In October 2025, Kùzu Inc. archived KuzuDB — the embedded graph database — with a one-line note: "Kuzu is working on something new." The npm package was deprecated, and its transitive dependencies (tar@6.2.1, npmlog, gauge) carried 5 high-severity vulnerabilities with no fix coming.
EngramGraph runs on an embedded graph database. That database was Kuzu.
EngramGraph 0.3.0 is the migration release — and the migration turned out to be far cheaper than expected. Here's why, and what we learned.
The fix: ryugraph
The community responded to KuzuDB's abandonment with several forks. We evaluated them and picked ryugraph (Predictable Labs):
- MIT licensed, actively maintained, published on npm
- Designed as a drop-in Kuzu replacement — and in our experience, it actually is
- Same storage format lineage: existing .engram/graph.db files keep working
The core API — prepare(), execute(), query(), getAll() — is signature-identical to kuzu. Our entire test suite (69 tests) passed on the first run after the swap.
Why the migration was 6 lines
One architectural decision from day one paid for itself here: every raw database call goes through a single thin wrapper (GraphConnection, ~80 lines). The other 20+ call sites in the codebase only ever see the wrapper.
So the migration was:
- package.json: kuzu → ryugraph
- connection.ts: one import line
- Two type-only imports (KuzuValue → RyuValue)
That's it. If your project wraps its native dependencies behind one interface, an upstream abandonment becomes an afternoon, not a quarter.
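To make that wrapper-first rule concrete, here is an added example (not EngramGraph's own code): a thin connection class over a hypothetical GraphDriver interface, named after the four calls mentioned above (prepare/execute/query/getAll) but not the real kuzu or ryugraph typings, plus a guard you can run in CI that fails if any file outside the wrapper imports the native package directly. The sample source tree at the bottom is constructed.

```typescript
// Added example, not EngramGraph's own code. GraphDriver is a hypothetical
// minimal interface; it is not the kuzu or ryugraph API.

export type Row = Record<string, unknown>;

export interface DriverResult {
  getAll(): Promise<Row[]>;
}

export interface GraphDriver {
  prepare(cypher: string): Promise<unknown>;
  execute(statement: unknown, params: Record<string, unknown>): Promise<DriverResult>;
  query(cypher: string): Promise<DriverResult>;
}

// The single seam: every other module depends on this class, never on the
// driver package. Swapping kuzu for ryugraph means changing the import in the
// one file that constructs the driver and nothing else.
export class GraphConnection {
  private readonly driver: GraphDriver;

  constructor(driver: GraphDriver) {
    this.driver = driver;
  }

  // Parameterised execution only; callers never splice values into Cypher text.
  async run(cypher: string, params: Record<string, unknown> = {}): Promise<Row[]> {
    const statement = await this.driver.prepare(cypher);
    const result = await this.driver.execute(statement, params);
    return result.getAll();
  }
}

// Guard: scan source text for `import ... from "pkg"`, `import "pkg"` and
// `require("pkg")` and report any file outside the allowlist that names one of
// the native driver packages. Type-only imports count too: they also had to
// change in the migration (KuzuValue -> RyuValue).
export interface ImportViolation {
  file: string;
  specifier: string;
}

// Bare package name of an import specifier; "" for relative/absolute paths.
function packageNameOf(specifier: string): string {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return "";
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : (parts[0] ?? "");
}

export function findDriverImportViolations(
  files: Record<string, string>,
  nativePackages: string[],
  allowedFiles: string[],
): ImportViolation[] {
  const violations: ImportViolation[] = [];
  for (const file of Object.keys(files)) {
    if (allowedFiles.indexOf(file) !== -1) continue;
    const re = /(?:from\s*|import\s*|require\s*\(\s*)['"]([^'"]+)['"]/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(files[file])) !== null) {
      const specifier = m[1] ?? "";
      if (nativePackages.indexOf(packageNameOf(specifier)) !== -1) {
        violations.push({ file, specifier });
      }
    }
  }
  return violations;
}

// Constructed sample tree: the wrapper file may import the driver, a normal
// call site goes through the wrapper, and one stray file still requires the
// old package directly.
export const SAMPLE_FILES: Record<string, string> = {
  "src/connection.ts":
    'import ryugraph from "ryugraph";\nimport type { RyuValue } from "ryugraph";\n',
  "src/store.ts": 'import { GraphConnection } from "./connection";\n',
  "src/legacy/export.ts": 'const kuzu = require("kuzu");\n',
};
export const NATIVE_PACKAGES = ["kuzu", "ryugraph"];
export const WRAPPER_FILES = ["src/connection.ts"];
```

Wire findDriverImportViolations into a test that reads the real src/ tree and fails on a non-empty result; that is what keeps "only connection.ts imports the driver" true after the next contributor lands a quick fix.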
The leftover CVEs (and the override trick)
Swapping kuzu killed the deprecated-toolchain CVEs, but ryugraph itself pins cmake-js@^7.3.0, whose tar@6.2.1 carries known path-traversal CVEs. The fix exists upstream (cmake-js@8 uses a patched tar) — ryugraph just hasn't bumped yet.
npm overrides to the rescue (in package.json):
"overrides": {
  "cmake-js": "^8.0.0"
}
npm audit: 5 high → 0.
One caveat worth knowing: npm overrides don't propagate to downstream consumers. If you depend on engramgraph (or anything that depends on ryugraph), add the same override to your own package.json until ryugraph bumps cmake-js upstream.
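Because "npm audit says 0" and "the override actually changed what resolved" are two different facts, here is an added lockfile audit (not part of EngramGraph or ryugraph) that walks the packages map of a lockfileVersion 2 or 3 package-lock.json, lists every installed copy of a package, attributes each copy to the packages that resolve to it, and flags versions on a known-bad list. The two embedded lockfiles are constructed: the ryugraph version, the dependency ranges and the post-override tar version are placeholders, and only cmake-js@^7.3.0 pulling tar@6.2.1 and the ^8.0.0 override come from this post.

```typescript
// Added example, not EngramGraph's or ryugraph's code. Reads the "packages"
// map of package-lock.json (lockfileVersion 2/3) and reports installed copies
// of one package so you can confirm an npm override took effect.

export interface LockPackage {
  version?: string;
  dependencies?: Record<string, string>;
  optionalDependencies?: Record<string, string>;
}

export interface LockFile {
  lockfileVersion: number;
  packages: Record<string, LockPackage>;
}

export interface CopyReport {
  installedAt: string;   // lockfile path, e.g. "node_modules/tar"
  version: string;
  requiredBy: string[];  // packages whose dependency resolves to this copy
  vulnerable: boolean;
}

// Node-style resolution inside the lockfile: from `fromPath`, look for
// node_modules/<name> nested under it, then in each enclosing node_modules
// up to the root ("").
function resolveFrom(
  packages: Record<string, LockPackage>,
  fromPath: string,
  name: string,
): string | undefined {
  let cur = fromPath;
  for (;;) {
    const candidate = (cur === "" ? "" : cur + "/") + "node_modules/" + name;
    if (packages[candidate] !== undefined) return candidate;
    if (cur === "") return undefined;
    const idx = cur.lastIndexOf("/node_modules/");
    cur = idx === -1 ? "" : cur.slice(0, idx);
  }
}

export function auditPackage(lock: LockFile, name: string, badVersions: string[]): CopyReport[] {
  const packages = lock.packages;
  const suffix = "node_modules/" + name;
  const reports: Record<string, CopyReport> = {};
  // Pass 1: every installed copy, top-level or nested.
  for (const path of Object.keys(packages)) {
    if (path === suffix || path.endsWith("/" + suffix)) {
      const version = packages[path].version ?? "unknown";
      reports[path] = {
        installedAt: path,
        version,
        requiredBy: [],
        vulnerable: badVersions.indexOf(version) !== -1,
      };
    }
  }
  // Pass 2: attribute each copy to the packages that depend on `name`.
  for (const path of Object.keys(packages)) {
    const entry = packages[path];
    const deps = { ...(entry.dependencies ?? {}), ...(entry.optionalDependencies ?? {}) };
    if (!(name in deps)) continue;
    const target = resolveFrom(packages, path, name);
    if (target !== undefined && reports[target] !== undefined) {
      reports[target].requiredBy.push(path === "" ? "(root)" : path);
    }
  }
  return Object.keys(reports).map((k) => reports[k]);
}

// Constructed lockfiles (placeholder versions and ranges, not real metadata).
// Note ryugraph still declares cmake-js ^7.3.0 in both; the override is what
// moves the resolved cmake-js, and with it tar, in the second one.
export const LOCK_BEFORE_OVERRIDE: LockFile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { ryugraph: "*" } },
    "node_modules/ryugraph": { version: "0.0.0-placeholder", dependencies: { "cmake-js": "^7.3.0" } },
    "node_modules/cmake-js": { version: "7.3.0", dependencies: { tar: "^6.0.0" } },
    "node_modules/tar": { version: "6.2.1" },
  },
};
export const LOCK_AFTER_OVERRIDE: LockFile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { ryugraph: "*" } },
    "node_modules/ryugraph": { version: "0.0.0-placeholder", dependencies: { "cmake-js": "^7.3.0" } },
    "node_modules/cmake-js": { version: "8.0.0", dependencies: { tar: "^7.0.0" } },
    "node_modules/tar": { version: "7.0.0" }, // placeholder for the patched tar
  },
};
export const KNOWN_BAD_TAR = ["6.2.1"]; // from this post; extend from your advisory feed
```

Feed it JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and fail CI on any vulnerable copy. Since overrides do not propagate, a downstream consumer running the same scan on its own lockfile is how it learns it still needs the cmake-js override in its own package.json.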
Upgrading
npm install engramgraph@0.3.0
One breaking change: the KuzuValue type is now RyuValue. If you imported it, update the import — everything else is unchanged.
MIT · Node ≥ 22 · github.com/AsiaOstrich/EngramGraph