chore: production deploy #5657

Open
supabase-cli-releaser[bot] wants to merge 72 commits into main from develop

jgoux and others added 30 commits June 17, 2026 13:08
Depends on #5458.

Adds `supabase issue bug|feature|docs` for opening the repository issue
forms with useful fields prefilled from CLI flags and runtime context.

Adds a shared issue-template contract test so command field IDs, option
values, and required-field policy stay aligned with the YAML issue
forms.
## What kind of change does this PR introduce?

CI update


## What is the new behavior?

Uses Dependency Firewall from DepthFirst:
https://depthfirst.com/dependency-firewall

---------

Co-authored-by: Julien Goux <hi@jgoux.dev>
## What changed

Adds a GitHub Actions workflow for stale issue and pull request cleanup.
The workflow runs daily as a dry run so maintainers can see what would
be closed, and it can also be run manually.

Manual runs stay in dry-run mode unless `execute` is set to `true`.
Execute runs comment on and close matching items, skip protected labels,
and default to a 25-item batch cap so cleanup can happen gradually.

The default stale window is 45 days for issues and 60 days for pull
requests.

## Why

The CLI repo has a large stale backlog. The workflow gives maintainers a
repeatable way to review the next stale batch, close old inactive items
with a clear comment, and let users reopen or ask maintainers to reopen
anything that is still relevant.
## TL;DR

ports `functions deploy` to native ts

## What’s introduced

adds the native ts implementation for `supabase functions deploy`,
keeping the existing command surface for API deploys, Docker bundling,
import maps, static files, pruning, disabled functions, and output


& includes coverage around all this! 

> ~~Behavior change: the default deploy path is now api based /
dockerless.
but users can still opt back into the previous local Docker bundling
path with `--use-docker` if needed~~

(will address as a followup)


## ref:

- Closes CLI-1319

---------

Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
## What changed

Updates the stale cleanup workflow to read manual `workflow_dispatch`
inputs from the workflow event payload instead of action inputs.

This makes the `execute` checkbox and manual overrides for stale
windows, batch size, and excluded labels take effect when maintainers
run the workflow manually.

## Why

`actions/github-script`'s `core.getInput()` reads inputs passed to the
action itself. The stale cleanup workflow needs the values submitted
through GitHub's manual workflow form.
This PR was automatically created to sync API types from the
infrastructure repository.

Changes were detected in the generated API code after syncing with the
latest spec from infrastructure.

Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>
Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
publish-homebrew and publish-scoop restored the blacksmith build cache
(-v1) and computed formula/manifest checksums from its
dist/checksums.txt, but the GitHub Release and npm ship the
github-hosted build (-github-v1). Bun-compiled binaries are not
byte-for-byte reproducible across the two builds, so every sha256 in the
published Homebrew formula referenced a tarball that was never released
and `brew install supabase/tap/supabase` failed with "Formula reports
different checksum". The Scoop manifest had the same latent defect.

Restore the -github-v1 cache in both jobs and run them on github-hosted
runners so they share a cache store with the publish job whose artifacts
they describe.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Y23nV6fJ78f6RKJHjMNZau

Co-authored-by: Claude <noreply@anthropic.com>
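
A release-gate check for the checksum defect described in the commit message above, as an added example that is not part of the original commit or the project's workflows: it cross-checks every `sha256` in a Homebrew formula against the `checksums.txt` of the build that was actually released. The file names, URLs, digests, the `<sha256>  <filename>` layout and all function names are assumptions constructed for illustration.

```javascript
// Added example. File names, URLs and digests below are constructed.

// Parse "<sha256>  <filename>" lines (assumed checksums.txt layout).
function parseChecksums(text) {
  const byFile = new Map();
  for (const line of text.split("\n")) {
    const m = line.trim().match(/^([0-9a-fA-F]{64})\s+\*?(\S+)$/);
    if (m) byFile.set(m[2], m[1].toLowerCase());
  }
  return byFile;
}

// Pair every `url "..."` in a formula with the `sha256 "..."` that follows it.
function parseFormula(text) {
  const artifacts = [];
  let pendingUrl = null;
  for (const line of text.split("\n")) {
    const url = line.match(/^\s*url\s+"([^"]+)"/);
    const sha = line.match(/^\s*sha256\s+"([0-9a-fA-F]{64})"/);
    if (url) {
      pendingUrl = url[1];
    } else if (sha && pendingUrl !== null) {
      artifacts.push({
        file: pendingUrl.split("/").pop(),
        sha256: sha[1].toLowerCase(),
      });
      pendingUrl = null;
    }
  }
  return artifacts;
}

// Return one problem record per formula artifact that the release does not back.
function verifyFormula(formulaText, releasedChecksumsText) {
  const released = parseChecksums(releasedChecksumsText);
  const artifacts = parseFormula(formulaText);
  // Fail closed: a formula we could not parse must not pass the gate.
  if (artifacts.length === 0) {
    return [{ file: null, reason: "no-artifacts-parsed" }];
  }
  const problems = [];
  for (const { file, sha256 } of artifacts) {
    const expected = released.get(file);
    if (expected === undefined) {
      problems.push({ file, reason: "not-in-release" });
    } else if (expected !== sha256) {
      problems.push({ file, reason: "checksum-mismatch" });
    }
  }
  return problems;
}

// Constructed sample data: two builds of the same files with different digests,
// modelling binaries that are not byte-for-byte reproducible across builds.
const FILES = ["example-cli_darwin_arm64.tar.gz", "example-cli_linux_amd64.tar.gz"];
const digest = (ch) => ch.repeat(64);
const RELEASED_BUILD = [digest("a"), digest("b")];
const OTHER_BUILD = [digest("c"), digest("d")];

const checksumsTxt = (digests) =>
  FILES.map((f, i) => `${digests[i]}  ${f}`).join("\n") + "\n";

const formulaRb = (digests) =>
  ["class ExampleCli < Formula", '  version "0.0.0"']
    .concat(
      FILES.flatMap((f, i) => [
        `  url "https://example.invalid/releases/v0.0.0/${f}"`,
        `  sha256 "${digests[i]}"`,
      ])
    )
    .concat(["end"])
    .join("\n");

// A formula generated from a different build's cache fails the gate.
console.log(verifyFormula(formulaRb(OTHER_BUILD), checksumsTxt(RELEASED_BUILD)));
```
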
Updates the stale cleanup workflow so the daily scheduled run performs
the same closing behavior as an executed manual run.

The per-run item cap has also been removed, so every currently eligible
issue or pull request is processed in one run.

Issues closed by stale cleanup now receive a stale-closed marker, and a
separate issue-comment workflow lets users reopen those issues by
commenting with /reopen as the first non-empty line.

Manual dispatches can still be used as a dry run unless execute is
enabled.
…entityStitch service (#5607)

## Problem

The #5366 gate stopped the ephemeral-env `$identify` spike, but at the
cost of attribution: in CI, Docker, and `npx supabase`, `cli_*` events
stay orphaned on throwaway device IDs and never link to the
authenticated user. GROWTH-891 (#5559) fixes that with a hybrid
stitch+stamp model.

While #5559 was in review, #5579 (db lint/advisors port) landed on
develop and independently extracted the legacy identity stitch into a
shared `LegacyIdentityStitch` service — one per-command
`stitchAttempted` guard so the advisor transports alias at most once.
That's the architecture we want, but it's a port of the pre-891
behavior: it only stamps when it aliases (persistent, first login), so
it doesn't restore CI/Docker/npx attribution; it sets `stitchAttempted`
after the file-read yield; and it reads the `runtime.distinctId` field
that 891 replaced with a mutable identity slot. Merging #5559 on top
as-is would silently drop the attribution feature and reintroduce the
race.

This PR reconciles the two: keep #5579's shared-service architecture,
fold the hybrid stitch+stamp behavior into it. Supersedes #5559.

## Changes

- **The shared `LegacyIdentityStitch` now stamps everywhere.** On the
first authenticated response the user UUID is stamped into
`runtime.identity` in every runtime, so captures in CI/Docker/npx carry
the real user. The `$create_alias` (pre-login history merge) and the
`telemetry.json` write still only happen on a persistent machine.
- **Hardening preserved:** `stitchAttempted` is set before the first
yield (no double-stitch race); when an identity already exists we stamp
without aliasing (never merge two person graphs); alias fires at most
once across all transports sharing the service.
- **`stitchedDistinctId()` returns `runtime.identity.current()`** so the
post-run `cli_command_executed` is attributed to the real user in every
runtime, including steady state.
- `legacy-analytics.layer.ts` resolves `distinctId` from the identity
slot while keeping develop's already-keyed `groups` map.
- Stitch behavior tests live in
`legacy-identity-stitch.integration.test.ts` (CI-stamp-no-alias,
stale-identity-stamp-no-alias, concurrent-alias-once); the platform-api
layer test keeps develop's service-mocked wiring. A few command test
runtimes still using the removed `distinctId` field were updated to
`makeTelemetryIdentity`.
- Brings the Go + next-TS 891 changes (logout identity reset + device-id
rotation, the redundant `$identify` removal, ADR 0013) along through the
merge.

## Testing

Typecheck clean, full unit suite (1318) green, and the affected
integration suites (identity-stitch, platform-api, login, logout,
advisors, lint, services, gen/types, issue, linked-project-cache) pass
under bun. Also ran an independent Codex review focused on the
spike-regression risk — it confirmed no alias in ephemeral runtimes,
alias-at-most-once across transports, the pre-yield race guard, and the
no-cross-graph-merge invariant, with no findings.

GROWTH-891

---------

Co-authored-by: Julien Goux <hi@jgoux.dev>
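
The hardening points in the commit message above (guard set before the first yield, stamp without alias when an identity exists, alias only on a persistent machine), as an added example that is a simplified model and not the project's `LegacyIdentityStitch` code. `makeStitchService`, `readStoredIdentity`, `runTransports` and the identifier strings are hypothetical names and constructed values.

```javascript
// Added example: a simplified model, not the project's service.

// Stand-in for the telemetry file read; awaiting it is the yield point.
function readStoredIdentity(stored) {
  return Promise.resolve(stored);
}

function makeStitchService({ persistent, storedIdentity, guardBeforeYield }) {
  const deviceId = "device-id-constructed";
  const state = { stitchAttempted: false, identity: deviceId, aliases: [] };

  async function onAuthenticatedResponse(userId) {
    if (state.stitchAttempted) return;
    // Hardened order: claim the attempt before yielding to other callers.
    if (guardBeforeYield) state.stitchAttempted = true;

    const existing = await readStoredIdentity(storedIdentity);

    // Racy order: every caller that passed the check above is already here.
    if (!guardBeforeYield) state.stitchAttempted = true;

    // Stamp in every runtime so later captures carry the real user.
    state.identity = userId;

    // Alias only on a persistent machine, and never when an identity
    // already exists (that would merge two person graphs).
    if (persistent && existing === null) {
      state.aliases.push({ distinctId: userId, alias: deviceId });
    }
  }

  return { state, onAuthenticatedResponse };
}

// Fire the same authenticated response through several transports at once.
async function runTransports(options, transports = 3) {
  const svc = makeStitchService(options);
  await Promise.all(
    Array.from({ length: transports }, () =>
      svc.onAuthenticatedResponse("user-uuid-constructed")
    )
  );
  return { identity: svc.state.identity, aliasCount: svc.state.aliases.length };
}

// Compare the racy and hardened orderings on a persistent first login.
Promise.all([
  runTransports({ persistent: true, storedIdentity: null, guardBeforeYield: false }),
  runTransports({ persistent: true, storedIdentity: null, guardBeforeYield: true }),
]).then(([racy, hardened]) => {
  console.log("guard after yield :", racy.aliasCount, "alias calls");
  console.log("guard before yield:", hardened.aliasCount, "alias calls");
});
```
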
Removes the extra success comment posted after the stale issue reopen
workflow reopens an issue.

The workflow still reopens stale-closed issues, removes the marker
label, and logs the action in the workflow run.
## What changed

- Removes the unsupported inline discriminator from
`ProjectUpgradeEligibilityResponse.warnings` in the OpenAPI overlay.
- Regenerates the Go API types so the newly added upgrade warning
variants are represented.

## Context

The remote API spec now exposes inline `oneOf` warning variants under
`ProjectUpgradeEligibilityResponse.warnings` with a discriminator. The
current generator fails with `discriminator: not all schemas were
mapped` before it can write updated types. I also checked `oapi-codegen`
v2.7.1, and it fails with the same error, so a version bump alone does
not unblock the sync.
…ons-major group (#5613)

Bumps the actions-major group with 1 update:
[actions/github-script](https://github.com/actions/github-script).

Updates `actions/github-script` from 7.1.0 to 9.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/github-script/releases">actions/github-script's
releases</a>.</em></p>
<blockquote>
<h2>v9.0.0</h2>
<p><strong>New features:</strong></p>
<ul>
<li><strong><code>getOctokit</code> factory function</strong> —
Available directly in the script context. Create additional
authenticated Octokit clients with different tokens for multi-token
workflows, GitHub App tokens, and cross-org access. See <a
href="https://github.com/actions/github-script#creating-additional-clients-with-getoctokit">Creating
additional clients with <code>getOctokit</code></a> for details and
examples.</li>
<li><strong>Orchestration ID in user-agent</strong> — The
<code>ACTIONS_ORCHESTRATION_ID</code> environment variable is
automatically appended to the user-agent string for request
tracing.</li>
</ul>
<p><strong>Breaking changes:</strong></p>
<ul>
<li><strong><code>require('@actions/github')</code> no longer works in
scripts.</strong> The upgrade to <code>@actions/github</code> v9
(ESM-only) means <code>require('@actions/github')</code> will fail at
runtime. If you previously used patterns like <code>const { getOctokit }
= require('@actions/github')</code> to create secondary clients, use the
new injected <code>getOctokit</code> function instead — it's available
directly in the script context with no imports needed.</li>
<li><code>getOctokit</code> is now an injected function parameter.
Scripts that declare <code>const getOctokit = ...</code> or <code>let
getOctokit = ...</code> will get a <code>SyntaxError</code> because
JavaScript does not allow <code>const</code>/<code>let</code>
redeclaration of function parameters. Use the injected
<code>getOctokit</code> directly, or use <code>var getOctokit =
...</code> if you need to redeclare it.</li>
<li>If your script accesses other <code>@actions/github</code> internals
beyond the standard <code>github</code>/<code>octokit</code> client, you
may need to update those references for v9 compatibility.</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Add ACTIONS_ORCHESTRATION_ID to user-agent string by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/actions/github-script/pull/695">actions/github-script#695</a></li>
<li>ci: use deployment: false for integration test environments by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/github-script/pull/712">actions/github-script#712</a></li>
<li>feat!: add getOctokit to script context, upgrade
<code>@​actions/github</code> v9, <code>@​octokit/core</code> v7, and
related packages by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/github-script/pull/700">actions/github-script#700</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Copilot"><code>@​Copilot</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/github-script/pull/695">actions/github-script#695</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/github-script/compare/v8.0.0...v9.0.0">https://github.com/actions/github-script/compare/v8.0.0...v9.0.0</a></p>
<h2>v8.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Update Node.js version support to 24.x by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/github-script/pull/637">actions/github-script#637</a></li>
<li>README for updating actions/github-script from v7 to v8 by <a
href="https://github.com/sneha-krip"><code>@​sneha-krip</code></a> in <a
href="https://redirect.github.com/actions/github-script/pull/653">actions/github-script#653</a></li>
</ul>
<h2>⚠️ Minimum Compatible Runner Version</h2>
<p><strong>v2.327.1</strong><br />
<a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Release
Notes</a></p>
<p>Make sure your runner is updated to this version or newer to use this
release.</p>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/github-script/pull/637">actions/github-script#637</a></li>
<li><a
href="https://github.com/sneha-krip"><code>@​sneha-krip</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/github-script/pull/653">actions/github-script#653</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/github-script/compare/v7.1.0...v8.0.0">https://github.com/actions/github-script/compare/v7.1.0...v8.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/github-script/commit/3a2844b7e9c422d3c10d287c895573f7108da1b3"><code>3a2844b</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/github-script/issues/700">#700</a>
from actions/salmanmkc/expose-getoctokit + prepare re...</li>
<li><a
href="https://github.com/actions/github-script/commit/ca10bbdd1a7739de09e99a200c7a59f5d73a4079"><code>ca10bbd</code></a>
fix: use <code>@​octokit/core/</code>types import for v7
compatibility</li>
<li><a
href="https://github.com/actions/github-script/commit/86e48e20ac85c970ed1f96e718fd068173948b7b"><code>86e48e2</code></a>
merge: incorporate main branch changes</li>
<li><a
href="https://github.com/actions/github-script/commit/c1084728b5b935ec4ddc1e4cee877b01797b3ff9"><code>c108472</code></a>
chore: rebuild dist for v9 upgrade and getOctokit factory</li>
<li><a
href="https://github.com/actions/github-script/commit/afff112e4f8b57c718168af75b89ce00bc8d091d"><code>afff112</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/github-script/issues/712">#712</a>
from actions/salmanmkc/deployment-false + fix user-ag...</li>
<li><a
href="https://github.com/actions/github-script/commit/ff8117e5b78c415f814f39ad6998f424fee7b817"><code>ff8117e</code></a>
ci: fix user-agent test to handle orchestration ID</li>
<li><a
href="https://github.com/actions/github-script/commit/81c6b7876079abe10ff715951c9fc7b3e1ab389d"><code>81c6b78</code></a>
ci: use deployment: false to suppress deployment noise from integration
tests</li>
<li><a
href="https://github.com/actions/github-script/commit/3953caf8858d318f37b6cc53a9f5708859b5a7b7"><code>3953caf</code></a>
docs: update README examples from <a
href="https://github.com/v8"><code>@​v8</code></a> to <a
href="https://github.com/v9"><code>@​v9</code></a>, add getOctokit docs
and v9 brea...</li>
<li><a
href="https://github.com/actions/github-script/commit/c17d55b90dcdb3d554d0027a6c180a7adc2daf78"><code>c17d55b</code></a>
ci: add getOctokit integration test job</li>
<li><a
href="https://github.com/actions/github-script/commit/a047196d9a02fe92098771cafbb98c2f1814e408"><code>a047196</code></a>
test: add getOctokit integration tests via callAsyncFunction</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/github-script/compare/f28e40c7f34bde8b3046d885e986cb6290c5673b...3a2844b7e9c422d3c10d287c895573f7108da1b3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/github-script&package-manager=github_actions&previous-version=7.1.0&new-version=9.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…s/cli-go/pkg/config/templates in the docker-minor group (#5611)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1
update: supabase/realtime.

Updates `supabase/realtime` from v2.107.5 to v2.108.0


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/realtime&package-manager=docker&previous-version=v2.107.5&new-version=v2.108.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 6 updates:

| Package | From | To |
| --- | --- | --- |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.170` | `0.3.172` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.36.8` | `5.36.15` |
| [fumadocs-core](https://github.com/fuma-nama/fumadocs) | `16.9.3` |
`16.10.0` |
| [fumadocs-mdx](https://github.com/fuma-nama/fumadocs) | `15.0.11` |
`15.0.12` |
| [fumadocs-ui](https://github.com/fuma-nama/fumadocs) | `16.9.3` |
`16.10.0` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260609.1` | `7.0.0-dev.20260610.1` |

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.170 to 0.3.172
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.172</h2>
<h2>What's changed</h2>
<ul>
<li>SDK <code>plugins</code> option now accepts <code>skipMcpDiscovery:
true</code> per plugin, so a host that manages a plugin's MCP
connections itself can load skills/hooks from the plugin path without
the engine re-reading its <code>.mcp.json</code></li>
<li>Fixed slash-followed-by-whitespace input (e.g. <code>/ add
tests</code>) being silently dropped instead of treated as a plain
prompt</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.172
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.172
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.172
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.172
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.172</h2>
<ul>
<li>SDK <code>plugins</code> option now accepts <code>skipMcpDiscovery:
true</code> per plugin, so a host that manages a plugin's MCP
connections itself can load skills/hooks from the plugin path without
the engine re-reading its <code>.mcp.json</code></li>
<li>Fixed slash-followed-by-whitespace input (e.g. <code>/ add
tests</code>) being silently dropped instead of treated as a plain
prompt</li>
</ul>
<h2>0.3.171</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.171</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/2cfb79cb3556c965c3ec19f1119f87a95b02dacb"><code>2cfb79c</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.170...v0.3.172">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.36.8 to 5.36.15
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.36.15</h2>
<h2>5.36.15</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.32.1</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.36.14</h2>
<h2>5.36.14</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/612f97adebd3d863602533180ac4bee3f3ed731d"><code>612f97a</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.32.0</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.36.13</h2>
<h2>5.36.13</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.4</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.36.12</h2>
<h2>5.36.12</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.3</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.36.11</h2>
<h2>5.36.11</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.2</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.36.10</h2>
<h2>5.36.10</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.1</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.36.9</h2>
<h2>5.36.9</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.36.15</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.32.1</li>
</ul>
</li>
</ul>
<h2>5.36.14</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/612f97adebd3d863602533180ac4bee3f3ed731d"><code>612f97a</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.32.0</li>
</ul>
</li>
</ul>
<h2>5.36.13</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.4</li>
</ul>
</li>
</ul>
<h2>5.36.12</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.3</li>
</ul>
</li>
</ul>
<h2>5.36.11</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.2</li>
</ul>
</li>
</ul>
<h2>5.36.10</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.1</li>
</ul>
</li>
</ul>
<h2>5.36.9</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/0c2acb9f30d545bb89d1f950ba8f840c76e47dc2"><code>0c2acb9</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.31.0</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/defbc62fc22d64fe57ee22e0ade43d1758866a76"><code>defbc62</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/50a666fe03ce61b889c335593cade36dacb74270"><code>50a666f</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/f4d4c8b84663c983d67fffe02e284d9496cff5f1"><code>f4d4c8b</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/8b8b196a19bc32e91970212c26a41119c84c2f32"><code>8b8b196</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/a88dfa10e46e797889bb27a4183f5e44f5327bc1"><code>a88dfa1</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/a116ad3c2079570b77c39bacda5750996a12b005"><code>a116ad3</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/e93fcb168f0dfc546385a2633aaf968b6724f480"><code>e93fcb1</code></a>
chore: update versions and lockfile [version bump]</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.15/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-core` from 16.9.3 to 16.10.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-core's
releases</a>.</em></p>
<blockquote>
<h2>fumadocs-core@16.10.0</h2>
<h3>Patch Changes</h3>
<ul>
<li>9b9545f: Add package issue tracker metadata.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7974b8655bdb14d91792b9382186afbabe37a00b"><code>7974b86</code></a>
Version Packages</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/5d981ab5400c6c7979f41cb005ea065696d70466"><code>5d981ab</code></a>
docs: migration guide for OpenAPI v11</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0415b4ad6a41d67c43e7d9a979accce58cad84dc"><code>0415b4a</code></a>
breaking(openapi): drop other deprecated APIs</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/9b9545fd82994ac34b896a2395b80529a63754b5"><code>9b9545f</code></a>
Add Fumadocs package bugs metadata (<a
href="https://redirect.github.com/fuma-nama/fumadocs/issues/3347">#3347</a>)</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/55c5fdbf8a9e8544960a97c227b020a1f0c87f86"><code>55c5fdb</code></a>
feat(core): allow legacy usage of translations API</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7285343f9068b093120b9db0d503bc54c5ede569"><code>7285343</code></a>
feat(openapi): keep more legacy options</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/e8d6cc3048eafba38951e0ae39f772627ae8096c"><code>e8d6cc3</code></a>
feat(openapi): backward compat with <code>\&lt;APIPage /&gt;</code></li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/2642fa69eb703f4b01cb2ac3ee552cdc11d7832d"><code>2642fa6</code></a>
feat(asyncapi): better message example selector</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/c524740641b7f630661c550624fb4fc620e7cd83"><code>c524740</code></a>
fix(asyncapi): padding of extension bindings</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/f0e7738d4f03c01722154fd4ab0fbf3ec9efd4aa"><code>f0e7738</code></a>
feat(asyncapi): support server bindings UI</li>
<li>Additional commits viewable in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-core@16.9.3...fumadocs-core@16.10.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-mdx` from 15.0.11 to 15.0.12
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-mdx's
releases</a>.</em></p>
<blockquote>
<h2>fumadocs-mdx@15.0.12</h2>
<h3>Patch Changes</h3>
<ul>
<li>9b9545f: Add package issue tracker metadata.</li>
<li>Updated dependencies [9b9545f]
<ul>
<li>fumadocs-core@16.10.0</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7974b8655bdb14d91792b9382186afbabe37a00b"><code>7974b86</code></a>
Version Packages</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/5d981ab5400c6c7979f41cb005ea065696d70466"><code>5d981ab</code></a>
docs: migration guide for OpenAPI v11</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0415b4ad6a41d67c43e7d9a979accce58cad84dc"><code>0415b4a</code></a>
breaking(openapi): drop other deprecated APIs</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/9b9545fd82994ac34b896a2395b80529a63754b5"><code>9b9545f</code></a>
Add Fumadocs package bugs metadata (<a
href="https://redirect.github.com/fuma-nama/fumadocs/issues/3347">#3347</a>)</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/55c5fdbf8a9e8544960a97c227b020a1f0c87f86"><code>55c5fdb</code></a>
feat(core): allow legacy usage of translations API</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7285343f9068b093120b9db0d503bc54c5ede569"><code>7285343</code></a>
feat(openapi): keep more legacy options</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/e8d6cc3048eafba38951e0ae39f772627ae8096c"><code>e8d6cc3</code></a>
feat(openapi): backward compat with <code>\&lt;APIPage /&gt;</code></li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/2642fa69eb703f4b01cb2ac3ee552cdc11d7832d"><code>2642fa6</code></a>
feat(asyncapi): better message example selector</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/c524740641b7f630661c550624fb4fc620e7cd83"><code>c524740</code></a>
fix(asyncapi): padding of extension bindings</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/f0e7738d4f03c01722154fd4ab0fbf3ec9efd4aa"><code>f0e7738</code></a>
feat(asyncapi): support server bindings UI</li>
<li>Additional commits viewable in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-mdx@15.0.11...fumadocs-mdx@15.0.12">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-ui` from 16.9.3 to 16.10.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-ui's
releases</a>.</em></p>
<blockquote>
<h2>fumadocs-ui@16.10.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p>779efff: <strong>Introduce new translations API</strong></p>
<p>It is now powered by <code>fuma-translate</code>. Be careful: while
the API surface is same, some translation keys are changed, unused
labels will be ignored.</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>0cc1fac: Make <code>uiTranslations()</code> optional for
translations API</li>
<li>Updated dependencies [9b9545f]
<ul>
<li>fumadocs-core@16.10.0</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7974b8655bdb14d91792b9382186afbabe37a00b"><code>7974b86</code></a>
Version Packages</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/5d981ab5400c6c7979f41cb005ea065696d70466"><code>5d981ab</code></a>
docs: migration guide for OpenAPI v11</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0415b4ad6a41d67c43e7d9a979accce58cad84dc"><code>0415b4a</code></a>
breaking(openapi): drop other deprecated APIs</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/9b9545fd82994ac34b896a2395b80529a63754b5"><code>9b9545f</code></a>
Add Fumadocs package bugs metadata (<a
href="https://redirect.github.com/fuma-nama/fumadocs/issues/3347">#3347</a>)</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/55c5fdbf8a9e8544960a97c227b020a1f0c87f86"><code>55c5fdb</code></a>
feat(core): allow legacy usage of translations API</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7285343f9068b093120b9db0d503bc54c5ede569"><code>7285343</code></a>
feat(openapi): keep more legacy options</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/e8d6cc3048eafba38951e0ae39f772627ae8096c"><code>e8d6cc3</code></a>
feat(openapi): backward compat with <code>\&lt;APIPage /&gt;</code></li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/2642fa69eb703f4b01cb2ac3ee552cdc11d7832d"><code>2642fa6</code></a>
feat(asyncapi): better message example selector</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/c524740641b7f630661c550624fb4fc620e7cd83"><code>c524740</code></a>
fix(asyncapi): padding of extension bindings</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/f0e7738d4f03c01722154fd4ab0fbf3ec9efd4aa"><code>f0e7738</code></a>
feat(asyncapi): support server bindings UI</li>
<li>Additional commits viewable in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-ui@16.9.3...fumadocs-ui@16.10.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260609.1 to
7.0.0-dev.20260610.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary
- Free disk space before saving the GitHub-hosted release artifact
cache.
- Keep the cleanup scoped to the `-github` cache producer so the
Blacksmith artifact cache path is unchanged.

## Context
The release run built the correct `-github-v1` artifacts, but
`actions/cache/save` failed while writing `cache.tzst` with `No space
left on device`. The downstream macOS smoke test then missed the same
`-github-v1` key.

This keeps the published/checksum-sensitive path on GitHub-hosted
artifacts while reducing disk pressure before the cache archive is
created.

Add automated end-to-end verification that published install channels
(Homebrew, Scoop, and curl|bash install script) successfully install the
released CLI and serve artifacts with matching checksums.

## Summary

This adds a new `verify-install-channels.yml` workflow that runs real
`brew install`, `scoop install`, and install-script installs against the
just-published channels, then verifies the installed version matches.
The workflow is triggered automatically after successful Homebrew and
Scoop publishes, and can also be manually dispatched for debugging
install regressions.

## Key Changes

- **New workflow**: `.github/workflows/verify-install-channels.yml`
  - Homebrew job: installs from the supabase/tap on macOS, verifies
    version
  - Scoop job: installs from the supabase/scoop-bucket on Windows,
    verifies version
  - Install script job: runs `./install` on Linux and macOS, verifies
    version
  - Each job verifies the installed `supabase --version` matches the
    released version
  - Accepts `version`, `brew_name`, and `scoop_name` as workflow inputs

- **Integration into release pipeline**: Modified
  `.github/workflows/release-shared.yml`
  - Added `verify-install-channels` job that runs after successful
    `publish-homebrew` and `publish-scoop`
  - Non-gating: runs last so failures surface as post-release signals
    rather than blocking distribution
  - Only runs for beta/stable channels (skipped for alpha and dry-run
    releases)

- **Documentation**: Updated `apps/cli/docs/release-process.md`
  - Added `verify-install-channels` to the release flowchart
  - Documented the post-publish verification step and its purpose
  - Explained that it catches regressions like v2.107.0 where brew/scoop
    checksums mismatched the release tarballs

## Implementation Details

The workflow catches checksum mismatches that would cause real user
installs to fail, since brew, scoop, and the install script all verify
published checksums against downloaded tarballs before installation. By
running actual installs against the live channels immediately after
publish, this provides the signal that would have caught the v2.107.0
regression where every `brew install` / `scoop install` failed with
"Formula reports different checksum".

Closes: CLI-1642

https://claude.ai/code/session_01RNp9yTyRoDYJTs5xsWRbAr

---------

Co-authored-by: Claude <noreply@anthropic.com>
…Script (#5586)

## What changed

Replaces the Go-proxy stubs for `db dump`, `db query`, and `db schema
declarative generate`/`sync` with native Effect handlers in the legacy
shell, along with the shared infrastructure they need:

- **Connection layer** (`legacy-db-connection.sql-pg.layer.ts`): raw
`pg` client for the COPY protocol and full-metadata `queryRaw` (command
tag via the `commandComplete` protocol message), reusing the winning
dial target so TLS/fallback/DoH parity holds.
- **Docker run-capture**, db/edge-runtime image resolution, pg-delta SSL
+ Postgres-URL helpers, edge-runtime script layer, SQL splitter,
migration-apply helper.
- **Declarative orchestration**: catalog cache, debug bundles, deno
templates, the gate/flow logic, and the `__catalog` Go seam
(`apps/cli-go/...`) the TS port delegates to for shadow-database
provisioning.

## Why / reviewer context

- **Strict Go parity** is the contract for the legacy shell. Behaviors
that look improvable but match Go are intentional and documented in each
`SIDE_EFFECTS.md` (e.g. `db dump --dry-run` prints the resolved
`PGPASSWORD` in cleartext like Go's `noExec`; `db query --linked`
non-2xx maps to a uniform `unexpected status` message; failed
declarative `sync --apply` leaves the migration file on disk).

- **`-o`/`--output` parity.** Go registers `--output` per command (`db
query` → `json|table|csv`; resource commands →
`env|pretty|json|toml|yaml`). The Effect CLI hoists global flags into a
single tree-wide registry, so a command cannot redeclare an `output`
global to vary its enum. The shared `LegacyOutputFlag` choice is
therefore the *union* of all commands' values, and each command
re-validates against its own Go enum in
`withLegacyCommandInstrumentation` (`outputFormats`), rejecting
out-of-enum values with Go's byte-exact pflag message (`invalid argument
"x" for "-o, --output" flag: must be one of [ … ]`) before the handler
runs and before any telemetry event fires. The validation reads the flag
via `Effect.serviceOption`, so it adds no requirement to the wrapper.
Net result: `db query -o csv/table` works; resource commands still
reject `table`/`csv` exactly as Go does. This change is fully
legacy-scoped — `next/` uses its own `--output-format` flag and is
untouched.

- **Connection error typing.** Establishing the shared raw client now
raises `LegacyDbConnectError` (surfaced verbatim by both `copyToCsv` and
`queryRaw`) rather than a misleading "failed to copy output" / "failed
to execute query".

## Follow-ups (tracked, not in scope)

- `db dump --linked` IPv6 suggestion uses the generic `ipv6Suggestion()`
text on the no-fallback / failed-retry path rather than Go's
`SuggestIPv6Pooler`, which prefills the project's specific pooler
connection string. Surfacing that exact URL needs the pooler string
exposed at this seam — noted in `dump/SIDE_EFFECTS.md`. (The
container-level pooler fallback retry itself is ported, and dump output
streams to `--file`.)

CLOSES CLI-1315
## Summary

- Allow the GitHub-hosted release artifact cleanup to remove read-only
Go cache files.
- Keep the cleanup scoped to the GitHub-hosted artifact cache producer.

## Context

The release workflow failed after building artifacts because the
free-space cleanup step tried to remove Go module cache files that were
not writable. The chmod guard makes those cache directories writable
before deletion so the cleanup can finish and the artifact cache save
can continue.
## What changed

`config push` regressed in v2.106.0 (the native-TS port): when a
`[remotes.<name>]` block in `config.toml` targeted the project ref, the
command aborted with

> cannot push config: a [remotes.*] block targets project ***, which
config push does not yet support.

The Go CLI (v2.105.0) instead merges that remote's subtree over the base
config and pushes it. The port had punted on Go's `mergeRemoteConfig`.

This ports the merge faithfully and removes the abort.

## Why this location

The merge is owned by `@supabase/config`, mirroring Go doing it in
`pkg/config`. `loadProjectConfig` / `loadProjectConfigFile` now accept
an optional `{ projectRef }`. When set, after `env()` interpolation and
**before** schema decode, the matching `[remotes.<name>]` raw subtree is
deep-merged over the base document (objects recurse; arrays and scalars
replace wholesale — viper's `v.Set` semantics), `db.seed.enabled` is
forced `false` when the remote omits it, the `remotes` key is stripped,
and the merged document is decoded. Doing it on the raw document (not
the decoded config) is essential: the decoded remote section carries
full schema defaults that would otherwise clobber every field the block
doesn't override.

The merge is gated on `projectRef`, so every other `loadProjectConfig`
caller is unaffected.

## Notable details for reviewers

- New `DuplicateRemoteProjectIdError` (exported from `@supabase/config`)
raised when two remotes share the target `project_id`, carrying Go's
verbatim message `duplicate project_id for [remotes.<b>] and
[remotes.<a>]`.
- `LoadedProjectConfig` gains optional `document` (merged,
post-interpolation raw doc) and `appliedRemote` fields.
- The push handler prints `Loading config override: [remotes.<name>]` to
stderr (Go parity) when a remote applies, and now derives optional
pointer-section presence (`db.ssl_enforcement`,
`storage.image_transformation`, `storage.s3_protocol`, auth subsections)
from the merged document instead of re-reading the file — so sections
introduced by the remote are detected. Dead code removed
(`matchesRemoteProjectRef`, `resolveRemoteByProjectRef`,
`LegacyConfigPushUnsupportedRemoteError`).
- `functions deploy` is consolidated onto the same shared merge,
deleting its divergent partial copy (`configForProjectRef` /
`mergeFunctionConfigByPresence`, which only handled `functions.*` and
`edge_runtime.deno_version`). Verified behavior-preserving since deploy
reads only those fields. This also corrects deploy's
duplicate-`project_id` message to match Go (both remote names
bracketed).

Closes CLI-1808
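The merge order described in the commit message above, worked through on a constructed document. This is an added example, not the `@supabase/config` implementation: `applyRemoteOverride`, `deepMerge`, `tableAt` and the sample project refs are hypothetical, and which remote name comes first in the duplicate message is an assumption.

```typescript
// Added example; helper names are hypothetical, not the @supabase/config source.
type Doc = { [key: string]: unknown };
type MergeResult = { document: Doc; appliedRemote?: string };

const isTable = (v: unknown): v is Doc =>
  typeof v === "object" && v !== null && !Array.isArray(v);

const tableAt = (doc: Doc, key: string): Doc => {
  const v = doc[key];
  return isTable(v) ? v : {};
};

// Objects recurse; arrays and scalars in the override replace the base value wholesale.
function deepMerge(base: Doc, override: Doc): Doc {
  const out: Doc = { ...base };
  for (const [key, value] of Object.entries(override)) {
    const current = out[key];
    out[key] = isTable(current) && isTable(value) ? deepMerge(current, value) : value;
  }
  return out;
}

// `raw` is the parsed config.toml after env() interpolation and before schema decode.
function applyRemoteOverride(raw: Doc, projectRef: string): MergeResult {
  const base: Doc = { ...raw };
  delete base["remotes"]; // the remotes table never reaches the decoder

  let name: string | undefined;
  let block: Doc | undefined;
  for (const [candidate, value] of Object.entries(tableAt(raw, "remotes"))) {
    if (!isTable(value) || value["project_id"] !== projectRef) continue;
    if (name !== undefined) {
      // Message format quoted on the page; the ordering of the two names is assumed.
      throw new Error(`duplicate project_id for [remotes.${candidate}] and [remotes.${name}]`);
    }
    name = candidate;
    block = value;
  }
  // Assumption: with no matching remote the base document is used as-is.
  if (name === undefined || block === undefined) return { document: base };

  const merged = deepMerge(base, block);
  // db.seed.enabled is forced off unless the remote block sets it explicitly.
  const remoteSeed = tableAt(tableAt(block, "db"), "seed");
  if (!("enabled" in remoteSeed)) {
    const db = tableAt(merged, "db");
    merged["db"] = { ...db, seed: { ...tableAt(db, "seed"), enabled: false } };
  }
  return { document: merged, appliedRemote: name };
}

// Constructed sample document (not taken from any real project).
const sampleDocument: Doc = {
  project_id: "local-dev",
  api: { schemas: ["public", "graphql_public"], max_rows: 1000 },
  db: { major_version: 17, seed: { enabled: true, sql_paths: ["./seed.sql"] } },
  remotes: {
    staging: {
      project_id: "stagingrefplaceholder",
      api: { schemas: ["public"] },
      db: { major_version: 15 },
    },
    prod: { project_id: "prodrefplaceholder", db: { seed: { enabled: true } } },
  },
};
```

Merging decoded configs instead of raw documents would make the `staging` block carry a schema default for `api.max_rows` and overwrite the base value of 1000, which is the clobbering the commit message warns about.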
## What kind of change does this PR introduce?

Bug fix.

## What is the current behavior?

Running `supabase db test <single_file.sql>` fails when that file pulls
in a sibling via psql's `\ir ./other.sql` include:

```
psql:.../storage_object_operations.sql:5: error: .../testing_constants.sql: No such file or directory
```

Running the whole suite (`supabase db test`) works, and so does running
a file with no includes.

**Root cause:** `buildLegacyPgProveArgs` bind-mounted each test path
exactly as given. For a single **file** that mounts only that one file
into the pg_prove container. psql's `\ir` (include-relative) resolves
relative to the test file's *own directory*, so it looks for
`<dir>/sibling.sql` inside the container — which was never mounted. The
whole-suite run works because the entire `tests` **directory** is
mounted, so all siblings are present.

Closes #4850
Fixes CLI-1139

## What is the new behavior?

When a test path is a file, its **containing directory** is bind-mounted
read-only instead of the lone file, so `\ir`/`\i` siblings resolve.
Directories are still mounted as-is. Binds are deduped by container
target so multiple files in the same directory don't emit duplicate `-v`
mounts (which Docker rejects). The full file path is still passed to
`pg_prove`, so only the requested file runs and the TAP output is
byte-identical.

Scope is the TS legacy port only (the stable channel). The Go reference
has the same latent bug; this is a deliberate, output-preserving
divergence noted in the code.
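The mount change described in the commit message above, modelled so the `\ir` failure and the fix can both be checked. This is an added example and not the CLI's `buildLegacyPgProveArgs`: all function names are hypothetical, and using the same path on host and container with a `:ro` suffix is an assumption about the volume string layout.

```typescript
// Added example; names and the host==container path layout are assumptions.
type TestPath = { path: string; isDirectory: boolean };
type Mount = { target: string; isDirectory: boolean };

function parentDir(path: string): string {
  const trimmed = path.length > 1 ? path.replace(/\/+$/, "") : path;
  const slash = trimmed.lastIndexOf("/");
  if (slash < 0) return ".";
  return slash === 0 ? "/" : trimmed.slice(0, slash);
}

// Before the fix: every test path is bind-mounted exactly as given.
function mountsAsGiven(paths: TestPath[]): Mount[] {
  return paths.map((p) => ({ target: p.path, isDirectory: p.isDirectory }));
}

// After the fix: a file contributes its containing directory, directories are
// mounted as-is, and mounts are deduped by container target.
function mountsWithParents(paths: TestPath[]): Mount[] {
  const byTarget = new Map<string, Mount>();
  for (const p of paths) {
    const target = p.isDirectory ? p.path : parentDir(p.path);
    if (!byTarget.has(target)) byTarget.set(target, { target, isDirectory: true });
  }
  return Array.from(byTarget.values());
}

// psql resolves `\ir <rel>` against the directory of the including file, so the
// include only works if that resolved path is covered by some mount.
function includeIsVisible(mounts: Mount[], testFile: string, rel: string): boolean {
  const resolved = `${parentDir(testFile)}/${rel.replace(/^\.\//, "")}`;
  return mounts.some(
    (m) => m.target === resolved || (m.isDirectory && resolved.startsWith(`${m.target}/`)),
  );
}

// Read-only volume flags for `docker run`; duplicates would be rejected by Docker.
function volumeArgs(mounts: Mount[]): string[] {
  const args: string[] = [];
  for (const m of mounts) args.push("-v", `${m.target}:${m.target}:ro`);
  return args;
}

// Constructed sample: two files from the same directory plus one directory.
const requested: TestPath[] = [
  { path: "/work/supabase/tests/storage_object_operations.sql", isDirectory: false },
  { path: "/work/supabase/tests/other_test.sql", isDirectory: false },
  { path: "/work/supabase/tests/rls", isDirectory: true },
];
```

The directory mount also makes every other file in that directory readable inside the container, so the read-only flag is what keeps the wider mount from becoming a write path back to the host.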

The scheduled API package sync workflow was failing because its inline
OpenAPI comparison logic drifted from the package generator. In
particular, the workflow reimplemented override handling in jq, so
adding new override operations could break the detector before the real
generator ever ran.

This removes the custom detector job and makes the workflow use `pnpm
generate` as the source of truth on every scheduled run. The workflow
now regenerates the API package, formats it, checks for changes under
`packages/api/src/generated`, and only creates a sync PR when generated
output actually changes.

This also removes the stale `high_availability` add override now that
the upstream spec includes that field directly, and refreshes the
generated API files for the current upstream spec.

Reviewer context: future OpenAPI override operation support only needs
to be implemented in the generator path; the workflow no longer has a
second override interpreter to keep in sync.
)

## What

Adds a **live** e2e mode to `apps/cli-e2e` and a real-staging command
matrix on top of it, per
[CLI-1630](https://linear.app/supabase/issue/CLI-1630/set-up-proper-live-e2e-tests-for-the-cli)
and
[ADR-0013](https://github.com/supabase/cli/blob/develop/docs/adr/0013-live-e2e-bypasses-replay-server.md).

Live mode is a third mode (`CLI_E2E_MODE=live`) that, unlike
replay/record, **does not use the replay server**. The harness points
the CLI straight at the real Management API (`CLI_E2E_API_URL`) and the
real Docker socket; tests assert on **real outcomes** — process exit
codes, the HTTP responses of deployed functions (status + JSON body),
and real DB/Storage state. This is ID-agnostic, so there are no
snapshots/normalization by default.

## Changes

- **`env.ts`** — `CLI_E2E_MODE` (`replay`/`record`/`live`), `isLive`,
`TARGET_API_URL`, `CLI_E2E_PROJECT_HOST`; back-compat `RECORD=true` →
`record`.
- **`tests/staging-project.ts`** — project-lifecycle helpers extracted
from `setup.ts`: create/delete an ephemeral project, resolve the anon
JWT, the IPv4 **session-pooler `dbUrl`**, the service-role key, and seed
a Storage bucket. Record behavior is unchanged.
- **`tests/live-setup.ts`** — global setup that provisions **one
ephemeral project per run** (`cli-e2e-live-{target}-{runId}-{short}`),
waits `ACTIVE_HEALTHY`, and exposes
`projectRef`/`anonKey`/`functionsUrl`/`dbUrl`/`storageBucket` via
`inject()`; deletes the project on teardown (even on failure).
Intentionally dumb — no in-setup retry.
- **`src/tests/live/`** — `testLive` context (direct-wired `run`, HTTP
`invoke` sending the anon JWT, a `supabase init`-generated `workspace`,
`seedFunctions` to layer the `deploy-e2e-*` fixtures + their
`[functions.*]` config) plus live coverage for: functions deploy (the
three bundler modes + deploy-all), functions lifecycle (re-deploy +
delete), database (`inspect`/`migration list`/`db dump`), db push→pull,
`link`, `projects`, `gen types`, `branches`, `storage`, `secrets`.
- **`vitest.live.config.ts`** + `test:e2e:live`; the default config
excludes `*.live.e2e.test.ts`.
- **`harness.ts`** — `projectHost` option so host-derived commands
(`storage --linked` → `<ref>.<host>`, `db.<ref>.<host>`) reach the real
endpoint instead of `localhost`.
- **`.github/workflows/live-e2e.yml`** — `workflow_dispatch` + an hourly
`@beta` `schedule`; `go` + `ts-legacy` matrix (`fail-fast: false`);
`docker info` preflight; 3× retry; project cleanup scoped to the job's
own prefix.
- **`apps/cli/.../functions/deploy/deploy.e2e.test.ts`** — collocated
integration coverage for the negative/arg-validation cases that don't
belong in the live suite.
- **`docs/adr/0013-…`** + README index row;
`fixtures/live/functions-project/` `deploy-e2e-*` functions.

## Reviewer notes

- **Why bypass the replay server.** Live mode is a deliberately
different signal from the replay suite: it exercises the real
subprocess, real runtime wiring, and real cross-boundary behavior (API +
Docker + DB + Storage) that fixtures can't represent. The replay suite
stays the fast, deterministic default.
- **IPv6 → IPv4 pooler.** Staging's direct DB host
(`db.<ref>.supabase.red`) is **IPv6-only by design**, and the CI runners
have **no IPv6 egress** — so DB-touching commands connect through the
project's **IPv4 session-mode Supavisor pooler** via `--db-url` (the
CLI's own blessed fallback). Session mode (not transaction `6543`) is
required for `pg_dump`.
- **Authoring target is `go`** (source of truth for the port);
`ts-legacy` runs the same tests to prove the shim matches. Both run as
separate CI jobs (independent green/red signals).
- **Trigger model.** There is **no `pull_request` trigger** — run the
workflow manually on a branch for pre-merge coverage.
`workflow_dispatch` (Actions branch picker; no free-form `ref` input, so
the staging token never reaches arbitrary code) and `schedule` only
become active once this file is on the default branch (`develop`) —
classic GitHub bootstrap. The hourly run exercises the `@beta` channel:
`develop` is the default branch and the beta release source, so it
builds `develop` from source and runs the same matrix. A `gate` job
skips the run unless the published `supabase@beta` version changed since
the last green run (an `actions/cache` marker keyed on the version,
written by `finalize` only after **both** legs pass).
- **Secret / fork safety.** Uses
`SUPABASE_E2E_CLI_LIVE_STAGING_ACCESS_TOKEN`; never
`pull_request_target`, so the token is never exposed to fork code.
- **Out of scope:** `config push` surfaced a TS↔remote config-schema
parity bug on `ts-legacy`, tracked separately in
[CLI-1810](https://linear.app/supabase/issue/CLI-1810/config-push-fails-on-ts-legacy-ts-config-schema-rejects-remote-storage);
it is intentionally not covered here.

Refs: CLI-1630

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Bumps [undici](https://github.com/nodejs/undici) from 8.4.1 to 8.5.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v8.5.0</h2>
<h1>⚠️ Security Release</h1>
<p>This release line addresses <strong>8 security advisories</strong>.
Most are fixed in
<strong>v8.5.0</strong>; the SOCKS5 pool-reuse issue was fixed earlier
in <strong>v8.2.0</strong>.</p>
<blockquote>
<p><strong>Action required:</strong> Upgrade to <strong>undici
8.5.0</strong> or later.</p>
<pre lang="sh"><code>npm install undici@^8.5.0
</code></pre>
</blockquote>
<h2>Summary</h2>
<table>
<thead>
<tr>
<th>Advisory</th>
<th>CVE</th>
<th>Severity (CVSS)</th>
<th>Fixed in</th>
<th>Fix commit</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td>
<td>CVE-2026-12151</td>
<td>High (7.5)</td>
<td>8.5.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/32dbf0b3"><code>32dbf0b3</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq">GHSA-38rv-x7px-6hhq</a></td>
<td>CVE-2026-9675</td>
<td>High (7.5)</td>
<td>8.5.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/b4c287b3"><code>b4c287b3</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></td>
<td>CVE-2026-9697</td>
<td>High (7.4)</td>
<td>8.5.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/42d49559"><code>42d49559</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj">GHSA-hm92-r4w5-c3mj</a></td>
<td>CVE-2026-6734</td>
<td>High (7.5)</td>
<td>8.2.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/a516f870"><code>a516f870</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6">GHSA-pr7r-676h-xcf6</a></td>
<td>CVE-2026-9678</td>
<td>Moderate (5.9)</td>
<td>8.5.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/cb105d7c"><code>cb105d7c</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td>
<td>CVE-2026-9679</td>
<td>Moderate (5.9)</td>
<td>8.5.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/5655ea43"><code>5655ea43</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td>
<td>CVE-2026-11525</td>
<td>Low (3.7)</td>
<td>8.5.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/5655ea43"><code>5655ea43</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td>
<td>CVE-2026-6733</td>
<td>Low (3.7)</td>
<td>8.5.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/6ea54ef8"><code>6ea54ef8</code></a></td>
</tr>
</tbody>
</table>
<hr />
<h2>High severity</h2>
<h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3>
<p><strong><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong>
· CWE-400, CWE-770
<strong>Fix:</strong> <a
href="https://github.com/nodejs/undici/commit/32dbf0b3"><code>32dbf0b3</code></a>
<em>websocket: limit the number of fragments in a message</em> (also <a
href="https://github.com/nodejs/undici/commit/c5ed7875"><code>c5ed7875</code></a>
<em>handle empty fragments and stream limits</em>)</p>
<p>A malicious WebSocket server can stream a large number of small or
empty
continuation frames. Undici enforced a limit on cumulative payload size
but did
not limit the <em>number</em> of fragments per message, leading to
unbounded memory
growth and denial of service.</p>
<ul>
<li><strong>Affected:</strong> applications using <code>new
WebSocket(...)</code> or <code>WebSocketStream</code>
against untrusted endpoints.</li>
<li><strong>Workaround:</strong> none — upgrade is required.</li>
</ul>
<h3>WebSocket DoS via cumulative fragment bypass — CVE-2026-9675</h3>
<p><strong><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq">GHSA-38rv-x7px-6hhq</a></strong>
· CWE-400, CWE-770
<strong>Fix:</strong> <a
href="https://github.com/nodejs/undici/commit/b4c287b3"><code>b4c287b3</code></a>
<em>fix(websocket): enforce max payload size across fragments</em></p>
<p>Undici validated the size of individual frames but did not track
cumulative size
across a fragmented message. An attacker could send many small fragments
that
each pass per-frame validation but collectively exceed the configured
limit,
causing memory exhaustion. <strong>This is a regression introduced in
8.1.0</strong> (the</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/a0806e1f66a83db0a792b8407c2e97fcf8ed58af"><code>a0806e1</code></a>
Bumped v8.5.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5429">#5429</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/8a0392cf0d0148c86ece7dc50c1bf6819f7110eb"><code>8a0392c</code></a>
test: detect available python command in wpt runner (<a
href="https://redirect.github.com/nodejs/undici/issues/5427">#5427</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/f4045b9d440e4ebfde4bbcc9f530ab042a1c5100"><code>f4045b9</code></a>
ci: increase Node.js workflow timeout (<a
href="https://redirect.github.com/nodejs/undici/issues/5426">#5426</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/363e44fe4add1528fb3529cde5d71ddc978c8338"><code>363e44f</code></a>
chore: removed repro-h2-pipelining-default.mjs and lint (<a
href="https://redirect.github.com/nodejs/undici/issues/5420">#5420</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/c5ed78756914b17501223dcc345b3a966351604a"><code>c5ed787</code></a>
websocket: handle empty fragments and stream limits</li>
<li><a
href="https://github.com/nodejs/undici/commit/e114e778de1476172a1a9a0d4668af8cf2c25cac"><code>e114e77</code></a>
align EventSource with spec (<a
href="https://redirect.github.com/nodejs/undici/issues/5418">#5418</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/6df53c50daf252c2e7a3d8cb631c94b7fb0e3817"><code>6df53c5</code></a>
fix: preserve h2 queue on out-of-order completion (<a
href="https://redirect.github.com/nodejs/undici/issues/5410">#5410</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/32dbf0b3dd93daf6d87badf506d52e89f2e20e78"><code>32dbf0b</code></a>
websocket: limit the number of fragments in a message</li>
<li><a
href="https://github.com/nodejs/undici/commit/0d6ecc571095a6bff1c2ad4ee43dd6ae4e97411c"><code>0d6ecc5</code></a>
add bodymixin.textStream() (<a
href="https://redirect.github.com/nodejs/undici/issues/5416">#5416</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/42d4955987a136ab29beff6c4ed424c9209b2600"><code>42d4955</code></a>
fix: honor requestTls when proxy is SOCKS5</li>
<li>Additional commits viewable in <a
href="https://github.com/nodejs/undici/compare/v8.4.1...v8.5.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=8.4.1&new-version=8.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/supabase/cli/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
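The two WebSocket advisories quoted in the release notes above both concern limits applied while reassembling a fragmented message: one on cumulative bytes, one on the number of fragments. The sketch below is an added example, not undici's code; `createAssembler`, the limit values and the constructed frames are assumptions, while close codes 1002 and 1009 are the RFC 6455 protocol-error and message-too-big codes.

```typescript
// Added example; not undici's implementation. Limit values are constructed.
type Frame = { fin: boolean; opcode: number; payload: Uint8Array };
type Limits = { maxMessageBytes: number; maxFragments: number };
type PushResult =
  | { kind: "pending" }
  | { kind: "message"; data: Uint8Array }
  | { kind: "close"; code: number; reason: string };

function createAssembler(limits: Limits) {
  let parts: Uint8Array[] = [];
  let bytes = 0;
  let open = false;

  const reset = (): void => {
    parts = [];
    bytes = 0;
    open = false;
  };
  const fail = (code: number, reason: string): PushResult => {
    reset(); // drop buffered fragments before the connection is closed
    return { kind: "close", code, reason };
  };

  function push(frame: Frame): PushResult {
    if (frame.opcode >= 0x8) return { kind: "pending" }; // control frames are not message data
    const isContinuation = frame.opcode === 0x0;
    if (isContinuation !== open) return fail(1002, "unexpected frame type");
    // Count check first: an empty fragment adds no bytes but still costs a slot.
    if (parts.length + 1 > limits.maxFragments) return fail(1009, "too many fragments");
    // Size check is cumulative across the message, not per frame.
    if (bytes + frame.payload.length > limits.maxMessageBytes) return fail(1009, "message too large");
    parts.push(frame.payload);
    bytes += frame.payload.length;
    open = !frame.fin;
    if (!frame.fin) return { kind: "pending" };
    const data = new Uint8Array(bytes);
    let offset = 0;
    for (const part of parts) {
      data.set(part, offset);
      offset += part.length;
    }
    reset();
    return { kind: "message", data };
  }
  return { push };
}

// Feeds frames until the assembler produces a message or a close decision.
function runFrames(limits: Limits, frames: Frame[]): { outcome: string; framesConsumed: number } {
  const assembler = createAssembler(limits);
  let consumed = 0;
  for (const frame of frames) {
    consumed += 1;
    const result = assembler.push(frame);
    if (result.kind === "message") {
      const text = String.fromCharCode(...Array.from(result.data));
      return { outcome: `message:${text}`, framesConsumed: consumed };
    }
    if (result.kind === "close") {
      return { outcome: `close:${result.code}:${result.reason}`, framesConsumed: consumed };
    }
  }
  return { outcome: "pending", framesConsumed: consumed };
}

// Constructed inputs: ASCII payloads and an unfinished run of equal-sized fragments.
const ascii = (text: string): Uint8Array =>
  Uint8Array.from(Array.from(text, (ch) => ch.charCodeAt(0)));

function unfinishedFragments(count: number, size: number): Frame[] {
  const frames: Frame[] = [];
  for (let i = 0; i < count; i += 1) {
    frames.push({ fin: false, opcode: i === 0 ? 0x2 : 0x0, payload: new Uint8Array(size) });
  }
  return frames;
}
```

With only the byte limit in place, the run of empty fragments would never trip a check, which is why the count limit has to be evaluated independently of payload size.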
…emplates with 3 updates (#5625)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3
updates: supabase/realtime, supabase/storage-api and supabase/logflare.

Updates `supabase/realtime` from v2.108.0 to v2.109.1

Updates `supabase/storage-api` from v1.60.20 to v1.60.21

Updates `supabase/logflare` from 1.44.3 to 1.45.0



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 11 updates:

| Package | From | To |
| --- | --- | --- |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.172` | `0.3.174` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.36.15` | `5.36.17` |
| [fumadocs-core](https://github.com/fuma-nama/fumadocs) | `16.10.0` |
`16.10.1` |
| [fumadocs-ui](https://github.com/fuma-nama/fumadocs) | `16.10.0` |
`16.10.1` |
|
[@effect/atom-react](https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react)
| `4.0.0-beta.78` | `4.0.0-beta.80` |
|
[@effect/platform-bun](https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-bun)
| `4.0.0-beta.78` | `4.0.0-beta.80` |
|
[@effect/platform-node](https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-node)
| `4.0.0-beta.78` | `4.0.0-beta.80` |
|
[@effect/sql-pg](https://github.com/Effect-TS/effect/tree/HEAD/packages/sql-pg)
| `4.0.0-beta.78` | `4.0.0-beta.80` |
|
[@effect/vitest](https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest)
| `4.0.0-beta.78` | `4.0.0-beta.80` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260610.1` | `7.0.0-dev.20260611.2` |
|
[effect](https://github.com/Effect-TS/effect/tree/HEAD/packages/effect)
| `4.0.0-beta.78` | `4.0.0-beta.80` |

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.172 to 0.3.174
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.174</h2>
<h2>What's changed</h2>
<ul>
<li>SDK consumers now receive the <code>system/model_fallback</code>
message for all fallback triggers — <code>overloaded</code>,
<code>server_error</code>, and <code>last_resort</code> in addition to
<code>model_not_found</code> and <code>permission_denied</code> — and
the message's <code>trigger</code> field gained the
<code>server_error</code> and <code>last_resort</code> values</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.174
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.174
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.174
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.174
</code></pre>
<h2>v0.3.173</h2>
<h2>What's changed</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.173</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.173
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.173
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.173
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.173
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.174</h2>
<ul>
<li>SDK consumers now receive the <code>system/model_fallback</code>
message for all fallback triggers — <code>overloaded</code>,
<code>server_error</code>, and <code>last_resort</code> in addition to
<code>model_not_found</code> and <code>permission_denied</code> — and
the message's <code>trigger</code> field gained the
<code>server_error</code> and <code>last_resort</code> values</li>
</ul>
<h2>0.3.173</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.173</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/8ef4c3fe8e1b263cd4e8aef8bf352c0367d53a29"><code>8ef4c3f</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/944ab13cf2d82768ceabb018bfdeb5bbd79cedf2"><code>944ab13</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.172...v0.3.174">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.36.15 to 5.36.17
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.36.17</h2>
<h2>5.36.17</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@posthog/core@1.32.3</code></li>
</ul>
</li>
</ul>
<h2>posthog-node@5.36.16</h2>
<h2>5.36.16</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/25822acc0d16f9f1d6fbbd65da57b3e060c6c558"><code>25822ac</code></a>]:
<ul>
<li><code>@posthog/core@1.32.2</code></li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.36.17</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li><code>@posthog/core@1.32.3</code></li>
</ul>
</li>
</ul>
<h2>5.36.16</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/25822acc0d16f9f1d6fbbd65da57b3e060c6c558"><code>25822ac</code></a>]:
<ul>
<li><code>@posthog/core@1.32.2</code></li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/c7abf85f7af52b8b01fbd61b5749eb7649360287"><code>c7abf85</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/5fe3bd488c9809d7ef84e365a2435664ff7fa91d"><code>5fe3bd4</code></a>
chore: update versions and lockfile [version bump]</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.17/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-core` from 16.10.0 to 16.10.1
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/d1c19de6a1a3c3126efccb13c5ac5737c420f6d4"><code>d1c19de</code></a>
Merge pull request <a
href="https://redirect.github.com/fuma-nama/fumadocs/issues/3351">#3351</a>
from fuma-nama/changeset-release/dev</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/86083078b774fa2ce9944eed828507e688b8ee0a"><code>8608307</code></a>
fix radix-ui types</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/501728965f78e65bafff04f36f2438be8429b5bd"><code>5017289</code></a>
chore: bump deps</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7a777226f1886235a7ca8f349e20055bac1b6398"><code>7a77722</code></a>
fix(ui): language display name</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/fc1beed2b5f8a72819a3f17ce582e5ee7ef36ae0"><code>fc1beed</code></a>
docs: add demo for AsyncAPI</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/970ec3c917a8c6bbb4ffbe1997d7409594aecb6e"><code>970ec3c</code></a>
fix format</li>
<li>See full diff in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-core@16.10.0...fumadocs-core@16.10.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-ui` from 16.10.0 to 16.10.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-ui's
releases</a>.</em></p>
<blockquote>
<h2>fumadocs-ui@16.10.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>5017289: Use stable <code>fuma-translate</code></li>
<li>7a77722: fix display name of languages
<ul>
<li>fumadocs-core@16.10.1</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/d1c19de6a1a3c3126efccb13c5ac5737c420f6d4"><code>d1c19de</code></a>
Merge pull request <a
href="https://redirect.github.com/fuma-nama/fumadocs/issues/3351">#3351</a>
from fuma-nama/changeset-release/dev</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/86083078b774fa2ce9944eed828507e688b8ee0a"><code>8608307</code></a>
fix radix-ui types</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/501728965f78e65bafff04f36f2438be8429b5bd"><code>5017289</code></a>
chore: bump deps</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/7a777226f1886235a7ca8f349e20055bac1b6398"><code>7a77722</code></a>
fix(ui): language display name</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/fc1beed2b5f8a72819a3f17ce582e5ee7ef36ae0"><code>fc1beed</code></a>
docs: add demo for AsyncAPI</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/970ec3c917a8c6bbb4ffbe1997d7409594aecb6e"><code>970ec3c</code></a>
fix format</li>
<li>See full diff in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-ui@16.10.0...fumadocs-ui@16.10.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/atom-react` from 4.0.0-beta.78 to 4.0.0-beta.80
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Effect-TS/effect-smol/blob/main/packages/atom/react/CHANGELOG.md">@​effect/atom-react's
changelog</a>.</em></p>
<blockquote>
<h2>4.0.0-beta.80</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/d94433090ee03f426d43e13b883abae4494e55e6"><code>d944330</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/f48659fdcc84930ebc1e5b45b540c0f973389182"><code>f48659f</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/7652aaa3bdbc39f241fe58b54b9a43b713e22e12"><code>7652aaa</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/98630b7c8f679c352ba6796636c85688fa009d8d"><code>98630b7</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/90ae23cf07284da5e1bcd9dffa882e85df7e617b"><code>90ae23c</code></a>]:
<ul>
<li>effect@4.0.0-beta.80</li>
</ul>
</li>
</ul>
<h2>4.0.0-beta.79</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/b9704dc9de9f1649ad502371014fe869b69a49a3"><code>b9704dc</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a207113f66837bb54416926718a9a7d66774d079"><code>a207113</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/5e9b9e217b164ebfd4a002dd4380b3b1563200c3"><code>5e9b9e2</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/7c128aef458a1e2d224712e51c483c9badad1d44"><code>7c128ae</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/0ada457c0513d8d908254ab77ebb7d29d2b523d6"><code>0ada457</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/d7cc5a2bede3de10943aa0c6bdb4f26836a91efd"><code>d7cc5a2</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/aad63becf65e0a6b076e94f8973be7bbe7fbd46f"><code>aad63be</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/09809f60f19ec98232f98b33e33e02ecb7e4fbd6"><code>09809f6</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/2fddda5311929f46b61e503f0ade4fc749e8c77d"><code>2fddda5</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/5f2176833399757c4500d8875b7f2fba0393de75"><code>5f21768</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/f27003e00524ff83f20dd9909f62b2f8795efe03"><code>f27003e</code></a>]:
<ul>
<li>effect@4.0.0-beta.79</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Effect-TS/effect-smol/commit/6ca5b218f6587e6736829e08778fdc007bcfa4fe"><code>6ca5b21</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react/issues/2370">#2370</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect-smol/commit/c4b58818ac61bc862567666f1235e49406e97700"><code>c4b5881</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react/issues/2340">#2340</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect-smol/commit/9de58cc0bb4b45d8a30f77abc75071ca5f2e74ea"><code>9de58cc</code></a>
Refactor module jsdocs (<a
href="https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react/issues/2330">#2330</a>)</li>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect-smol/commits/@effect/atom-react@4.0.0-beta.80/packages/atom/react">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/platform-bun` from 4.0.0-beta.78 to 4.0.0-beta.80
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/HEAD/packages/platform-bun">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/platform-node` from 4.0.0-beta.78 to 4.0.0-beta.80
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/HEAD/packages/platform-node">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/sql-pg` from 4.0.0-beta.78 to 4.0.0-beta.80
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/HEAD/packages/sql-pg">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/vitest` from 4.0.0-beta.78 to 4.0.0-beta.80
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/HEAD/packages/vitest">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260610.1 to
7.0.0-dev.20260611.2
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `effect` from 4.0.0-beta.78 to 4.0.0-beta.80
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/HEAD/packages/effect">compare
view</a></li>
</ul>
</details>
<br />


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Add a configurable `dependency-cache` input to the setup action to allow
workflows to disable pnpm dependency caching when needed.

## Changes

- Added `dependency-cache` input to `.github/actions/setup/action.yml`
with a default value of `"true"`
- Made the "Configure dependency cache" step conditional based on the
new input
- Updated `build-cli-artifacts.yml` to disable dependency caching for
GitHub-hosted runners, which delete the pnpm store before exiting and
would cause the post-job cache save to fail with a path validation error

## Context

GitHub-hosted producers in the build workflow free disk space by
deleting the pnpm store before exiting. This causes the post-job pnpm
cache save step to fail with a path validation error. The new input
allows workflows to skip dependency caching in these scenarios while
keeping it enabled by default for other use cases.

https://claude.ai/code/session_01DDTzGPYndWYVXaqm3mMGXy

---------

Co-authored-by: Claude <noreply@anthropic.com>
## What changed

This improves local stack startup behavior in the Go CLI path used by
the TypeScript legacy wrappers.

When a local API request fails because the configured API port returns a
malformed HTTP response, the CLI now adds a targeted hint that another
process may be listening on that port. The hint includes the configured
port, an `lsof` command to identify the listener, and the `api.port`
config field to change when the port is intentionally occupied.

Startup also now waits for all started services to pass health checks
before seeding storage buckets declared in `[storage.buckets]`. This
keeps bucket creation from appearing to be the failing step when another
service, especially edge runtime, has not become healthy yet.

The edge-runtime main service keeps its regular remote module imports.
This PR does not change the edge-runtime module graph; it focuses on
making local-start failures easier to diagnose and preserving clearer
startup ordering.

## Why

Issue #3265 has shown two recurring local-start failure patterns: a
misleading malformed `/storage/v1/bucket` response when another process
owns the API port, and bucket seeding logs appearing before edge runtime
health failures. These changes make the port-conflict case
self-diagnosing and ensure storage bucket seeding only runs after the
local stack is healthy.
Downgrades the Supabase Realtime Docker image from v2.109.1 to v2.108.0
in the generated Dockerfile template.

This change updates the base image version used in the CLI's Docker
configuration for local development environments.

https://claude.ai/code/session_01RLY7KJJ6So673p6ung8yFV

---------

Co-authored-by: Claude <noreply@anthropic.com>
…apps/cli-go/pkg/config/templates in the docker-minor group (#5630)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1
update: supabase/storage-api.

Updates `supabase/storage-api` from v1.60.21 to v1.60.22


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/storage-api&package-manager=docker&previous-version=v1.60.21&new-version=v1.60.22)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 2 updates:
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
and
[@typescript/native-preview](https://github.com/microsoft/typescript-go).

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.174 to 0.3.175
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.175</h2>
<h2>What's changed</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.175</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.175
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.175
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.175
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.175
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.175</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.175</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/e05f10c790c8e230293c5aae9156d1c28bfd352b"><code>e05f10c</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.174...v0.3.175">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260611.2 to
7.0.0-dev.20260612.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

Adds an ownerless rule for `/packages/api/src/generated/` to
`.github/CODEOWNERS`.

The catch-all `* @supabase/cli` requires CLI-team code-owner review on
every PR. A later, more-specific rule with no owner removes that
required reviewer for matching paths — the same mechanism already used
for the Dependabot dependency surfaces.

This unblocks the recurring Management API OpenAPI spec sync PRs (e.g.
#5662), whose entire diff lives under `packages/api/src/generated/`, so
they no longer wait on code-owner review and can be auto-merged once CI
is green.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
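
The ownerless-rule mechanism described in this commit message, as an added example that is not part of the PR or the repository's code: a simplified CODEOWNERS resolver (last matching pattern wins) that lists which changed paths still require code-owner review. Only the two rules quoted above come from the page; the file name under `generated/`, the helper names, and the pattern subset handled are assumptions.

```python
from fnmatch import fnmatchcase

# The two rules the commit message describes: catch-all first, ownerless override last.
CODEOWNERS = """\
* @supabase/cli
/packages/api/src/generated/
"""

# Constructed changed-file lists; the file name under generated/ is hypothetical.
SYNC_PR = ["packages/api/src/generated/openapi.ts"]
MIXED_PR = SYNC_PR + [".github/workflows/api-package-sync.yml"]


def parse_codeowners(text):
    """Return [(pattern, owners)] in file order, skipping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))  # owners == [] marks an ownerless rule
    return rules


def matches(pattern, path):
    """Match a repo-relative path against a simplified subset of CODEOWNERS patterns.

    Handled: "*", rooted literal paths ("/dir/", "/dir/file", "dir/sub/") and
    basename globs ("*.ts"). Anything else raises, so a caller fails closed
    instead of silently treating an unparsed rule as "no match".
    """
    if pattern == "*":
        return True
    body = pattern.lstrip("/")
    rooted = pattern.startswith("/") or "/" in body.rstrip("/")
    if rooted:
        if any(c in body for c in "*?["):
            raise ValueError(f"unsupported pattern: {pattern}")
        prefix = body.rstrip("/") + "/"
        # A directory rule covers its subtree; a file rule also matches exactly.
        return path.startswith(prefix) or (not body.endswith("/") and path == body)
    if body.endswith("/"):
        raise ValueError(f"unsupported pattern: {pattern}")
    return fnmatchcase(path.rsplit("/", 1)[-1], body)


def owners_for(rules, path):
    """Owners from the LAST matching rule; [] if ownerless, None if nothing matched."""
    owners = None
    for pattern, rule_owners in rules:
        if matches(pattern, path):
            owners = rule_owners
    return owners


def paths_requiring_owner_review(codeowners_text, changed_paths):
    """Changed paths whose effective rule still names at least one owner."""
    rules = parse_codeowners(codeowners_text)
    return [p for p in changed_paths if owners_for(rules, p)]


if __name__ == "__main__":
    for name, changed in (("sync-only PR", SYNC_PR), ("mixed PR", MIXED_PR)):
        blocked = paths_requiring_owner_review(CODEOWNERS, changed)
        print(f"{name}: owner review needed for {blocked or 'nothing'}")

    # Order matters: with the ownerless rule placed BEFORE the catch-all,
    # "*" is the last match and the generated path is owned again.
    reordered = "/packages/api/src/generated/\n* @supabase/cli\n"
    print("reordered:", paths_requiring_owner_review(reordered, SYNC_PR))
```

Run against a sync PR's changed-file list, this is a cheap pre-merge check that an auto-merged PR has not strayed outside the ownerless path.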

jgoux and others added 2 commits June 23, 2026 16:37
Brings the `@supabase/api` package sync workflow in line with the Go CLI
API sync workflow
([cli-go-api-sync.yml](.github/workflows/cli-go-api-sync.yml)), which
already auto-approves and auto-merges its generated PRs.

Previously
[api-package-sync.yml](.github/workflows/api-package-sync.yml) created a
PR on its hourly cron but stopped there — every sync PR waited on a
human even when all checks were green.

Changes:
- Add `id: cpr` to the Create Pull Request step so its outputs can be
referenced.
- Add an Approve step that runs only when a PR was actually created
(`pull-request-operation == 'created'`), with `continue-on-error: true`
so re-runs against an existing PR don't fail the job.
- Add an Enable Pull Request Automerge step (`gh pr merge --auto
--squash`) so the PR merges once required checks pass.

Note: relies on the repo's "Allow auto-merge" setting and branch
protection on `develop` requiring checks — the same prerequisites the Go
sync workflow already depends on.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
## Summary
- Bump the local stack logflare image from `1.44.3` to `1.45.3` in the
CLI Dockerfile manifest.
- Remove the stale Dependabot ignore for `supabase/logflare` versions
`>= 1.45.0` — those tags are now mirrored to GHCR and ECR.

Co-authored-by: Cursor <cursoragent@cursor.com>

dependabot Bot added 2 commits June 23, 2026 16:50
…pps/cli-go/pkg/config/templates in the docker-minor group (#5668)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1
update: supabase/storage-api.

Updates `supabase/storage-api` from v1.60.29 to v1.61.0


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/storage-api&package-manager=docker&previous-version=v1.60.29&new-version=v1.61.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…in /apps/cli-go in the go-minor group across 1 directory (#5669)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[github.com/getsentry/sentry-go](https://github.com/getsentry/sentry-go).

Updates `github.com/getsentry/sentry-go` from 0.46.2 to 0.47.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-go/releases">github.com/getsentry/sentry-go's
releases</a>.</em></p>
<blockquote>
<h2>0.47.0</h2>
<h3>Breaking Changes 🛠</h3>
<ul>
<li>Fix <code>transaction_info</code> source getting set incorrectly
across HTTP middleware integrations (http, fasthttp, fiber). Users
should now expect traces to properly get grouped with their
parameterized path. Transactions in affected integrations may regroup
after upgrading. by <a
href="https://github.com/giortzisg"><code>@​giortzisg</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-go/pull/1325">#1325</a></li>
<li>remove deprecated <code>otel.NewSentrySpanProcessor</code>. Users
should now use the <code>sentryotlp.NewTraceExporter</code> instead by
<a href="https://github.com/giortzisg"><code>@​giortzisg</code></a> in
<a
href="https://redirect.github.com/getsentry/sentry-go/pull/1307">#1307</a>
<pre lang="go"><code>// Before
sentry.Init(sentry.ClientOptions{Dsn: dsn, EnableTracing: true,
    TracesSampleRate: 1.0})

tp := sdktrace.NewTracerProvider(
    sdktrace.WithSpanProcessor(sentryotel.NewSentrySpanProcessor()),
)
otel.SetTextMapPropagator(sentryotel.NewSentryPropagator())
otel.SetTracerProvider(tp)

// After:
sentry.Init(sentry.ClientOptions{
    Dsn: dsn, EnableTracing: true, TracesSampleRate: 1.0,
    Integrations: func(i []sentry.Integration) []sentry.Integration {
        return append(i, sentryotel.NewOtelIntegration())
    },
})

exporter, _ := sentryotlp.NewTraceExporter(ctx, dsn)
tp := sdktrace.NewTracerProvider(sdktrace.WithBatcher(exporter))
otel.SetTracerProvider(tp)
</code></pre>
</li>
<li>Enable logs by default to skip double allow behavior. Enabling logs
now happens once when setting up either <code>sentry.NewLogger</code> or
any supported integration. Also the EnableLogs flag changes to
DisableLogs for a global override switch by <a
href="https://github.com/giortzisg"><code>@​giortzisg</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-go/pull/1306">#1306</a></li>
<li>Remove the <code>ContextifyFrames</code> integration. The
recommended way to add source context is <a
href="https://docs.sentry.io/integrations/source-code-mgmt/source-context/">SCM</a>
by <a href="https://github.com/giortzisg"><code>@​giortzisg</code></a>
in <a
href="https://redirect.github.com/getsentry/sentry-go/pull/1302">#1302</a></li>
</ul>
<h3>New Features ✨</h3>
<ul>
<li>Add fiber v3 integration by <a
href="https://github.com/giortzisg"><code>@​giortzisg</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-go/pull/1324">#1324</a></li>
<li>Bump fasthttp from 1.51.0 to 1.71.0 by <a
href="https://github.com/giortzisg"><code>@​giortzisg</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-go/pull/1324">#1324</a></li>
<li>Add sentrysql SQL tracing integration by <a
href="https://github.com/giortzisg"><code>@​giortzisg</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-go/pull/1305">#1305</a>
<ul>
<li>Supports multiple integration paths depending on how your app opens
database connections: <code>sentrysql.Open(...)</code>,
<code>sentrysql.OpenDB(...)</code>, and wrapped drivers/connectors for
custom setups.</li>
<li>Database metadata is not inferred in every setup. If the database
name is not discoverable automatically, pass
<code>sentrysql.WithDatabaseName(...)</code> so spans are populated
correctly.</li>
<li>Example:</li>
</ul>
<pre lang="go"><code> // Simple driver-based setup
 db, err := sentrysql.Open(&quot;sqlite&quot;, &quot;:memory:&quot;,
     sentrysql.WithDatabaseSystem(sentrysql.SystemSQLite),
     sentrysql.WithDatabaseName(&quot;main&quot;),
 )
</code></pre>
</li>
</ul>
<h3>Internal Changes 🔧</h3>
<h4>Deps</h4>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/getsentry/sentry-go/commit/9b7a5624089638c2ba32feb0f19ada8d43a6cc45"><code>9b7a562</code></a>
release: 0.47.0</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/320597ca56231b04d8cbecd7fb1638022a5f0f31"><code>320597c</code></a>
chore: update bump-version script to also bump crosstest (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1327">#1327</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/02a836d7aa0d9714e7b043165aa8f576e051278c"><code>02a836d</code></a>
build(deps): sync go.work (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1326">#1326</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/dc18868e4665622e8754b14693dfe74a03a0353d"><code>dc18868</code></a>
feat: add fiberv3 integration (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1324">#1324</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/f970fb569e96394f1bee44e24cdbcdb8c03f3b5e"><code>f970fb5</code></a>
feat: add sql transaction instrumentation (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1305">#1305</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/1010c034417791bc4e8863f8d350684e64557a7b"><code>1010c03</code></a>
fix!: transaction source for integrations (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1325">#1325</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/97b9ddf7adee2af74ce3b129d4eef204de7cb307"><code>97b9ddf</code></a>
build(deps): bump getsentry/github-workflows from
71588ddf95134f804e82c5970a8...</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/9cce79eaf28fec76f526628878f0819330bd85c0"><code>9cce79e</code></a>
feat(sql): add lexer and obfuscator (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1299">#1299</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/063a5730fdb192c7fe3330f67a7e433841d8aeb9"><code>063a573</code></a>
feat(sql): add span instrumentation (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1286">#1286</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-go/commit/34d7db0afca784b8a73bc1b336ffa04163733c0d"><code>34d7db0</code></a>
chore(otel): remove unused semconv helpers (<a
href="https://redirect.github.com/getsentry/sentry-go/issues/1321">#1321</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/getsentry/sentry-go/compare/v0.46.2...v0.47.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/getsentry/sentry-go&package-manager=go_modules&previous-version=0.46.2&new-version=0.47.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- name: Enable Pull Request Automerge
if: steps.check.outputs.has_changes == 'true'
run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
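Review bot: On the `run:` line, `${{ github.repository }}` is expanded into the script text before the shell runs, while the pull request number beside it is read from an environment variable (`STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER`). Suggest reading the repository the same way, for example `--repo "$GITHUB_REPOSITORY"`, so the script body contains no inline expression and both arguments follow one pattern.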

🟡 Severity: MEDIUM

This new auto-approve + auto-merge pipeline, combined with the CODEOWNERS change making /packages/api/src/generated/ ownerless, means code generated from an external HTTP endpoint (https://api.supabase.com/api/v1-json via pnpm generate) is now merged into the repository with no human review. A supply-chain compromise of that API endpoint would result in attacker-controlled code being automatically merged.

💡 Fix Suggestion

Suggestion: This supply-chain risk requires a coordinated set of changes across multiple files to ensure generated code cannot be merged without human review:

  1. Remove the 'Approve a PR' step (lines 68–74 in the workflow): The workflow should not self-approve its own PR. Self-approval using the same app token eliminates any meaningful review gate.

  2. Remove the 'Enable Pull Request Automerge' step (lines 76–81 in the workflow, including line 78): Disabling auto-merge forces a human to explicitly trigger the merge, providing a last line of defense even if the auto-approval gate were left in place.

  3. Re-add a code owner for /packages/api/src/generated/ in .github/CODEOWNERS: The line /packages/api/src/generated/ currently has no owner, which bypasses the default @supabase/cli team requirement. Change it to /packages/api/src/generated/ @supabase/cli (or a dedicated review team) so that GitHub's branch-protection rules enforce at least one human approval before any generated code can be merged.

  4. (Optional but recommended) Add integrity verification before code generation: Before running pnpm generate, download the OpenAPI spec, verify it against a known checksum or a pinned digest, and abort if it does not match. This reduces the blast radius of a compromised upstream endpoint.

Implementing steps 1–3 together ensures that auto-created sync PRs require a genuine human review and approval from a codeowner before they can be merged into the develop branch.
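
An added example, not part of the review comment or the repository's workflow: one way to implement the integrity check from suggestion 4 as a shell gate that runs before `pnpm generate`. The file names `openapi.json` and `openapi.sha256`, the `SPEC_URL` variable and both function names are assumptions, as is the generator reading the verified local file rather than fetching the spec again.

```shell
#!/bin/sh
# Added example: refuse to generate code unless the downloaded OpenAPI spec
# matches a SHA-256 digest pinned in the repository.
# Assumed names: sha256_of, verify_pinned_digest, openapi.json, openapi.sha256.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned_digest <file> <expected-hex>
# Exit status: 0 = digest matches the pin
#              1 = digest mismatch (spec changed or was tampered with)
#              2 = unusable input (missing file or malformed pin)
verify_pinned_digest() {
  vpd_file="$1"
  # Accept upper-case pins, compare in lower case.
  vpd_expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"

  if [ ! -f "$vpd_file" ]; then
    echo "spec file missing: $vpd_file" >&2
    return 2
  fi

  # An empty or truncated pin must never be treated as "nothing to check".
  case "$vpd_expected" in
    ''|*[!0-9a-f]*)
      echo "malformed pin: expected 64 hex characters" >&2
      return 2
      ;;
  esac
  if [ "${#vpd_expected}" -ne 64 ]; then
    echo "malformed pin: expected 64 hex characters" >&2
    return 2
  fi

  vpd_actual="$(sha256_of "$vpd_file")"
  if [ "$vpd_actual" != "$vpd_expected" ]; then
    echo "digest mismatch: got $vpd_actual, pinned $vpd_expected" >&2
    return 1
  fi
  return 0
}

# How the gate would sit in the workflow step (needs network, so not run here).
# The generator must consume the verified local file; if it downloads the spec
# itself, the bytes that were checked are not the bytes that get used.
#
#   curl --fail --silent --show-error --location -o openapi.json "$SPEC_URL"
#   verify_pinned_digest openapi.json "$(cat openapi.sha256)" || exit 1
#   pnpm generate
```

The pin changes only through a reviewed commit, so a legitimately updated spec still passes a human before generated code lands.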

@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

dependabot Bot added 2 commits June 24, 2026 00:11
…emplates with 2 updates (#5672)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 2
updates: supabase/storage-api and supabase/logflare.

Updates `supabase/storage-api` from v1.61.0 to v1.61.1

Updates `supabase/logflare` from 1.45.3 to 1.45.4


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ajor group (#5674)

Bumps the actions-major group with 1 update:
[actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 6.0.3 to 7.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>block checking out fork pr for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
<li>getting ready for checkout v7 release by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2464">actions/checkout#2464</a></li>
<li>update error wording by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2467">actions/checkout#2467</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.3...v7.0.0">https://github.com/actions/checkout/compare/v6.0.3...v7.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v7.0.0</h2>
<ul>
<li>Block checking out fork PR for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
</ul>
<h2>v6.0.3</h2>
<ul>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@​motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@​mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@​benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"><code>9c091bb</code></a>
update error wording (<a
href="https://redirect.github.com/actions/checkout/issues/2467">#2467</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/1044a6dea927916f2c38ba5aeffbc0a847b1221a"><code>1044a6d</code></a>
getting ready for checkout v7 release (<a
href="https://redirect.github.com/actions/checkout/issues/2464">#2464</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f0282184c7ce73ab54c7e4ab5a617122602e575f"><code>f028218</code></a>
Bump the minor-npm-dependencies group across 1 directory with 3 updates
(<a
href="https://redirect.github.com/actions/checkout/issues/2462">#2462</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/d914b262ffc244530a203ab40decab34c3abf34d"><code>d914b26</code></a>
upgrade module to esm and update dependencies (<a
href="https://redirect.github.com/actions/checkout/issues/2463">#2463</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/537c7ef99cef6e5ddb5e7ff5d16d14510503801d"><code>537c7ef</code></a>
Bump <code>@​actions/core</code> and <code>@​actions/tool-cache</code>
and Remove uuid (<a
href="https://redirect.github.com/actions/checkout/issues/2459">#2459</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/130a169078a413d3a5246a393625e8e742f387f6"><code>130a169</code></a>
Bump js-yaml from 4.1.0 to 4.2.0 (<a
href="https://redirect.github.com/actions/checkout/issues/2461">#2461</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/7d09575332117a40b46e5e020664df234cd416f3"><code>7d09575</code></a>
Bump flatted from 3.3.1 to 3.4.2 (<a
href="https://redirect.github.com/actions/checkout/issues/2460">#2460</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/0f9f3aa320cb53abeb534aeb54048075d9697a0e"><code>0f9f3aa</code></a>
Bump actions/publish-immutable-action (<a
href="https://redirect.github.com/actions/checkout/issues/2458">#2458</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/f9e715a95fcd1f9253f77dd28f11e88d2d6460c7"><code>f9e715a</code></a>
block checking out fork pr for pull_request_target and workflow_run (<a
href="https://redirect.github.com/actions/checkout/issues/2454">#2454</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=6.0.3&new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Comment on lines +113 to +114
- name: Setup
uses: ./.github/actions/setup

Severity: LOW

The live-e2e job's Setup step omits dependency-firewall-token, unlike every other workflow updated in this PR (test.yml, release-shared.yml, publish-preview-cli-packages.yml, etc.). Without the token, pnpm install falls back to the default npm registry, bypassing the dependency firewall security control that guards against malicious or compromised packages.

💡 Fix Suggestion

Suggestion: Add a with: block to the Setup step in the live-e2e job to pass the dependency-firewall-token, matching the pattern used in all other CI workflows (test.yml, release-shared.yml, etc.). This ensures pnpm install routes through the dependency firewall instead of falling back to the default npm registry.

⚠️ Experimental Feature: This code suggestion is automatically generated. Please review carefully.

Suggested change
- name: Setup
uses: ./.github/actions/setup
- name: Setup
uses: ./.github/actions/setup
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
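Review bot: in the suggested `with:` block, if `secrets.DF_FIREWALL_TOKEN` resolves to an empty string the step is presumably back in the state the comment describes for a missing token, with `pnpm install` falling back to the default npm registry while the job still passes. Consider having `./.github/actions/setup` fail when `dependency-firewall-token` is empty, so an unset secret stops the job instead of silently bypassing the firewall.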

Follow-up to #5333 (the `inbucket` → `local_smtp` config rename).

Strengthens the config-schema unit test so the deprecated implementation
name cannot creep back into the published schema: the assertion now
checks the generated schema case-insensitively
(`schemaString.toLowerCase()`), covering descriptions as well as keys —
not just the lowercase `inbucket` substring.

#5333 already removed the last user-facing `inbucket` references (the
section key, plus the schema descriptions/link which now point at the
actual local tool, Mailpit). This test makes that invariant durable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

avallete and others added 2 commits June 24, 2026 12:02
Implement Phase 1 of macOS code signing to fix the SIGKILL issue on
macOS 26+ (CLI-1621). The Bun SFE and Go sidecar binaries are now signed
with a full ad-hoc signature during the build pipeline, replacing the
degenerate linker-signed signature that AMFI rejects.

## Changes

- **Build pipeline signing**: Added `signDarwinBinaries()` and
`resolveSignMode()` to `apps/cli/scripts/build.ts` to sign macOS
binaries (`supabase` and `supabase-go`) with `rcodesign` between
compilation and archiving. This ensures all distribution channels (npm,
Homebrew, GitHub Releases) ship the signed bytes.

- **CI integration**: Updated
`.github/workflows/build-cli-artifacts.yml` to install `rcodesign`
v0.29.0 (pinned with sha256), set `SUPABASE_CLI_REQUIRE_SIGNING=1` to
enforce signing in release builds, and verify signatures post-build
using `rcodesign print-signature-info`.

- **Smoke test verification**: Extended
`apps/cli/tests/smoke-test-macos.ts` with native signature verification
via new `verifyMacSignature()` helper in
`apps/cli/tests/helpers/macos-signature.ts`. On macOS runners, this
checks the signature is valid, carries the correct identifier
(`com.supabase.cli` / `com.supabase.cli-go`), and is no longer
linker-signed.

- **Documentation**: Added ADR 0013 documenting the decision, rationale,
and Phase 2 roadmap (Developer ID + notarization). Updated
`release-process.md` and `binary-distribution.md` to describe the
signing step and its role in the release pipeline.

## Implementation details

- **No Apple credentials required for Phase 1**: Full ad-hoc signatures
are self-contained and do not require an Apple Developer ID. This fixes
the SIGKILL without blocking on account provisioning.

- **Linux-only signing**: `rcodesign` runs on the existing Linux build
runner, avoiding a macOS job and pipeline split. Verification happens on
macOS smoke-test runners.

- **Graceful degradation**: Local builds without `rcodesign` warn and
skip signing (unless `SUPABASE_CLI_REQUIRE_SIGNING=1` is set), allowing
contributors to build unsigned binaries for testing.

- **Identifiers**: `com.supabase.cli` for the Bun SFE,
`com.supabase.cli-go` for the Go sidecar, configured in
`MACOS_IDENTIFIERS` map.

See ADR 0013 for full context, Phase 2 roadmap (Developer ID +
notarization), and related follow-ups (Windows Authenticode, Linux
cosign).

Related #5556 

https://claude.ai/code/session_01GnLjngbm48rMYVwn9Guduc

---------

Co-authored-by: Claude <noreply@anthropic.com>
…/apps/cli-go/pkg/config/templates (#5673)

Bumps supabase/postgres from 17.6.1.138 to 17.6.1.139.


---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Julien Goux <hi@jgoux.dev>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

jgoux and others added 2 commits June 24, 2026 12:16
…#5677)

## What

Add a bounded, transport-level retry to the local API proxy's
`/functions/v1/*` route so the first request to an Edge Function does
not surface as a `502 Bad Gateway` while edge-runtime cold-boots its
user worker.

## Why

The proxy forwarded function requests to edge-runtime with no retry,
mapping any transport `HttpClientError` straight to a 502. Edge
functions cold-boot lazily: the first request to a function makes
edge-runtime spin up a user worker, and the connection can be
refused/reset during that window. The runtime's `/_internal/health`
probe answers immediately, so the stack reporting `edge-runtime:
Healthy` does **not** mean a given function is servable yet. The result
is an intermittent one-off 502 on a user's first call — and the same
race made the `packages/stack` edge-function e2e test flaky.

## How

- New `retryColdStart` option on the proxy handler, enabled only on the
functions route (other routes proxy to already-warm services and are
unchanged).
- Retries only transient `TransportError`s, spaced 250ms, bounded to 8
attempts (~2s ceiling).
- Buffers the request body into memory on that route so the request can
be safely re-sent across attempts; a body-read failure returns a 502
instead.

Covered by new `ApiProxy.unit.test.ts` cases: the functions route
retries a reset connection to success, non-functions routes do **not**
retry, and the buffered body is replayed on retry (the last test fails
if the body is streamed instead of buffered).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…te (#5678)

## What

Makes `supabase functions serve` start fully offline. The edge-runtime
bootstrap template (`apps/cli/src/shared/functions/serve.main.ts`)
imported three modules that Deno resolved **over the network on every
container start**:

- `https://deno.land/std/http/status.ts`
- `https://deno.land/std/path/posix/mod.ts`
- `jsr:@panva/jose@6`

With no network these fail to resolve and the worker never boots — the
offline failure reported in
[supabase/supabase#45570](supabase/supabase#45570).

## How

The two `deno.land/std` imports are trivially eliminable; `jose` is the
only real dependency. So:

- **Inline the std deps** — `STATUS_CODE`/`STATUS_TEXT` and posix
`join`/`dirname`/`toFileUrl` move into a new, normally-typed,
unit-tested `serve-main-deps.ts` (the template imports it relatively).
- **Bundle `jose` locally** — a new `serve-main-bundler.ts` uses esbuild
(`platform: browser` → jose's Web Crypto build) to bundle
`serve.main.ts` into a single self-contained ES module with `jose` and
the helpers inlined. `Deno`/`EdgeRuntime` stay as free globals.
- **Delivery is unchanged in shape** — compiled binaries embed the
pre-bundled template via the existing
`SUPABASE_FUNCTIONS_SERVE_MAIN_TEMPLATE` define (now produced by the
bundler in `build.ts` and the new `build-binary.ts` used by
`build:next`/`build:legacy`). Running from source bundles on demand via
a lazy import, so esbuild is never loaded by shipped binaries. The
container launch path (`heredoc → /root/index.ts`, `edge-runtime start
--main-service=/root`) is untouched — only the template contents differ.

## Why this approach (and not a pre-bundled eszip)

The edge-functions team suggested shipping the template as a pre-bundled
**eszip** (as hosted `ef-ingress` does). That works, but for the CLI it
couples the eszip to a single edge-runtime version while users can
override `edge_runtime.image` / `supabase/.temp/edge-runtime-version`,
and it adds a Docker bundling step to every release. Local bundling
avoids both: no version coupling, no release-pipeline change, and the
template stays readable source. `jose` is explicitly cross-runtime (Web
Crypto), confirmed running under `edge-runtime:v1.74.1`'s Deno.

## Scope

- **Only the legacy TS native serve** is affected — `functions serve` is
`ported`, so the Go template is not on the released path, and the
`next`/`packages/stack` local-dev path already has a remote-import-free
bootstrap.
- This fixes the **runtime bootstrap**. User functions with their own
remote imports still fetch on first run (Deno-cached after); the
edge-runtime image itself must also be pulled online once.

Closes supabase/supabase#45570

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

This PR was automatically created to sync the generated `@supabase/api`
package with the latest Management API OpenAPI document.

Changes were detected in the upstream OpenAPI document exposed by
`https://api.supabase.com/api/v1-json`.

Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>

…oss 1 directory (#5670)

Bumps the npm-major group with 1 update in the / directory:
[nx](https://github.com/nrwl/nx/tree/HEAD/packages/nx).

Updates `nx` from 22.7.5 to 23.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/nrwl/nx/releases">nx's
releases</a>.</em></p>
<blockquote>
<h1>23.0.0 (2026-06-16)</h1>
<h3>🚀 Features</h3>
<ul>
<li>⚠️ <strong>angular:</strong> remove deprecated
<code>@​nx/angular/</code>module-federation entry point (<a
href="https://redirect.github.com/nrwl/nx/pull/35512">#35512</a>)</li>
<li>⚠️ <strong>angular:</strong> remove deprecated move generator (<a
href="https://redirect.github.com/nrwl/nx/pull/35513">#35513</a>)</li>
<li>⚠️ <strong>angular:</strong> remove deprecated ngrx generator (<a
href="https://redirect.github.com/nrwl/nx/pull/35567">#35567</a>)</li>
<li><strong>angular:</strong> deprecate convert-to-with-mf generator (<a
href="https://redirect.github.com/nrwl/nx/pull/35862">#35862</a>)</li>
<li><strong>angular:</strong> deprecate SCAM generators (<a
href="https://redirect.github.com/nrwl/nx/pull/35887">#35887</a>)</li>
<li>⚠️ <strong>bundling:</strong> drop legacy typescript plugin and
align rollup buildLibsFromSource default (<a
href="https://redirect.github.com/nrwl/nx/pull/35516">#35516</a>)</li>
<li>⚠️ <strong>bundling:</strong> remove SVGR option and provide
withSvgr migration (<a
href="https://redirect.github.com/nrwl/nx/pull/35611">#35611</a>)</li>
<li><strong>bundling:</strong> add Vite 7 -&gt; 8 migrations (<a
href="https://redirect.github.com/nrwl/nx/pull/35614">#35614</a>)</li>
<li><strong>core:</strong> add support for '...' as a spread token when
merging target config (<a
href="https://redirect.github.com/nrwl/nx/pull/34285">#34285</a>)</li>
<li><strong>core:</strong> show target uses task graph + filter broken
dependsOn during normalization (<a
href="https://redirect.github.com/nrwl/nx/pull/35367">#35367</a>)</li>
<li><strong>core:</strong> add --mode and --multi-major-mode flags to nx
migrate (<a
href="https://redirect.github.com/nrwl/nx/pull/35497">#35497</a>)</li>
<li><strong>core:</strong> support <code>prompt</code> field in
migration entries (<a
href="https://redirect.github.com/nrwl/nx/pull/35638">#35638</a>)</li>
<li><strong>core:</strong> rename nx watch --includeDependentProjects to
--includeDependencies (<a
href="https://redirect.github.com/nrwl/nx/pull/35699">#35699</a>)</li>
<li><strong>core:</strong> support filtered array-shape targetDefaults
with projects and source (<a
href="https://redirect.github.com/nrwl/nx/pull/35340">#35340</a>)</li>
<li><strong>core:</strong> enable native Node.js TypeScript stripping by
default (<a
href="https://redirect.github.com/nrwl/nx/pull/35608">#35608</a>)</li>
<li><strong>core:</strong> add shell tab-completion (bash, zsh, fish,
powershell) (<a
href="https://redirect.github.com/nrwl/nx/pull/34951">#34951</a>)</li>
<li><strong>core:</strong> add agentic mode to nx migrate
--run-migrations (<a
href="https://redirect.github.com/nrwl/nx/pull/35718">#35718</a>)</li>
<li><strong>core:</strong> add a migrate configuration section to
nx.json (<a
href="https://redirect.github.com/nrwl/nx/pull/35831">#35831</a>)</li>
<li><strong>core:</strong> feed migration docs to agents in nx migrate
(<a
href="https://redirect.github.com/nrwl/nx/pull/35835">#35835</a>)</li>
<li><strong>core:</strong> avoid redundant rematch in
findMatchingConfigFiles (<a
href="https://redirect.github.com/nrwl/nx/pull/35793">#35793</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35792">#35792</a>)</li>
<li>⚠️ <strong>core:</strong> rename CreateNodes V2 types to canonical
OG names (<a
href="https://redirect.github.com/nrwl/nx/pull/35386">#35386</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/32951">#32951</a>)</li>
<li><strong>core:</strong> support prompt-only and hybrid migrations in
Nx Console UI (<a
href="https://redirect.github.com/nrwl/nx/pull/35822">#35822</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35718">#35718</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/3153">#3153</a>)</li>
<li><strong>core:</strong> add JSON schema for migrations.json files (<a
href="https://redirect.github.com/nrwl/nx/pull/35888">#35888</a>)</li>
<li><strong>core:</strong> add migrations for createNodesV2 -&gt;
createNodes rename (<a
href="https://redirect.github.com/nrwl/nx/pull/35893">#35893</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35386">#35386</a>)</li>
<li><strong>core:</strong> extend <code>nx migrate --include</code> to
any package that supports optional updates (<a
href="https://redirect.github.com/nrwl/nx/pull/35905">#35905</a>)</li>
<li><strong>core:</strong> report analytics events for the nx migrate
flow (<a
href="https://redirect.github.com/nrwl/nx/pull/35937">#35937</a>)</li>
<li><strong>core:</strong> revert array-shape targetDefaults support
pending redesign and reapplication (<a
href="https://redirect.github.com/nrwl/nx/pull/36005">#36005</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35340">#35340</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35711">#35711</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35752">#35752</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35991">#35991</a>)</li>
<li>⚠️ <strong>detox:</strong> deprecate the <code>@​nx/detox</code>
build and test executors (<a
href="https://redirect.github.com/nrwl/nx/pull/35529">#35529</a>)</li>
<li><strong>devkit:</strong> migrate <code>@nx/devkit/src/...</code>
deep imports (<a
href="https://redirect.github.com/nrwl/nx/pull/35541">#35541</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/34946">#34946</a>)</li>
<li>⚠️ <strong>devkit:</strong> deprecate the standalone parameter of
addProjectConfiguration (<a
href="https://redirect.github.com/nrwl/nx/pull/35883">#35883</a>)</li>
<li><strong>gradle:</strong> stream batch task results to nx as they
finish (<a
href="https://redirect.github.com/nrwl/nx/pull/35487">#35487</a>)</li>
<li><strong>js:</strong> support pnpm 11.2.2 (<a
href="https://redirect.github.com/nrwl/nx/pull/35772">#35772</a>)</li>
<li><strong>linter:</strong> allow prompt-only entries in migration
nx-plugin-checks (<a
href="https://redirect.github.com/nrwl/nx/pull/35700">#35700</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35638">#35638</a>)</li>
<li><strong>linter:</strong> deprecate ESLint v8 support (<a
href="https://redirect.github.com/nrwl/nx/pull/35819">#35819</a>)</li>
<li>⚠️ <strong>misc:</strong> remove Tailwind CSS setup-tailwind
generators (<a
href="https://redirect.github.com/nrwl/nx/pull/35049">#35049</a>)</li>
<li>⚠️ <strong>misc:</strong> remove deprecated stylesheet options from
generators (<a
href="https://redirect.github.com/nrwl/nx/pull/35103">#35103</a>)</li>
<li><strong>misc:</strong> drop Node 20 support and bump
<code>@​types/node</code> (<a
href="https://redirect.github.com/nrwl/nx/pull/35591">#35591</a>)</li>
<li>⚠️ <strong>misc:</strong> deprecate executors with inferred-plugin
replacements (<a
href="https://redirect.github.com/nrwl/nx/pull/35576">#35576</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35517">#35517</a>)</li>
<li>⚠️ <strong>misc:</strong> remove deprecated js option from component
generators (<a
href="https://redirect.github.com/nrwl/nx/pull/35616">#35616</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/29111">#29111</a>)</li>
<li><strong>misc:</strong> convert prompt generator migrations to use
prompt field (<a
href="https://redirect.github.com/nrwl/nx/pull/35688">#35688</a>)</li>
<li>⚠️ <strong>misc:</strong> drop deprecated webpack plugin re-exports
+ v23 polish (<a
href="https://redirect.github.com/nrwl/nx/pull/35659">#35659</a>)</li>
<li><strong>misc:</strong> add --trustThirdPartyPreset flag to skip
confirmation prompt (<a
href="https://redirect.github.com/nrwl/nx/pull/35827">#35827</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35826">#35826</a>)</li>
<li><strong>misc:</strong> remove migrations prior to v21 in preparation
for v23 (<a
href="https://redirect.github.com/nrwl/nx/pull/35909">#35909</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/30839">#30839</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/32904">#32904</a>, <a
href="https://redirect.github.com/nrwl/nx/issues/35900">#35900</a>)</li>
<li><strong>misc:</strong> multi-version support compliance for detox,
expo, react-native, and remix (<a
href="https://redirect.github.com/nrwl/nx/pull/35885">#35885</a>)</li>
<li><strong>misc:</strong> prompt analytics earlier in init flow (<a
href="https://redirect.github.com/nrwl/nx/pull/35922">#35922</a>)</li>
<li><strong>module-federation:</strong> deprecate old generators and add
new consumer/provider generators (<a
href="https://redirect.github.com/nrwl/nx/pull/35825">#35825</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nrwl/nx/commit/71bbc709f475b263ff2c3a9056bfb63de2a06963"><code>71bbc70</code></a>
feat(core): revert array-shape targetDefaults support pending redesign
and re...</li>
<li><a
href="https://github.com/nrwl/nx/commit/fda23a3c55861e4ef9643766b097c1cf4e53c80b"><code>fda23a3</code></a>
fix(core): read and replay cached failures when NX_CACHE_FAILURES is
enabled ...</li>
<li><a
href="https://github.com/nrwl/nx/commit/958e60a8a85e6f4706a92c740d2b6ee18af6c734"><code>958e60a</code></a>
docs(core): rewrite targetDefaults reference and guide for array shape
and vo...</li>
<li><a
href="https://github.com/nrwl/nx/commit/8a4a4f98ef67bf97dfaf706882d9bc333f8f9a56"><code>8a4a4f9</code></a>
fix(core): allow {projectRoot} after the start of an output when project
is a...</li>
<li><a
href="https://github.com/nrwl/nx/commit/93cf1d1bbcbdbd73c1cf722b24d4c43c9dc277cd"><code>93cf1d1</code></a>
fix(core): handle --help for commands that bypass workspace handling (<a
href="https://github.com/nrwl/nx/tree/HEAD/packages/nx/issues/35989">#35989</a>)</li>
<li><a
href="https://github.com/nrwl/nx/commit/4567848206a883edd1e8ae43cff6576f2c5885bf"><code>4567848</code></a>
fix(core): do not fail local plugin lookup when workspace has no root
tsconfi...</li>
<li><a
href="https://github.com/nrwl/nx/commit/c7aaf904f916b0a8b2161a2137deef7617b3fbe6"><code>c7aaf90</code></a>
fix(core): re-hash batch tasks with deps outputs after execution (<a
href="https://github.com/nrwl/nx/tree/HEAD/packages/nx/issues/35980">#35980</a>)</li>
<li><a
href="https://github.com/nrwl/nx/commit/0cad57ef9e5c0ca317eb7672a344fc64f054d4cc"><code>0cad57e</code></a>
cleanup(core): stop migrate tests from hitting the registry in local TTY
runs...</li>
<li><a
href="https://github.com/nrwl/nx/commit/4e76a4ba70b71af9fa9f5a117ffec7df4306bb6e"><code>4e76a4b</code></a>
fix(core): degrade cooldown-blocked dist-tags within their own channel
(<a
href="https://github.com/nrwl/nx/tree/HEAD/packages/nx/issues/35967">#35967</a>)</li>
<li><a
href="https://github.com/nrwl/nx/commit/681b5928ac159d10e405c539cfb6f575bddf01ea"><code>681b592</code></a>
fix(core): exclude NX_CLOUD_ env vars from daemon env reflection (<a
href="https://github.com/nrwl/nx/tree/HEAD/packages/nx/issues/35961">#35961</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/nrwl/nx/commits/23.0.0/packages/nx">compare
view</a></li>
</ul>
</details>
<br />

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Julien Goux <julien@supabase.io>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
- name: Install Scoop
shell: pwsh
run: |
iex "& {$(irm get.scoop.sh)} -RunAsAdmin"

🟡 Severity: MEDIUM

Downloads and immediately executes a PowerShell script from the third-party domain get.scoop.sh with -RunAsAdmin (elevated privileges) on a CI runner. A supply-chain compromise of get.scoop.sh would yield arbitrary code execution as Administrator on the Windows runner, where the GITHUB_TOKEN and any other transient runner credentials are accessible.

💡 Fix Suggestion

Suggestion: Replace the unsafe iex "& {$(irm get.scoop.sh)} -RunAsAdmin" pattern with a download-then-verify-then-execute approach:

  1. Download the Scoop installer to a local file instead of piping it directly into iex.
  2. Pin the download to a specific commit of the official installer at https://github.com/ScoopInstaller/Install (use the raw GitHub URL with an explicit commit SHA, e.g. https://raw.githubusercontent.com/ScoopInstaller/Install/<COMMIT_SHA>/install.ps1).
  3. Compute the SHA-256 of the downloaded file and compare it against a pre-calculated expected hash before executing it.
  4. Abort with a non-zero exit code if the hash does not match.

Example replacement for the run block:

```powershell
$installerUrl  = 'https://raw.githubusercontent.com/ScoopInstaller/Install/<COMMIT_SHA>/install.ps1'
$expectedHash  = '<SHA256_OF_INSTALLER_AT_THAT_COMMIT>'  # compute with: (Get-FileHash install.ps1 -Algorithm SHA256).Hash
$installerPath = Join-Path $env:TEMP 'scoop_install.ps1'
Invoke-RestMethod -Uri $installerUrl -OutFile $installerPath
$actualHash = (Get-FileHash $installerPath -Algorithm SHA256).Hash.ToUpper()
if ($actualHash -ne $expectedHash.ToUpper()) {
  throw "Scoop installer hash mismatch: expected $expectedHash but got $actualHash"
}
& $installerPath -RunAsAdmin
Join-Path (Resolve-Path ~).Path 'scoop\shims' >> $env:GITHUB_PATH
```

Update <COMMIT_SHA> and <SHA256_OF_INSTALLER_AT_THAT_COMMIT> whenever the Scoop installer is deliberately upgraded, and commit both together so reviewers can audit the change.
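
The two workflow findings in this thread (a `./.github/actions/setup` step without `dependency-firewall-token`, and a `run` line that downloads and evaluates a script in one expression) can be checked mechanically before merge. The following is an added example, not code from the PR or the Supabase repository; `scanWorkflow`, the rule names, the job names `test` and `windows-smoke` and the sample workflow are assumptions made for illustration.

```typescript
// Added example (not code from the PR): a line-based lint for the two review
// findings. Assumes job keys sit two spaces under "jobs:"; not a YAML parser.
type Rule = "missing-firewall-token" | "remote-script-exec";
interface Finding { rule: Rule; job: string; line: number; step: string; }
interface Step { job: string; line: number; indent: number; lines: string[]; }

// Action path and input name as quoted in the review comment.
const SETUP_USES = /^uses\s*:\s*["']?\.\/\.github\/actions\/setup["']?\s*(#.*)?$/;
const TOKEN_INPUT = "dependency-firewall-token:";
// A PowerShell download command and an evaluator on the same line.
const DOWNLOADERS = /\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b/i;
const EVALUATORS = /\b(iex|Invoke-Expression)\b/i;

// Split the workflow into list items ("- ..." plus deeper-indented lines).
function parseSteps(yaml: string): Step[] {
  const steps: Step[] = [];
  const lines = yaml.split(/\r?\n/);
  let inJobs = false;
  let job = "";
  let open: Step | null = null;
  for (let i = 0; i < lines.length; i++) {
    const text = lines[i].trim();
    if (text === "") continue;
    const indent = lines[i].search(/\S/);
    if (open !== null && indent > open.indent) {
      open.lines.push(text.replace(/^- +/, ""));
      continue;
    }
    open = null; // a sibling or dedented line closes the current step
    if (indent === 0) inJobs = text === "jobs:";
    const jobKey = /^([\w-]+):$/.exec(text);
    if (inJobs && indent === 2 && jobKey !== null) job = jobKey[1];
    if (text.indexOf("- ") === 0) {
      open = { job: job, line: i + 1, indent: indent, lines: [text.slice(2).trim()] };
      steps.push(open);
    }
  }
  return steps;
}

function checkStep(step: Step): Finding[] {
  let name = "";
  let usesSetup = false, hasToken = false, evalsDownload = false;
  for (const text of step.lines) {
    if (text.charAt(0) === "#") continue; // commented-out line
    const named = /^name\s*:\s*(.+)$/.exec(text);
    if (named !== null && name === "") name = named[1];
    if (SETUP_USES.test(text)) usesSetup = true;
    if (text.indexOf(TOKEN_INPUT) === 0) hasToken = true;
    if (EVALUATORS.test(text) && DOWNLOADERS.test(text)) evalsDownload = true;
  }
  const make = (rule: Rule): Finding =>
    ({ rule: rule, job: step.job, line: step.line, step: name || step.lines[0] });
  const found: Finding[] = [];
  if (usesSetup && !hasToken) found.push(make("missing-firewall-token"));
  if (evalsDownload) found.push(make("remote-script-exec"));
  return found;
}

function scanWorkflow(yaml: string): Finding[] {
  let findings: Finding[] = [];
  for (const step of parseSteps(yaml)) findings = findings.concat(checkStep(step));
  return findings;
}

const SAMPLE_WORKFLOW = [ // constructed and trimmed: one compliant job, two flagged
  "jobs:",
  "  test:",
  "    steps:",
  "      - name: Setup",
  "        uses: ./.github/actions/setup",
  "        with:",
  "          dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}",
  "  live-e2e:",
  "    steps:",
  "      - name: Setup",
  "        uses: ./.github/actions/setup",
  "  windows-smoke:",
  "    steps:",
  "      - name: Install Scoop",
  "        run: |",
  "          iex \"& {$(irm get.scoop.sh)} -RunAsAdmin\"",
].join("\n");
```

`scanWorkflow(SAMPLE_WORKFLOW)` reports the `live-e2e` Setup step and the `Install Scoop` step; a step that downloads to a file and verifies it before running, as in the suggestion above, is not reported because no evaluator shares a line with the download.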


Labels

do not merge Approve to apply; do not merge.

10 participants