chore(deps): bump the actions-major group across 1 directory with 5 updates by dependabot[bot] · Pull Request #5088 · supabase/cli

dependabot · 2026-04-16T00:07:13Z

Bumps the actions-major group with 5 updates in the / directory:

Package	From	To
actions/create-github-app-token	`3.0.0`	`3.1.1`
peter-evans/create-pull-request	`8.1.0`	`8.1.1`
actions/upload-artifact	`7.0.0`	`7.0.1`
github/codeql-action	`4.35.1`	`4.35.2`
docker/build-push-action	`7.0.0`	`7.1.0`

Updates actions/create-github-app-token from 3.0.0 to 3.1.1

Release notes

Sourced from actions/create-github-app-token's releases.

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

add client-id input and deprecate app-id (#353) (e6bd4e6)

update permission inputs (#358) (076e948)

Commits

1b10c78 build(release): 3.1.1 [skip ci]
07e2b76 fix: improve error message when app identifier is empty (#362)
ea01216 ci: remove publish-immutable-action workflow (#361)
7bd0371 build(release): 3.1.0 [skip ci]
e6bd4e6 feat: add client-id input and deprecate app-id (#353)
076e948 feat: update permission inputs (#358)
3bbe07d fix(deps): bump p-retry from 7.1.1 to 8.0.0 (#357)
28a99e3 build(deps-dev): bump c8 from 10.1.3 to 11.0.0
4df5060 build(deps-dev): bump open-cli from 8.0.0 to 9.0.0
4843c53 build(deps-dev): bump the development-dependencies group with 3 updates
See full diff in compare view

Updates peter-evans/create-pull-request from 8.1.0 to 8.1.1

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.1.1

What's Changed

build(deps-dev): bump the npm group with 2 updates by @dependabot[bot] in peter-evans/create-pull-request#4305

build(deps): bump minimatch by @dependabot[bot] in peter-evans/create-pull-request#4311

build(deps): bump the github-actions group with 2 updates by @dependabot[bot] in peter-evans/create-pull-request#4316

build(deps): bump @tootallnate/once and jest-environment-jsdom by @dependabot[bot] in peter-evans/create-pull-request#4323

build(deps-dev): bump undici from 6.23.0 to 6.24.0 by @dependabot[bot] in peter-evans/create-pull-request#4328

build(deps-dev): bump flatted from 3.3.1 to 3.4.2 by @dependabot[bot] in peter-evans/create-pull-request#4334

build(deps): bump picomatch by @dependabot[bot] in peter-evans/create-pull-request#4339

build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 by @dependabot[bot] in peter-evans/create-pull-request#4344

build(deps-dev): bump the npm group with 3 updates by @dependabot[bot] in peter-evans/create-pull-request#4349

fix: retry post-creation API calls on 422 eventual consistency errors by @peter-evans in peter-evans/create-pull-request#4356

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1

Commits

5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
0041819 build(deps): bump picomatch (#4339)
b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
a45d1fb build(deps): bump @tootallnate/once and jest-environment-jsdom (#4323)
3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
3f3b473 build(deps): bump minimatch (#4311)
6699836 build(deps-dev): bump the npm group with 2 updates (#4305)
See full diff in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Update the readme with direct upload details by @danwkennedy in actions/upload-artifact#795

Readme: bump all the example versions to v7 by @danwkennedy in actions/upload-artifact#796

Include changes in typespec/ts-http-runtime 0.3.5 by @yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
634250c Include changes in typespec/ts-http-runtime 0.3.5
e454baa Readme: bump all the example versions to v7 (#796)
74fad66 Update the readme with direct upload details (#795)
See full diff in compare view

Updates github/codeql-action from 4.35.1 to 4.35.2

Release notes

Sourced from github/codeql-action's releases.

v4.35.2

The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795

The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789

Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807

Update default CodeQL bundle version to 2.25.2. #3823

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.2 - 15 Apr 2026

The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795

The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789

Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807

Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767

Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569

We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584

Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

To opt out of this change:

Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

... (truncated)

Commits

95e58e9 Merge pull request #3824 from github/update-v4.35.2-d2e135a73
6f31bfe Update changelog for v4.35.2
d2e135a Merge pull request #3823 from github/update-bundle/codeql-bundle-v2.25.2
60abb65 Add changelog note
5a0a562 Update default bundle to codeql-bundle-v2.25.2
6521697 Merge pull request #3820 from github/dependabot/github_actions/dot-github/wor...
3c45af2 Merge pull request #3821 from github/dependabot/npm_and_yarn/npm-minor-345b93...
f1c3393 Rebuild
1024fc4 Rebuild
9dd4cfe Bump the npm-minor group across 1 directory with 6 updates
Additional commits viewable in compare view

Updates docker/build-push-action from 7.0.0 to 7.1.0

Release notes

Sourced from docker/build-push-action's releases.

v7.1.0

Git context query format support by @crazy-max in docker/build-push-action#1505

Bump @docker/actions-toolkit from 0.79.0 to 0.87.0 by @crazy-max in docker/build-push-action#1505

Bump brace-expansion from 1.1.12 to 1.1.13 in docker/build-push-action#1500

Bump fast-xml-parser from 5.4.2 to 5.5.7 in docker/build-push-action#1489

Bump flatted from 3.3.3 to 3.4.2 in docker/build-push-action#1491

Bump glob from 10.3.12 to 10.5.0 in docker/build-push-action#1490

Bump handlebars from 4.7.8 to 4.7.9 in docker/build-push-action#1497

Bump lodash from 4.17.23 to 4.18.1 in docker/build-push-action#1510

Bump picomatch from 4.0.3 to 4.0.4 in docker/build-push-action#1496

Bump undici from 6.23.0 to 6.24.1 in docker/build-push-action#1486

Bump vite from 7.3.1 to 7.3.2 in docker/build-push-action#1509

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

Commits

bcafcac Merge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.2
18e62f1 Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.1
46580d2 chore: update generated content
3f80b25 chore(deps): Bump lodash from 4.17.23 to 4.18.1
efeec95 Merge pull request #1505 from crazy-max/refactor-git-context
ddf04b0 Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-...
db08d97 chore(deps): Bump the crazy-max-dot-github group with 2 updates
ef1fb96 Merge pull request #1508 from docker/dependabot/github_actions/docker/login-a...
2d8f2a1 chore: update generated content
919ac7b fix test since secrets are not written to temp path anymore
Additional commits viewable in compare view

coveralls · 2026-04-16T00:13:30Z

Coverage Report for CI Build 24547013890

Warning

Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.
Quick fix: rebase this PR. Learn more →

Coverage decreased (-0.02%) to 63.66%

Details

Coverage decreased (-0.02%) from the base build.
Patch coverage: No coverable lines changed in this PR.
5 coverage regressions across 1 file.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

5 previously-covered lines in 1 file lost coverage.

File	Lines Losing Coverage	Coverage
internal/utils/git.go	5	57.14%

Coverage Stats


Relevant Lines:	15498
Covered Lines:	9866
Line Coverage:	63.66%
Coverage Strength:	7.01 hits per line

💛 - Coveralls

…pdates Bumps the actions-major group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@f8d387b...1b10c78) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@c0f553f...5f6978f) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c10b806...95e58e9) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@d08e5c3...bcafcac) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... Signed-off-by: dependabot[bot] <support@github.com>

…9ae7ab8c2

* fix(pg-delta): declarative-sync-no-declarative-dir-set (#5078) * feat(declarative): add tests for skipping config updates when PgDelta is enabled - These tests verify that the configuration remains unchanged when PgDelta is enabled, ensuring the declarative directory is the source of truth. - Updated the WriteDeclarativeSchemas function to reflect the new behavior regarding PgDelta configuration. * fix(declarative): DSL change due to upgrade * feat(auth): add support for configuring passkeys and webauthn (#5077) * fix: atomic parser (#5064) * fix * test --------- Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * fix(pg-delta): declarative apply error results (#5082) * fix(pg-delta): declarative apply error results Improve readability report for decalrative appy errors wrapping * chore: upgrade pg-delta to alpha 13 * feat(telemetry): attach org/project groups to all CLI events Only ~19% of CLI events had PostHog group properties ($group_0, $group_1) because groups were only set during `supabase link`. Commands using --project-ref without linking sent events invisible to group analytics. Add EnsureProjectGroupsCached which resolves and caches project metadata (including org ID) in linked-project.json when a project ref is available. The cache is checked before every cli_command_executed event, so the API call only happens once per unique project ref. Closes GROWTH-761 * fix: address code review feedback - Guard against log.Fatalln crash: check auth token before calling GetSupabase(), and move the API call to cmd/root.go where it belongs - Don't overwrite existing linked-project.json cache — supabase link is the authoritative source, we only fill the gap when no cache exists - Fire GroupIdentify for org and project after caching, matching the link flow so PostHog has group metadata - Restructure so telemetry package has no API dependencies (pure caching + PostHog calls), making tests reliable without gock/mocks * fix: adds etl to managed schema (#5090) * chore: sync API types from infrastructure (#5093) Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> * chore(deps): bump the actions-major group across 1 directory with 5 updates (#5088) Bumps the actions-major group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@f8d387b...1b10c78) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@c0f553f...5f6978f) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c10b806...95e58e9) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@d08e5c3...bcafcac) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * fix: functions download (#5096) * fix * test --------- Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * feat(db): strengthen RLS advisory message for stronger agent compliance * chore(deps): upgrade pg-delta to alpha.17 (#5110) Closes: #5094 * chore(deps): bump the actions-major group across 1 directory with 4 updates (#5108) Bumps the actions-major group with 4 updates in the / directory: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [t1m0thyj/unlock-keyring](https://github.com/t1m0thyj/unlock-keyring), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/setup-node](https://github.com/actions/setup-node). Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3) Updates `t1m0thyj/unlock-keyring` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/t1m0thyj/unlock-keyring/releases) - [Commits](t1m0thyj/unlock-keyring@728cc71...cbcf205) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ec59f47...e24998b) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: t1m0thyj/unlock-keyring dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: goreleaser/goreleaser-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * fix(docker): bump the docker-minor group across 1 directory with 6 updates (#5079) * fix(docker): bump the docker-minor group across 1 directory with 6 updates Bumps the docker-minor group with 6 updates in the /pkg/config/templates directory: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.9` | | supabase/studio | `2026.04.08-sha-205cbe7` | `2026.04.13-sha-e95f1cc` | | supabase/edge-runtime | `v1.73.3` | `v1.73.5` | | supabase/realtime | `v2.82.0` | `v2.83.1` | | supabase/storage-api | `v1.48.28` | `v1.51.0` | | supabase/logflare | `1.37.1` | `1.38.2` | Updates `postgrest/postgrest` from v14.8 to v14.9 Updates `supabase/studio` from 2026.04.08-sha-205cbe7 to 2026.04.13-sha-e95f1cc Updates `supabase/edge-runtime` from v1.73.3 to v1.73.5 Updates `supabase/realtime` from v2.82.0 to v2.83.1 Updates `supabase/storage-api` from v1.48.28 to v1.51.0 Updates `supabase/logflare` from 1.37.1 to 1.38.2 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.9 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.13-sha-e95f1cc dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.5 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.83.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.51.0 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Downgrade postgrest version from 14.9 to 14.8 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * chore(workflows): enable install scripts for supabase package in Yarn (#5111) chore(workflows): enable install scripts for supabase package in Yarn Berry setup This change sets the YARN_ENABLE_SCRIPTS environment variable to true during the installation of the supabase package, allowing its postinstall script to run as required by Yarn Berry 4.14+. This adjustment ensures the necessary binary is fetched correctly. * feat: --diff-engine flag on db pull * fix(docker): bump the docker-minor group in /pkg/config/templates with 6 updates (#5113) fix(docker): bump the docker-minor group Bumps the docker-minor group in /pkg/config/templates with 6 updates: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.10` | | supabase/studio | `2026.04.13-sha-e95f1cc` | `2026.04.20-sha-b721a2d` | | supabase/edge-runtime | `v1.73.5` | `v1.73.13` | | supabase/realtime | `v2.83.1` | `v2.86.3` | | supabase/storage-api | `v1.51.0` | `v1.54.1` | | supabase/logflare | `1.38.2` | `1.39.1` | Updates `postgrest/postgrest` from v14.8 to v14.10 Updates `supabase/studio` from 2026.04.13-sha-e95f1cc to 2026.04.20-sha-b721a2d Updates `supabase/edge-runtime` from v1.73.5 to v1.73.13 Updates `supabase/realtime` from v2.83.1 to v2.86.3 Updates `supabase/storage-api` from v1.51.0 to v1.54.1 Updates `supabase/logflare` from 1.38.2 to 1.39.1 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.10 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.20-sha-b721a2d dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.13 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.86.3 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.54.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * feat: exposing new api keys to functions (#4946) Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * chore: upgrade pg-delta to alpha.20 in multiple templates * fix: remove version comparison check for storage image updates (#5118) fix: honor pinned storage version offline Remove the version comparison that only pinned storage when the local version was newer than the default. This prevented `supabase start` from using an already-downloaded image offline, since Docker would still try to pull the default newer image. Fixes CLI-1393. Co-authored-by: Claude <noreply@anthropic.com> * fix: improve error handling and output formatting in pg-delta apply process (#5120) - Updated the `runDeclarativeSync` function to avoid wrapping SQL output with `utils.Bold`, preventing excessive whitespace in multi-line SQL. - Changed the result accumulation in `migra.ts` from string concatenation to an array for better performance and clarity. - Enhanced the `ApplyResult` struct to include `ValidationErrors` and `Diagnostics`, allowing for more detailed error reporting. - Modified the `formatApplyFailure` function to include validation errors and diagnostics in the output, improving user feedback on apply failures. - Added tests for validation error handling in `apply_test.go` to ensure robustness against various error scenarios. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> Co-authored-by: fadymak <dev@fadymak.com> Co-authored-by: Vaibhav <117663341+7ttp@users.noreply.github.com> Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> Co-authored-by: Han Qiao <sweatybridge@gmail.com> Co-authored-by: Julien Goux <hi@jgoux.dev> Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mert YEREKAPAN <mertyerekapan@gmail.com> Co-authored-by: Mert YEREKAPAN <33198490+myerekapan@users.noreply.github.com> Co-authored-by: Kalleby Santos <105971119+kallebysantos@users.noreply.github.com> Co-authored-by: avallete <andrew.valleteau@supabase.io> Co-authored-by: Claude <noreply@anthropic.com>

Prod deploy (#5109) * fix(pg-delta): declarative-sync-no-declarative-dir-set (#5078) * feat(declarative): add tests for skipping config updates when PgDelta is enabled - These tests verify that the configuration remains unchanged when PgDelta is enabled, ensuring the declarative directory is the source of truth. - Updated the WriteDeclarativeSchemas function to reflect the new behavior regarding PgDelta configuration. * fix(declarative): DSL change due to upgrade * feat(auth): add support for configuring passkeys and webauthn (#5077) * fix: atomic parser (#5064) * fix * test --------- * fix(pg-delta): declarative apply error results (#5082) * fix(pg-delta): declarative apply error results Improve readability report for decalrative appy errors wrapping * chore: upgrade pg-delta to alpha 13 * feat(telemetry): attach org/project groups to all CLI events Only ~19% of CLI events had PostHog group properties ($group_0, $group_1) because groups were only set during `supabase link`. Commands using --project-ref without linking sent events invisible to group analytics. Add EnsureProjectGroupsCached which resolves and caches project metadata (including org ID) in linked-project.json when a project ref is available. The cache is checked before every cli_command_executed event, so the API call only happens once per unique project ref. Closes GROWTH-761 * fix: address code review feedback - Guard against log.Fatalln crash: check auth token before calling GetSupabase(), and move the API call to cmd/root.go where it belongs - Don't overwrite existing linked-project.json cache — supabase link is the authoritative source, we only fill the gap when no cache exists - Fire GroupIdentify for org and project after caching, matching the link flow so PostHog has group metadata - Restructure so telemetry package has no API dependencies (pure caching + PostHog calls), making tests reliable without gock/mocks * fix: adds etl to managed schema (#5090) * chore: sync API types from infrastructure (#5093) * chore(deps): bump the actions-major group across 1 directory with 5 updates (#5088) Bumps the actions-major group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@f8d387b...1b10c78) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@c0f553f...5f6978f) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c10b806...95e58e9) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@d08e5c3...bcafcac) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix: functions download (#5096) * fix * test --------- * feat(db): strengthen RLS advisory message for stronger agent compliance * chore(deps): upgrade pg-delta to alpha.17 (#5110) Closes: #5094 * chore(deps): bump the actions-major group across 1 directory with 4 updates (#5108) Bumps the actions-major group with 4 updates in the / directory: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [t1m0thyj/unlock-keyring](https://github.com/t1m0thyj/unlock-keyring), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/setup-node](https://github.com/actions/setup-node). Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3) Updates `t1m0thyj/unlock-keyring` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/t1m0thyj/unlock-keyring/releases) - [Commits](t1m0thyj/unlock-keyring@728cc71...cbcf205) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ec59f47...e24998b) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: t1m0thyj/unlock-keyring dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: goreleaser/goreleaser-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix(docker): bump the docker-minor group across 1 directory with 6 updates (#5079) * fix(docker): bump the docker-minor group across 1 directory with 6 updates Bumps the docker-minor group with 6 updates in the /pkg/config/templates directory: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.9` | | supabase/studio | `2026.04.08-sha-205cbe7` | `2026.04.13-sha-e95f1cc` | | supabase/edge-runtime | `v1.73.3` | `v1.73.5` | | supabase/realtime | `v2.82.0` | `v2.83.1` | | supabase/storage-api | `v1.48.28` | `v1.51.0` | | supabase/logflare | `1.37.1` | `1.38.2` | Updates `postgrest/postgrest` from v14.8 to v14.9 Updates `supabase/studio` from 2026.04.08-sha-205cbe7 to 2026.04.13-sha-e95f1cc Updates `supabase/edge-runtime` from v1.73.3 to v1.73.5 Updates `supabase/realtime` from v2.82.0 to v2.83.1 Updates `supabase/storage-api` from v1.48.28 to v1.51.0 Updates `supabase/logflare` from 1.37.1 to 1.38.2 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.9 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.13-sha-e95f1cc dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.5 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.83.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.51.0 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * Downgrade postgrest version from 14.9 to 14.8 --------- * chore(workflows): enable install scripts for supabase package in Yarn (#5111) chore(workflows): enable install scripts for supabase package in Yarn Berry setup This change sets the YARN_ENABLE_SCRIPTS environment variable to true during the installation of the supabase package, allowing its postinstall script to run as required by Yarn Berry 4.14+. This adjustment ensures the necessary binary is fetched correctly. * feat: --diff-engine flag on db pull * fix(docker): bump the docker-minor group in /pkg/config/templates with 6 updates (#5113) fix(docker): bump the docker-minor group Bumps the docker-minor group in /pkg/config/templates with 6 updates: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.10` | | supabase/studio | `2026.04.13-sha-e95f1cc` | `2026.04.20-sha-b721a2d` | | supabase/edge-runtime | `v1.73.5` | `v1.73.13` | | supabase/realtime | `v2.83.1` | `v2.86.3` | | supabase/storage-api | `v1.51.0` | `v1.54.1` | | supabase/logflare | `1.38.2` | `1.39.1` | Updates `postgrest/postgrest` from v14.8 to v14.10 Updates `supabase/studio` from 2026.04.13-sha-e95f1cc to 2026.04.20-sha-b721a2d Updates `supabase/edge-runtime` from v1.73.5 to v1.73.13 Updates `supabase/realtime` from v2.83.1 to v2.86.3 Updates `supabase/storage-api` from v1.51.0 to v1.54.1 Updates `supabase/logflare` from 1.38.2 to 1.39.1 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.10 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.20-sha-b721a2d dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.13 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.86.3 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.54.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * feat: exposing new api keys to functions (#4946) * chore: upgrade pg-delta to alpha.20 in multiple templates * fix: remove version comparison check for storage image updates (#5118) fix: honor pinned storage version offline Remove the version comparison that only pinned storage when the local version was newer than the default. This prevented `supabase start` from using an already-downloaded image offline, since Docker would still try to pull the default newer image. Fixes CLI-1393. * fix: improve error handling and output formatting in pg-delta apply process (#5120) - Updated the `runDeclarativeSync` function to avoid wrapping SQL output with `utils.Bold`, preventing excessive whitespace in multi-line SQL. - Changed the result accumulation in `migra.ts` from string concatenation to an array for better performance and clarity. - Enhanced the `ApplyResult` struct to include `ValidationErrors` and `Diagnostics`, allowing for more detailed error reporting. - Modified the `formatApplyFailure` function to include validation errors and diagnostics in the output, improving user feedback on apply failures. - Added tests for validation error handling in `apply_test.go` to ensure robustness against various error scenarios. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> Co-authored-by: fadymak <dev@fadymak.com> Co-authored-by: Vaibhav <117663341+7ttp@users.noreply.github.com> Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> Co-authored-by: Han Qiao <sweatybridge@gmail.com> Co-authored-by: Julien Goux <hi@jgoux.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mert YEREKAPAN <mertyerekapan@gmail.com> Co-authored-by: Mert YEREKAPAN <33198490+myerekapan@users.noreply.github.com> Co-authored-by: Kalleby Santos <105971119+kallebysantos@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

* refactor: encode auth external url explicitly * chore(deps): upgrade pg-delta to alpha.17 (#5110) Closes: #5094 * chore(deps): bump the actions-major group across 1 directory with 4 updates (#5108) Bumps the actions-major group with 4 updates in the / directory: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [t1m0thyj/unlock-keyring](https://github.com/t1m0thyj/unlock-keyring), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/setup-node](https://github.com/actions/setup-node). Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3) Updates `t1m0thyj/unlock-keyring` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/t1m0thyj/unlock-keyring/releases) - [Commits](t1m0thyj/unlock-keyring@728cc71...cbcf205) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ec59f47...e24998b) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: t1m0thyj/unlock-keyring dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: goreleaser/goreleaser-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * fix(docker): bump the docker-minor group across 1 directory with 6 updates (#5079) * fix(docker): bump the docker-minor group across 1 directory with 6 updates Bumps the docker-minor group with 6 updates in the /pkg/config/templates directory: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.9` | | supabase/studio | `2026.04.08-sha-205cbe7` | `2026.04.13-sha-e95f1cc` | | supabase/edge-runtime | `v1.73.3` | `v1.73.5` | | supabase/realtime | `v2.82.0` | `v2.83.1` | | supabase/storage-api | `v1.48.28` | `v1.51.0` | | supabase/logflare | `1.37.1` | `1.38.2` | Updates `postgrest/postgrest` from v14.8 to v14.9 Updates `supabase/studio` from 2026.04.08-sha-205cbe7 to 2026.04.13-sha-e95f1cc Updates `supabase/edge-runtime` from v1.73.3 to v1.73.5 Updates `supabase/realtime` from v2.82.0 to v2.83.1 Updates `supabase/storage-api` from v1.48.28 to v1.51.0 Updates `supabase/logflare` from 1.37.1 to 1.38.2 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.9 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.13-sha-e95f1cc dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.5 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.83.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.51.0 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Downgrade postgrest version from 14.9 to 14.8 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * chore(workflows): enable install scripts for supabase package in Yarn (#5111) chore(workflows): enable install scripts for supabase package in Yarn Berry setup This change sets the YARN_ENABLE_SCRIPTS environment variable to true during the installation of the supabase package, allowing its postinstall script to run as required by Yarn Berry 4.14+. This adjustment ensures the necessary binary is fetched correctly. * feat: --diff-engine flag on db pull * fix(docker): bump the docker-minor group in /pkg/config/templates with 6 updates (#5113) fix(docker): bump the docker-minor group Bumps the docker-minor group in /pkg/config/templates with 6 updates: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.10` | | supabase/studio | `2026.04.13-sha-e95f1cc` | `2026.04.20-sha-b721a2d` | | supabase/edge-runtime | `v1.73.5` | `v1.73.13` | | supabase/realtime | `v2.83.1` | `v2.86.3` | | supabase/storage-api | `v1.51.0` | `v1.54.1` | | supabase/logflare | `1.38.2` | `1.39.1` | Updates `postgrest/postgrest` from v14.8 to v14.10 Updates `supabase/studio` from 2026.04.13-sha-e95f1cc to 2026.04.20-sha-b721a2d Updates `supabase/edge-runtime` from v1.73.5 to v1.73.13 Updates `supabase/realtime` from v2.83.1 to v2.86.3 Updates `supabase/storage-api` from v1.51.0 to v1.54.1 Updates `supabase/logflare` from 1.38.2 to 1.39.1 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.10 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.20-sha-b721a2d dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.13 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.86.3 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.54.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * feat: exposing new api keys to functions (#4946) Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> * chore: upgrade pg-delta to alpha.20 in multiple templates * fix: remove version comparison check for storage image updates (#5118) fix: honor pinned storage version offline Remove the version comparison that only pinned storage when the local version was newer than the default. This prevented `supabase start` from using an already-downloaded image offline, since Docker would still try to pull the default newer image. Fixes CLI-1393. Co-authored-by: Claude <noreply@anthropic.com> * fix: improve error handling and output formatting in pg-delta apply process (#5120) - Updated the `runDeclarativeSync` function to avoid wrapping SQL output with `utils.Bold`, preventing excessive whitespace in multi-line SQL. - Changed the result accumulation in `migra.ts` from string concatenation to an array for better performance and clarity. - Enhanced the `ApplyResult` struct to include `ValidationErrors` and `Diagnostics`, allowing for more detailed error reporting. - Modified the `formatApplyFailure` function to include validation errors and diagnostics in the output, improving user feedback on apply failures. - Added tests for validation error handling in `apply_test.go` to ensure robustness against various error scenarios. * fix(start): guard db_logs vector transform against null regex capture (#5126) The `db_logs` transform aborts with `expected string, got null` in `upcase!()` when `parse_regex` matches an event message but the `level` named group resolves to null. The fallback branch only covers regex failure (`err != null || parsed == null`), leaving a third path where the match succeeds but the capture is null. That path overwrites the would-be fallback with null and crashes on upcase. Observed under routine local dev load (Next.js dev server issuing service-role Postgres queries): 3,000+ aborted transforms in two minutes, cascading into Vector retry storms and Logflare `ErlSysMon` message-queue backpressure. Extend the fallback condition to also fire when `parsed.level` is null, and guard the assignment in the match branch, so `error_severity` always has a non-null string before `upcase!`. Co-authored-by: rebasecase <rebasecase@localhost> * Update Dockerfile for Studio image 2026-04-27 * chore: resync develop with main (#5123) Prod deploy (#5109) * fix(pg-delta): declarative-sync-no-declarative-dir-set (#5078) * feat(declarative): add tests for skipping config updates when PgDelta is enabled - These tests verify that the configuration remains unchanged when PgDelta is enabled, ensuring the declarative directory is the source of truth. - Updated the WriteDeclarativeSchemas function to reflect the new behavior regarding PgDelta configuration. * fix(declarative): DSL change due to upgrade * feat(auth): add support for configuring passkeys and webauthn (#5077) * fix: atomic parser (#5064) * fix * test --------- * fix(pg-delta): declarative apply error results (#5082) * fix(pg-delta): declarative apply error results Improve readability report for decalrative appy errors wrapping * chore: upgrade pg-delta to alpha 13 * feat(telemetry): attach org/project groups to all CLI events Only ~19% of CLI events had PostHog group properties ($group_0, $group_1) because groups were only set during `supabase link`. Commands using --project-ref without linking sent events invisible to group analytics. Add EnsureProjectGroupsCached which resolves and caches project metadata (including org ID) in linked-project.json when a project ref is available. The cache is checked before every cli_command_executed event, so the API call only happens once per unique project ref. Closes GROWTH-761 * fix: address code review feedback - Guard against log.Fatalln crash: check auth token before calling GetSupabase(), and move the API call to cmd/root.go where it belongs - Don't overwrite existing linked-project.json cache — supabase link is the authoritative source, we only fill the gap when no cache exists - Fire GroupIdentify for org and project after caching, matching the link flow so PostHog has group metadata - Restructure so telemetry package has no API dependencies (pure caching + PostHog calls), making tests reliable without gock/mocks * fix: adds etl to managed schema (#5090) * chore: sync API types from infrastructure (#5093) * chore(deps): bump the actions-major group across 1 directory with 5 updates (#5088) Bumps the actions-major group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@f8d387b...1b10c78) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@c0f553f...5f6978f) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c10b806...95e58e9) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@d08e5c3...bcafcac) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix: functions download (#5096) * fix * test --------- * feat(db): strengthen RLS advisory message for stronger agent compliance * chore(deps): upgrade pg-delta to alpha.17 (#5110) Closes: #5094 * chore(deps): bump the actions-major group across 1 directory with 4 updates (#5108) Bumps the actions-major group with 4 updates in the / directory: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [t1m0thyj/unlock-keyring](https://github.com/t1m0thyj/unlock-keyring), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/setup-node](https://github.com/actions/setup-node). Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3) Updates `t1m0thyj/unlock-keyring` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/t1m0thyj/unlock-keyring/releases) - [Commits](t1m0thyj/unlock-keyring@728cc71...cbcf205) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ec59f47...e24998b) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: t1m0thyj/unlock-keyring dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: goreleaser/goreleaser-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix(docker): bump the docker-minor group across 1 directory with 6 updates (#5079) * fix(docker): bump the docker-minor group across 1 directory with 6 updates Bumps the docker-minor group with 6 updates in the /pkg/config/templates directory: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.9` | | supabase/studio | `2026.04.08-sha-205cbe7` | `2026.04.13-sha-e95f1cc` | | supabase/edge-runtime | `v1.73.3` | `v1.73.5` | | supabase/realtime | `v2.82.0` | `v2.83.1` | | supabase/storage-api | `v1.48.28` | `v1.51.0` | | supabase/logflare | `1.37.1` | `1.38.2` | Updates `postgrest/postgrest` from v14.8 to v14.9 Updates `supabase/studio` from 2026.04.08-sha-205cbe7 to 2026.04.13-sha-e95f1cc Updates `supabase/edge-runtime` from v1.73.3 to v1.73.5 Updates `supabase/realtime` from v2.82.0 to v2.83.1 Updates `supabase/storage-api` from v1.48.28 to v1.51.0 Updates `supabase/logflare` from 1.37.1 to 1.38.2 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.9 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.13-sha-e95f1cc dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.5 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.83.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.51.0 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * Downgrade postgrest version from 14.9 to 14.8 --------- * chore(workflows): enable install scripts for supabase package in Yarn (#5111) chore(workflows): enable install scripts for supabase package in Yarn Berry setup This change sets the YARN_ENABLE_SCRIPTS environment variable to true during the installation of the supabase package, allowing its postinstall script to run as required by Yarn Berry 4.14+. This adjustment ensures the necessary binary is fetched correctly. * feat: --diff-engine flag on db pull * fix(docker): bump the docker-minor group in /pkg/config/templates with 6 updates (#5113) fix(docker): bump the docker-minor group Bumps the docker-minor group in /pkg/config/templates with 6 updates: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.10` | | supabase/studio | `2026.04.13-sha-e95f1cc` | `2026.04.20-sha-b721a2d` | | supabase/edge-runtime | `v1.73.5` | `v1.73.13` | | supabase/realtime | `v2.83.1` | `v2.86.3` | | supabase/storage-api | `v1.51.0` | `v1.54.1` | | supabase/logflare | `1.38.2` | `1.39.1` | Updates `postgrest/postgrest` from v14.8 to v14.10 Updates `supabase/studio` from 2026.04.13-sha-e95f1cc to 2026.04.20-sha-b721a2d Updates `supabase/edge-runtime` from v1.73.5 to v1.73.13 Updates `supabase/realtime` from v2.83.1 to v2.86.3 Updates `supabase/storage-api` from v1.51.0 to v1.54.1 Updates `supabase/logflare` from 1.38.2 to 1.39.1 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.10 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.20-sha-b721a2d dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.13 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.86.3 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.54.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * feat: exposing new api keys to functions (#4946) * chore: upgrade pg-delta to alpha.20 in multiple templates * fix: remove version comparison check for storage image updates (#5118) fix: honor pinned storage version offline Remove the version comparison that only pinned storage when the local version was newer than the default. This prevented `supabase start` from using an already-downloaded image offline, since Docker would still try to pull the default newer image. Fixes CLI-1393. * fix: improve error handling and output formatting in pg-delta apply process (#5120) - Updated the `runDeclarativeSync` function to avoid wrapping SQL output with `utils.Bold`, preventing excessive whitespace in multi-line SQL. - Changed the result accumulation in `migra.ts` from string concatenation to an array for better performance and clarity. - Enhanced the `ApplyResult` struct to include `ValidationErrors` and `Diagnostics`, allowing for more detailed error reporting. - Modified the `formatApplyFailure` function to include validation errors and diagnostics in the output, improving user feedback on apply failures. - Added tests for validation error handling in `apply_test.go` to ensure robustness against various error scenarios. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> Co-authored-by: fadymak <dev@fadymak.com> Co-authored-by: Vaibhav <117663341+7ttp@users.noreply.github.com> Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> Co-authored-by: Han Qiao <sweatybridge@gmail.com> Co-authored-by: Julien Goux <hi@jgoux.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mert YEREKAPAN <mertyerekapan@gmail.com> Co-authored-by: Mert YEREKAPAN <33198490+myerekapan@users.noreply.github.com> Co-authored-by: Kalleby Santos <105971119+kallebysantos@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> * Revert "Update Dockerfile for Studio image 2026-04-27" (#5132) * Revert "Revert "Update Dockerfile for Studio image 2026-04-27"" (#5134) Revert "Revert "Update Dockerfile for Studio image 2026-04-27" (#5132)" This reverts commit 9251eaf. * fix(windows): json unmarshal errors in telemetry and pg-delta declarative sync (#5128) * fix(windows): json unmarshal errors in telemetry and pg-delta declarative sync Three Windows-only failures, all surfacing as JSON parse errors: 1. telemetry: any field-level unmarshal error (e.g. session_last_active stored as a number) now recreates state instead of propagating, since identity fields aren't worth surfacing an error for. 2. pg-delta declarative sync: containerRef now normalises Windows path separators with filepath.ToSlash so paths like supabase\.temp\pgdelta\catalog-baseline.json resolve correctly inside the Linux edge-runtime container. 3. pg-delta export/diff: parse callers (DeclarativeExportPgDeltaRef, ExportCatalogPgDelta, pgcache.exportCatalog) now surface stderr when stdout is empty, instead of failing later with "unexpected end of JSON input". DiffPgDeltaRef intentionally still accepts empty stdout as a legitimate "no schema changes" result. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: only run test on windows and fix lint --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Kalleby Santos <105971119+kallebysantos@users.noreply.github.com> Co-authored-by: avallete <andrew.valleteau@supabase.io> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: It's Me! <192345912+rebasecase@users.noreply.github.com> Co-authored-by: rebasecase <rebasecase@localhost> Co-authored-by: Joshen Lim <joshenlimek@gmail.com> Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> Co-authored-by: fadymak <dev@fadymak.com> Co-authored-by: Vaibhav <117663341+7ttp@users.noreply.github.com> Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> Co-authored-by: Han Qiao <sweatybridge@gmail.com> Co-authored-by: Mert YEREKAPAN <mertyerekapan@gmail.com> Co-authored-by: Mert YEREKAPAN <33198490+myerekapan@users.noreply.github.com>

Prod deploy (#5109) * fix(pg-delta): declarative-sync-no-declarative-dir-set (#5078) * feat(declarative): add tests for skipping config updates when PgDelta is enabled - These tests verify that the configuration remains unchanged when PgDelta is enabled, ensuring the declarative directory is the source of truth. - Updated the WriteDeclarativeSchemas function to reflect the new behavior regarding PgDelta configuration. * fix(declarative): DSL change due to upgrade * feat(auth): add support for configuring passkeys and webauthn (#5077) * fix: atomic parser (#5064) * fix * test --------- * fix(pg-delta): declarative apply error results (#5082) * fix(pg-delta): declarative apply error results Improve readability report for decalrative appy errors wrapping * chore: upgrade pg-delta to alpha 13 * feat(telemetry): attach org/project groups to all CLI events Only ~19% of CLI events had PostHog group properties ($group_0, $group_1) because groups were only set during `supabase link`. Commands using --project-ref without linking sent events invisible to group analytics. Add EnsureProjectGroupsCached which resolves and caches project metadata (including org ID) in linked-project.json when a project ref is available. The cache is checked before every cli_command_executed event, so the API call only happens once per unique project ref. Closes GROWTH-761 * fix: address code review feedback - Guard against log.Fatalln crash: check auth token before calling GetSupabase(), and move the API call to cmd/root.go where it belongs - Don't overwrite existing linked-project.json cache — supabase link is the authoritative source, we only fill the gap when no cache exists - Fire GroupIdentify for org and project after caching, matching the link flow so PostHog has group metadata - Restructure so telemetry package has no API dependencies (pure caching + PostHog calls), making tests reliable without gock/mocks * fix: adds etl to managed schema (#5090) * chore: sync API types from infrastructure (#5093) * chore(deps): bump the actions-major group across 1 directory with 5 updates (#5088) Bumps the actions-major group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@f8d387b...1b10c78) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@c0f553f...5f6978f) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c10b806...95e58e9) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@d08e5c3...bcafcac) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix: functions download (#5096) * fix * test --------- * feat(db): strengthen RLS advisory message for stronger agent compliance * chore(deps): upgrade pg-delta to alpha.17 (#5110) Closes: #5094 * chore(deps): bump the actions-major group across 1 directory with 4 updates (#5108) Bumps the actions-major group with 4 updates in the / directory: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [t1m0thyj/unlock-keyring](https://github.com/t1m0thyj/unlock-keyring), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/setup-node](https://github.com/actions/setup-node). Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3) Updates `t1m0thyj/unlock-keyring` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/t1m0thyj/unlock-keyring/releases) - [Commits](t1m0thyj/unlock-keyring@728cc71...cbcf205) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ec59f47...e24998b) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: t1m0thyj/unlock-keyring dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: goreleaser/goreleaser-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix(docker): bump the docker-minor group across 1 directory with 6 updates (#5079) * fix(docker): bump the docker-minor group across 1 directory with 6 updates Bumps the docker-minor group with 6 updates in the /pkg/config/templates directory: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.9` | | supabase/studio | `2026.04.08-sha-205cbe7` | `2026.04.13-sha-e95f1cc` | | supabase/edge-runtime | `v1.73.3` | `v1.73.5` | | supabase/realtime | `v2.82.0` | `v2.83.1` | | supabase/storage-api | `v1.48.28` | `v1.51.0` | | supabase/logflare | `1.37.1` | `1.38.2` | Updates `postgrest/postgrest` from v14.8 to v14.9 Updates `supabase/studio` from 2026.04.08-sha-205cbe7 to 2026.04.13-sha-e95f1cc Updates `supabase/edge-runtime` from v1.73.3 to v1.73.5 Updates `supabase/realtime` from v2.82.0 to v2.83.1 Updates `supabase/storage-api` from v1.48.28 to v1.51.0 Updates `supabase/logflare` from 1.37.1 to 1.38.2 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.9 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.13-sha-e95f1cc dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.5 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.83.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.51.0 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * Downgrade postgrest version from 14.9 to 14.8 --------- * chore(workflows): enable install scripts for supabase package in Yarn (#5111) chore(workflows): enable install scripts for supabase package in Yarn Berry setup This change sets the YARN_ENABLE_SCRIPTS environment variable to true during the installation of the supabase package, allowing its postinstall script to run as required by Yarn Berry 4.14+. This adjustment ensures the necessary binary is fetched correctly. * feat: --diff-engine flag on db pull * fix(docker): bump the docker-minor group in /pkg/config/templates with 6 updates (#5113) fix(docker): bump the docker-minor group Bumps the docker-minor group in /pkg/config/templates with 6 updates: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.10` | | supabase/studio | `2026.04.13-sha-e95f1cc` | `2026.04.20-sha-b721a2d` | | supabase/edge-runtime | `v1.73.5` | `v1.73.13` | | supabase/realtime | `v2.83.1` | `v2.86.3` | | supabase/storage-api | `v1.51.0` | `v1.54.1` | | supabase/logflare | `1.38.2` | `1.39.1` | Updates `postgrest/postgrest` from v14.8 to v14.10 Updates `supabase/studio` from 2026.04.13-sha-e95f1cc to 2026.04.20-sha-b721a2d Updates `supabase/edge-runtime` from v1.73.5 to v1.73.13 Updates `supabase/realtime` from v2.83.1 to v2.86.3 Updates `supabase/storage-api` from v1.51.0 to v1.54.1 Updates `supabase/logflare` from 1.38.2 to 1.39.1 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.10 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.20-sha-b721a2d dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.13 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.86.3 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.54.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * feat: exposing new api keys to functions (#4946) * chore: upgrade pg-delta to alpha.20 in multiple templates * fix: remove version comparison check for storage image updates (#5118) fix: honor pinned storage version offline Remove the version comparison that only pinned storage when the local version was newer than the default. This prevented `supabase start` from using an already-downloaded image offline, since Docker would still try to pull the default newer image. Fixes CLI-1393. * fix: improve error handling and output formatting in pg-delta apply process (#5120) - Updated the `runDeclarativeSync` function to avoid wrapping SQL output with `utils.Bold`, preventing excessive whitespace in multi-line SQL. - Changed the result accumulation in `migra.ts` from string concatenation to an array for better performance and clarity. - Enhanced the `ApplyResult` struct to include `ValidationErrors` and `Diagnostics`, allowing for more detailed error reporting. - Modified the `formatApplyFailure` function to include validation errors and diagnostics in the output, improving user feedback on apply failures. - Added tests for validation error handling in `apply_test.go` to ensure robustness against various error scenarios. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> Co-authored-by: fadymak <dev@fadymak.com> Co-authored-by: Vaibhav <117663341+7ttp@users.noreply.github.com> Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> Co-authored-by: Han Qiao <sweatybridge@gmail.com> Co-authored-by: Julien Goux <hi@jgoux.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mert YEREKAPAN <mertyerekapan@gmail.com> Co-authored-by: Mert YEREKAPAN <33198490+myerekapan@users.noreply.github.com> Co-authored-by: Kalleby Santos <105971119+kallebysantos@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 16, 2026

dependabot Bot requested a review from a team as a code owner April 16, 2026 00:07

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 16, 2026

supabase-cli-releaser Bot approved these changes Apr 16, 2026

View reviewed changes

github-actions Bot enabled auto-merge (squash) April 16, 2026 00:07

dependabot Bot force-pushed the dependabot/github_actions/actions-major-b9ae7ab8c2 branch from 2f7a887 to 68e1508 Compare April 17, 2026 00:06

supabase-cli-releaser Bot approved these changes Apr 17, 2026

View reviewed changes

avallete approved these changes Apr 17, 2026

View reviewed changes

Merge branch 'develop' into dependabot/github_actions/actions-major-b…

b91ad63

…9ae7ab8c2

github-actions Bot merged commit a03a8bf into develop Apr 17, 2026
22 of 25 checks passed

github-actions Bot deleted the dependabot/github_actions/actions-major-b9ae7ab8c2 branch April 17, 2026 04:08

supabase-cli-releaser Bot mentioned this pull request Apr 21, 2026

Prod deploy #5109

Merged

This was referenced Apr 27, 2026

Prod deploy #5131

Closed

Prod deploy #5136

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the actions-major group across 1 directory with 5 updates#5088

chore(deps): bump the actions-major group across 1 directory with 5 updates#5088
github-actions[bot] merged 2 commits into
developfrom
dependabot/github_actions/actions-major-b9ae7ab8c2

dependabot Bot commented on behalf of github Apr 16, 2026 •

edited

Loading

Uh oh!

coveralls commented Apr 16, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot Bot commented on behalf of github Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

Features

Create Pull Request v8.1.1

What's Changed

v7.0.1

What's Changed

v4.35.2

CodeQL Action Changelog

[UNRELEASED]

4.35.2 - 15 Apr 2026

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

4.34.0 - 20 Mar 2026

4.33.0 - 16 Mar 2026

4.32.6 - 05 Mar 2026

v7.1.0

Uh oh!

coveralls commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Coverage Report for CI Build 24547013890

Coverage decreased (-0.02%) to 63.66%

Details

Uncovered Changes

Coverage Regressions

Coverage Stats

💛 - Coveralls

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot Bot commented on behalf of github Apr 16, 2026 •

edited

Loading

coveralls commented Apr 16, 2026 •

edited

Loading