[pull] master from supabase:master#949
Merged
Conversation
…se) (#46287)

## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Feature - Security infrastructure

## What is the current behavior?

Analytics queries (BigQuery for legacy cloud, ClickHouse for self-hosted OTEL) lack a compile-time safety model to prevent SQL injection from untrusted input sources like URL parameters, UI inputs, or LLM output.

## What is the new behavior?

Implement a security model with a branded type `SafeLogSqlFragment` that ensures all SQL fragments originate from either static code or sanitization helpers. This includes:

- `analyticsLiteral()` for escaping string/number/boolean values
- `bqIdent()` and `clickhouseIdent()` for quoting identifiers with engine-specific syntax
- `safeSql` template tag for composing fragments safely
- `executeAnalyticsSql()` wire boundary that rejects plain strings at compile time

The pattern prevents cross-engine confusion by keeping `SafeLogSqlFragment` (analytics) distinct from pg-meta's `SafeSqlFragment` (Postgres).

## Additional context

## Summary by CodeRabbit

* **New Features**
  * Introduced analytics SQL execution capabilities with built-in safety validation for queries.
  * Enhanced query robustness through keyword and identifier validation mechanisms.
  * Improved error handling and reporting for analytics operations.
* **Tests**
  * Added comprehensive test suite for analytics SQL safety and validation utilities.
## Summary

- Adds **Data API** (API Gateway / edge logs) as a new service row in the observability overview, positioned before PostgREST
- Data API row is only shown when Data API is enabled for the project (gated on `useIsDataApiEnabled`)
- Renames the existing PostgREST entry from "Data API" to "PostgREST" to correctly reflect the service
- Adds the Data API description to `SERVICE_DESCRIPTIONS`

## Test plan

- [ ] Enable Data API for a project: Data API row appears before PostgREST in the overview with chart data
- [ ] Disable Data API for a project: Data API row is hidden, PostgREST row remains
- [ ] PostgREST row label now reads "PostgREST" instead of "Data API"

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **New Features**
  * Observability dashboard can optionally show an "API Gateway" service when the Data API feature is enabled; it surfaces logs and health metrics.
  * The service health table now includes a description/tooltip for the API Gateway and aggregates its metrics.
* **Bug Fixes**
  * Restored and relabeled the PostgREST entry so its observability report and reporting links appear correctly.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This PR updates @supabase/*-js libraries to version 2.106.2.

**Source**: supabase-js-stable-release

**Changes**:

- Updated @supabase/supabase-js to 2.106.2
- Updated @supabase/auth-js to 2.106.2
- Updated @supabase/realtime-js to 2.106.2
- Updated @supabase/postgrest-js to 2.106.2
- Refreshed pnpm-lock.yaml

---

## Release Notes

## v2.106.2

## 2.106.2 (2026-05-25)

### 🩹 Fixes

- **auth:** restore signup user response ([#2391](supabase/supabase-js#2391))
- **misc:** add react-native export condition for Hermes-safe resolution ([#2393](supabase/supabase-js#2393))

### ❤️ Thank You

- Myroslav Hryhschenko @BLOCKMATERIAL
- Vaibhav @7ttp

## v2.106.1

## 2.106.1 (2026-05-20)

### 🩹 Fixes

- **auth:** encode client-id in oauth requests ([#2383](supabase/supabase-js#2383))
- **misc:** hide dynamic import from hermesc ([#2381](supabase/supabase-js#2381))

### ❤️ Thank You

- Etienne Stalmans @staaldraad
- Katerina Skroumpelou @mandarini

This PR was created automatically.

Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>
## Why this happens

- `@tanstack/hotkeys` matches `Mod+/` against `event.key`, then falls back to `event.code` via `PUNCTUATION_CODE_MAP` (the library's macOS Option+punctuation workaround).
- On Spanish/Italian ISO keyboards, the physical key at the `Slash` position produces `-`/`_`, so `Cmd+-` (browser zoom out) reports `event.key='-'` and `event.code='Slash'`.
- The fallback maps `Slash → '/'`, the match succeeds, and the shortcuts drawer opens. US/Canada layouts report `event.code='Minus'` and are unaffected.

## Fix

- Change the hotkey to `Shift+?`. The shift-modifier check fails before the punctuation `event.code` fallback runs, so no misfire.
- Matches the `?`-for-help convention used by GitHub, Linear, Notion.

## Summary by CodeRabbit

* **Bug Fixes**
  * Updated keyboard shortcut for opening the keyboard shortcuts reference from Mod+/ to Shift+?, so the reference can be opened with Shift+? on supported keyboards. This aligns the trigger with the expected key label and improves discoverability. No other user-facing behavior changed.
## Summary

Wires Linear-style keyboard shortcuts across all observability pages (refresh, time picker, filters, and sub-page navigation) with hover tooltips surfacing each binding.

| Page | Shortcut | Action |
| --- | --- | --- |
| Overview | `Shift+R` | Refresh report |
| Overview | `Shift+P` | Open time picker |
| Query Performance | `Shift+R` | Refresh report |
| Query Performance | `R` then `C` | Reset report (`pg_stat_statements_reset`) |
| Query Performance | `Shift+F` | Search queries |
| Query Performance | `F` then `C` | Reset filters |
| API Gateway | `Shift+R` | Refresh report |
| API Gateway | `Shift+P` | Open time picker |
| API Gateway | `Shift+F` | Add filter |
| API Gateway | `F` then `C` | Reset filters |
| API Gateway | `Shift+S` | Filter requests by service |
| Database | `Shift+R` | Refresh report |
| Database | `Shift+P` | Open time picker |
| Auth | `Shift+R` | Refresh report |
| Auth | `Shift+P` | Open time picker |
| Data API | `Shift+R` | Refresh report |
| Data API | `Shift+P` | Open time picker |
| Storage | `Shift+R` | Refresh report |
| Storage | `Shift+P` | Open time picker |
| Realtime | `Shift+R` | Refresh report |
| Realtime | `Shift+P` | Open time picker |
| Edge Functions | `Shift+R` | Refresh report |
| Edge Functions | `Shift+P` | Open time picker |
| All observability pages | `U` then `O/Q/G/D/P/A/F/S/L` | Jump to sub-page |

## Test plan

- [ ] Each shortcut fires on its page; tooltip on hover shows the binding
- [ ] Picker shortcut toggles the popover open/closed without leaving the tooltip visible
- [ ] Reset-report on Query Performance opens the confirm modal
- [ ] `Escape` on the query search clears the value, then blurs
- [ ] No "Shift+R already registered" / Tooltip controlled-uncontrolled warnings in the console

## Summary by CodeRabbit

* **New Features**
  * Keyboard shortcuts to navigate Observability pages and perform common actions (refresh, toggle date picker/interval, focus search, reset filters, create reports).
  * Shortcut hints shown on relevant buttons and controls; date pickers and interval dropdowns can be controlled via shortcuts.
  * Global shortcut groups/registries added for Observability navigation and page actions.
)

## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Security / refactor: routes all unified-logs analytics queries through the `executeAnalyticsSql` wire-boundary wrapper (PR 2 of the safe-analytics-sql series).

## What is the current behavior?

All five unified-logs query hooks call `post()` directly with a raw SQL string, bypassing the `SafeLogSqlFragment` type enforcement. The `getUnifiedLogs` infinite-query also drops the brand by composing with a plain template literal before sending to the wire.

## What is the new behavior?

- `unified-logs-infinite-query`: brand-dropping plain template literal replaced with `safeSql` + `analyticsLiteral`; `post()` replaced with `executeAnalyticsSql`
- `unified-logs-count-query`, `unified-logs-chart-query`, `unified-logs-facet-count-query`: `post()` replaced with `executeAnalyticsSql`
- `unified-log-inspection-query` (OTEL branch only): both `post()` calls replaced with `executeAnalyticsSql`; legacy BigQuery branch is unchanged pending PR 3

The wire boundary now rejects plain strings at compile time for all OTEL unified-logs paths.

## Additional context

## Summary by CodeRabbit
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

We used to hide pointer events when someone hovered over this banner. That logic is no longer needed and caused issues on mobile.

## Summary by CodeRabbit

* **Refactor**
  * Simplified banner component styling logic. Bottom banner styling is now fixed and consistently applied, removing conditional CSS class logic that previously adjusted behavior based on hover interactions.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Refactor / security hardening (part 3 of stacked analytics safe-SQL series; stacks on top of PR 2: "feat(logs): route unified-logs hooks through executeAnalyticsSql")

## What is the current behavior?

`ServiceFlow.sql.ts` interpolates `logId` and `serviceType` as raw template-literal strings directly into SQL (e.g. `` `WHERE el.id = '${logId}'` ``). The legacy BigQuery branch of `unified-log-inspection-query.ts` calls `post()` directly with a plain `string`-typed SQL value, bypassing the `executeAnalyticsSql` wire-boundary.

## What is the new behavior?

- Add `SAFE_SERVICE_LITERAL: Record<EdgeServiceType, SafeLogSqlFragment>`: pre-branded SQL string literals for each service type, built with `analyticsLiteral`.
- Rewrite `getBaseEdgeServiceFlowQuery`, `getEdgeFunctionServiceFlowQuery`, and `getPostgresServiceFlowQuery` to use `safeSql` template tag with `analyticsLiteral(logId)` and `SAFE_SERVICE_LITERAL[serviceType]`. Return types changed to `SafeLogSqlFragment`.
- Update the four thin wrappers (`getPostgrestServiceFlowQuery`, `getAuthServiceFlowQuery`, `getStorageServiceFlowQuery`) to return `SafeLogSqlFragment`.
- Replace `let sql = ''` + direct `post()` call in `unified-log-inspection-query.ts`'s legacy BigQuery branch with `let sql: SafeLogSqlFragment` + `executeAnalyticsSql`, eliminating the last direct `post()` call to the analytics endpoint in this file.

`pnpm typecheck` passes cleanly.

## Additional context

## Summary by CodeRabbit

* **Bug Fixes**
  * Secured analytics and log inspection queries through parameterized SQL execution, preventing potential SQL injection vulnerabilities.
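The three safe-analytics-SQL commit messages above (#46287, #46333 and #46336) describe a branded-type pattern: a `SafeLogSqlFragment` that can only be minted by escaping helpers or a template tag, plus a wire boundary whose parameter type refuses plain strings. The block below is an added, self-contained illustration of that pattern written for this page; it is not Supabase's code, and every function body, the escaping rules (backslash-escaped string literals, backtick identifiers), the allowlist for identifiers, and the sample injection-style input are assumptions chosen for the example. It also shows the "drops the brand" failure mode from PR 2: composing with a plain template literal yields a `string`, which the boundary then rejects at compile time.

```typescript
// Added example, not Supabase's code. All names below are hypothetical stand-ins
// for the helpers the commit messages describe.

// The brand lives only in the type system: a SafeLogSqlFragment is a string that
// one of the helpers in this module produced. A plain `string` is not assignable.
type SafeLogSqlFragment = string & { readonly __brand: 'SafeLogSqlFragment' }

// A differently branded Postgres fragment (standing in for pg-meta's type), so an
// analytics fragment and a Postgres fragment are not interchangeable.
type SafeSqlFragment = string & { readonly __brand: 'SafeSqlFragment' }

// Only this module mints the brand; callers never cast.
function brand(sql: string): SafeLogSqlFragment {
  return sql as SafeLogSqlFragment
}

// Escape a scalar as a SQL literal. Assumes a dialect where string literals use
// backslash escaping for \' and \\ (an assumption, not a statement about Supabase's helper).
function analyticsLiteral(value: string | number | boolean | null): SafeLogSqlFragment {
  if (value === null) return brand('NULL')
  if (typeof value === 'boolean') return brand(value ? 'TRUE' : 'FALSE')
  if (typeof value === 'number') {
    // NaN / Infinity would serialise to bare words that an engine may read as identifiers.
    if (!Number.isFinite(value)) throw new Error(`non-finite number cannot be a SQL literal: ${value}`)
    return brand(String(value))
  }
  // A NUL byte is rejected outright: some engines truncate the literal at the NUL.
  if (value.includes('\0')) throw new Error('NUL byte in SQL string literal')
  const escaped = value.replace(/\\/g, '\\\\').replace(/'/g, "\\'")
  return brand(`'${escaped}'`)
}

// Quote an identifier with backtick syntax. Identifiers come from code, not users,
// so an allowlist (rather than escaping) is used: anything unusual is a bug.
function clickhouseIdent(name: string): SafeLogSqlFragment {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`)
  }
  return brand('`' + name + '`')
}

// Template tag: the static parts are source code, and every interpolated value
// must already be branded. `safeSql\`... ${someUserString}\`` does not compile.
function safeSql(strings: TemplateStringsArray, ...values: SafeLogSqlFragment[]): SafeLogSqlFragment {
  let out = strings[0]
  for (let i = 0; i < values.length; i++) out += values[i] + strings[i + 1]
  return brand(out)
}

// Wire boundary: the one place analytics SQL leaves the app. Its parameter type is
// what turns "someone forgot to escape" into a type error. A plain template literal
// such as `SELECT ... ${logId}` has type string and is rejected here.
function executeAnalyticsSql(sql: SafeLogSqlFragment): { sql: string } {
  // A real implementation would POST this body to the analytics endpoint.
  return { sql }
}

// A lookup whose id comes from an untrusted source such as a URL parameter.
function buildLogLookupQuery(logId: string, table = 'edge_logs'): SafeLogSqlFragment {
  return safeSql`SELECT id, body FROM ${clickhouseIdent(table)} WHERE id = ${analyticsLiteral(logId)} LIMIT 1`
}

// Constructed sample input containing a quote, to show it is neutralised by escaping.
const DEMO_QUERY = executeAnalyticsSql(buildLogLookupQuery("abc' OR 1=1 --")).sql
// → SELECT id, body FROM `edge_logs` WHERE id = 'abc\' OR 1=1 --' LIMIT 1

// Keep the Postgres brand referenced so the contrast above is visible to the type checker.
function pgOnlyBoundary(sql: SafeSqlFragment): string {
  return sql
}
```

The compile-time guarantee is only as strong as the set of functions allowed to call `brand()`: keeping that helper private to the module (and reviewing any new caller) is what makes "every fragment came from static code or a sanitiser" a property the type checker can enforce rather than a convention.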
## Problem

Realtime still uses the deprecated `Modal` for:

- sending a message

## Solution

- use `Dialog` instead
- Fix `ChooseChannelPopover`

## Screenshots

Before: [screenshot](https://github.com/user-attachments/assets/d0389aef-e00e-463d-b994-3ef495ff2baa)

After: [screenshot](https://github.com/user-attachments/assets/75e5d982-6f26-4e92-beea-dcc136a75bd1)

## Summary by CodeRabbit

* **Refactor**
  * Message-sending modal redesigned to use a dialog layout with a clear header, body and footer; confirm/cancel actions and inline JSON validation behave as before.
  * Channel-join form updated to a compact grouped input-and-button layout for more consistent, space-efficient entry.
Automated weekly decrease of ESLint ratchet baselines. Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…46341) Remove useless expire snapshot configuration

> This is an alpha feature not already deployed to any of our customers so breaking changes are not an issue.

Signed-off-by: Benjamin <5719034+bnjjj@users.noreply.github.com>
## Problem

Organization settings still uses the deprecated `Modal` for:

- downgrading subscription
- requesting feedback after downgrading
- showing an alert about members limit
- requesting feedback after upgrading
- deleting a published OAuth app
- showing preview of a new OAuth app
- Revoking an OAuth app

## Solution

- use `Dialog` instead

## Summary by CodeRabbit

* **Refactor**
  * Replaced legacy modal UI with the app's modern dialog/alert-dialog components across billing and OAuth settings (upgrade/downgrade, exit survey, members-limit, delete/revoke, preview), keeping existing content and flows.
  * Confirm/cancel flows updated for more reliable async handling and clearer loading/disabled states during actions.