Thanks for this library!
One suggestion: Maybe you could state in the README that this library is more like an additional layer of protection. Because some developers may think that they don't need to do any additional checking of the input. But of course, even with this library installed, you shouldn't do stuff like `SELECT * FROM foo WHERE bar=${req.query.baz}`.
There are ISec companies that maintain this kind of list as part of their main business. They test against penetration tools and review against all CVEs. I worked in such a company, but unfortunately, I don't remember specific patterns and couldn't disclose any if I did.
I know I'm not being extremely useful. In any case, I think it is important to clearly state that companies with critical security requirements should probably not rely solely on this.
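To illustrate the point made above about `SELECT * FROM foo WHERE bar=${req.query.baz}`, here is an added example (not code from this library or its author) showing the interpolated query next to its parameterized form, using Python's built-in `sqlite3` with a constructed in-memory table; the table and column names `foo`/`bar` come from the comment, the rows are made up.

```python
import sqlite3


def make_db():
    """Constructed sample table: two rows, so a full-table leak is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER, bar INTEGER)")
    conn.executemany("INSERT INTO foo VALUES (?, ?)", [(1, 1), (2, 2)])
    conn.commit()
    return conn


def query_unsafe(conn, baz):
    """The pattern from the comment: request input pasted into the SQL text.

    Whatever `baz` contains becomes part of the statement, so input that
    looks like SQL changes the query's structure instead of being compared.
    """
    sql = f"SELECT id, bar FROM foo WHERE bar={baz} ORDER BY id"
    return conn.execute(sql).fetchall()


def query_safe(conn, baz):
    """Parameterized form: the driver binds `baz` as a value, never as SQL.

    The statement text is fixed; the input is only ever compared against the
    column, so no input filtering library is needed for correctness here.
    """
    sql = "SELECT id, bar FROM foo WHERE bar=? ORDER BY id"
    return conn.execute(sql, (baz,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, benign input:", query_unsafe(db, "1"))
    print("unsafe, SQL-shaped input:", query_unsafe(db, "1 OR 1=1"))
    print("safe,   benign input:", query_safe(db, "1"))
    print("safe,   SQL-shaped input:", query_safe(db, "1 OR 1=1"))
```

With the parameterized query the SQL-shaped input simply matches no row, which is the behaviour an input-filtering layer can only approximate.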