });
+
+  test('throws on negative Infinity', (t) => {
+    const db = new DatabaseSync(':memory:');
+    t.assert.throws(() => {
+      db.limits.length = -Infinity;
+    }, {
+      name: 'TypeError',
+      message: /Limit value must be a non-negative integer or Infinity/,
+    });
+  });
+
   test('throws on getter access after close', (t) => {
     const db = new DatabaseSync(':memory:');
     db.close();