Database queries should not be vulnerable to injection attacks

Version: 9.3.0.51899 (Developer Edition)
Vulnerability: jssecurity:S3649

Scan does not catch instances of SQL injection vulnerabilities.

async function updateFilter(req) {
    try {
        let { id, name, label, filter } = req.body;
        const q = `UPDATE filters SET name = '${name}', label = '${label}', filter = '${filter}', WHERE id = '${id}';`;
        const pgr = await pool.query(q);
        pool.end();
        return pgr.rows;
    } catch (e) {
        ...
    }
}