feat(pg-connection-string): warn if non-standard ssl options are used

In preparation for v3.0.0, we start warning users to be explicit about
the sslmode they want.

Author: hjr3

packages/pg-connection-string/.nyc_output/processinfo/index.json

@@ -1 +1 @@
-{"processes":{"417f2d4c-eaf2-4112-952c-a801df7fb93d":{"parent":null,"children":[]}},"files":{"/Users/bmc/src/node-postgres/packages/pg-connection-string/index.js":["417f2d4c-eaf2-4112-952c-a801df7fb93d"]},"externalIds":{}}
+{"processes":{"1bddb29d-b157-468d-a89e-00f3a50ed517":{"parent":null,"children":[]}},"files":{"/Users/herman/Code/node-postgres/packages/pg-connection-string/index.js":["1bddb29d-b157-468d-a89e-00f3a50ed517"]},"externalIds":{}}

packages/pg-connection-string/index.js

@@ -133,6 +133,16 @@ function parse(str, options = {}) {
       case 'require':
       case 'verify-ca':
       case 'verify-full': {
+        if (config.sslmode !== 'verify-full') {
+          console.warn(`SECURITY WARNING: The SSL modes 'prefer', 'require', and 'verify-ca' are treated as aliases for 'verify-full'.
+In the next major version (v3.0.0), these modes will adopt standard libpq semantics, which have weaker security guarantees.
+
+To prepare for this change:
+- If you want the current behavior, explicitly use 'sslmode=verify-full'
+- If you want libpq compatibility now, use 'uselibpqcompat=true&sslmode=${config.sslmode}'
+
+See https://www.postgresql.org/docs/current/libpq-ssl.html for libpq SSL mode definitions.`)
+        }
         break
       }
       case 'no-verify': {