Does pg (node-postgres) automatically sanitize data

It basically depends on how you execute your queries, as @vitaly-t described.

Suppose you define the query in a string and execute it as follows:

// Deliberately vulnerable: user input is spliced straight into the SQL text.
var query = `SELECT * FROM table where username='${username}' and password='${password}'`;

pool.query(query, (error, results) => {
});

In this case, if I pass username=' 'or 1=1; -- and password=' 'or 1=1; --

then it will return all records from the table (meaning the SQL injection works).

But if I execute the following query:

// Parameterized: the SQL text is fixed, the values are sent separately as $1 and $2.
pool.query('SELECT * FROM table where username=$1 and password=$2', [username, password], (error, results) => {
});

then SQL injection will never work, because pg will sanitize the data.

So it depends on how you execute the queries.


Absolutely! The parameterized query support in node-postgres is first class. All escaping is done by the postgresql server ensuring proper behavior across dialects, encodings, etc... For example, this will not inject sql:

client.query("INSERT INTO user(name) VALUES($1)", ["'; DROP TABLE user;"], function (err, result) {
  // ...
});

This is from their documentation.
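The two answers above show the same contrast: the interpolated query from the first answer versus the `$1`/`$2` form, and the `'; DROP TABLE user;` payload from the documentation quote. The following is an added example, not code from either answer or from node-postgres, and it needs no database: it builds both query forms and runs a small hypothetical `sqlShape` helper (a comment- and literal-stripper, not a real SQL parser) over the resulting SQL text, so you can see that the interpolated statement's structure changes with the input while the parameterized text never does. The payloads and the `table` name are constructed for illustration.

```javascript
// Vulnerable style from the first answer: values are spliced into the SQL text.
function buildInterpolated(username, password) {
  return `SELECT * FROM table where username='${username}' and password='${password}'`;
}

// Safe style: fixed SQL text, values travel separately. This is the
// { text, values } object form that pg's pool.query()/client.query() accept,
// so buildParameterized(u, p) could be passed to pool.query() directly.
function buildParameterized(username, password) {
  return {
    text: 'SELECT * FROM table where username=$1 and password=$2',
    values: [username, password],
  };
}

// Hypothetical helper (constructed here, not a real SQL parser): reduce a
// statement to its "shape" by dropping -- comments and replacing each
// single-quoted literal (with '' as the escaped quote) by a single '?'.
// Anything that survives is structure, i.e. what the database will parse as SQL.
function sqlShape(sql) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === '-' && sql[i + 1] === '-') {
      // line comment: skip to end of line (or end of text)
      const nl = sql.indexOf('\n', i);
      i = nl === -1 ? sql.length : nl;
      continue;
    }
    if (ch === "'") {
      // string literal: find the closing quote, treating '' as an escaped quote
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; }
          break;
        }
        j++;
      }
      out += '?';
      i = j + 1; // step past the closing quote (or past the end if unterminated)
      continue;
    }
    out += ch;
    i++;
  }
  return out.replace(/\s+/g, ' ').trim();
}

// The shape the developer intended, taken from a harmless pair of values.
const EXPECTED_SHAPE = sqlShape(buildInterpolated('alice', 'secret'));

// Shape of the interpolated statement for a given input.
function interpolatedShape(username, password) {
  return sqlShape(buildInterpolated(username, password));
}

// True only if the input did not alter the statement's structure.
function interpolatedKeepsShape(username, password) {
  return interpolatedShape(username, password) === EXPECTED_SHAPE;
}

// The parameterized text is a constant: no input can change its shape.
function parameterizedText(username, password) {
  return buildParameterized(username, password).text;
}

// Constructed sample inputs: one benign, two hostile, one merely awkward.
const SAMPLES = [
  ['alice', 'secret'],
  ["' or 1=1; --", "' or 1=1; --"],   // payload from the first answer
  ["'; DROP TABLE user;", 'x'],      // payload from the documentation quote
  ["O'Brien", 'secret'],             // legitimate apostrophe, still breaks interpolation
];

for (const [u, p] of SAMPLES) {
  console.log(JSON.stringify(u).padEnd(24),
    'interpolated keeps shape:', interpolatedKeepsShape(u, p),
    '| parameterized text:', parameterizedText(u, p) === EXPECTED_SHAPE.replace(/\?/g, (m, idx, s) => '$' + (s.slice(0, idx).split('?').length)));
}
```

Note the last sample: the interpolated form is not just injectable, it is also wrong for ordinary data containing a quote, which is why "sanitizing" the string is the wrong mental model. With parameters, pg sends the text and the values as separate protocol messages, so the server never has to find the boundary between them.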