p/prisma-firewall
A security firewall for Prisma
Neeraj L

7d ago

prisma-firewall - A security firewall for Prisma

Every Prisma developer has a silent risk in their codebase. A single deleteMany() with no where clause wipes an entire table. A findMany() with no limit dumps your entire database to the client. And there's a lesser-known attack called operator injection, where an attacker sends { "not": "" } as a password value instead of a plain string, and Prisma accepts it as a valid query operator, bypassing authentication entirely. When tested, Prisma did not block it. prisma-firewall does.
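
The three risks described in the post, written as a check that runs on Prisma-style query arguments before they reach the client. This is an added example, not part of the original post and not prisma-firewall's own code; inspectQuery, SCALAR_ONLY and the sample request body are assumptions constructed for illustration.

```javascript
// Added example: inspectQuery and SCALAR_ONLY are hypothetical names,
// not prisma-firewall's API.

// Fields whose filter value must be a plain string when it comes from user input.
const SCALAR_ONLY = new Set(["email", "password"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v) && !(v instanceof Date);

// Returns a list of findings for one Prisma-style call; an empty list means allowed.
function inspectQuery(action, args = {}) {
  const findings = [];
  const where = args.where;
  const emptyWhere = !isPlainObject(where) || Object.keys(where).length === 0;

  if (action === "deleteMany" && emptyWhere) {
    findings.push("deleteMany without a where clause");
  }
  if (action === "findMany" && !Number.isInteger(args.take)) {
    findings.push("findMany without a take limit");
  }

  // Walk the where tree (including AND/OR/NOT arrays) and flag any
  // scalar-only field that received something other than a string.
  const walk = (node) => {
    if (Array.isArray(node)) return node.forEach((n) => walk(n));
    if (!isPlainObject(node)) return;
    for (const [key, value] of Object.entries(node)) {
      if (SCALAR_ONLY.has(key) && typeof value !== "string") {
        findings.push(`non-string value in scalar field "${key}"`);
      } else {
        walk(value);
      }
    }
  };
  walk(where);
  return findings;
}

// Constructed login body as parsed from JSON: password is an object, not a string.
const body = JSON.parse('{"email":"admin@example.com","password":{"not":""}}');
const loginArgs = { where: { email: body.email, password: body.password } };
console.log(inspectQuery("findFirst", loginArgs));
```

A check like this only fits fields that the application never filters with operators on purpose; the stricter fix is to validate the request body's types before building the query at all.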