Looking at test coverage suggested some more tests.

I hadn't tested comment-based concatenation hazards and
there was a non-operational branch in the interpolation loop.

Author: mikesamuel

lib/es6/Lexer.js

@@ -25,8 +25,11 @@ const PREFIX_BEFORE_DELIMITER = new RegExp(
       // Comment
       // https://dev.mysql.com/doc/refman/5.7/en/comments.html
       // https://dev.mysql.com/doc/refman/5.7/en/ansi-diff-comments.html
-      '--(?=' + WS + ')[^\\r\\n]*' +
-      '|#[^\\r\\n]*' +
+      // If we do not see a newline at the end of a comment, then it is
+      // a concatenation hazard; a fragment concatened at the end would
+      // start in a comment context.
+      '--(?=' + WS + ')[^\\r\\n]*[\r\n]' +
+      '|#[^\\r\\n]*[\r\n]' +
       '|/[*][\\s\\S]*?[*]/'
     ) +
     '|' +

lib/es6/Template.js

@@ -66,14 +66,13 @@ function interpolateSqlIntoFragment (
     const chunk = chunks[i];
     // The count of values must be 1 less than the surrounding
     // chunks of literal text.
-    if (i !== 0) {
-      const delimiter = delimiters[i - 1];
-      const value = values[i - 1];
-      if (delimiter) {
-        result += escapeDelimitedValue(value, delimiter, timeZone);
-      } else {
-        result += SqlString.escape(value, stringifyObjects, timeZone);
-      }
+    const delimiter = delimiters[i - 1];
+    const value = values[i - 1];
+
+    if (delimiter) {
+      result += escapeDelimitedValue(value, delimiter, timeZone);
+    } else {
+      result += SqlString.escape(value, stringifyObjects, timeZone);
     }
 
     result += chunk;

test/unit/es6/Template.js

@@ -124,5 +124,19 @@ test('template tag', {
     runTagTest(
       "SELECT X FROM T WHERE X IN (123, 'foo', `foo`, 1 + 1)",
       () => sql`SELECT X FROM T WHERE X IN (${values})`);
+  },
+  'unclosed-sq': function () {
+    assert.throws(() => sql`SELECT '${'foo'}`);
+  },
+  'unclosed-dq': function () {
+    assert.throws(() => sql`SELECT "foo`);
+  },
+  'unclosed-bq': function () {
+    assert.throws(() => sql`SELECT \`${'foo'}`);
+  },
+  'unclosed-comment': function () {
+    // Ending in a comment is a concatenation hazard.
+    // See comments in lib/es6/Lexer.js.
+    assert.throws(() => sql`SELECT (${0}) -- comment`);
   }
 });

test/unit/test-SqlString.js

@@ -260,8 +260,7 @@ test('SqlString.format', {
   'double quest marks passes pre-escaped id': function () {
     var sql = SqlString.format(
       'SELECT ?? FROM ?? WHERE id = ?',
-      [SqlString.identifier('table.id'),
-       SqlString.identifier('table'), 42]);
+      [SqlString.identifier('table.id'), SqlString.identifier('table'), 42]);
     assert.equal(sql, 'SELECT `table`.`id` FROM `table` WHERE id = 42');
   },