diff --git a/api/src/contribution/repository.ts b/api/src/contribution/repository.ts
index 816f9e2e..598b4931 100644
--- a/api/src/contribution/repository.ts
+++ b/api/src/contribution/repository.ts
@@ -15,6 +15,7 @@ export class ContributionRepository {
 constructor(private readonly postgresService: PostgresService) {}
 public async findTitle(contributionId: string) {
+ // todo-ZM: guard against SQL injections in all sql`` statements
 const statement = sql`
 SELECT ${contributionsTable.title}