chore(cubejs): bump Cube.js from 1.6.19 to 1.6.37#44
Merged
Conversation
Cube.js v1.6 invokes checkSqlAuth as (request, user, password) — three
positional args — see
@cubejs-backend/api-gateway/dist/src/sql-server.js:291,105.
Our implementation declared (_, user) and did:
password = typeof user === "string" ? user : user?.password
username = typeof user === "string" ? _ : user?.username
With the v1.6 wire server, user arrives as a plain string (the Postgres
username), so the code took the username as the password AND used the
request metadata object as the username. findSqlCredentials then
received the {protocol, method, apiType} object, and Hasura rejected
the query with:
parsing Text failed, expected String, but encountered Object
path: $.selectionSet.sql_credentials.args.where.username._eq
Every SQL API login failed before any password comparison ran
(reproduced via `psql -U <valid> -h <cubejs>` → 28P01).
Fix: match the documented v1.6 signature and keep a defensive branch
for the legacy object-shape call. Also reject non-string username
early so the Hasura GraphQL layer cannot receive a non-string variable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…gins
queryRewrite's rule-based row filtering relies on
`securityContext.userScope.teamProperties` and `.memberProperties` to
look up per-rule property values (e.g. `partition` from team settings).
defineUserScope populates both from the member's team settings and
member properties. buildSqlSecurityContext (the SQL API path) never
did, so userScope for SQL logins had no team/member properties. Every
rule whose property lookup returned undefined blocked the whole query
and queryRewrite replaced query.filters with:
[{ member: allMembers[0], operator: "equals",
values: ["__blocked_by_access_control__"] }]
When the first member was a numeric measure (e.g. `count`), ClickHouse
tried to cast the sentinel to Float64:
Cannot parse string '__blocked_by_access_control__' as Float64
Fix: buildSqlSecurityContext now resolves the member for the
datasource's team and passes the team settings + member properties
into the scope (matching defineUserScope). Team settings also flow
into buildSecurityContext so the content hash includes them, keeping
cache isolation consistent between REST and SQL paths.
Reproduced via `SELECT count(*) FROM stockout_event` over the Postgres
wire — rule `semantic_events.partition` couldn't resolve
team.partition, blocked fired, sentinel filter crashed ClickHouse.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…agment Follow-up to #42. buildSqlSecurityContext now resolves teamProperties and memberProperties from sqlCredentials.user.members, but the GraphQL query used to load sql_credentials (sqlCredentialsQuery → membersFragment) never selected those fields. At runtime teamMember was found but team and properties were undefined, so teamProperties stayed empty and queryRewrite rules that look up teamProperties.<key> still blocked every query. Observed via: SELECT count(*) FROM stockout_event → still rewritten to: HAVING count(*) = toFloat64('__blocked_by_access_control__') Add team { id settings } and properties to membersFragment so the SQL API path has the same shape defineUserScope consumes on the REST path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
akshaykumar2505
approved these changes
Apr 20, 2026
Brings in 16 patch releases of upstream Cube.js fixes and features, including cubesql improvements (Tableau format codes, Talend compat, MEASURE function panic fix, LAG/LEAD pushdown, TO_TIMESTAMP formats, SET TIMEZONE, FETCH directions, CASE/LIKE planning, pg_catalog.pg_collation, SAVEPOINT/ROLLBACK TO/RELEASE, SET ROLE auth context, and more). Does not close the DataGrip introspection gap (regclass in functions, pg_get_userbyid coercion, OPERATOR(schema.~), CHAR[] arrays, SHOW server_version, pg_description.objoid mapping, empty pg_index/ pg_constraint — none addressed upstream between 1.6.21 and 1.6.37), but keeps us current before we build or wait on a JetBrains-friendly fix. yarn.lock will regenerate on CI build (Dockerfile runs `yarn --network-timeout 100000`). No breaking changes relevant to us (server-core access-policy row filtering breaking change doesn't affect our usage — we don't use cube's access_policy feature; row filtering is via queryRewrite.js). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
acmeguy
force-pushed
the
feat/cube-1.6.37
branch
from
c55e1bd to
f062947
Compare
Keeps local docker-compose in sync with the Cube.js backend bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bump all `@cubejs-backend/*` dependencies from `^1.6.19` to `^1.6.37` — 16 patch releases of upstream Cube.js.
What changes
Scanning the changelog for 1.6.22 → 1.6.37, the relevant entries for us:
cubesql planner improvements
api-gateway / server-core
schema-compiler
clickhouse-driver
Why we can't just wait
Our running 1.6.21 is missing all of the above. The upgrade is low-risk (no breaking changes affect our setup).
What this does NOT solve
The DataGrip introspection gaps we hit earlier today — `regclass` inside `obj_description()`, `pg_get_userbyid` UInt32 coercion, `OPERATOR(pg_catalog.~)`, `ANY(... ::CHAR[])`, `SHOW server_version`, `pg_description.objoid` mapping, empty `pg_index` / `pg_constraint` — none of these are addressed in 1.6.22..1.6.37. Upstream tracking issue #7714 remains open. We still need the pg-gateway-based proxy (separate PR) for DataGrip.
Lockfile
`yarn.lock` not regenerated locally (needs Java toolchain for one transitive build that fails on my machine). The Dockerfile runs `yarn --network-timeout 100000` without `--frozen-lockfile`, so CI will reconcile `yarn.lock` during the image build. If we want a clean lockfile update before merge, run `yarn install` in `services/cubejs/` and amend.
Test plan
🤖 Generated with Claude Code