chore: production deploy by supabase-cli-releaser[bot] · Pull Request #5567 · supabase/cli

supabase-cli-releaser · 2026-06-12T14:46:23Z

fix(deps): bump @typescript/native-preview from 7.0.0-dev.20260603.1 to 7.0.0-dev.20260604.1 in the npm-major group (fix(deps): bump @typescript/native-preview from 7.0.0-dev.20260603.1 to 7.0.0-dev.20260604.1 in the npm-major group #5545)
feat(cli): port supabase test db and test new (feat(cli): port supabase test db and test new #5522)
chore: sync API types from infrastructure (chore: sync API types from infrastructure #5549)
fix(functions): add apikey compatibility header (fix(functions): add apikey compatibility header #5509)
fix(deps): bump the npm-major group with 3 updates (fix(deps): bump the npm-major group with 3 updates #5557)
fix(docker): bump supabase/logflare from 1.44.1 to 1.44.3 in /apps/cli-go/pkg/config/templates in the docker-minor group (fix(docker): bump supabase/logflare from 1.44.1 to 1.44.3 in /apps/cli-go/pkg/config/templates in the docker-minor group #5558)
test(cli): stabilize domains parity e2e (test(cli): stabilize domains parity e2e #5548)
fix(cli): auto-retry db dump/pull via the IPv4 pooler on IPv6-only networks (fix(cli): auto-retry db dump/pull via the IPv4 pooler on IPv6-only networks #5493)
fix(cli): avoid auth for local typegen and services (fix(cli): avoid auth for local typegen and services #5553)
chore(api): sync Management API OpenAPI spec (chore(api): sync Management API OpenAPI spec #5564)
feat(cli): port supabase inspect db to native TypeScript (feat(cli): port supabase inspect db to native TypeScript #5554)
chore: sync API types from infrastructure (chore: sync API types from infrastructure #5562)
chore(cli): organize lazy platform API factory (chore(cli): organize lazy platform API factory #5563)
feat(cli): enable pg-delta by default for new projects (feat(cli): enable pg-delta by default for new projects #5511)
fix(cli): handle custom domain response variants (fix(cli): handle custom domain response variants #5552)
fix(cli): Upload symlinked files when seeding storage buckets (fix(cli): Upload symlinked files when seeding storage buckets #5499)

…to 7.0.0-dev.20260604.1 in the npm-major group (#5545) Bumps the npm-major group with 1 update: [@typescript/native-preview](https://github.com/microsoft/typescript-go). Updates `@typescript/native-preview` from 7.0.0-dev.20260603.1 to 7.0.0-dev.20260604.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@typescript/native-preview&package-manager=npm_and_yarn&previous-version=7.0.0-dev.20260603.1&new-version=7.0.0-dev.20260604.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## What changed Native TypeScript port of `supabase test db` and `supabase test new` into the legacy shell (stable channel), replacing the Phase-0 Go proxies. - **`test new`** — writes `supabase/tests/<name>_test.sql` from the embedded pgtap template; matches Go's relative-path success message, file location, and exit codes. `--template` (pgtap). - **`test db`** — `--db-url` / `--local` / `--linked` + variadic paths. Connects via `@effect/sql-pg` to enable/disable the pgTAP extension, then runs `supabase/pg_prove:3.36` through `docker run` (read-only volume mounts, `--security-opt label:disable`, local docker network or host networking). Honors `--network-id`, and the `db-url`/`linked`/`local` mutual-exclusivity is byte-for-byte identical to Go's cobra error. ## New shared infrastructure (for upcoming `db reset` / `db dump` ports) - `LegacyDbConnection` — Postgres connection seam (single swap point for the driver). - `LegacyDbConfigResolver` — `--db-url` / `--local` / `--linked` resolution, including the linked sub-flow (temp login-role via `V1CreateLoginRole`, pooler fallback with a public-suffix MITM domain check, network-ban unban, backoff). Ports Go's `flags.ParseDatabaseConfig` + `NewDbConfigWithPassword`. - `LegacyDockerRun` — one-shot `docker run` runner. The Management API stack is built lazily on the `--linked` branch only, so `--local` / `--db-url` never resolve an access token (auth-free, matching Go). ## Reviewer notes - **Driver choice:** added `@effect/sql-pg` (4.0.0-beta.75, pure-JS `pg`); verified it bundles and round-trips under `bun build --compile`. - **pgTAP drop-skip:** `PgClient` exposes no `OnNotice` hook, so "already installed" is detected with a `pg_extension` pre-check before enabling — equivalent observable behavior to Go's notice-code 42710 callback. - **Credentials** are kept out of all error output (docker spawn failure, db-url parse failure). - **Documented divergences** (see `SIDE_EFFECTS.md`): `test db` has no `--output-format` machine envelope (Go has none; TAP streams to stdout in all modes); the `[images] pgprove` config override is not modeled by the TS config schema. ## Known follow-up The `--linked` sub-flow (login-role / pooler / unban / backoff) is implemented and type-checked but lacks a dedicated integration test — it requires the real management runtime with a mocked HTTP transport and a real linked project to verify faithfully. The local/db-url resolver paths and `toml` parsing are covered. Closes CLI-1318

This PR was automatically created to sync API types from the infrastructure repository. Changes were detected in the generated API code after syncing with the latest spec from infrastructure. Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>

## What kind of change does this PR introduce? Bug fix ## What is the current behavior? Currently, the API proxy is overwriting the `Authorization` header when forwarding to `/functions` ## What is the new behavior? Uses a custom `sb-api-key` header to handle the minted jwt ## Additional context Towards FUNC-681

Bumps the npm-major group with 3 updates: [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript), [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) and [tldts](https://github.com/remusao/tldts). Updates `@anthropic-ai/claude-agent-sdk` from 0.3.162 to 0.3.163 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.163</h2> <h2>What's changed</h2> <ul> <li><code>stop_task</code> control requests now return success when the target task is already gone (<code>not_found</code> or <code>not_running</code>), so SDK clients can reliably prune stale task chips</li> <li>Fixed SDK hosts being unable to add builtin MCP servers (e.g. <code>claude-in-chrome</code>) via <code>setMcpServers</code> when the CLI was launched without them</li> <li>Stop and SubagentStop hook events now support <code>additionalContext</code> in <code>hookSpecificOutput</code>, enabling non-error feedback that continues the turn</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.163 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.163 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.163 # or bun add @anthropic-ai/claude-agent-sdk@0.3.163 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.163</h2> <ul> <li><code>stop_task</code> control requests now return success when the target task is already gone (<code>not_found</code> or <code>not_running</code>), so SDK clients can reliably prune stale task chips</li> <li>Fixed SDK hosts being unable to add builtin MCP servers (e.g. <code>claude-in-chrome</code>) via <code>setMcpServers</code> when the CLI was launched without them</li> <li>Stop and SubagentStop hook events now support <code>additionalContext</code> in <code>hookSpecificOutput</code>, enabling non-error feedback that continues the turn</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/9f0a1ce68bf17cebfec58f161d79edd0bcaee633"><code>9f0a1ce</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.162...v0.3.163">compare view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.35.14 to 5.36.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.36.17</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.3</li> </ul> </li> </ul> <h2>5.36.16</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/25822acc0d16f9f1d6fbbd65da57b3e060c6c558"><code>25822ac</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.2</li> </ul> </li> </ul> <h2>5.36.15</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.1</li> </ul> </li> </ul> <h2>5.36.14</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/612f97adebd3d863602533180ac4bee3f3ed731d"><code>612f97a</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.0</li> </ul> </li> </ul> <h2>5.36.13</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.31.4</li> </ul> </li> </ul> <h2>5.36.12</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.31.3</li> </ul> </li> </ul> <h2>5.36.11</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.31.2</li> </ul> </li> </ul> <h2>5.36.10</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/287ad9fcbb0990f770ab8e0a4311e8fcde6855be"><code>287ad9f</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/dc1e1935b1e9e6f26b184e6adb19d68f44a5682e"><code>dc1e193</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/9287c87b7d4cf00160269d0cc648074f27c0847a"><code>9287c87</code></a> feat: emit $is_server property on captured events (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/3728">#3728</a>)</li> <li><a href="https://github.com/PostHog/posthog-js/commit/b539fcbe64515945a18190b6c973a1bd727b75f1"><code>b539fcb</code></a> chore: update versions and lockfile [version bump]</li> <li>See full diff in <a href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.1/packages/node">compare view</a></li> </ul> </details> <br /> Updates `tldts` from 6.1.86 to 7.4.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remusao/tldts/releases">tldts's releases</a>.</em></p> <blockquote> <h2>v7.4.2</h2> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2597">#2597</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>:nut_and_bolt: Dependencies</h4> <ul> <li>Bump eslint-plugin-prettier from 5.5.5 to 5.5.6 <a href="https://redirect.github.com/remusao/tldts/pull/2598">#2598</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> </ul> <h4>Authors: 2</h4> <ul> <li><a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a></li> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h2>v7.4.1</h2> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts-icann</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2595">#2595</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>:memo: Documentation</h4> <ul> <li>docs: add a benchmark throughput chart to the README <a href="https://redirect.github.com/remusao/tldts/pull/2593">#2593</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h4>:nut_and_bolt: Dependencies</h4> <ul> <li>Bump tmp from 0.2.5 to 0.2.7 <a href="https://redirect.github.com/remusao/tldts/pull/2596">#2596</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump typescript-eslint from 8.59.4 to 8.60.0 <a href="https://redirect.github.com/remusao/tldts/pull/2594">#2594</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> </ul> <h4>Authors: 2</h4> <ul> <li><a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a></li> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h2>v7.4.0</h2> <h4>:rocket: New Feature</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts-icann</code>, <code>tldts-tests</code>, <code>tldts</code> <ul> <li>feat: add getFullDomain to return the full hostname incl. subdomain (<a href="https://redirect.github.com/remusao/tldts/issues/2322">#2322</a>) <a href="https://redirect.github.com/remusao/tldts/pull/2592">#2592</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>Authors: 1</h4> <ul> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h2>v7.3.1</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>tldts-core</code>, <code>tldts-tests</code> <ul> <li>fix: reject hostname labels that begin with a hyphen (<a href="https://redirect.github.com/remusao/tldts/issues/2395">#2395</a>) <a href="https://redirect.github.com/remusao/tldts/pull/2591">#2591</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remusao/tldts/blob/master/CHANGELOG.md">tldts's changelog</a>.</em></p> <blockquote> <h1>v7.4.2 (Sat May 30 2026)</h1> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2597">#2597</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>:nut_and_bolt: Dependencies</h4> <ul> <li>Bump eslint-plugin-prettier from 5.5.5 to 5.5.6 <a href="https://redirect.github.com/remusao/tldts/pull/2598">#2598</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> </ul> <h4>Authors: 2</h4> <ul> <li><a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a></li> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <hr /> <h1>v7.4.1 (Sat May 30 2026)</h1> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts-icann</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2595">#2595</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>:memo: Documentation</h4> <ul> <li>docs: add a benchmark throughput chart to the README <a href="https://redirect.github.com/remusao/tldts/pull/2593">#2593</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h4>:nut_and_bolt: Dependencies</h4> <ul> <li>Bump tmp from 0.2.5 to 0.2.7 <a href="https://redirect.github.com/remusao/tldts/pull/2596">#2596</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump typescript-eslint from 8.59.4 to 8.60.0 <a href="https://redirect.github.com/remusao/tldts/pull/2594">#2594</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> </ul> <h4>Authors: 2</h4> <ul> <li><a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a></li> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <hr /> <h1>v7.4.0 (Mon May 25 2026)</h1> <h4>:rocket: New Feature</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts-icann</code>, <code>tldts-tests</code>, <code>tldts</code> <ul> <li>feat: add getFullDomain to return the full hostname incl. subdomain (<a href="https://redirect.github.com/remusao/tldts/issues/2322">#2322</a>) <a href="https://redirect.github.com/remusao/tldts/pull/2592">#2592</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>Authors: 1</h4>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/remusao/tldts/commit/4c41bb21f1d20fd8f71716c3fc7abd97a5e2f2a6"><code>4c41bb2</code></a> Bump version to: v7.4.2 [skip ci]</li> <li><a href="https://github.com/remusao/tldts/commit/b32840736ed13d26956a4ed24b314c3d7a86cb8d"><code>b328407</code></a> Update CHANGELOG.md [skip ci]</li> <li><a href="https://github.com/remusao/tldts/commit/468ae228a41545990f5c64da4c4a318647d8a8e3"><code>468ae22</code></a> Update upstream public suffix list (<a href="https://redirect.github.com/remusao/tldts/issues/2597">#2597</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/f91813f03826a30ca8bdb3bc8617a706f980a0c4"><code>f91813f</code></a> Bump eslint-plugin-prettier from 5.5.5 to 5.5.6 (<a href="https://redirect.github.com/remusao/tldts/issues/2598">#2598</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/e23f896fbbea39d50e008d235db118539e1db5d9"><code>e23f896</code></a> Bump version to: v7.4.1 [skip ci]</li> <li><a href="https://github.com/remusao/tldts/commit/131cf988373d738b17ebfcd8310573497589f6e3"><code>131cf98</code></a> Update CHANGELOG.md [skip ci]</li> <li><a href="https://github.com/remusao/tldts/commit/619d2f8edc6baa3dfe7b6a0e06b9ef500952e97a"><code>619d2f8</code></a> Update upstream public suffix list (<a href="https://redirect.github.com/remusao/tldts/issues/2595">#2595</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/f9aea520941facec6bc4c407a705f32707380a16"><code>f9aea52</code></a> Bump tmp from 0.2.5 to 0.2.7 (<a href="https://redirect.github.com/remusao/tldts/issues/2596">#2596</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/f047015e4b5d15ff4b03794135557510e14a02c6"><code>f047015</code></a> Bump typescript-eslint from 8.59.4 to 8.60.0 (<a href="https://redirect.github.com/remusao/tldts/issues/2594">#2594</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/d6ec38590e4b6eb794147c917e2be57adb27fec9"><code>d6ec385</code></a> docs: add a benchmark throughput chart to the README (<a href="https://redirect.github.com/remusao/tldts/issues/2593">#2593</a>)</li> <li>Additional commits viewable in <a href="https://github.com/remusao/tldts/compare/v6.1.86...v7.4.2">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for tldts since your current version.</p> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…i-go/pkg/config/templates in the docker-minor group (#5558) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1 update: supabase/logflare. Updates `supabase/logflare` from 1.44.1 to 1.44.3 [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/logflare&package-manager=docker&previous-version=1.44.1&new-version=1.44.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

This fixes a domains parity failure seen in the merge queue: https://github.com/supabase/cli/actions/runs/27341219425/job/80778254211 The failing domains case compared `domains get --project-ref ... --output json`. The Go CLI still writes the custom-hostname status line to stderr in machine-output mode, and because that status has no trailing newline it was sometimes hidden only when Go also printed an upgrade notice that the parity normalizer stripped. When that upgrade-check side effect was absent, the same command produced a stderr mismatch. This makes the domains parity expectation explicit by adding a generic, channel-aware normalization hook and keeping the Go custom-hostname patterns local to the domains e2e test. The strip only applies to stderr, so parity will still fail if a command pollutes structured stdout with human status text. This also fixes a later functions-dev e2e failure from CI: https://github.com/supabase/cli/actions/runs/27352417825/job/80817569233. The test edited function source and immediately asserted the updated response without waiting for the file watcher restart corresponding to that edit. It now waits for the next function-file restart before polling the function endpoint. While exercising the e2e suite locally, CLI subprocesses were also inheriting agent-detection environment variables from the developer shell, which changed output rendering and made local e2e behavior differ from CI. The e2e helpers now sanitize inherited agent-detection env by default while still allowing tests to opt in through explicit per-test env overrides.

…tworks (#5493) Closes [CLI-1593](https://linear.app/supabase/issue/CLI-1593/improve-db-dump-ipv6-error-guidance) ## What `supabase db dump` and `db pull` run `pg_dump` inside a Docker container. Supabase direct database hosts (`db.<ref>.supabase.co:5432`) are **IPv6-only** unless the IPv4 add-on is enabled, so on environments without working IPv6 in the container (very common on Docker Desktop for macOS) the operation failed with an opaque `error running container: exit 1`. This PR makes that path **self-healing**: when a remote dump/pull fails because the direct host is unreachable over IPv6, the CLI transparently resolves the project's **IPv4 transaction pooler**, warns the user, and retries once. If no pooler is available it falls back to an actionable error message pointing at `--db-url`. ## Why The host running the CLI often *does* have IPv6 (so the pre-flight dial succeeds and the direct config is selected), but the `pg_dump` **container** does not — so the failure only surfaces deep inside the container as a libpq/getaddrinfo error, hidden behind the generic container exit code. Users were left stuck with no hint, even though a working IPv4 pooler existed for their project. ## Behavior ```mermaid flowchart TD A["db dump / db pull (remote)"] --> B["Run pg_dump in Docker container<br/>(tee stderr for classification)"] B --> C{Succeeded?} C -->|yes| OK["Write dump ✓"] C -->|no| D{"stderr is an<br/>IPv6 connectivity error?"} D -->|no| SUG["Classify error → actionable suggestion"] D -->|yes| E{"Host is a direct<br/>db.<ref>.supabase.co?"} E -->|no| SUG E -->|yes| F{"IPv4 pooler<br/>config resolvable?"} F -->|no| SUG2["Suggest --db-url with the<br/>transaction pooler URL"] F -->|yes| G["Warn user · reset output ·<br/>retry once via IPv4 pooler"] G --> H{Retry succeeded?} H -->|yes| OK2["Write dump ✓<br/>(transparent recovery)"] H -->|no| SUG3["Classify retry error → suggestion"] ``` Happy-path auto-recovery (linked project, host has IPv6, container does not): ```mermaid sequenceDiagram actor U as User participant CLI as supabase db dump participant C as pg_dump container participant API as link cache / Management API U->>CLI: db dump (linked → direct host) CLI->>C: pg_dump → db.ref.supabase.co:5432 (IPv6) C-->>CLI: error: "No address associated with hostname"<br/>/ "Network is unreachable" (no IPv6 in container) Note over CLI: classify captured stderr → IPv6 connectivity error CLI->>API: resolve IPv4 transaction pooler + login role API-->>CLI: pooler config (port 5432) CLI-->>U: ⚠ Warning: retrying via the IPv4 connection pooler CLI->>C: pg_dump → aws-0-…pooler.supabase.com (IPv4) C-->>CLI: dump output CLI-->>U: dump written ✓ ``` ## How - **`internal/db/dump/pooler_fallback.go` — `RunWithPoolerFallback`** wraps the Docker-backed `pg_dump` operations. It runs the closure with an stderr-capturing exec; on failure it classifies the captured stderr and, if it's an IPv6 error against a direct host with a resolvable pooler, warns, resets the output, and retries once via the pooler. `resetOutput` rewinds the destination between attempts (`bytes.Buffer.Reset`, file `Truncate`+`Seek`, stdout ignored) so a partial first attempt isn't left behind. `--dry-run` skips the wrapper entirely. - **`internal/db/dump/dump.go` + `internal/db/pull/pull.go`** route their remote dump paths through `RunWithPoolerFallback` (dump data/role/schema; pull's experimental role+schema dump and `dumpRemoteSchema`). - **`internal/utils/flags/db_url.go` — `ResolvePoolerConfigForFallback`** returns an authenticated IPv4 transaction-pooler config: it prefers the pooler URL persisted at `supabase link` time, otherwise fetches it from the Management API, forces the transaction port, and authenticates via `SUPABASE_DB_PASSWORD` or a temporary login role. It's injected through a package variable so tests can stub the network call. - **`internal/utils/connect.go`** — detection (`isIPv6ConnectivityError`) covers `Address family for hostname not supported`, `No address associated with hostname`, `Network is unreachable`, and (gated on an IPv6 literal so genuine project-not-found / tenant errors keep their own hint) `No route to host` / `Cannot assign requested address`. The IPv6-literal regex matches both Go's bracketed `[…]` and libpq's parenthesised `(…)` forms. `ProjectRefFromDirectDbHost`, `WarnIPv6PoolerFallback`, and the existing `SetConnectSuggestion` / `SuggestIPv6Pooler` provide ref extraction, the retry warning, and the non-recoverable suggestion. ## Non-recoverable fallback (message only) When auto-retry isn't possible (not an IPv6 error, not a direct host, or no pooler), the command still fails — but with guidance instead of a bare exit code: ``` Your network does not support IPv6, which is required for direct connections to the database. Retry through the IPv4 transaction pooler by passing it to --db-url "postgres://postgres.<ref>:[YOUR-PASSWORD]@aws-0-<region>.pooler.supabase.com:6543/postgres" ``` ## Tests - `dump_test.go`: auto-retry succeeds via the pooler (asserts warning, output truncation/rewrite, no leftover suggestion); IPv6 failure with no pooler still surfaces the suggestion; `Cannot assign requested address` classification. - `connect_test.go`: detection matrix incl. the new signatures and `ProjectRefFromDirectDbHost`; `SuggestIPv6Pooler` enrichment. - `db_url_test.go`: `ResolvePoolerConfigForFallback` (persisted-URL vs Management API resolution). ## Notes - These `db` commands are still proxied to the bundled Go binary, so the fix lives in `apps/cli-go`. - The auto-retry only triggers for **direct Supabase hosts** — explicit `--db-url`/`--local` targets are never silently rerouted. https://claude.ai/code/session_01UaPk7dGPmiCqoKJHyV7SLz --------- Co-authored-by: Claude <noreply@anthropic.com>

Fixes CLI-1619. This removes eager Management API client construction from command paths that have tokenless behavior: - `gen types --local` and `--db-url` now use a lean runtime and lazily construct the platform API client only for linked/project-id generation. - `services` now uses a lean runtime so it can always print local service versions, while keeping the linked-version lookup optional when a token is available. - Command-wiring regression coverage exercises tokenless `gen types --local` and `services` invocations through the actual CLI command layers.

This PR was automatically created to sync the generated `@supabase/api` package with the latest Management API OpenAPI document. Changes were detected in the upstream OpenAPI document exposed by `https://api.supabase.com/api/v1-json`. Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>

## What changed Ports all of `supabase inspect db` (CLI-1316) from Phase 0 Go proxies to native TypeScript in the legacy shell. The 13 active subcommands (`db-stats`, `replication-slots`, `locks`, `blocking`, `outliers`, `calls`, `index-stats`, `long-running-queries`, `bloat`, `role-stats`, `vacuum-stats`, `table-stats`, `traffic-profile`) and their 12 deprecated aliases now connect to Postgres directly via the already-ported `LegacyDbConnection`, run the embedded query, and render Go-parity Glamour tables — no more shelling out to the Go binary. ### Highlights - **`LegacyDbSession.query`** added to the connection service + `@effect/sql-pg` layer (positional `client.unsafe(sql, params)` binding); the one other object-literal consumer (`test db` mock) updated. - **Shared infra at `inspect/db/`**: `LegacyInspectQuerySpec` + the `legacyRunInspectQuery` runner, pure cell formatters (`%s`/`%t`/`%d`/`%.1f`/whitespace-collapsed stmt), the 29-entry internal-schema list + `legacyLikeEscapeSchema`, `legacyInspectDbRuntimeLayer`, command boilerplate (`LEGACY_INSPECT_DB_FLAGS` + handler pipe), and the deprecation-notice builder. - **One verbatim `<name>.query.ts` spec per active subcommand**; deprecated aliases route to the active spec — including preserving Go's quirk where `table-record-counts` warns "table-stats" but runs the index-stats query. ### Go parity preserved - `--db-url` / `--linked` / `--local` selector flags (mutually exclusive; `--linked` default-true derived from absence), no `--project-ref`. **One deliberate divergence — see below.** - "Connecting to local/remote database..." diagnostic on stderr (matching `ConnectByConfig`). - Statement cells collapse whitespace using Go's RE2 `\s` set (`[\t\n\f\r ]` + individual `\v`), not JS `\s`. - `vacuum-stats` renders 9 of 11 columns with the one-shot `-1` → `No stats`; `bloat` uses the clean 4-column header. - Deprecated aliases print `Command "<name>" is deprecated, use "<target>" instead.` to stderr. - `json` / `stream-json` modes emit `{ rows }` (additive — Go has no machine output for inspect). ### Behavioral change vs Go ⚠️ (release note) **Explicit `--linked=false` no longer triggers the mutual-exclusion error.** Go uses cobra's `MarkFlagsMutuallyExclusive`, which keys off whether a flag was *explicitly provided* (cobra's `Changed`), counting even `--linked=false` as set. So in the Go CLI, `supabase inspect db locks --linked=false --local` fails flag validation. This port checks the parsed boolean value instead, so an explicit `--linked=false` is indistinguishable from the default and the command proceeds to connect using `--local` (or `--db-url`). We're keeping the TS behavior intentionally — treating `--linked=false` as "not selecting linked" rather than as a hard conflict is the more sensible interpretation, and the realistic conflict cases (two *positive* selectors set, e.g. `--linked --local` or `--db-url … --local`) are still rejected exactly as in Go. Calling it out here so it lands in the release notes as a deliberate, user-observable difference. ### Docs / tracking - 25 per-subcommand proxy `SIDE_EFFECTS.md` consolidated into one shared family doc. - All 25 `inspect db` rows in `go-cli-porting-status.md` flipped `wrapped` → `ported`. Closes CLI-1316

This PR was automatically created to sync API types from the infrastructure repository. Changes were detected in the generated API code after syncing with the latest spec from infrastructure. Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>

## Summary Extracts the lazy Management API client factory into auth-owned service and layer modules so command runtimes can share the same wiring instead of rebuilding it locally. The lean `gen types` runtime now consumes the shared lazy factory, while eager Management API runtimes adapt their already-built `LegacyPlatformApi` into the factory shape for project-ref resolution. This keeps tokenless command paths lazy without duplicating platform API construction in commands that intentionally authenticate up front.

First non-breaking step of CLI-1586 toward making pg-delta the default diff engine. New projects opt into pg-delta, and `db pull` now lets the configured engine drive its shadow diff. Existing projects are unaffected. ## New projects default to pg-delta (CLI-1587) `supabase init` now scaffolds `config.toml` with `[experimental.pgdelta] enabled = true`. The global default for an absent/undefined section stays migra, so existing projects are untouched and `enabled = false` remains a one-line rollback. The Go config template doubles as the source of programmatic defaults via `mergeDefaultValues` (it ejects the same template), so literally enabling pg-delta in the template would have flipped the default for **every** existing config. To keep this non-breaking, the `enabled` value is templated from an init-only flag `PgDeltaInitEnabled`: - `InitConfig` sets it from `InitParams.UsePgDelta`, which is opted in only by the `supabase init` command and `bootstrap`. Other `InitConfig` callers — including the `WriteConfig` test helper — leave it `false`, so they keep producing migra-default configs. - It is `false` when `Eject` feeds `mergeDefaultValues`, so configs without the section keep resolving to migra. Scoping the opt-in to the command (rather than unconditionally inside `InitConfig`) keeps the generated default from leaking into the global `utils.Config` during tests that scaffold a config, which would otherwise change unrelated `db start` behavior. The TS init template (`project-init.templates.ts`) writes `enabled = true` directly and stays byte-aligned with the Go scaffold (enforced by the existing parity test). ## `db pull` engine resolution When pg-delta is enabled (config or `EXPERIMENTAL_PG_DELTA`), `supabase db pull` keeps its **migration-file** workflow but defaults the shadow diff engine to pg-delta instead of migra. Specifically: - The migration-file workflow is preserved; enabling pg-delta in config does not switch `db pull` to declarative output. - The shadow diff engine default follows whether pg-delta is active, via the extracted, unit-tested helper `resolvePullDiffEngine`. - An explicit `--diff-engine migra` (or `enabled = false`) is an authoritative rollback that overrides the config default. - Declarative schema export remains opt-in via the `--declarative` flag; `--use-pg-delta` is kept as a deprecated alias whose message guides users to `--declarative` with `[experimental.pgdelta] enabled = true`. ## `db diff` engine resolution `resolveDiffEngine` (unit-tested) centralizes the decision: the config default applies unless an explicit non-pg-delta engine flag (`--use-migra`, `--use-pgadmin`, `--use-pg-schema`) is selected, which clears pg-delta mode so `diff.Run` skips pg-delta-specific declarative shadow setup and the `PGDELTA_DEBUG` path. The deprecated `db remote commit` is intentionally left unchanged. ## Notes for reviewers - `PgDeltaInitEnabled` is `toml:"-" json:"-"`, so it is never parsed from or serialized to config files — it only feeds template rendering. - The TS `--diff-engine` flag is optional and only forwarded when set, so the Go config-driven default applies when omitted; no TS behavior change was needed. - `--declarative` / `--use-pg-delta` are mutually exclusive with `--diff-engine`. - Restored the `auto_expose_new_tables` template comment to the develop wording after a rebase had reverted it. - Docs updated: `db diff` / `db pull` reference pages and the pull `SIDE_EFFECTS.md`. Closes CLI-1587 https://claude.ai/code/session_014k7CJwuyg5BBeQxTHHWWJY --------- Co-authored-by: Claude <noreply@anthropic.com>

## Summary Updates the checked-in OpenAPI override set for custom-domain responses so the generated API client accepts the response shapes observed in production. The custom hostname response can omit `ssl.validation_records`, nested `ownership_verification`, and the top-level `status` / `custom_hostname` envelope fields while domain setup is still processing. The generated Effect contracts now reflect those fields as optional across the custom-hostname operations that reuse this response schema. The CLI keeps Go-compatible structured output by backfilling zero values for omitted fields, while text output continues to render the custom hostname status from the raw response. Human status output is newline-terminated so interactive shell prompts do not redraw over the final ACME TXT record line.

## What kind of change does this PR introduce? Bug fix ## What is the current behavior? Symlinks are silently skipped in `supabase seed buckets`. ## What is the new behavior? This change considers symlinks as well for uploads instead of silently skipping them. Emits stderr warnings when a path is not a regular file. ## Additional context Closes #5498 --------- Co-authored-by: Julien Goux <hi@jgoux.dev>

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c66add07bf

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-12T14:59:23Z

+  if (flags.linked) setFlags.push("linked");
+  if (flags.local) setFlags.push("local");


Track selector flag presence instead of value

This uses the parsed boolean value to emulate Cobra's Changed semantics, so explicit false boolean selectors are treated as absent. Effect CLI boolean flags elsewhere in this repo accept forms like --backup=false; with inspect db, a call such as supabase inspect db locks --local=false should still count local as the selected/changed connection flag like Go does, but this falls through to the linked default on line 193, and combinations such as --local=false --db-url ... are not rejected as mutually exclusive.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-12T14:59:23Z

+    .replace(/(:\/\/[^:@/?#]*:).*(@)(?=[^@/?#]*(?:[/?#]|$))/, "$1[REDACTED]$2")
+    .replace(/(\bpassword\s*=\s*)('(?:[^'\\]|\\.)*'|'.*$|\S+)/i, "$1[REDACTED]");


Redact every password occurrence before echoing DSNs

When a malformed libpq DSN contains more than one password= token, this non-global replacement masks only the first one before the parse error echoes the supplied connection string. For example, an input like password=old bad password=secret fails parsing at bad, but the returned error message still includes the later password=secret, which defeats the CWE-209 redaction this helper is meant to provide.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-12T14:59:23Z

+	matches := ProjectHostPattern.FindStringSubmatch(host)
+	if len(matches) < 3 {
+		return "", false


Extract refs from the active profile host

The new IPv6 pooler fallback only works when this helper recognizes the direct database host, but it delegates to ProjectHostPattern, which is hard-coded to db.<ref>.supabase.(co|red). Linked projects on other supported profiles, such as the built-in snap profile with ProjectHost: "snapcloud.dev" in internal/utils/profile.go, produce hosts like db.<ref>.snapcloud.dev; when a Docker dump/pull hits the same IPv6 failure there, PoolerFallbackConfig returns false and never retries through the project's IPv4 pooler.

Useful? React with 👍 / 👎.

Adds support for creating projects with high availability from the TypeScript CLI path. The Management API runtime already accepts `high_availability`, but the published OpenAPI spec has not exposed it yet. This adds the field through the OpenAPI override system so the generated API types include it, then wires `supabase projects create --high-availability` through the shared project creation flow. Supersedes #5383, which was still draft and conflicted after the TypeScript project creation refactor.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ccd052e11a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-12T15:29:42Z

+    // surface, so a `true` value means it was explicitly passed — matching
+    // cobra's `Changed` semantics.
+    const setFlags: Array<string> = [];


Track selector flag presence instead of truthiness

For test db, this uses the parsed boolean values to emulate Cobra's changed-flag exclusivity, so explicit false selectors are treated as absent. Effect CLI accepts boolean forms such as --backup=false (see apps/cli/src/shared/cli/hidden-flag.unit.test.ts), while the Go command marks db-url, linked, and local mutually exclusive based on Cobra Changed semantics (apps/cli-go/cmd/db.go registers the test db selector group). As a result, supabase test db --local=false --db-url ... or --local=false --linked is not rejected and can run against a different target than the Go CLI would.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-12T15:29:42Z

-  const authHeader = req.headers.get("authorization");
-  if (!authHeader?.startsWith("Bearer ")) {
+  const bearerToken = req.headers.get("authorization")?.slice("Bearer ".length);
+  const sbApiKeyCompatibilityToken = req.headers.get("sb-api-key")?.replace("Bearer", "")?.trim();


Strip the internal sb-api-key before invoking functions

When the API proxy uses this new compatibility header for /functions/v1 auth, the same Request object is later passed to worker.fetch(req), so user function code can observe the internal sb-api-key header minted by the proxy. The Go edge-runtime template explicitly removes this header in prepareUserRequest before invoking the worker, so local functions that inspect or forward request headers now see a TS-stack-only credential-bearing header.

Useful? React with 👍 / 👎.

…emplates with 2 updates (#5570) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 2 updates: supabase/realtime and supabase/storage-api. Updates `supabase/realtime` from v2.106.0 to v2.107.1 Updates `supabase/storage-api` from v1.60.15 to v1.60.17 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…/apps/cli-go/pkg/config/templates (#5571) Bumps supabase/postgres from 17.6.1.134 to 17.6.1.135. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/postgres&package-manager=docker&previous-version=17.6.1.134&new-version=17.6.1.135)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the npm-major group with 7 updates: | Package | From | To | | --- | --- | --- | | [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.163` | `0.3.166` | | [@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript) | `0.100.1` | `0.101.0` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.16` | `19.2.17` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.36.1` | `5.36.3` | | [fumadocs-mdx](https://github.com/fuma-nama/fumadocs) | `15.0.10` | `15.0.11` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.9.1` | `25.9.2` | | [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260604.1` | `7.0.0-dev.20260605.1` | Updates `@anthropic-ai/claude-agent-sdk` from 0.3.163 to 0.3.166 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.166</h2> <h2>What's changed</h2> <ul> <li>Fixed MCP resource tools not being injected for servers added at runtime via the <code>mcp_set_servers</code> control request</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.166 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.166 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.166 # or bun add @anthropic-ai/claude-agent-sdk@0.3.166 </code></pre> <h2>v0.3.165</h2> <h2>What's changed</h2> <ul> <li>Updated to parity with Claude Code v2.1.165</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.165 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.165 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.165 # or bun add @anthropic-ai/claude-agent-sdk@0.3.165 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.166</h2> <ul> <li>Fixed MCP resource tools not being injected for servers added at runtime via the <code>mcp_set_servers</code> control request</li> </ul> <h2>0.3.165</h2> <ul> <li>Updated to parity with Claude Code v2.1.165</li> </ul> <h2>0.3.164</h2> <ul> <li>Updated to parity with Claude Code v2.1.164</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/bc853fcd68b762af5ad5b18c0d4d6c7e8be72c4f"><code>bc853fc</code></a> chore: Update CHANGELOG.md</li> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/3bdcdcb343015c1aa08f138bf8cffd6b6e1f8aec"><code>3bdcdcb</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.163...v0.3.166">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/sdk` from 0.100.1 to 0.101.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@anthropic-ai/sdk's releases</a>.</em></p> <blockquote> <h2>sdk: v0.101.0</h2> <h2>0.101.0 (2026-06-05)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.100.1...sdk-v0.101.0">sdk-v0.100.1...sdk-v0.101.0</a></p> <h3>Features</h3> <ul> <li><strong>client:</strong> add support for middleware (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/9b011207965540211cefb19d44d758b7942aedab">9b01120</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>apply request timeout to inner fetch only, not middleware chain (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/40">#40</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/25c13f6183391f006396f16a9bd9a2c2f710d52c">25c13f6</a>)</li> <li><strong>streaming:</strong> carry stop_details through beta message_delta accumulation (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/ed3fec7ace406fe4b0ca3494439061695dabf475">ed3fec7</a>)</li> <li><strong>streaming:</strong> correctly parse json numbers with scientific notation (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/9">#9</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7d5e6422dc5b58bc991c1587c4f1a0e8e753f2a5">7d5e642</a>)</li> </ul> <h3>Chores</h3> <ul> <li><strong>internal:</strong> fix artifact url (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/925ec276fa97baf63d3643f24430bd2a8302c5dc">925ec27</a>)</li> <li><strong>internal:</strong> fix branch names (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fa3cf2c491f0ed274dc7839779f7fd91c15b5dbf">fa3cf2c</a>)</li> <li><strong>internal:</strong> update private repo name (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/a8ac213b8ce0955bd66f0b2f5bcecc2976867fb2">a8ac213</a>)</li> </ul> <h3>Documentation</h3> <ul> <li>point security reports to Anthropic's HackerOne program (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/16">#16</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/5c7912c36e0210c6cbc773a32a7ba983aaf611df">5c7912c</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/sdk's changelog</a>.</em></p> <blockquote> <h2>0.101.0 (2026-06-05)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.100.1...sdk-v0.101.0">sdk-v0.100.1...sdk-v0.101.0</a></p> <h3>Features</h3> <ul> <li><strong>client:</strong> add support for middleware (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/9b011207965540211cefb19d44d758b7942aedab">9b01120</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>apply request timeout to inner fetch only, not middleware chain (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/40">#40</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/25c13f6183391f006396f16a9bd9a2c2f710d52c">25c13f6</a>)</li> <li><strong>streaming:</strong> carry stop_details through beta message_delta accumulation (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/ed3fec7ace406fe4b0ca3494439061695dabf475">ed3fec7</a>)</li> <li><strong>streaming:</strong> correctly parse json numbers with scientific notation (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/9">#9</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7d5e6422dc5b58bc991c1587c4f1a0e8e753f2a5">7d5e642</a>)</li> </ul> <h3>Chores</h3> <ul> <li><strong>internal:</strong> fix artifact url (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/925ec276fa97baf63d3643f24430bd2a8302c5dc">925ec27</a>)</li> <li><strong>internal:</strong> fix branch names (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fa3cf2c491f0ed274dc7839779f7fd91c15b5dbf">fa3cf2c</a>)</li> <li><strong>internal:</strong> update private repo name (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/a8ac213b8ce0955bd66f0b2f5bcecc2976867fb2">a8ac213</a>)</li> </ul> <h3>Documentation</h3> <ul> <li>point security reports to Anthropic's HackerOne program (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/16">#16</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/5c7912c36e0210c6cbc773a32a7ba983aaf611df">5c7912c</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/185ec061cfe8cccd1af6fd118142ebd72e350379"><code>185ec06</code></a> chore: release main</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fab891069a2d78e31f92098b0b9c8f81f925998f"><code>fab8910</code></a> codegen metadata</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7ff4036756df6cf3b3ff69b6fee95c7d0dff8b9d"><code>7ff4036</code></a> fix: apply request timeout to inner fetch only, not middleware chain (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/40">#40</a>)</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/257bc1f56bb391c03bc30c4e16f61e22a3eba762"><code>257bc1f</code></a> feat(client): add support for middleware</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/5b3ace5ec52d91780e78e0b64a199c57c5fdcfea"><code>5b3ace5</code></a> chore(internal): fix artifact url</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/70966be8fc07edbe6129eadc011c7b5ee8dbe131"><code>70966be</code></a> fix(streaming): correctly parse json numbers with scientific notation (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/9">#9</a>)</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7e22f205524aeb63324b9f1c6f433a82392c520a"><code>7e22f20</code></a> docs: point security reports to Anthropic's HackerOne program (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/16">#16</a>)</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/e569db5e38c4714ba40c4dacedadf0e25941871e"><code>e569db5</code></a> chore(internal): fix branch names</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4725328d9acdc2a2191932152ac5747eb1f6a1cd"><code>4725328</code></a> fix(streaming): carry stop_details through beta message_delta accumulation</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/f90eb81687606cc484fed6866ed5868cafac2f7a"><code>f90eb81</code></a> chore(internal): update private repo name</li> <li>See full diff in <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.100.1...sdk-v0.101.0">compare view</a></li> </ul> </details> <br /> Updates `@types/react` from 19.2.16 to 19.2.17 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.36.1 to 5.36.3 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.36.17</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.3</li> </ul> </li> </ul> <h2>5.36.16</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/25822acc0d16f9f1d6fbbd65da57b3e060c6c558"><code>25822ac</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.2</li> </ul> </li> </ul> <h2>5.36.15</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.1</li> </ul> </li> </ul> <h2>5.36.14</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/612f97adebd3d863602533180ac4bee3f3ed731d"><code>612f97a</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.0</li> </ul> </li> </ul> <h2>5.36.13</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.31.4</li> </ul> </li> </ul> <h2>5.36.12</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.31.3</li> </ul> </li> </ul> <h2>5.36.11</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.31.2</li> </ul> </li> </ul> <h2>5.36.10</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/e0ebad51a12ea6276f9fda7ecd6cb57a6ff8f3a1"><code>e0ebad5</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/a8fd22825d9e9203ed88084d2c07b7b31e585f2f"><code>a8fd228</code></a> chore: update versions and lockfile [version bump]</li> <li>See full diff in <a href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.3/packages/node">compare view</a></li> </ul> </details> <br /> Updates `fumadocs-mdx` from 15.0.10 to 15.0.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-mdx's releases</a>.</em></p> <blockquote> <h2>fumadocs-mdx@15.0.11</h2> <h3>Patch Changes</h3> <ul> <li>2d65ceb: Support hot reload in <code>source.config.ts</code> with Vite plugin</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/fuma-nama/fumadocs/commit/2ea0ed0aa8ce11d09b3c02a4e39f76624f05e23c"><code>2ea0ed0</code></a> Version Packages (<a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3339">#3339</a>)</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/6dc8812030222c1d1939a1ba0d9bb588560c09ad"><code>6dc8812</code></a> feat(preview): use waku beta 2</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/e714fff621ce6dc201311768dd32c8f4f1e84bc9"><code>e714fff</code></a> Merge pull request <a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3338">#3338</a> from fuma-nama/changeset-release/dev</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/00e3be44926a6604c6c35652e318f2082362c20e"><code>00e3be4</code></a> update editor settings</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/a62a45de0b1128bdfe05dca0cccd75385321c3c2"><code>a62a45d</code></a> chore: bump deps</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/2d65ceb343e6770befea742f3ab41b847e4091a8"><code>2d65ceb</code></a> feat(mdx): support hot reload in <code>source.config.ts</code> with Vite plugin</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/0155ff608f5ce9656bd5a5fc8c7dfd0a523aeb23"><code>0155ff6</code></a> fix lint</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/fef7a73cd5d530ebd5a6c4f314b4af52058a2d0b"><code>fef7a73</code></a> chore: fix warning</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/6cb229cc4cc27eb95540483ed3910d08f28de707"><code>6cb229c</code></a> Version Packages (<a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3336">#3336</a>)</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/9a6ac875c6a0332c5a1f5a3a21a474ffc8136330"><code>9a6ac87</code></a> docs: add sections to landing page</li> <li>Additional commits viewable in <a href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-mdx@15.0.10...fumadocs-mdx@15.0.11">compare view</a></li> </ul> </details> <br /> Updates `@types/node` from 25.9.1 to 25.9.2 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260604.1 to 7.0.0-dev.20260605.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 20c4c86b14

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-13T00:34:06Z

-  const authHeader = req.headers.get("authorization");
-  if (!authHeader?.startsWith("Bearer ")) {
+  const bearerToken = req.headers.get("authorization")?.slice("Bearer ".length);
+  const sbApiKeyCompatibilityToken = req.headers.get("sb-api-key")?.replace("Bearer", "")?.trim();


Only strip a Bearer prefix from the compatibility token

When /functions/v1 auth is transformed by the API proxy, sb-api-key carries the raw anon/service JWT. This replace("Bearer", "") removes the first Bearer substring anywhere in that JWT, so a locally generated key whose base64url payload or signature happens to contain those six characters is corrupted before verification and valid requests fail with Invalid JWT. Strip only a leading Bearer prefix, or leave the raw header unchanged otherwise.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-13T00:34:06Z

+export function prepareUserRequest(req: Request): Request {
+  const clonedURL = new URL(req.url)
+  const forwardedHost = req.headers.get('x-forwarded-host')
+  clonedURL.hostname = forwardedHost ?? clonedURL.hostname


Preserve the forwarded host and port for function requests

When Kong supplies x-forwarded-host with the public API host (commonly including the port, e.g. 127.0.0.1:54321), assigning it to URL.hostname either ignores the value because it contains : or keeps the edge-runtime port from the original URL. In those local function invocations, user code that reads req.url still sees the internal edge-runtime host/port instead of the API URL, breaking redirects or absolute callback URLs; assign to clonedURL.host (or split host/port) instead.

Useful? React with 👍 / 👎.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ff83937102

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-14T00:33:54Z

+      );
+    }
+    db = asRecord(doc?.["db"]);
+    projectId = nonEmptyString(doc?.["project_id"]);


Apply env-backed project_id before deriving the Docker network

When local test db reads a config whose project_id comes from env(...) or from SUPABASE_PROJECT_ID, this stores the literal TOML value (or none) instead of the value Go's LoadEnvHook/viper resolves. The handler then builds supabase_network_<project_id> from that value, so setups that rely on env-backed project IDs try to join the wrong Docker network and cannot reach the local database even though supabase start created the network from the resolved project ID.

Useful? React with 👍 / 👎.

…to 7.0.0-dev.20260607.1 in the npm-major group (#5574) Bumps the npm-major group with 1 update: [@typescript/native-preview](https://github.com/microsoft/typescript-go). Updates `@typescript/native-preview` from 7.0.0-dev.20260606.1 to 7.0.0-dev.20260607.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@typescript/native-preview&package-manager=npm_and_yarn&previous-version=7.0.0-dev.20260606.1&new-version=7.0.0-dev.20260607.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

depthfirst-app · 2026-06-15T00:22:57Z

+	if info.Type().IsDir() {
+		return false
+	}
+	if info.Type()&fs.ModeSymlink != 0 {


🟡 Severity: MEDIUM

The isUploadableEntry function allows resolving and uploading symlinked files. If a user runs the seeding command on a cloned repository containing a malicious symlink pointing to sensitive host files (e.g., ~/.ssh/id_rsa), those files will be read and uploaded to the storage bucket.
Helpful? Add 👍 / 👎

💡 Fix Suggestion

Suggestion: Remove symlink-following logic from isUploadableEntry and instead unconditionally skip symlinks. The current code opens and stats the symlink target, which allows traversal to arbitrary host files outside the seed directory. Replace the entire symlink-handling block with a simple rejection so symlinks are never uploaded.

⚠️ Experimental Feature: This code suggestion is automatically generated. Please review carefully.

Suggested change

if info.Type()&fs.ModeSymlink != 0 {

if info.Type()&fs.ModeSymlink != 0 {

fmt.Fprintln(os.Stderr, "Skipping symlink:", filePath)

return false

}

…s/cli-go/pkg/config/templates in the docker-minor group (#5575) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1 update: supabase/realtime. Updates `supabase/realtime` from v2.107.1 to v2.107.2 [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/realtime&package-manager=docker&previous-version=v2.107.1&new-version=v2.107.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## Summary Escapes backslashes when building SQL LIKE patterns for legacy `inspect db` internal schema filters. ## Context Code scanning flagged the previous sanitizer because it escaped underscores without escaping existing backslashes, which could let a backslash alter the meaning of the following pattern character. ## Impact Backslash-containing schema names now produce literal LIKE patterns while existing internal schema wildcard behavior stays unchanged.

Fixes the interactive password prompt path used by `projects create` when the user leaves the database password blank. `@clack/prompts` can return no string value for that blank password entry. The output adapter was calling `.trim()` directly, which crashed before the project creation flow could generate the fallback password. The adapter now normalizes non-string prompt results to an empty string so existing command-level fallback behavior can run.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d6648d7701

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-15T08:45:52Z

  const proxy = yield* LegacyGoProxy;
  const args: string[] = ["db", "pull"];
  if (Option.isSome(flags.name)) args.push(flags.name.value);
+  if (flags.declarative) args.push("--declarative");


Preserve explicit --declarative=false when proxying

When db pull is invoked as --declarative=false --diff-engine migra, Effect CLI parses the boolean as false and this line drops the flag before shelling out, so the Go command never sees Cobra's changed flag and does not enforce the new MarkFlagsMutuallyExclusive("declarative", "diff-engine") wiring in apps/cli-go/cmd/db.go. This lets an invocation that the Go CLI rejects run with different semantics; proxy explicit boolean forms such as --declarative=false instead of keying only on truthiness.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-15T08:45:52Z

+        // Checked by extension name only, regardless of schema: Go's duplicate-object
+        // notice fires for any pre-existing pgTAP, so a pgTAP the user installed in
+        // e.g. `public` must also be detected and left untouched.
+        const alreadyExists = yield* session.extensionExists("pgtap");


Avoid dropping pgTAP installed after the pre-check

If another session creates the pgtap extension after this pre-check but before CREATE EXTENSION IF NOT EXISTS runs, alreadyExists stays false and the finalizer drops an extension this command did not create. The Go implementation keys cleanup off the duplicate-object notice emitted by the CREATE statement itself, so it does not remove a pgTAP installation that appears during the race window; this port needs an equally creation-scoped signal before registering the drop finalizer.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-15T08:45:53Z

+              legacyManagementApiRuntimeLayer(["test", "db"]).pipe(Layer.provide(ambientLayer)),
+            ),
+          );
+          return { conn, isLocal: false };


Preserve linked refs for telemetry cache writes

When the linked/default path resolves a project ref, this return drops it and the native callers only flush telemetry, so linked test db and default/linked inspect db no longer write supabase/.temp/linked-project.json. The Go path sets flags.ProjectRef during ParseDatabaseConfig and Execute() then calls ensureProjectGroupsCached, which kept PostHog org/project groups attached; return/cache the ref here or have callers ensure the cache before leaving the native path.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-15T08:45:53Z

 				}
 			}
-			useDelta := shouldUsePgDelta()
+			useDelta := resolveDiffEngine(cmd.Flags().Changed("use-migra"), usePgAdmin, usePgSchema, shouldUsePgDelta())


Honor false --use-migra values

When pg-delta is enabled in config, --use-migra=false should not select the legacy migra path, but this passes only Cobra's Changed bit into resolveDiffEngine. Since boolean flags can be explicitly set to false, cmd.Flags().Changed("use-migra") is true for that invocation and the helper returns false for useDelta, so db diff --use-migra=false silently runs migra instead of the configured pg-delta engine.

Useful? React with 👍 / 👎.

Promotes `inspect report` — the last `inspect` leaf still on the Phase 0 Go proxy — to a native TypeScript port in the legacy shell (CLI-1317). All 13 active `inspect db` subcommands + 12 deprecated aliases were already native (#5554); this finishes the `inspect` tree. ## What it does Runs every inspect query against the target Postgres database via server-side `COPY (<query>) TO STDOUT WITH CSV HEADER`, writes one CSV per query into `<output-dir>/<YYYY-MM-DD>/` (14 files), then renders a Go-parity Glamour `RULE | STATUS | MATCHES` summary table validating those CSVs. ## How it's built - **`copyToCsv` on the shared driver** (`legacy-db-connection.sql-pg.layer.ts`): `@effect/sql-pg` doesn't expose the COPY protocol, so the session opens **one** raw `pg` connection (via `pg-copy-streams`) lazily on the first copy and reuses it for all queries — against the same dial target the primary connection won (TLS/fallback/DoH/step-down parity preserved), and closed by a scope finalizer. This mirrors Go running every copy on a single `pgconn`. CSVs are byte-identical by construction (the server serializes the values, never the TS side). - **Bounded csvq-subset evaluator** (`report.csvq.ts`): there is no JS port of csvq and neither DuckDB nor alasql accept its dialect, so the rule queries are evaluated by a hand-written tokenizer + recursive-descent parser + RFC4180 CSV reader that replicates csvq's value/type-comparison semantics (numeric-vs-string promotion, three-valued logic, `LISTAGG`, aggregates). Unsupported grammar / unknown column → the rule's STATUS cell, not a command failure (matching Go). - **Custom rules**: `[experimental.inspect.rules]` from `config.toml` (with `env(VAR)` expansion) replace the 7 embedded defaults when present. - Hoists the shared inspect base layer into `inspect/inspect.layers.ts` (now used by both `db` leaves and `report`); adds `legacy/output/legacy-bold.ts` for lipgloss `Bold` parity. ## Reviewer context - **Strict Go parity** is the deciding standard: the default rule "No large tables waiting on autovacuum" references `s.tbl`, which `vacuum_stats` emits as `name` — a pre-existing quirk in Go's `rules.toml` that surfaces as an unknown-column STATUS cell. It's preserved verbatim (documented in `report.rules.ts` + `SIDE_EFFECTS.md`); tests assert this Go-faithful behavior rather than "fixing" it. - The `$2` database literal is not escaped, matching Go's `fmt.Sprintf("'%s'", database)`. - `json`/`stream-json` output modes are a TS-only addition (Go is text-only); CSVs are still written. - New direct deps `pg` + `pg-copy-streams` are needed for the COPY protocol; verified to bundle under `bun build --compile`. - The issue listed a `--project-ref` flag that does not exist on the Go `inspect` tree — the surface is `--db-url` / `--linked` / `--local` / `--output-dir`, matching Go. Closes CLI-1317

depthfirst-app · 2026-06-15T09:12:44Z

+  const forwardedHost = req.headers.get('x-forwarded-host')
+  clonedURL.hostname = forwardedHost ?? clonedURL.hostname


⚪ Severity: LOW

The prepareUserRequest function trusts and assigns the client-controlled x-forwarded-host header to the cloned request's hostname. In local/exposed environments, this enables Host header spoofing, potentially leading to Server-Side Request Forgery (SSRF) if edge functions resolve relative paths against the request URL.
Helpful? Add 👍 / 👎

💡 Fix Suggestion

Suggestion: Validate the x-forwarded-host header value before assigning it to the cloned URL's hostname. Use a regex allowlist that only permits well-formed hostname characters (alphanumeric, hyphens, dots) with an optional port, and strip any port before setting clonedURL.hostname. This prevents an attacker from injecting arbitrary hosts, paths, or protocol schemes via the header. Optionally, compare the validated host against an environment-based allowlist (e.g., ALLOWED_HOSTS) for stricter control in production-like local environments.

⚠️ Experimental Feature: This code suggestion is automatically generated. Please review carefully.

Suggested change

const forwardedHost = req.headers.get('x-forwarded-host')

clonedURL.hostname = forwardedHost ?? clonedURL.hostname

const forwardedHost = req.headers.get('x-forwarded-host')

// Validate x-forwarded-host to prevent SSRF via host header spoofing

const sanitizedHost = forwardedHost?.match(/^[a-zA-Z0-9\-.]+(?::\d+)?$/)?.[0]?.split(':')[0]

clonedURL.hostname = sanitizedHost ?? clonedURL.hostname

## TL;DR fixes nullable function import map paths ## prob - While testing the ported `functions deploy` flow here: #5561 I found that `functions list` could fall back to `request_failed` because the management api can return `import_map_path: null` Go already accepted that null shape, but the generated ts contract only accepted a string basically this updates the generated function response contracts to accept `null` for `import_map_path` and adds a integration coverage around it! ## ref - smol regression of: (#5185)

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2815a695c9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-15T11:58:40Z

+    result.status === "pending" ||
+    result.ssl.status === "initializing" ||
+    result.ssl.validation_records !== undefined ||
+    result.ownership_verification !== undefined


Don’t infer verification from ownership data alone

When the API omits the top-level status for a hostname that is already active, ownership_verification can still be present in data.result, so this condition classifies the response as 2_initiated. The formatter then takes the verification-record path and, for an active SSL payload with no validation records, prints the misleading expected a single SSL verification record message instead of the completed/empty status. Please gate the inference on pending/initializing/validation-record state rather than the mere presence of ownership metadata.

Useful? React with 👍 / 👎.

## What changed Replaces GitHub artifact upload/download handoffs with per-run `actions/cache` save/restore handoffs for CLI preview artifacts, release artifacts on Blacksmith consumers, and CLI Go coverage output. The release workflow now keeps the fast Blacksmith build/cache path on the critical smoke-test path. A GitHub-hosted build is still created only for real npm publishes, because npm provenance requires a GitHub-hosted runner. Homebrew and Scoop publishing run on Blacksmith and restore the Blacksmith cache. Also updates actionlint configuration and removes unsupported event path filters so workflow validation passes across the repo. ## Why Artifact download was slow for these cross-job handoffs. Using upstream `actions/cache` lets Blacksmith-backed jobs use Blacksmith cache, while avoiding duplicate release build work on dry runs and avoiding a GitHub-hosted build gate before smoke tests. ## Reviewer context Speed is the priority here. The GitHub-hosted release build exists only for npm provenance, and it is kept off the smoke-test critical path.

## Summary - run macOS release smoke on GitHub-hosted macOS so it restores the GitHub-hosted build cache - keep Linux and Windows smoke tests on Blacksmith using the Blacksmith build cache - make the GitHub-hosted build available for dry-run release smoke as well as real publishes ## Context The release run after #5550 saved the Blacksmith build cache successfully, and Linux/Windows smoke restored it, but Blacksmith macOS missed the same key. The macOS smoke job now uses the cache backend produced by the GitHub-hosted build instead of relying on cross-backend visibility.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 75827499ca

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-15T18:08:03Z

+          path: |
+            packages/cli-*/bin/
+            dist/
+          key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1


Use the published artifact cache for checksums

When publish_brew_scoop is enabled, this restores the Blacksmith build cache (...-v1) even though the publish job uploads the GitHub-hosted artifacts from the ...-github-v1 cache. The Homebrew/Scoop update scripts read dist/checksums.txt from the restored cache, so release archives built independently on Blacksmith (tar/zip entries include build-time metadata) can produce checksums that do not match the GitHub release assets users download. Restore the same -github cache here and in publish-scoop, or derive checksums from the uploaded artifacts.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-15T18:08:03Z

+  if (flags.linked) setFlags.push("linked");
+  if (flags.local) setFlags.push("local");


Track report selector presence, not truthiness

For inspect report, explicit false selector forms are parsed as false and then dropped here, but the Go path checks Flag.Changed first in apps/cli-go/internal/utils/flags/db_url.go before looking at default values. In cases like supabase inspect report --local=false --db-url ..., TS does not reject the mutually exclusive selectors, and --local=false by itself falls through to the default linked target instead of the changed local selector. Track raw flag presence rather than boolean truthiness.

Useful? React with 👍 / 👎.

#5582) Bumps the go-minor group with 3 updates in the /apps/cli-go directory: [github.com/posthog/posthog-go](https://github.com/posthog/posthog-go), [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/term](https://github.com/golang/term). Bumps the go-minor group with 1 update in the /apps/cli-go/pkg directory: [golang.org/x/mod](https://github.com/golang/mod). Updates `github.com/posthog/posthog-go` from 1.14.0 to 1.15.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/posthog/posthog-go/releases">github.com/posthog/posthog-go's releases</a>.</em></p> <blockquote> <h2>1.15.0</h2> <h2>Unreleased</h2> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md">github.com/posthog/posthog-go's changelog</a>.</em></p> <blockquote> <h2>1.15.0</h2> <h3>Minor Changes</h3> <ul> <li>64ad172: Support the <code>early_exit</code> flag filter in local evaluation. When a flag's <code>filters.early_exit</code> is <code>true</code> and a condition group's property filters match (or there are none) but the rollout percentage excludes the user, evaluation now stops and returns <code>false</code> immediately instead of falling through to later groups. Mirrors the server-side (Rust) evaluation engine. A property-filter mismatch still falls through as before, and behaviour is unchanged when <code>early_exit</code> is unset or <code>false</code>.</li> </ul> <h3>Minor Changes</h3> <ul> <li>Support the <code>early_exit</code> option on feature flag filters during local evaluation. When a flag has <code>filters.early_exit</code> set to <code>true</code> and a condition group matches its property filters (or has none) but the rollout percentage excludes the user, local evaluation now returns a definitive disabled result immediately instead of falling through to later condition groups, mirroring the server-side evaluation engine. Property-filter mismatches continue to fall through as before, and behaviour is unchanged when <code>early_exit</code> is absent or <code>false</code>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-go/commit/1a54557979edc2366499d35c628d5261cab73822"><code>1a54557</code></a> chore: release v1.15.0 [version bump] [skip ci]</li> <li><a href="https://github.com/PostHog/posthog-go/commit/64ad17275f033c5ec8a45d3aad9ca139a3c759cf"><code>64ad172</code></a> feat(feature-flags): support early_exit in local evaluation (<a href="https://redirect.github.com/posthog/posthog-go/issues/217">#217</a>)</li> <li>See full diff in <a href="https://github.com/posthog/posthog-go/compare/v1.14.0...v1.15.0">compare view</a></li> </ul> </details> <br /> Updates `golang.org/x/mod` from 0.36.0 to 0.37.0 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/mod/commit/deb1dfcdb7c7fd98fb5afddc3e95dd36d5880874"><code>deb1dfc</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/mod/commit/087f6515dd3ba3e8b06918fa425ffe7732321a7a"><code>087f651</code></a> modfile: use slices.Backward</li> <li><a href="https://github.com/golang/mod/commit/343ee60345a1f2ff0692be9dd068c0778dba985c"><code>343ee60</code></a> x/mod: allow for aggressively conslidating requires</li> <li>See full diff in <a href="https://github.com/golang/mod/compare/v0.36.0...v0.37.0">compare view</a></li> </ul> </details> <br /> Updates `golang.org/x/term` from 0.43.0 to 0.44.0 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/term/commit/3b43943a9e7de876a5d5e1f5e7da7cdeae0f542a"><code>3b43943</code></a> go.mod: update golang.org/x dependencies</li> <li>See full diff in <a href="https://github.com/golang/term/compare/v0.43.0...v0.44.0">compare view</a></li> </ul> </details> <br /> Updates `golang.org/x/mod` from 0.36.0 to 0.37.0 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/mod/commit/deb1dfcdb7c7fd98fb5afddc3e95dd36d5880874"><code>deb1dfc</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/mod/commit/087f6515dd3ba3e8b06918fa425ffe7732321a7a"><code>087f651</code></a> modfile: use slices.Backward</li> <li><a href="https://github.com/golang/mod/commit/343ee60345a1f2ff0692be9dd068c0778dba985c"><code>343ee60</code></a> x/mod: allow for aggressively conslidating requires</li> <li>See full diff in <a href="https://github.com/golang/mod/compare/v0.36.0...v0.37.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the npm-major group with 6 updates: | Package | From | To | | --- | --- | --- | | [undici](https://github.com/nodejs/undici) | `8.4.0` | `8.4.1` | | [@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js) | `2.107.0` | `2.108.0` | | [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.168` | `0.3.169` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.36.4` | `5.36.6` | | [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260607.1` | `7.0.0-dev.20260608.1` | | [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.53.0` | `0.54.0` | Updates `undici` from 8.4.0 to 8.4.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v8.4.1</h2> <h2>What's Changed</h2> <ul> <li>test: avoid localhost lookup in fetch cookies tests by <a href="https://github.com/mcollina"><code>@mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5363">nodejs/undici#5363</a></li> <li>fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (<a href="https://redirect.github.com/nodejs/undici/issues/5216">#5216</a>) by <a href="https://github.com/mcollina"><code>@mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5343">nodejs/undici#5343</a></li> <li>fix(dns): skip requests without origin by <a href="https://github.com/marko1olo"><code>@marko1olo</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5376">nodejs/undici#5376</a></li> <li>docs: add Getting Started guide by <a href="https://github.com/AliMahmoudDev"><code>@AliMahmoudDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5371">nodejs/undici#5371</a></li> <li>docs: fix code examples that crash at runtime and other inaccuracies by <a href="https://github.com/AliMahmoudDev"><code>@AliMahmoudDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5386">nodejs/undici#5386</a></li> <li>fix: handle paused parser on socket end (issue <a href="https://redirect.github.com/nodejs/undici/issues/5360">#5360</a>) by <a href="https://github.com/mcollina"><code>@mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5389">nodejs/undici#5389</a></li> <li>fix(client): reject pipelined TLS altname errors by <a href="https://github.com/marko1olo"><code>@marko1olo</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5373">nodejs/undici#5373</a></li> <li>docs: fix multiple inaccuracies in API documentation by <a href="https://github.com/AliMahmoudDev"><code>@AliMahmoudDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5384">nodejs/undici#5384</a></li> <li>docs: fix remaining broken links in API documentation by <a href="https://github.com/AliMahmoudDev"><code>@AliMahmoudDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5342">nodejs/undici#5342</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/marko1olo"><code>@marko1olo</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/5376">nodejs/undici#5376</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v8.4.0...v8.4.1">https://github.com/nodejs/undici/compare/v8.4.0...v8.4.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/04ebc715813ce68663c12a0fadb22b872818fe29"><code>04ebc71</code></a> Bumped v8.4.1 (<a href="https://redirect.github.com/nodejs/undici/issues/5392">#5392</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/89017ab4be184c2fc26e4a3d62e991805858289e"><code>89017ab</code></a> docs: fix remaining broken links in API documentation (<a href="https://redirect.github.com/nodejs/undici/issues/5342">#5342</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/cae3940b861706e9be1331a1b3bd921f3817622e"><code>cae3940</code></a> docs: fix multiple inaccuracies in API documentation (<a href="https://redirect.github.com/nodejs/undici/issues/5384">#5384</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/01e89e95e9f4fa7d0d98ccf7b524f977111f3735"><code>01e89e9</code></a> fix(client): reject pipelined TLS altname errors (<a href="https://redirect.github.com/nodejs/undici/issues/5373">#5373</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/d03fb2441fefbb603ed454a31b0cce93a2112651"><code>d03fb24</code></a> fix: handle paused parser on socket end (issue <a href="https://redirect.github.com/nodejs/undici/issues/5360">#5360</a>) (<a href="https://redirect.github.com/nodejs/undici/issues/5389">#5389</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/ee59da37759632cd9bfdb2c95707797c598f12d8"><code>ee59da3</code></a> docs: fix code examples that crash at runtime and other inaccuracies (<a href="https://redirect.github.com/nodejs/undici/issues/5386">#5386</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/8464ab7f36743e00330d1a7fbc722fd1c814c5da"><code>8464ab7</code></a> docs: add Getting Started guide (<a href="https://redirect.github.com/nodejs/undici/issues/5371">#5371</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/ba12bb189a5c4d1b1b0bb9a939f337ddaa15d4c2"><code>ba12bb1</code></a> fix(dns): skip requests without origin (<a href="https://redirect.github.com/nodejs/undici/issues/5376">#5376</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/c07a438defe4dfbc530c0a1b0fd41ea731e97aaf"><code>c07a438</code></a> fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (<a href="https://redirect.github.com/nodejs/undici/issues/5">#5</a>...</li> <li><a href="https://github.com/nodejs/undici/commit/a8ea6f285a92d2daf42defec629303c67d8df4ce"><code>a8ea6f2</code></a> test: avoid localhost lookup in fetch cookies tests (<a href="https://redirect.github.com/nodejs/undici/issues/5363">#5363</a>)</li> <li>See full diff in <a href="https://github.com/nodejs/undici/compare/v8.4.0...v8.4.1">compare view</a></li> </ul> </details> <br /> Updates `@supabase/supabase-js` from 2.107.0 to 2.108.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/supabase/supabase-js/releases">@supabase/supabase-js's releases</a>.</em></p> <blockquote> <h2>v2.108.0</h2> <h2>2.108.0 (2026-06-08)</h2> <h3>🚀 Features</h3> <ul> <li><strong>auth:</strong> auth.resend() consistent confirmation flow (<a href="https://redirect.github.com/supabase/supabase-js/pull/2144">#2144</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>auth:</strong> do not console.error AuthApiError already returned through contract (<a href="https://redirect.github.com/supabase/supabase-js/pull/2428">#2428</a>)</li> <li><strong>postgrest:</strong> pass request headers as plain object for RN/custom-fetch compatibility (<a href="https://redirect.github.com/supabase/supabase-js/pull/2414">#2414</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> <li>Lawrence Li <a href="https://github.com/weilirs"><code>@weilirs</code></a></li> <li>MaitreyeeDeshmukh</li> </ul> <h2>v2.108.0-canary.0</h2> <h2>2.108.0-canary.0 (2026-06-04)</h2> <h3>🚀 Features</h3> <ul> <li><strong>auth:</strong> auth.resend() consistent confirmation flow (<a href="https://redirect.github.com/supabase/supabase-js/pull/2144">#2144</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>auth:</strong> do not console.error AuthApiError already returned through contract (<a href="https://redirect.github.com/supabase/supabase-js/pull/2428">#2428</a>)</li> <li><strong>postgrest:</strong> pass request headers as plain object for RN/custom-fetch compatibility (<a href="https://redirect.github.com/supabase/supabase-js/pull/2414">#2414</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> <li>Lawrence Li <a href="https://github.com/weilirs"><code>@weilirs</code></a></li> <li>MaitreyeeDeshmukh</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md">@supabase/supabase-js's changelog</a>.</em></p> <blockquote> <h2>2.108.0 (2026-06-08)</h2> <p>This was a version bump only for <code>@supabase/supabase-js</code> to align it with other projects, there were no code changes.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/supabase/supabase-js/commit/57014e167626211b68ead69e0d4e24766619e933"><code>57014e1</code></a> chore(release): version 2.107.0 changelogs (<a href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2421">#2421</a>)</li> <li>See full diff in <a href="https://github.com/supabase/supabase-js/commits/v2.108.0/packages/core/supabase-js">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/claude-agent-sdk` from 0.3.168 to 0.3.169 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.169</h2> <h2>What's changed</h2> <ul> <li>Added an experimental <code>usage_EXPERIMENTAL_MAY_CHANGE_DO_NOT_RELY_ON_THIS_API_YET()</code> method on <code>Query</code> returning structured session cost, plan rate-limit, and local usage-behaviors data</li> <li>Added an <code>sse</code> option (<code>SSEOptions</code>) to <code>BrowserQueryOptions</code> as an alternative to <code>websocket</code>, for browser SDK consumers who prefer Server-Sent Events</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.169 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.169 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.169 # or bun add @anthropic-ai/claude-agent-sdk@0.3.169 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.169</h2> <ul> <li>Added an experimental <code>usage_EXPERIMENTAL_MAY_CHANGE_DO_NOT_RELY_ON_THIS_API_YET()</code> method on <code>Query</code> returning structured session cost, plan rate-limit, and local usage-behaviors data</li> <li>Added an <code>sse</code> option (<code>SSEOptions</code>) to <code>BrowserQueryOptions</code> as an alternative to <code>websocket</code>, for browser SDK consumers who prefer Server-Sent Events</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/f59a1f4b1c2bcd7dad90bfd2976e0ee15dbf5ac1"><code>f59a1f4</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.168...v0.3.169">compare view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.36.4 to 5.36.6 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.36.6</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.30.12</li> </ul> </li> </ul> <h2>5.36.5</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.30.11</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/98e248be0c23e95d42066113d2ee1e8cf8b36e35"><code>98e248b</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/fce860d5ad9c0b90de21bead109207d78ae5dd36"><code>fce860d</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/227c9b03c19dcb93d9a15abb1ee6b9523d366767"><code>227c9b0</code></a> chore(release): restore changesets after failed release (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/3771">#3771</a>)</li> <li><a href="https://github.com/PostHog/posthog-js/commit/8cb1e41d13f943565e54f90829b525bbb62e3899"><code>8cb1e41</code></a> chore: update versions and lockfile [version bump]</li> <li>See full diff in <a href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.6/packages/node">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260607.1 to 7.0.0-dev.20260608.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Updates `oxfmt` from 0.53.0 to 0.54.0 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md">oxfmt's changelog</a>.</em></p> <blockquote> <h2>[0.54.0] - 2026-06-08</h2> <h3>📚 Documentation</h3> <ul> <li>dadafe3 oxlint, oxfmt: Mention migrate skills in npm READMEs (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/22965">#22965</a>) (Boshen)</li> <li>f88961a oxfmt: Annotate each config option with supported languages (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/22953">#22953</a>) (leaysgur)</li> </ul> <h2>[0.52.0] - 2026-05-26</h2> <h3>🚀 Features</h3> <ul> <li>16b8058 oxfmt: Support <code>vite-plus/resolveConfig</code> for vite.config.ts (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/22454">#22454</a>) (leaysgur)</li> </ul> <h2>[0.50.0] - 2026-05-15</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>43b9978 formatter/sort_imports: Treat subpath imports as internal (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/22440">#22440</a>) (leaysgur)</li> </ul> <h2>[0.49.0] - 2026-05-11</h2> <h3>🚀 Features</h3> <ul> <li>6e8e818 oxfmt: Experimental .svelte support (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/21700">#21700</a>) (leaysgur)</li> </ul> <h2>[0.45.0] - 2026-04-13</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>50c389b oxfmt: Support <code>.editorconfig</code> <code>quote_type</code> (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/20989">#20989</a>) (leaysgur)</li> </ul> <h2>[0.44.0] - 2026-04-06</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>dd2df87 npm: Export package.json for oxlint and oxfmt (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/20784">#20784</a>) (kazuya kawaguchi)</li> <li>4216380 oxfmt: Support <code>.editorconfig</code> <code>tab_width</code> fallback (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/20988">#20988</a>) (leaysgur)</li> </ul> <h2>[0.43.0] - 2026-03-30</h2> <h3>🚀 Features</h3> <ul> <li>6ef440a oxfmt: Support bool for object style options (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/20853">#20853</a>) (leaysgur)</li> </ul> <h2>[0.42.0] - 2026-03-24</h2> <h3>🚀 Features</h3> <ul> <li>416865a formatter,oxfmt: Add doc comments for <code>JsdocConfig</code> (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/20644">#20644</a>) (leaysgur)</li> <li>4fec907 formatter: Add JSDoc comment formatting support (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/19828">#19828</a>) (Dunqing)</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/oxc-project/oxc/commit/44ae845fe19d3700128e50e7e61d98c7a85f3f47"><code>44ae845</code></a> release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/23116">#23116</a>)</li> <li><a href="https://github.com/oxc-project/oxc/commit/dadafe3e0874b2b75775d265b24d19d7f446e2bf"><code>dadafe3</code></a> docs(oxlint, oxfmt): mention migrate skills in npm READMEs (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/22965">#22965</a>)</li> <li><a href="https://github.com/oxc-project/oxc/commit/f88961ae2968ae2a12035111d07c72797812d2fd"><code>f88961a</code></a> docs(oxfmt): annotate each config option with supported languages (<a href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/22953">#22953</a>)</li> <li>See full diff in <a href="https://github.com/oxc-project/oxc/commits/oxfmt_v0.54.0/npm/oxfmt">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…emplates with 3 updates (#5584) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates: supabase/studio, supabase/gotrue and supabase/storage-api. Updates `supabase/studio` from 2026.06.08-sha-8af2bb0 to 2026.06.15-sha-a412298 Updates `supabase/gotrue` from v2.189.0 to v2.190.0 Updates `supabase/storage-api` from v1.60.17 to v1.60.18 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…/apps/cli-go/pkg/config/templates (#5585) Bumps supabase/postgres from 17.6.1.135 to 17.6.1.136. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/postgres&package-manager=docker&previous-version=17.6.1.135&new-version=17.6.1.136)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dcc2a16754

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-16T00:54:04Z

+    const caCert =
+      rootcertPath !== undefined && rootcertPath.length > 0 && !isLocal && anyTcpTarget
+        ? yield* Effect.try({
+            try: () => readFileSync(rootcertPath, "utf8"),


Resolve sslrootcert relative to the legacy workdir

When a native DB command is run from outside the project with --workdir/SUPABASE_WORKDIR and the connection string or PGSSLROOTCERT uses a relative sslrootcert path, this reads relative to the process cwd instead of the resolved legacy workdir. The Go CLI changes into the workdir before database config parsing, so the same relative certificate path works there; the TS port now fails unless the user happens to invoke it from the project directory or uses an absolute path.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-16T00:54:04Z

+  const sbApiKeyCompatibilityToken = req.headers.get("sb-api-key")
+
+  // NOTE:(kallebysantos) Kong on legacy CLI stack pass it down as 'Bearer Token' format
+  const cleanSbApiKeyCompatibilityToken = sbApiKeyCompatibilityToken?.replace('Bearer', '')?.trim()


Strip only a leading Bearer prefix

When Kong supplies sb-api-key as a raw JWT, this removes the first Bearer substring anywhere in the token, so a valid locally generated JWT whose base64url payload or signature happens to contain those bytes is mutated before verification and rejected as Invalid JWT. Only strip a leading Bearer compatibility prefix; otherwise leave the header value unchanged.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-16T00:54:04Z

+/** Whether a resolved sslmode is present and not one pgconn accepts. */
+function isInvalidSslmode(sslmode: string | null | undefined): boolean {
+  return (
+    sslmode !== null && sslmode !== undefined && sslmode.length > 0 && !VALID_SSLMODES.has(sslmode)


Reject explicitly empty sslmode values

When a user or service file explicitly sets sslmode= / ?sslmode= to the empty string, pgconn treats that present value as an invalid sslmode and rejects the connection string, but this check skips empty strings and the returned config omits sslmode, so the TS path proceeds with the default TLS behavior instead of reporting the malformed DB URL/config. Remove the length > 0 exemption so present-but-empty connection-string and service values fail like Go while empty PGSSLMODE remains ignored by libpqEnv.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-16T00:54:04Z

+      return { k: "isnull", e: left, negated };
+    }
+    const opTok = this.peek();
+    if (opTok.t === "op" && ["=", "<>", "!=", "<", ">", "<=", ">="].includes(opTok.v)) {


Preserve valid custom csvq report rules

When users define [experimental.inspect.rules] with valid csvq outside this hand-written subset, such as WHERE name LIKE 'public.%' or adding ORDER BY/LIMIT, Go evaluates the configured query directly with the csvq driver, but this parser only accepts the listed comparison operators and turns the rule into an expected a comparison operator or trailing-token STATUS instead of a pass/fail result. That breaks existing custom report rules even though inspect report still exits successfully.

Useful? React with 👍 / 👎.

…o in the go-minor group across 1 directory (#5590) Bumps the go-minor group with 1 update in the /apps/cli-go directory: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.55.0 to 0.56.0 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/9e7fdbfadb32b0cc7524100014c5cf9b6adc7729"><code>9e7fdbf</code></a> internal/http3: fix wrong argument being given when validating header value</li> <li><a href="https://github.com/golang/net/commit/b686e5f3573e5f55120d664fc283ed7e80c1af3c"><code>b686e5f</code></a> internal/http3: add gzip support to transport</li> <li><a href="https://github.com/golang/net/commit/8a348850ed6818306667722af2b42a6fc63473e0"><code>8a34885</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/72eaf98743302f6e0ad10883163dfc46dc8e8183"><code>72eaf98</code></a> dns/dnsmessage: correctly validate SVCB record parameter order</li> <li><a href="https://github.com/golang/net/commit/82e7868a02167540748b74780b0bf825985256f7"><code>82e7868</code></a> dns/dnsmessage: avoid panic when parsing SVCB record with truncated data</li> <li><a href="https://github.com/golang/net/commit/b64f1fa4c615965246e5b9e5c9d614916fa8967d"><code>b64f1fa</code></a> internal/http3: add server support for "Trailer:" magic prefix</li> <li><a href="https://github.com/golang/net/commit/2707ee21efea70599446dd35979b1d1aedf44ada"><code>2707ee2</code></a> internal/http3: implement HTTP/3 clientConn methods</li> <li><a href="https://github.com/golang/net/commit/31358cc259a764905194e3d6c597375b0ff366c1"><code>31358cc</code></a> internal/http3: snapshot response headers at WriteHeader time</li> <li><a href="https://github.com/golang/net/commit/8ecbaa95fea823c19fa74c5c3b53e0bccd473828"><code>8ecbaa9</code></a> html: don't adjust xml:base</li> <li><a href="https://github.com/golang/net/commit/8ae811abe5c2daa55c68d51a101af1c5751a4d55"><code>8ae811a</code></a> html: properly handle end script tag in fragment mode</li> <li>Additional commits viewable in <a href="https://github.com/golang/net/compare/v0.55.0...v0.56.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/net&package-manager=go_modules&previous-version=0.55.0&new-version=0.56.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

@latest

Bumps the npm-major group with 8 updates: | Package | From | To | | --- | --- | --- | | [@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js) | `2.108.0` | `2.108.1` | | [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.169` | `0.3.170` | | [@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript) | `0.102.0` | `0.104.1` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.36.6` | `5.36.8` | | [semantic-release](https://github.com/semantic-release/semantic-release) | `25.0.3` | `25.0.5` | | [next](https://github.com/vercel/next.js) | `16.2.7` | `16.2.9` | | [@swc/core](https://github.com/swc-project/swc/tree/HEAD/packages/core) | `1.15.40` | `1.15.41` | | [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260608.1` | `7.0.0-dev.20260609.1` | Updates `@supabase/supabase-js` from 2.108.0 to 2.108.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/supabase/supabase-js/releases">@supabase/supabase-js's releases</a>.</em></p> <blockquote> <h2>v2.108.1</h2> <h2>2.108.1 (2026-06-09)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>ci:</strong> forward DOGFOOD_APP_CLIENT_ID to dogfood workflow (<a href="https://redirect.github.com/supabase/supabase-js/pull/2434">#2434</a>)</li> <li><strong>postgrest:</strong> then typing (<a href="https://redirect.github.com/supabase/supabase-js/pull/2349">#2349</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> <li>Vaibhav <a href="https://github.com/7ttp"><code>@7ttp</code></a></li> </ul> <h2>v2.108.1-canary.2</h2> <h2>2.108.1-canary.2 (2026-06-09)</h2> <p>This was a version bump only, there were no code changes.</p> <h2>v2.108.1-canary.1</h2> <h2>2.108.1-canary.1 (2026-06-08)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>postgrest:</strong> then typing (<a href="https://redirect.github.com/supabase/supabase-js/pull/2349">#2349</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Vaibhav <a href="https://github.com/7ttp"><code>@7ttp</code></a></li> </ul> <h2>v2.108.1-canary.0</h2> <h2>2.108.1-canary.0 (2026-06-08)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>ci:</strong> forward DOGFOOD_APP_CLIENT_ID to dogfood workflow (<a href="https://redirect.github.com/supabase/supabase-js/pull/2434">#2434</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md">@supabase/supabase-js's changelog</a>.</em></p> <blockquote> <h2>2.108.2 (2026-06-15)</h2> <p>This was a version bump only for <code>@supabase/supabase-js</code> to align it with other projects, there were no code changes.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/supabase/supabase-js/commit/65fafe5ccc124ecc616d031b1d3fa0a1703340ff"><code>65fafe5</code></a> chore(release): version 2.108.0 changelogs (<a href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2433">#2433</a>)</li> <li>See full diff in <a href="https://github.com/supabase/supabase-js/commits/v2.108.1/packages/core/supabase-js">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/claude-agent-sdk` from 0.3.169 to 0.3.170 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.170</h2> <h2>What's changed</h2> <ul> <li>Added claude-fable-5 model and the fable alias to SDK model types. <a href="https://www.anthropic.com/news/claude-fable-5-mythos-5">https://www.anthropic.com/news/claude-fable-5-mythos-5</a></li> <li>Updated to parity with Claude Code v2.1.170</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.170 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.170 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.170 # or bun add @anthropic-ai/claude-agent-sdk@0.3.170 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.170</h2> <ul> <li>Added claude-fable-5 model and the fable alias to SDK model types. <a href="https://www.anthropic.com/news/claude-fable-5-mythos-5">https://www.anthropic.com/news/claude-fable-5-mythos-5</a></li> <li>Updated to parity with Claude Code v2.1.170</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/dbe0c96f78033ccc8d569bf5ebd93c1dc6d68681"><code>dbe0c96</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.169...v0.3.170">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/sdk` from 0.102.0 to 0.104.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@anthropic-ai/sdk's releases</a>.</em></p> <blockquote> <h2>sdk: v0.104.1</h2> <h2>0.104.1 (2026-06-09)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.104.0...sdk-v0.104.1">sdk-v0.104.0...sdk-v0.104.1</a></p> <h3>Bug Fixes</h3> <ul> <li><strong>api:</strong> add <code>frontier_llm</code> refusal category (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/465e6866d66952c0a0a9eb2c465b2e4389da58f1">465e686</a>)</li> </ul> <h2>sdk: v0.104.0</h2> <h2>0.104.0 (2026-06-09)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.103.0...sdk-v0.104.0">sdk-v0.103.0...sdk-v0.104.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for Managed Agents deployments and environment variable credentials (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/d01e38b5b6f62400450b727d9724ea00a6b1eaf5">d01e38b</a>)</li> </ul> <h2>sdk: v0.103.0</h2> <h2>0.103.0 (2026-06-09)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.102.0...sdk-v0.103.0">sdk-v0.102.0...sdk-v0.103.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc337f72dcf22d2ffd92f511918330f37ffab652">cc337f7</a>)</li> <li><strong>client:</strong> adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc337f72dcf22d2ffd92f511918330f37ffab652">cc337f7</a>)</li> <li><strong>middleware:</strong> add ctx.logger (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/55">#55</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/edd14544173cf60ee2a2bf01acbf14e50bcfdaaa">edd1454</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>client:</strong> 3p middleware ordering (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/53">#53</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/2a4c339e6887aa2e8e1278c7b22d3732cf64a76c">2a4c339</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/sdk's changelog</a>.</em></p> <blockquote> <h2>0.104.1 (2026-06-09)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.104.0...sdk-v0.104.1">sdk-v0.104.0...sdk-v0.104.1</a></p> <h3>Bug Fixes</h3> <ul> <li><strong>api:</strong> add <code>frontier_llm</code> refusal category (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/465e6866d66952c0a0a9eb2c465b2e4389da58f1">465e686</a>)</li> </ul> <h2>0.104.0 (2026-06-09)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.103.0...sdk-v0.104.0">sdk-v0.103.0...sdk-v0.104.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for Managed Agents deployments and environment variable credentials (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/d01e38b5b6f62400450b727d9724ea00a6b1eaf5">d01e38b</a>)</li> </ul> <h2>0.103.0 (2026-06-09)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.102.0...sdk-v0.103.0">sdk-v0.102.0...sdk-v0.103.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc337f72dcf22d2ffd92f511918330f37ffab652">cc337f7</a>)</li> <li><strong>client:</strong> adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc337f72dcf22d2ffd92f511918330f37ffab652">cc337f7</a>)</li> <li><strong>middleware:</strong> add ctx.logger (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/55">#55</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/edd14544173cf60ee2a2bf01acbf14e50bcfdaaa">edd1454</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>client:</strong> 3p middleware ordering (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/53">#53</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/2a4c339e6887aa2e8e1278c7b22d3732cf64a76c">2a4c339</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/9a0442d88eebd1861e595bed7c57d309a609c3a5"><code>9a0442d</code></a> chore: release main</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/1ccd4012e7931dd41c94c8bc02c05ebe9a1c5282"><code>1ccd401</code></a> fix(api): add <code>frontier_llm</code> refusal category</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/8be0232e92e8c55e1eb95a35be5cba287b1d70ad"><code>8be0232</code></a> chore: release main</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/813af321839a958b3a58855efaa60376b001fc3e"><code>813af32</code></a> feat(api): add support for Managed Agents deployments and environment variabl...</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/589eed1c73c29fef1159997f31b735d70c2b7c59"><code>589eed1</code></a> chore: release main</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/a785874823392bda6b0dd342d4569272f2d90caf"><code>a785874</code></a> feat(api): add support for claude-mythos-5 and claude-fable-5, with support f...</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/6322a4f9aa042d98f3e32005f78ab2dd18ed9929"><code>6322a4f</code></a> fix(client): 3p middleware ordering (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/53">#53</a>)</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/c2e94fc13676016b292129924faa44cab1309a3b"><code>c2e94fc</code></a> feat(middleware): add ctx.logger (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/55">#55</a>)</li> <li>See full diff in <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.102.0...sdk-v0.104.1">compare view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.36.6 to 5.36.8 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.36.8</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.30.14</li> </ul> </li> </ul> <h2>5.36.7</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/3748">#3748</a> <a href="https://github.com/PostHog/posthog-js/commit/78209299874f932e55b0050d3b891f5c8dbd66a6"><code>7820929</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Reduce duplicate internal code found by dry4ts. (2026-06-09)</li> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.30.13</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/57e4e256629e84233fad942ba4c95392c1b60285"><code>57e4e25</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/65f9a67a264366a69bf24eaf8d3d283e2dbd23e0"><code>65f9a67</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/78209299874f932e55b0050d3b891f5c8dbd66a6"><code>7820929</code></a> refactor: reduce duplicate code found by dry4ts (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/3748">#3748</a>)</li> <li>See full diff in <a href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.8/packages/node">compare view</a></li> </ul> </details> <br /> Updates `semantic-release` from 25.0.3 to 25.0.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/semantic-release/semantic-release/releases">semantic-release's releases</a>.</em></p> <blockquote> <h2>v25.0.5</h2> <h2><a href="https://github.com/semantic-release/semantic-release/compare/v25.0.4...v25.0.5">25.0.5</a> (2026-06-09)</h2> <h3>Bug Fixes</h3> <ul> <li><strong>revert:</strong> next (<a href="https://redirect.github.com/semantic-release/semantic-release/issues/4200">#4200</a>) (<a href="https://github.com/semantic-release/semantic-release/commit/db8ffaad90139532f30c0fcd955cf52ffdc1a267">db8ffaa</a>)</li> </ul> <h2>v25.0.4</h2> <h2><a href="https://github.com/semantic-release/semantic-release/compare/v25.0.3...v25.0.4">25.0.4</a> (2026-06-09)</h2> <h3>Bug Fixes</h3> <ul> <li><strong>code-quality:</strong> add missing comma in context object for consistency (<a href="https://github.com/semantic-release/semantic-release/commit/493d6cdaa1ed697427acea596d0d25eb53b462a2">493d6cd</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/semantic-release/semantic-release/commit/db8ffaad90139532f30c0fcd955cf52ffdc1a267"><code>db8ffaa</code></a> fix(revert): next (<a href="https://redirect.github.com/semantic-release/semantic-release/issues/4200">#4200</a>)</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/4e476dee14bb9ee4c20aebd51970efc827769e68"><code>4e476de</code></a> docs: update README to include information about the new core engine integration</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/493d6cdaa1ed697427acea596d0d25eb53b462a2"><code>493d6cd</code></a> fix(code-quality): add missing comma in context object for consistency</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/d05e160668e8d31c534864cc00075a16fd683eeb"><code>d05e160</code></a> refactor: replace direct logger and env-ci replacements with a mockCore funct...</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/4f464a72ae102fd1f4ffc2633fbb04ed0b220054"><code>4f464a7</code></a> test: add tests for core delegation and dry-run policy handling</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/3f5d1b785ba26d95b30a98a4bf712b076d8c1e5e"><code>3f5d1b7</code></a> refactor: integrate <code>core</code>; remove unused imports and restructuring the main ...</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/7d71f2eb14a7986f9c757874ec095af9139af432"><code>7d71f2e</code></a> refactor: remove obsolete release type constants and notes separator</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/1ae1a19cdf3ef4a5fd7b4b2bbb1ed194e4096433"><code>1ae1a19</code></a> refactor: remove obsolete test files for logger, git, sensitive data handling...</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/bedddc409194882da889e5451be73de0ef8c066d"><code>bedddc4</code></a> refactor: remove obsolete Git-related utilities and logging functions</li> <li><a href="https://github.com/semantic-release/semantic-release/commit/7172195d12d809b23c0ede6595e0b91e653780d1"><code>7172195</code></a> refactor(tests): remove obsolete tests for plugins and verification</li> <li>Additional commits viewable in <a href="https://github.com/semantic-release/semantic-release/compare/v25.0.3...v25.0.5">compare view</a></li> </ul> </details> <br /> Updates `next` from 16.2.7 to 16.2.9 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v16.2.9</h2> <p>Empty release to ensure <code>next@latest</code> points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.</p> <h2>v16.2.8</h2> <p>Release with no changes in an attempt to fix <code>next@latest</code> pointing at a prerelease version.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/next.js/commit/f37fad940522e000af5498209fd237d863b4fa16"><code>f37fad9</code></a> v16.2.9</li> <li><a href="https://github.com/vercel/next.js/commit/d9aaaedfd8050e58e3c82c1cea412d670750b32b"><code>d9aaaed</code></a> [cd] Allow tagging semver-lower releases as <code>@latest</code> if <code>@latest</code> po… (<a href="https://redirect.github.com/vercel/next.js/issues/94627">#94627</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/6f1680448c81904efcd36704edf01a6b7323abbf"><code>6f16804</code></a> v16.2.8</li> <li><a href="https://github.com/vercel/next.js/commit/0dbc1d5c860bf47c8c4f794e053b93fd02355d4e"><code>0dbc1d5</code></a> [16.2.x][cd] Ensure release can be triggered on old branches (<a href="https://redirect.github.com/vercel/next.js/issues/94598">#94598</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/90e3c811e7a3603a60dfcf627cc65f8b24ad1d5d"><code>90e3c81</code></a> [16.2.x] Align Actions dependencies with Canary (<a href="https://redirect.github.com/vercel/next.js/issues/94339">#94339</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/83f402c69db9faf3f727bea5c85249fe9af9af54"><code>83f402c</code></a> [16.2.x][cd] Stop fetching all tags when searching parent tag (<a href="https://redirect.github.com/vercel/next.js/issues/94334">#94334</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/411c455dcdec630b9e2e83d24e27b0f9e05927b6"><code>411c455</code></a> v16.2.7</li> <li>See full diff in <a href="https://github.com/vercel/next.js/compare/v16.2.7...v16.2.9">compare view</a></li> </ul> </details> <br /> Updates `@swc/core` from 1.15.40 to 1.15.41 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/swc-project/swc/blob/main/CHANGELOG.md">@swc/core's changelog</a>.</em></p> <blockquote> <h2>[1.15.41] - 2026-06-09</h2> <h3>Bug Fixes</h3> <ul> <li> <p><strong>(bindings/node)</strong> Preserve source context for AST transforms (<a href="https://redirect.github.com/swc-project/swc/issues/11920">#11920</a>) (<a href="https://github.com/swc-project/swc/commit/b6dfa74d9e518904f93a39ad05ab2e17e3229d2d">b6dfa74</a>)</p> </li> <li> <p><strong>(es/codegen)</strong> Emit <code>export as namespace</code> correctly (<a href="https://redirect.github.com/swc-project/swc/issues/11923">#11923</a>) (<a href="https://github.com/swc-project/swc/commit/4e1f8326295932d77faa3d617a5b7cb8ba993a38">4e1f832</a>)</p> </li> <li> <p><strong>(es/codegen)</strong> Emit <code>export as namespace</code> minified correctly (<a href="https://redirect.github.com/swc-project/swc/issues/11924">#11924</a>) (<a href="https://github.com/swc-project/swc/commit/71574992dde5c4ef5de6a564ea096d48d739b6e2">7157499</a>)</p> </li> <li> <p><strong>(es/compat)</strong> Rewrite this in destructuring defaults (<a href="https://redirect.github.com/swc-project/swc/issues/11909">#11909</a>) (<a href="https://github.com/swc-project/swc/commit/68af779eff35120407a7147b3b60700c54db243c">68af779</a>)</p> </li> <li> <p><strong>(es/decorators)</strong> Delay 2022 decorator initializers after private fields (<a href="https://redirect.github.com/swc-project/swc/issues/11847">#11847</a>) (<a href="https://github.com/swc-project/swc/commit/3f1a4f59670f58533d6f7545b671704d0ef469de">3f1a4f5</a>)</p> </li> <li> <p><strong>(es/decorators)</strong> Handle import types in decorator metadata (<a href="https://redirect.github.com/swc-project/swc/issues/11916">#11916</a>) (<a href="https://github.com/swc-project/swc/commit/f4114297983e1f62220f57caaa4e2138ab906f5d">f411429</a>)</p> </li> <li> <p><strong>(es/fixer)</strong> Preserve new tagged template callee parens (<a href="https://redirect.github.com/swc-project/swc/issues/11922">#11922</a>) (<a href="https://github.com/swc-project/swc/commit/242a03a5fcd6542eab527dfdcb67590b0b477eba">242a03a</a>)</p> </li> <li> <p><strong>(es/minifier)</strong> Handle unknown member props (<a href="https://redirect.github.com/swc-project/swc/issues/11927">#11927</a>) (<a href="https://github.com/swc-project/swc/commit/e59ba6890764a2f121c38df1a71d5f70e179b08d">e59ba68</a>)</p> </li> <li> <p><strong>(es/parser)</strong> Handle Flow async generic arrows (<a href="https://redirect.github.com/swc-project/swc/issues/11926">#11926</a>) (<a href="https://github.com/swc-project/swc/commit/b9b8993391168e6b83e9f84b3c4c063cf4ccd4f7">b9b8993</a>)</p> </li> <li> <p><strong>(es/renamer)</strong> Avoid duplicate mangled names across eval scope boundaries (<a href="https://redirect.github.com/swc-project/swc/issues/11913">#11913</a>) (<a href="https://github.com/swc-project/swc/commit/4a1af846d2cc0039b3a0d6e997f8c1c131e22a2b">4a1af84</a>)</p> </li> <li> <p><strong>(plugin)</strong> Avoid importing __free from env (<a href="https://redirect.github.com/swc-project/swc/issues/11908">#11908</a>) (<a href="https://github.com/swc-project/swc/commit/4584296629bd87f7186a09b0ec37d5ab3dd3ff94">4584296</a>)</p> </li> <li> <p><strong>(swc)</strong> Preserve plugin error context (<a href="https://redirect.github.com/swc-project/swc/issues/11904">#11904</a>) (<a href="https://github.com/swc-project/swc/commit/4e2e9fc3900475085e3f426e59e81d3a51fa34fa">4e2e9fc</a>)</p> </li> <li> <p><strong>(swc_common)</strong> Fix sourcemap panic for multibyte mapping positions (<a href="https://redirect.github.com/swc-project/swc/issues/11918">#11918</a>) (<a href="https://github.com/swc-project/swc/commit/40c16011bc5487732483164886d8031f3f03cf79">40c1601</a>)</p> </li> </ul> <h3>Documentation</h3> <ul> <li>Fix architecture fixer link (<a href="https://redirect.github.com/swc-project/swc/issues/11911">#11911</a>) (<a href="https://github.com/swc-project/swc/commit/51cbc8c8d24021c59895c7787aa800d4a5fb4110">51cbc8c</a>)</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/swc-project/swc/commit/7a72340b21d080cc61e109296ff083bb2cfc91d5"><code>7a72340</code></a> chore: Publish <code>1.15.41</code> with <code>swc_core</code> <code>v68.0.6</code></li> <li><a href="https://github.com/swc-project/swc/commit/82ae083b7fbfd623d1c665feca556cfa710f68ce"><code>82ae083</code></a> chore: Publish <code>1.15.41-nightly-20260609.1</code> with <code>swc_core</code> <code>v68.0.6</code></li> <li><a href="https://github.com/swc-project/swc/commit/b6dfa74d9e518904f93a39ad05ab2e17e3229d2d"><code>b6dfa74</code></a> fix(bindings/node): Preserve source context for AST transforms (<a href="https://github.com/swc-project/swc/tree/HEAD/packages/core/issues/11920">#11920</a>)</li> <li>See full diff in <a href="https://github.com/swc-project/swc/commits/v1.15.41/packages/core">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260608.1 to 7.0.0-dev.20260609.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…emplates with 2 updates (#5592) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 2 updates: supabase/realtime and supabase/storage-api. Updates `supabase/realtime` from v2.107.2 to v2.107.5 Updates `supabase/storage-api` from v1.60.18 to v1.60.20 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d5114c7954

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-17T00:53:28Z

    Flag.withDescription("Select a desired instance size for your project."),
    Flag.optional,
  ),
+  highAvailability: Flag.boolean("high-availability").pipe(


Remove the TS-only project-create flag

This adds a legacy projects create flag that the Go command still does not expose; I checked apps/cli-go/cmd/projects.go where the create flag set only wires interactive, org-id, db-password, region, hidden plan, and size. Because the legacy TS shell is supposed to be a 1:1 Go port, invocations such as supabase projects create ... --high-availability now succeed and send high_availability in TS but fail as an unknown flag in Go, so scripts see different command surfaces depending on the shipped shell.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-17T00:53:28Z

+  if (env !== "test") filenames.push(".env.local");
+  filenames.push(`.env.${env}`, ".env");
+  // Go walks `supabase/` first, then the repo root; first writer wins.
+  const dirs = [path.join(workdir, "supabase"), workdir];


Walk parent directories when loading project env

When the project lives below the invocation directory, for example supabase ... --workdir apps/api from the repo root, this only reads .env* from apps/api/supabase and apps/api. Go's loadNestedEnv in apps/cli-go/pkg/config/config.go walks from the supabase/ dir through every parent up to the original cwd, so values in apps/.env or the repo-root .env still back env(...) config and PG* fallbacks. With this truncation, nested workdirs that rely on a parent .env for [db].password or ports fail to resolve or connect differently from Go.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-17T00:53:28Z

@@ -254,6 +262,7 @@ export class ApiProxy extends Context.Service<
              backendPort: config.edgeRuntimePort,
              stripPrefix: "/functions/v1",
              transformAuth: true,
+              transformAuthCustomHeader: true,


Mint sb-api-key even with ApiKey auth

For /functions/v1 this enables the new custom-header mode, but the shared transformer still returns before setting anything whenever the request already has a non-Bearer sb_ Authorization value. I checked the Go Kong template in apps/cli-go/internal/start/templates/kong.yml, where the functions route adds/replaces sb-api-key independently of the original Authorization header; with the TS stack, a browser/client that sends apikey: <publishable key> plus Authorization: ApiKey <publishable key> never gets the minted JWT in sb-api-key, so verifyJWT functions reject a request the Go local stack forwards successfully.

Useful? React with 👍 / 👎.

chatgpt-codex-connector · 2026-06-17T00:53:28Z

+    const isEscapedChar = (j: number): boolean =>
+      value[j] === "\\" && j + 1 < n && (value[j + 1] === "\\" || value[j + 1] === "'");


Honor backslash-escaped DSN values

For libpq keyword/value DSNs, this only treats \\ and \' as escapes, but pgconn's DSN scanner skips the character after any backslash before looking for whitespace and only normalizes those two escape pairs afterward. As a result, valid Go-accepted strings such as password=foo\ bar or other unquoted values that escape a space are rejected/truncated by the TS parser, so --db-url and PG service/env-backed keyword DSNs can fail in the native path even though the Go CLI connects.

Useful? React with 👍 / 👎.

## What changed - Relax SSO provider response schemas so nested SAML IDs and attribute_mapping keys can be omitted when the Management API returns sparse provider payloads. - Keep request payload schemas strict while updating the generated OpenAPI snapshot and Effect contracts for provider responses. - Add decoder regression coverage for the list/show payload shape that caused the SSO command failures. ## Why Hosted projects can return SAML providers with attribute_mapping as an empty object and without a nested saml.id. The TypeScript legacy SSO commands use the generated Management API client for list, show, and update preflight reads, so strict response decoding failed before commands could render or update providers. Fixes #5589.

## What changed `storage --local` now runs through the local-development command path before the root pre-run checks for Management API authentication. When the local flag is set, the storage command clears the linked project ref so the storage client uses the local service-role key instead of trying to fetch remote API keys. ## Why The storage command still lives in the Go CLI. It was grouped as a Management API command, so the root pre-run required a logged-in access token even when the user selected the local storage target. This made local storage operations fail in linked projects unless `SUPABASE_ACCESS_TOKEN` was set.

…#5579) Native (Phase 1+) TypeScript port of `supabase db lint` and `supabase db advisors` into the legacy shell, replacing the Go-proxy handlers (CLI-1314). ## What changed **`db lint`** — runs `plpgsql_check` per user schema inside an always-rolled-back transaction (matching Go's "lint has no side effects" contract, including the in-transaction `CREATE EXTENSION`). Resolves schemas via `ListUserSchemas` when `--schema` is omitted. **`db advisors`** — two backends: - `--local` / `--db-url`: runs the embedded `lints.sql` query in a rolled-back transaction and filters by `--type` category. - `--linked`: fetches the security/performance advisor endpoints via **raw HTTP** with a tolerant parse, mirroring Go's permissive `type X string` structs — the generated client's closed `name` / `metadata.type` literals would reject values the API can add. **Shared, hoisted helpers (`legacy/shared/`):** - `legacy-go-json.ts` — a byte-faithful reproduction of Go's `encoding/json` indented encoder (struct-order keys, HTML escaping of `<>&`, `omitempty`, trailing newline). `JSON.stringify` gets the escaping and key order wrong, so a dedicated encoder is required for stdout parity. - `legacy-fail-on.ts` — the `--level` / `--fail-on` ordinal machinery shared by both commands (lint's prefix matcher vs advisors' exact case-insensitive matcher). ## Reviewer-relevant context - **Output modes:** `text` is byte-exact with Go (pretty 2-space JSON array to stdout, diagnostics like `Connecting to … database...` / `Linting schema:` / `No schema errors found` / `No issues found` to stderr). `json` / `stream-json` add a standard `output.success` envelope — additive, since Go has no machine output. `--fail-on` forces a non-zero exit in every mode (via `ProcessControl.setExitCode` in machine modes so the payload isn't clobbered). - **Layer wiring (legacy CLAUDE.md item 5):** `advisors.layers.ts` deliberately does **not** use `legacyManagementApiRuntimeLayer` (which eagerly resolves an access token at build and would break the auth-free `--local` path). It uses the lazy `legacyPlatformApiFactoryLayer`, whose `make` is only forced by an interactive project-ref prompt that advisors never triggers. Verified against the bundled binary: `db advisors --local` is auth-free, `--linked` surfaces a proper not-logged-in error rather than a layer panic. - **`db lint` does not write the linked-project cache** (no `LegacyLinkedProjectCache` dependency); `db advisors --linked` does, on success and failure, matching Go's `PersistentPostRun`. - `SUPABASE_API_URL` is intentionally not honored (Go parity; API URL comes from `SUPABASE_PROFILE`). - Telemetry: only the standard `cli_command_executed` event; no flags are marked telemetry-safe (matches Go). - `apps/cli/docs/go-cli-porting-status.md` flips only the `db lint` and `db advisors` rows to `ported`. CLOSES CLI-1314

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cc50dce33e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-17T09:25:25Z

+      ...init,
+      headers: {
+        ...init?.headers,
+        Host: hostHeader,
+      },


Preserve Request data when rewriting DoH fetches

When --dns-resolver https is used and this fetch shim is invoked with a standard Request input, the rewritten call builds a fresh URL and only spreads init; if init is absent, the original Request's method, body, and headers (including Authorization/User-Agent) are dropped, so a Management API POST can be retried as an unauthenticated GET to the resolved IP. Clone/merge from the original Request (and normalize Headers/tuple headers via new Headers(...)) before adding the Host header.

Useful? React with 👍 / 👎.

## Summary Replaces the legacy Markdown issue templates with GitHub Issue Forms for bug reports, feature requests, and documentation improvements. The new forms require the core information maintainers need for triage, apply the repo emoji category labels, and disable blank issues while routing support and docs requests to the appropriate Supabase resources.

Removes empty `title` keys from the issue form templates merged in #5458. GitHub treats empty strings as invalid for issue-form string fields. Because each form had `title: ""`, the template chooser hid the bug, feature, and docs forms and only showed the blank issue/contact links. Leaving the optional title key absent lets GitHub render the forms while preserving the existing form names, labels, and fields.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 73d91d2372

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-06-17T12:29:47Z

+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
-          name: code-coverage-report
          path: apps/cli-go/coverage.out


Save the coverage file from the path the test writes

In this workflow the test step has no working-directory and invokes go tool gotestsum ... -coverprofile=coverage.out, so the report is written as coverage.out in the checkout root. The new cache path saves apps/cli-go/coverage.out instead, which means a successful test run does not populate the cache key that the coverage job restores with fail-on-cache-miss: true; the coverage job will fail to find the report. Save/restore coverage.out or write the profile into apps/cli-go/coverage.out.

Useful? React with 👍 / 👎.

dependabot Bot and others added 16 commits June 11, 2026 12:33

supabase-cli-releaser Bot requested a review from a team as a code owner June 12, 2026 14:46

supabase-cli-releaser Bot added the do not merge Approve to apply; do not merge. label Jun 12, 2026

github-advanced-security AI found potential problems Jun 12, 2026

View reviewed changes

Comment thread apps/cli/src/legacy/commands/inspect/db/legacy-inspect-schemas.ts Fixed

chatgpt-codex-connector Bot reviewed Jun 12, 2026

View reviewed changes

dependabot Bot added 3 commits June 13, 2026 00:08

chatgpt-codex-connector Bot reviewed Jun 13, 2026

View reviewed changes

chatgpt-codex-connector Bot reviewed Jun 14, 2026

View reviewed changes

depthfirst-app Bot reviewed Jun 15, 2026

View reviewed changes

dependabot Bot and others added 3 commits June 15, 2026 08:00

chatgpt-codex-connector Bot reviewed Jun 15, 2026

View reviewed changes

depthfirst-app Bot reviewed Jun 15, 2026

View reviewed changes

chatgpt-codex-connector Bot reviewed Jun 15, 2026

View reviewed changes

jgoux added 2 commits June 15, 2026 13:20

chatgpt-codex-connector Bot reviewed Jun 15, 2026

View reviewed changes

dependabot Bot added 4 commits June 16, 2026 00:11

chatgpt-codex-connector Bot reviewed Jun 16, 2026

View reviewed changes

dependabot Bot added 3 commits June 17, 2026 00:12

chatgpt-codex-connector Bot reviewed Jun 17, 2026

View reviewed changes

jgoux and others added 3 commits June 17, 2026 08:31

chatgpt-codex-connector Bot reviewed Jun 17, 2026

View reviewed changes

jgoux added 2 commits June 17, 2026 11:39

chatgpt-codex-connector Bot reviewed Jun 17, 2026

View reviewed changes

avallete approved these changes Jun 17, 2026

View reviewed changes

supabase-cli-releaser Bot merged commit 73d91d2 into main Jun 17, 2026

stefan-girlich mentioned this pull request Jun 22, 2026

supabase test db: effect/sql/SqlError: PgClient: Failed to connect #5643

Closed

		if (flags.linked) setFlags.push("linked");
		if (flags.local) setFlags.push("local");

		.replace(/(:\/\/[^:@/?#]:).(@)(?=[^@/?#]*(?:[/?#]\|$))/, "$1[REDACTED]$2")
		.replace(/(\bpassword\s=\s)('(?:[^'\\]\|\\.)'\|'.$\|\S+)/i, "$1[REDACTED]");

		const forwardedHost = req.headers.get('x-forwarded-host')
		clonedURL.hostname = forwardedHost ?? clonedURL.hostname

		const isEscapedChar = (j: number): boolean =>
		value[j] === "\\" && j + 1 < n && (value[j + 1] === "\\" \|\| value[j + 1] === "'");

Conversation

supabase-cli-releaser Bot commented Jun 12, 2026

Uh oh!

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot Jun 13, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot Jun 13, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot Jun 14, 2026

Choose a reason for hiding this comment

Uh oh!

depthfirst-app Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!

depthfirst-app Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot Jun 15, 2026

Choose a reason for hiding this comment

Uh oh!