chore: production deploy#5874
Conversation
supabase-cli-releaser
Bot
commented
Jul 14, 2026
- fix(cli): read piped stdin for gen signing-key's overwrite prompt (Go parity) (fix(cli): read piped stdin for gen signing-key's overwrite prompt (Go parity) #5794)
- docs(cli): correct inaccurate SIDE_EFFECTS.md and AGENTS.md claims (docs(cli): correct inaccurate SIDE_EFFECTS.md and AGENTS.md claims #5813)
- docs(cli): fix fabricated SUPABASE_API_URL and bare PROJECT_ID env-var references (docs(cli): fix fabricated SUPABASE_API_URL and bare PROJECT_ID env-var references #5811)
- feat(cli): port db push, db reset, and db start to native TypeScript (feat(cli): port db push, db reset, and db start to native TypeScript #5715)
- fix(cli): functions deploy --jobs validation + bundler routing (Go parity) (fix(cli): functions deploy --jobs validation + bundler routing (Go parity) #5797)
- fix(cli): exempt enum/choice flags from telemetry redaction (Go isEnumFlag parity) (fix(cli): exempt enum/choice flags from telemetry redaction (Go isEnumFlag parity) #5810)
- chore(api): sync Management API OpenAPI spec (chore(api): sync Management API OpenAPI spec #5818)
- fix(cli): use cobra's exact mutual-exclusivity error for functions deploy/download (fix(cli): use cobra's exact mutual-exclusivity error for functions deploy/download #5804)
- fix(cli): warn but skip remote lookup for a malformed services project ref (fix(cli): warn but skip remote lookup for a malformed services project ref #5802)
- fix(cli): default functions download --use-docker to true (Go parity) (fix(cli): default functions download --use-docker to true (Go parity) #5793)
- fix(cli): functions delete/download mark --project-ref telemetry-safe (Go parity) (fix(cli): functions delete/download mark --project-ref telemetry-safe (Go parity) #5809)
- fix(cli): secrets set tolerates a malformed config.toml (Go parity) (fix(cli): secrets set tolerates a malformed config.toml (Go parity) #5796)
- fix(cli): telemetry enable/disable fire cli_command_executed on pre-toggle consent (fix(cli): telemetry enable/disable fire cli_command_executed on pre-toggle consent #5798)
- fix(deps): bump the go-minor group across 2 directories with 1 update (fix(deps): bump the go-minor group across 2 directories with 1 update #5821)
- chore(ci): bump the actions-major group with 2 updates (chore(ci): bump the actions-major group with 2 updates #5824)
- fix(deps): bump the npm-major group with 6 updates (fix(deps): bump the npm-major group with 6 updates #5823)
- chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.52.0 in /apps/cli-go/pkg (chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.52.0 in /apps/cli-go/pkg #5825)
- fix(cli): colima socket (fix(cli): colima socket #5820)
- fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates (fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates #5822)
- fix(cli): remove "nano" from projects/branches create --size enum (fix(cli): remove "nano" from projects/branches create --size enum #5799)
- docs(cli): disclose --high-availability as TS-only on projects create (docs(cli): disclose --high-availability as TS-only on projects create #5800)
- fix(cli): run pg-delta/--experimental gate before mutex check in db schema declarative (fix(cli): run pg-delta/--experimental gate before mutex check in db schema declarative #5828)
- fix(cli): exit 0 for bare group commands to match Go cobra parity (fix(cli): exit 0 for bare group commands to match Go cobra parity #5827)
- feat(cli): port supabase stop and status commands to native TypeScript (feat(cli): port supabase stop and status commands to native TypeScript #5765)
- fix(deps): bump the npm-major group with 6 updates (fix(deps): bump the npm-major group with 6 updates #5835)
- chore(ci): bump the actions-major group with 4 updates (chore(ci): bump the actions-major group with 4 updates #5836)
- fix(docker): bump supabase/storage-api from v1.63.1 to v1.64.1 in /apps/cli-go/pkg/config/templates in the docker-minor group (fix(docker): bump supabase/storage-api from v1.63.1 to v1.64.1 in /apps/cli-go/pkg/config/templates in the docker-minor group #5834)
- fix(cli): remove doubled "Expected: Expected" prefix from Flag.choice/primitive errors (fix(cli): remove doubled "Expected: Expected" prefix from Flag.choice/primitive errors #5831)
- fix(cli): resolve global/persistent flag values in legacy telemetry (fix(cli): resolve global/persistent flag values in legacy telemetry #5830)
- fix(cli): use cobra's mutual-exclusivity error template for sso update (fix(cli): use cobra's mutual-exclusivity error template for sso update #5832)
- docs(cli): link Effect-TS upstream issue for doubled-Expected workaround (docs(cli): link Effect-TS upstream issue for doubled-Expected workaround #5837)
- fix(cli): validate config before the destructive db reset --local recreate (fix(cli): validate config before the destructive db reset --local recreate #5840)
- fix(cli): propagate delegated Go child exit codes through finalizers (fix(cli): propagate delegated Go child exit codes through finalizers #5841)
- fix(cli): legacy shell honors project .env for SUPABASE_YES + auth.enabled remote precedence (CLI-1878) (fix(cli): legacy shell honors project .env for SUPABASE_YES + auth.enabled remote precedence (CLI-1878) #5839)
- ci: add contribution gate workflow for external PRs (ci: add contribution gate workflow for external PRs #5843)
- fix(config-push): decrypt dotenvx encrypted: secrets instead of skipping (fix(config-push): decrypt dotenvx encrypted: secrets instead of skipping #5842)
- ci: exempt private org members from the contribution gate (ci: exempt private org members from the contribution gate #5848)
- fix(deps): bump github.com/posthog/posthog-go from 1.17.2 to 1.17.4 in /apps/cli-go in the go-minor group across 1 directory (fix(deps): bump github.com/posthog/posthog-go from 1.17.2 to 1.17.4 in /apps/cli-go in the go-minor group across 1 directory #5849)
- fix(deps): bump the npm-major group with 7 updates (fix(deps): bump the npm-major group with 7 updates #5850)
- chore(ci): bump docker/login-action from 4.3.0 to 4.4.0 in the actions-major group (chore(ci): bump docker/login-action from 4.3.0 to 4.4.0 in the actions-major group #5852)
- fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates (fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates #5851)
- fix(cli): suppress vendored effect CLI's stdout help-dump and duplicate error on parse failures (CLI-1901) (fix(cli): suppress vendored effect CLI's stdout help-dump and duplicate error on parse failures (CLI-1901) #5844)
- fix(cli): exempt global choice flags from telemetry redaction (Go isEnumFlag parity) (fix(cli): exempt global choice flags from telemetry redaction (Go isEnumFlag parity) #5855)
- fix(cli): match Go path.Match character-class negation in legacy seed globbing (fix(cli): match Go path.Match character-class negation in legacy seed globbing #5856)
- fix(deps): bump github.com/stripe/pg-schema-diff from 1.0.5 to 1.0.7 in /apps/cli-go in the go-minor group across 1 directory (fix(deps): bump github.com/stripe/pg-schema-diff from 1.0.5 to 1.0.7 in /apps/cli-go in the go-minor group across 1 directory #5858)
- fix(deps): bump the npm-major group with 3 updates (fix(deps): bump the npm-major group with 3 updates #5859)
- fix(deps): bump github.com/posthog/posthog-go from 1.17.4 to 1.17.5 in /apps/cli-go in the go-minor group across 1 directory (fix(deps): bump github.com/posthog/posthog-go from 1.17.4 to 1.17.5 in /apps/cli-go in the go-minor group across 1 directory #5865)
- chore(ci): bump aws-actions/configure-aws-credentials from 6.2.1 to 6.2.2 in the actions-major group (chore(ci): bump aws-actions/configure-aws-credentials from 6.2.1 to 6.2.2 in the actions-major group #5871)
… parity) (#5794) ## Current Behavior Go's overwrite-confirmation prompt for `gen signing-key` reads piped stdin even in non-TTY mode (`internal/utils/console.go`'s `PromptYesNo`/`ReadLine`, racing a 100ms timeout) and honors an explicit y/n answer. The TS port's `signing-key.handler.ts` had its own local `confirmOverwrite` that returned `true` unconditionally in non-TTY mode without reading stdin at all, so `echo n | supabase gen signing-key` silently overwrote the existing key file instead of canceling — a data-loss risk for scripted/CI usage. ## Expected Behavior - Deletes the local `confirmOverwrite` and switches the call site to the shared `legacyPromptYesNo` helper (already used by `seed buckets`, `config push`, `logout`, `storage rm`, `db pull`), which already correctly implements Go's non-TTY read-with-timeout-and-parse behavior. - Swaps `LegacyYesFlag` for `legacyResolveYes` (matching those same five callers), so `gen signing-key` now also honors `SUPABASE_YES` and an explicit `--yes=false`, matching Go's `viper.GetBool("YES")`. - Fails the overwrite closed (rather than silently defaulting to yes) when a real interactive TTY requests a non-text `--output-format` — this command has no structured json/stream-json payload (SIDE_EFFECTS.md), and the shared helper's own default-on-non-text short-circuit would otherwise silently overwrite irrecoverable key material with no prompt at all. A non-TTY caller (piped or not) is unaffected by this guard. Fixes CLI-1865
…5813) ## What kind of change does this PR introduce? Docs fix — Legacy port SIDE_EFFECTS.md / AGENTS.md accuracy (F3-F10, F12 from the parity audit). ## What is the current behavior? 11 `SIDE_EFFECTS.md` files and `AGENTS.md` contained factual errors where the code was already correct but the documentation was wrong — wrong file paths, a fabricated stdout message, an inverted claim about whether a command writes the linked-project cache, a missing json/stream-json output envelope, a fictitious subprocess name, a backwards project-ref claim, and a fabricated telemetry-identity call. Each claim was independently re-verified against `apps/cli-go/` (and, for the `completion` exit-code claim, against the actual compiled Go binary and the actual TS CLI) before editing. ## What is the new behavior? - **F3**: `db/branch/{create,delete,list,switch}` — corrected the current-branch file path to `supabase/.branches/_current_branch`, matching `internal/utils/misc.go:99`. - **F4**: `db/remote/commit` — removed the false claim it prints `Finished supabase db pull.` (that belongs only to `db pull`). - **F5**: `db/lint` — corrected: it DOES write the linked-project cache on `--linked`, matching Go's `ensureProjectGroupsCached`. - **F6**: `db/schema/declarative/generate` — corrected: it has a real json/stream-json success envelope. - **F7**: `db/schema/declarative/sync` — replaced a fictitious `migration up --local` subprocess with the real `db reset --local` recovery-path subprocess. - **F8**: `completion` — the doc's exit-code claim was backwards. Go exits `0` on both bare `completion` and an unrecognized shell subcommand (verified against the compiled binary); the legacy TS shell currently exits `1` for both — a genuine, systemic exit-code bug in the shared CLI harness, not `completion`-specific (it reproduces on any bare/unrecognized group-command invocation, e.g. `branches`). Rather than fixing the code here or describing the bug as intended, the doc now states Go's true behavior and flags the current TS divergence, filed separately as CLI-1906. - **F9**: `config/push` + `AGENTS.md` — corrected the linked-project-cache path (was a fabricated `~/.supabase/<hash>/...`, real path is `<workdir>/supabase/.temp/linked-project.json`) and fixed an adjacent conflation where the project-ref-fallback file was wrongly attributed to the same cache file, when it's actually a separate file (`<workdir>/supabase/.temp/project-ref`). - **F10**: `branches/update` — corrected: the upgrade-suggest call uses the branch's own resolved ref, not the parent `--project-ref`. - **F12**: `AGENTS.md` telemetry table — removed a fabricated `analytics.identify(gotrueId)` claim from the `login` row; Go's `StitchLogin` only aliases. A second, wider pre-existing doc bug was found during F9's verification (the same fabricated linked-project-cache path is copy-pasted across 29 other `SIDE_EFFECTS.md` files not touched here) — filed separately as CLI-1907 rather than expanding this diff. Docs-only change; no `.ts`/`.go` files touched. `pnpm check:all` passes.
…r references (#5811) ## What kind of change does this PR introduce? Docs fix — Legacy port SIDE_EFFECTS.md accuracy. ## What is the current behavior? Two systemic env-var documentation errors across `src/legacy/**/SIDE_EFFECTS.md`, found in the parity audit: - **~36 files** document `SUPABASE_API_URL` as a real override for the Management API base URL. No such env var exists in Go: `SetEnvPrefix("SUPABASE")` + `AutomaticEnv()` never binds `API_URL`, there's no `os.Getenv("SUPABASE_API_URL")` anywhere, and the `Profile.api_url` field loads on a separate, unbound `viper.New()` instance (`internal/utils/profile.go:99`). The real override is `SUPABASE_PROFILE` (built-in name or a path to a YAML profile file). - **~18 files** document bare `PROJECT_ID` as if it were itself a settable env var. It's Go's internal viper key name — the real, user-facing env var is `SUPABASE_PROJECT_ID` (`viper.GetString("PROJECT_ID")` under the global `SetEnvPrefix("SUPABASE")` singleton, `internal/utils/flags/project_ref.go:62`). Both claims were independently verified against the real Go source and, for the viper-specific mechanics, a compiled test program against the exact pinned `github.com/spf13/viper v1.21.0`. ## What is the new behavior? - Removed the fabricated `SUPABASE_API_URL` rows; where a file didn't already document `SUPABASE_PROFILE`, added a real row for it (including the persisted `~/.supabase/profile` fallback step in the resolution chain, matching `legacy-cli-config.layer.ts`). - Corrected every bare `PROJECT_ID` mention (Environment Variables tables, Files Read "When" columns, and prose) to `SUPABASE_PROJECT_ID`, converging on the dominant convention already used correctly across ~15 sibling files. - Left `db/advisors/SIDE_EFFECTS.md` untouched — it already correctly documents that `SUPABASE_API_URL` is not honored. - Filed follow-ups for two related-but-out-of-scope findings surfaced during review: CLI-1904 (global choice-flag telemetry gap, unrelated) and CLI-1905 (bare `DB_PASSWORD` has the same bug class as this PR's F2, in a set of files this PR doesn't touch). Docs-only change; no `.ts` files touched. `pnpm check:all` passes.
…5715) Ports the `db push`, `db reset`, and `db start` commands of the legacy CLI shell from Go-binary proxies to native TypeScript (CLI-1325), and introduces a hidden Go seam for the container-bootstrap primitives that aren't ported. ## What changed **`db push`** — fully native: pending-migration reconciliation, seed-file ops with `seed_files` hash tracking, `[db.vault]` upsert, `--include-roles`/`--include-seed`/`--dry-run`, against local / linked / `--db-url`. **`db reset`** — native on both legs: - Remote (`--linked` / remote `--db-url`): drop user schemas → vault upsert → migrate + seed, `--version`/`--last`, and the Go-parity `--sql-paths` seed override (merged from develop, mutually exclusive with `--no-seed`). - Local (`--local` / local `--db-url`): running check, `Resetting local database…`, container recreate + migrate + seed via the seam, storage-gated bucket seeding (reuses the ported `seed buckets` core), and the `Finished … on branch <branch>.` line. - Only the niche `--experimental` remote schema-files path still delegates to the Go binary. **`db start`** — native: config validation, the `AssertSupabaseDbIsRunning` check (prints Go's "already running" line), else container bootstrap via the seam. No status table and no `cli_stack_started` — those belong to the top-level `supabase start`, not `db start`. **Hidden Go seam (`db __db-bootstrap`)** — mirrors the existing `db __shadow` seam. Exposes the un-ported container primitives (`StartDatabase` + `DockerRemoveAll` cleanup, the PG14/PG15 reset recreate, the storage health gate) behind `--mode {start|recreate|await-storage}`. The TS side orchestrates everything else (messages, version resolution, bucket seeding, the git-branch line, telemetry, `--output-format` shaping); the seam runs with telemetry disabled and stderr inherited, like `__shadow`. **Config loading (review follow-ups)** — `db push` / `db reset` / `db start` load `config.toml` through the legacy Go-parity reader (`legacyCheckDbToml`, Go's `flags.LoadConfig` → `config.Load` + `Validate`) rather than `@supabase/config`, so their config semantics match the Go CLI exactly: - Go-style env-reference booleans (e.g. `[db.seed] enabled = "env(SEED_ENABLED)"`) load like Go (env-expand → `strconv.ParseBool`) instead of failing with a parse error. - a matched `[remotes.<ref>]` block's `db.migrations.enabled` / `db.seed.enabled` beats the `SUPABASE_DB_*_ENABLED` env var (Go's `v.Set` override tier sits above AutomaticEnv), closing the last remote-vs-env precedence gap. - `encrypted:` `[db.vault]` secrets are decrypted at config-load time with the shell **and** project-`.env` `DOTENV_PRIVATE_KEY*` keys and fail fast (before any connect / schema drop) on an undecryptable value, matching Go's `DecryptSecretHookFunc`. - seed `sql_paths` (config and `--sql-paths`) resolve once to Go's config-load form; `db start` validates config before the already-running check. Malformed config now surfaces the reader's Go message (`failed to load config`), consistent with `db diff` / `dump` / `pull` / `migration`. ## Why `db start` / `db reset --local` need container lifecycle (create/recreate, image pull, health checks, init schema, service restarts) that is impractical to reimplement in TS. The seam keeps that lifecycle in Go while moving orchestration, output parity, telemetry, and `--output-format` handling to native TS — matching the approach already used for `db diff` / `db pull`. ## Reviewer notes - The seam is the only `db reset`/`db start` boundary the in-process integration suites mock; it's covered end-to-end by the cli-e2e live suite (`db-reset-start.live.e2e.test.ts`, run via `pnpm --filter @supabase/cli-e2e test:e2e:live`), which exercises the local leg against a real Docker socket and the remote `db reset` leg against the staging session pooler. Both `describe`s skip the `ts-next` target (the next shell has no `db` group). - `db reset --local` recreate forwards `--no-seed` / `--sql-paths` to the seam, which applies them via the same `applyDbResetSeedFlags` helper `db reset` uses, so seed handling stays identical across local and remote. - The bundled `supabase-go` binary must be rebuilt (`pnpm build:go-sidecar` copies it into `dist/`) since the seam adds the `db __db-bootstrap` command. - `docs/go-cli-porting-status.md` flips `db push` / `db reset` / `db start` to `ported`; each command's `SIDE_EFFECTS.md` documents the files, subprocesses, DB mutations, env vars, and exit codes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude <noreply@anthropic.com>
…rity) (#5797) ## What kind of change does this PR introduce? Bug fix (Go parity). ## What is the current behavior? `supabase functions deploy --jobs` diverges from the Go CLI in two related ways: 1. The `--jobs` guard only errored when local bundling (Docker/legacy-bundle) was active, so `--use-docker=false --jobs 2` (no `--use-api`) silently passed in TS while Go rejects it. The error text also differed from Go's wording. 2. `useLocalBundler` decided Docker-vs-API routing based on whether `--use-api` was *typed* on the command line (`explicitUseApi`), not its *resolved* value — so `--use-api=false` alone silently forced the API bundler instead of falling through to Docker, contrary to Go's `if useApi { useDocker = false }` (which only fires when the resolved value is true). Go's only guard (`apps/cli-go/cmd/functions.go:79-82`) is: ```go if useApi { useDocker = false } else if maxJobs > 1 { return errors.New("--jobs must be used together with --use-api") } ``` ## What is the new behavior? - `--jobs > 1` is now rejected whenever `--use-api`'s resolved value is `false`, regardless of `--use-docker`/`--legacy-bundle`, with the exact Go error text: `--jobs must be used together with --use-api`. - Bundler routing (`useLocalBundler`) now keys off the same resolved `flags.useApi` value, so `--use-api=false` alone falls through to Docker/legacy-bundle instead of silently switching to the API path. - Both fixes land in the shared `deployFunctions()` used by both the `legacy` and `next` shells, with regression coverage added in both. Fixes CLI-1861.
…mFlag parity) (#5810) ## What kind of change does this PR introduce? Bug fix (Go CLI parity). ## What is the current behavior? Go's telemetry (`cmd/root_analytics.go:110-116`, `isEnumFlag`) unconditionally treats any enum/choice flag as telemetry-safe — the value is sent verbatim to PostHog, no per-flag opt-in required. The TS legacy port's `withLegacyCommandInstrumentation` only exempted booleans and explicit `safeFlags` entries, so every `Flag.choice` value was silently redacted to `<redacted>` unless someone remembered to hand-list it — which had already happened inconsistently across the 14 commands using `Flag.choice`. `gen signing-key`'s `algorithm` and `gen types`'s `lang`/`swift-access-control` had no exemption at all; several other commands had partial coverage via ad-hoc `safeFlags`. ## What is the new behavior? - `withLegacyCommandInstrumentation` now accepts a `config` option (the command's own flag config record, the same object passed to `Command.make`). Any flag built with `Flag.choice`/`Flag.choiceWithValue` is auto-detected and treated as telemetry-safe, covering every current and future enum flag on that command without hand-maintaining a `safeFlags` list. - The detection unwraps `Map`/`Transform`/`Optional`/`Variadic` wrapper params down to the underlying `Single` the same way `--help` rendering does internally, reimplemented using only type-visible public `effect` API (the library's own internal helpers for this exact purpose exist in the compiled JS but are absent from the published `.d.ts`, so calling them directly isn't possible without an `as` cast). - Wired `config` into all 14 commands with choice flags. Removed 3 files' now-redundant hand-listed `safeFlags` entries where every listed name was already choice-typed. - Filed CLI-1904 to track a related, pre-existing, out-of-scope gap: global/root flags (`--output`, `--dns-resolver`, `--agent`) aren't wired into any command's `config`, so they're not covered by this fix even though Go's equivalents are also `EnumFlag`. Fixes CLI-1866
This PR was automatically created to sync the generated `@supabase/api` package with the latest Management API OpenAPI document. Changes were detected in the upstream OpenAPI document exposed by `https://api.supabase.com/api/v1-json`. Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>
…ploy/download (#5804) ## What kind of change does this PR introduce? Bug fix (Go-parity divergence). ## What is the current behavior? Go's cobra emits a fixed template for `MarkFlagsMutuallyExclusive` violations (`flag_groups.go:204`): the full group in registration order, plus the subset of flags actually set, sorted alphabetically. `functions deploy`/`functions download` emitted a custom TS string instead ("flags --use-api, --use-docker are mutually exclusive"), diverging on wording and dash usage. `download`'s check also branched on flag *truthiness* rather than whether the flag was explicitly *changed* on the command line, so `--use-api --use-docker=false` was silently allowed even though cobra's real `pflag.Changed` semantics reject it. ## What is the new behavior? Both commands now emit cobra's exact error text (verified byte-for-byte against the real compiled Go binary), and `download`'s mutex check now detects "explicitly changed" the same way `deploy`'s already did, closing the `--use-docker=false` gap. While fixing this, found the same cobra-template string duplicated in two other places during a review pass — `db dump` (own inline copy of the message format) and `gen types` (its own private `hasExplicitLongFlag` plus a *second* copy of the message template that had a real, independently-verified bug: it joined the violating-flag set in check order instead of sorting it, so `gen types --local --linked` printed `[local linked]` while the actual Go binary prints `[linked local]`). Hoisted the two generic helpers to `shared/cli/cobra-flag-groups.ts` and pointed all three call sites at them, fixing the `gen types` sort-order bug as a direct consequence. Filed two follow-ups discovered during review: CLI-1902 (`sso update`'s `--domains`/`--add-domains`/`--remove-domains` mutex has the same class of bug, different flag family, out of scope here) and CLI-1903 (`next/` inherits the same byte-exact cobra text via the shared validator, even though it isn't bound by the Go-parity contract — worth a friendlier message there, but that's additive UX work, not a parity fix). Reviewed via a 4-way parallel pass (architect/engineer/security/DX), all approved. Architect's finding (the two generic helpers were hoisted into a functions-specific file despite having zero functions-domain logic, evidenced by the two duplicate implementations above) is what prompted the `shared/cli/` relocation and dedup in this PR.
…t ref (#5802) ## What kind of change does this PR introduce? Bug fix (Go-parity divergence). ## What is the current behavior? On a malformed linked project ref, Go's `services` command validates the ref (`flags.LoadProjectRef`) but only warns to stderr on failure and still proceeds to call the remote tenant lookup with the bad ref (`cmd/services.go`, `internal/services/services.go:61-62`). The TypeScript port silently skipped the remote lookup on a malformed ref with no warning at all, and `services/SIDE_EFFECTS.md` mis-attributed that silent skip to Go. Fixes CLI-1872. ## What is the new behavior? TS now prints the same warning Go would print (`Invalid project ref format. Must be like \`abcdefghijklmnopqrst\`.`, reusing the constant already exported from `legacy-project-ref.service.ts`), matching Go's stderr ordering. Unlike Go, TS deliberately does **not** then proceed with the malformed ref — the ref gets embedded unescaped into the tenant gateway hostname in `fetchLinkedServiceVersions`, so proceeding would let a malformed/tampered ref redirect the service-role key to an attacker-controlled host. This is an intentional, documented TS-only divergence (SSRF hardening), not a parity bug — see the updated `SIDE_EFFECTS.md` and the new "Behavioral divergences" section in `docs/go-cli-porting-status.md`. Reviewed via a 4-way parallel pass (architect/engineer/security/DX); security and engineer approved outright, architect approved after closing a branch-coverage gap on the exact code this PR restructured, and DX surfaced that the identical Go idiom (`flags.LoadProjectRef`'s warn-and-continue) is also unhandled in `projects list` and a few `resolveOptional` callers — filed as CLI-1900 for its own dedicated audit, since each caller needs independent verification against its Go counterpart rather than a blanket fix.
…#5793) ## Current Behavior Go defaults `--use-docker` to `true` on `functions download` (`cmd/functions.go:181`); the TS port omitted the default, so it resolved to `false`. This flipped the default download path (native HTTP vs. Docker-proxied) whenever no flags were passed, and once fixed naively, the mutex check between `--use-api`/`--use-docker`/`--legacy-bundle` (truthiness-based) would start misfiring on the new default-true value, and `--use-api` alone would keep routing to Docker instead of overriding it the way Go's `if useApi { useDocker = false }` does. ## Expected Behavior - `useDocker` now defaults to `true` via `Flag.withDefault(true)`, matching Go. - The mutex check (`validateDownloadFlags`) now scans raw argv for explicit flag presence (`hasExplicitLongFlag`, hoisted out of `deploy.ts` into the shared `functions.shared.ts` family root, since it's now used by two commands) instead of checking parsed boolean truthiness — mirroring Go's `pflag.Changed`-based `MarkFlagsMutuallyExclusive`. - `downloadFunctions` gates the Docker/legacy-bundle proxy branch on `!flags.useApi`, mirroring Go's value-based `if useApi { useDocker = false }` override (`cmd/functions.go:51-53`) — not presence, so `--use-api=false` still proxies to Docker like an unpassed `--use-api` would. - The Go-proxy arg builder (`makeGoProxyDownloadArgs`) now forwards at most one of `--use-docker`/`--legacy-bundle` — previously it could forward both once `useDocker` defaults true, which the Go binary's own mutex check would then reject. - Slug validation now runs unconditionally, before the proxy-dispatch branch, so a malformed/traversal-shaped function name is rejected before ever reaching the Go proxy's argv. - The delegated Go call now runs with `SUPABASE_TELEMETRY_DISABLED=1` (mirrors `db pull`/`db diff`'s delegated-call pattern), and in `--output-format json|stream-json` its stdout is captured/discarded via `execCapture` instead of inherited, with `downloadFunctions` emitting the `Output` envelope itself — the Docker/legacy-bundle proxy branch is now safe as the default path for both telemetry accuracy and machine-output correctness (CLI-1546), not just opt-in flags. - `rawArgs` is threaded through `DownloadFunctionsDependencies` from the `Stdio.Stdio` service in both the legacy and next shell handlers (the shared `downloadFunctions` helper is used by both); `next`'s own `--use-docker` default is intentionally left unchanged — this is a legacy/Go-parity-only fix. ## Known follow-ups (not fixed here) - Go's own server-side unbundle extractor (`saveFile` in `apps/cli-go/internal/functions/download/download.go`) lacks the path-containment checks the native TS downloader already has — pre-existing Go CLI behavior, now reachable by default rather than via opt-in flags. Tracked as CLI-1891. - `hasExplicitLongFlag` detects flag token presence, not resolved value, so `--use-docker=false` isn't treated as disabling Docker in the mutex check. Pre-existing pattern shared with `deploy.ts`. Closes CLI-1862
… (Go parity) (#5809) ## What kind of change does this PR introduce? Bug fix (Go CLI parity). ## What is the current behavior? Go marks `--project-ref` telemetry-safe on all four `functions` leaf commands (`cmd/functions.go:151,153,165,178`) — `list`, `delete`, `deploy`, `download` — so the flag value is recorded verbatim in the `cli_command_executed` PostHog event instead of being redacted. The TS legacy port only did this for `list` and `deploy`. `functions delete` and `functions download` were both redacting `--project-ref`, diverging from Go and from their own sibling commands. ## What is the new behavior? - Added `safeFlags` for `--project-ref` to `functions delete` and `functions download`, matching `list`/`deploy` and Go. - Hoisted the `["project-ref"]` safe-flags list into a shared `FUNCTIONS_PROJECT_REF_SAFE_FLAGS` constant in `shared/functions/functions.shared.ts`, now referenced by all four commands instead of being duplicated inline. - Exported each command's composed handler (`legacyFunctionsDeleteHandler`, `legacyFunctionsDownloadHandler`) so integration tests can drive the exact effect `Command.withHandler` wires up, rather than re-testing the generic instrumentation wrapper in isolation. - Corrected stale/missing rows in `delete`/`download`'s `SIDE_EFFECTS.md` (missing `Files Written`/`Files Read`/`Environment Variables` rows, a stale `SUPABASE_API_URL` claim, and a new `Telemetry Events Fired` section), reconciled against `list`'s already-accurate doc. Fixes CLI-1864
…5796) ## Current Behavior Go's `secrets set` (`internal/secrets/set/set.go:20-24`) swallows a malformed `supabase/config.toml` parse error to the debug logger and proceeds with empty `EdgeRuntime.Secrets` — env-file and positional-arg secrets still apply. `secrets set` has no `--linked`/`--local`/`--db-url` flag, so the root PreRun never loads the config first either; this is the only load. The TS port instead let the parse error propagate as a fatal `LegacySecretsConfigParseError`, aborting the whole command even when the user only wanted to set a secret via CLI arg or env-file. ## Expected Behavior - Catches `ProjectConfigParseError`, logs it to the debug logger, and continues with no config-declared secrets, matching Go. - The logged message is truncated before any blank-line-separated source snippet: `smol-toml`'s `TomlError` (and some schema-decode errors) embed a codeblock of the surrounding file lines in their message, which for this file's `[edge_runtime.secrets]` section can include literal secret values. Go's equivalent log line (`DecodeError.Error()`) is a short, content-free message — its verbose `.String()` with the snippet is never called by `set.go`. Truncating avoids echoing a user's own secret value into `--debug` output next to an unrelated syntax error. - Deletes the now-unused `LegacySecretsConfigParseError` (no remaining references). - Threads `LegacyDebugLogger` into the shared `legacyManagementApiRuntimeLayer` (used by many legacy commands) since the layer was already building the same instance internally for `cliConfig`/`httpClient`/`credentials` but never exposed it at the top level — the file's own doc comment describes this as the sanctioned way to add a new commonly-needed top-level service. Fixes CLI-1867
…oggle consent (#5798) ## What kind of change does this PR introduce? Bug fix (Go parity). ## What is the current behavior? Go's `cli_command_executed` telemetry event is gated on a consent snapshot read once at process start (`PersistentPreRunE`, `apps/cli-go/cmd/root.go:131-138`), before a command's own handler runs, and fired after the handler completes (`:171-181`) based on that snapshot — not on any value the handler itself just wrote. This applies uniformly to every command, including `telemetry enable`/`disable` themselves. The TS legacy port instead unconditionally suppressed this event for both `telemetry enable` and `telemetry disable` via `analytics: false`, so neither command ever fired it, regardless of prior telemetry state. ## What is the new behavior? `analytics: false` is removed from both commands. The existing `legacyAnalyticsLayer`/`telemetryRuntimeLayer` machinery already reads consent from disk once, at Effect layer-construction time — before either handler mutates `telemetry.json` — so this reproduces Go's snapshot semantics without any new bespoke logic: - Running `disable` while telemetry is enabled fires the event one last time (using the pre-toggle, still-enabled snapshot); running it while already disabled stays silent. - Running `enable` while telemetry is already enabled (a redundant/idempotent invocation) fires the event; the common case (enabling from disabled) stays silent. This is intentionally broader than the original report's "disable only" framing — tracing Go's actual gate (`internal/telemetry/service.go`'s `canSend()`) showed it's symmetric and state-based, not command-based, so scoping the fix to `disable` alone would have left a real (if narrow) parity gap for the redundant-`enable` case. Also documents a previously-unmentioned side effect: when the event fires, the command now waits (bounded, ~5s) for a PostHog flush attempt before exiting, since the analytics client's shutdown is a finalizer around the whole command run. Closes CLI-1868
…#5821) Bumps the go-minor group with 1 update in the /apps/cli-go directory: [google.golang.org/grpc](https://github.com/grpc/grpc-go). Bumps the go-minor group with 1 update in the /apps/cli-go/pkg directory: [google.golang.org/grpc](https://github.com/grpc/grpc-go). Updates `google.golang.org/grpc` from 1.81.1 to 1.82.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's releases</a>.</em></p> <blockquote> <h2>Release 1.82.0</h2> <h1>Behavior Changes</h1> <ul> <li>server: Remove support for <code>GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING</code> environment varibale. Strict incoming RPC path validation (which has been the default since <code>v1.79.3</code>) can no longer be disabled. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9112">#9112</a>)</li> <li>transport: Add environment variable to change the default max header list size from <code>16MB</code> to <code>8KB</code>. This may be enabled by setting <code>GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true</code>. This will be enabled by default in a subsequent release. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9019">#9019</a>)</li> <li>balancer: Load Balancing policy registry is now case-sensitive. Set <code>GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false</code> (and file an issue) to revert to case-insensitive behavior. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9017">#9017</a>)</li> </ul> <h1>New Features</h1> <ul> <li>experimental/stats: Expose a new API, <code>NewContextWithLabelCallback</code>, to register a callback that is invoked when telemetry labels are added. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8877">#8877</a>) <ul> <li>Special Thanks: <a href="https://github.com/seth-epps"><code>@seth-epps</code></a></li> </ul> </li> <li>client: Return a portion of the response body in the error message, when the client receives an unexpected non-gRPC HTTP response, to make debugging easier. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>) <ul> <li>Special Thanks: <a href="https://github.com/chengxilo"><code>@chengxilo</code></a></li> </ul> </li> <li>server: Add environment variable <code>GRPC_GO_SERVER_GOROUTINE_LABELS</code> that controls setting <code>runtime/pprof.Labels</code> on goroutines spawned by the server. Set <code>GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true</code> to add the <code>grpc.method</code> label on goroutines spawned to handle incoming requests. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>) <ul> <li>Special Thanks: <a href="https://github.com/dfinkel"><code>@dfinkel</code></a></li> </ul> </li> </ul> <h1>Bug Fixes</h1> <ul> <li>xds/server: Fix a memory leak of HTTP filter instances occurring when route configurations are updated in-place during a Route Discovery Service (RDS) update. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9138">#9138</a>)</li> <li>grpc: In the deprecated <code>gzip</code> Compressor (used via the deprecated <code>WithCompressor</code> dial option), enforce the <code>MaxRecvMsgSize</code> limit on the decompressed message buffer, preventing excessive memory allocation from highly compressed payloads. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9114">#9114</a>) <ul> <li>Special Thanks: <a href="https://github.com/evilgensec"><code>@evilgensec</code></a></li> </ul> </li> <li>stats/opentelemetry: Record retry attempts, <code>grpc.previous-rpc-attempts</code>, at the call level and not the attempt level. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8923">#8923</a>)</li> <li>encoding: Ensure <code>Close()</code> is always called on readers returned from <code>Compressor.Decompress</code> if possible. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9135">#9135</a>)</li> <li>channelz: Fix the <code>LastMessageSentTimestamp</code> and <code>LastMessageReceivedTimestamp</code> fields in <code>SocketMetrics</code> to ensure they contain correct timestamp values. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9109">#9109</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/grpc/grpc-go/commit/bd239854f0ab7f1ee63457d47f7c1d2675e1f736"><code>bd23985</code></a> Change version to 1.82.0 (<a href="https://redirect.github.com/grpc/grpc-go/issues/9170">#9170</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/0f3086db7a755b6af83a90809471dd7f645b345a"><code>0f3086d</code></a> Fix minor issues not covered by PR <a href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a> (<a href="https://redirect.github.com/grpc/grpc-go/issues/9147">#9147</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/fef07fbb2b94b668e8daca1f6b70433dcd36c1c8"><code>fef07fb</code></a> internal: Split v3procservicepb import into pb and grpc for extproc (<a href="https://redirect.github.com/grpc/grpc-go/issues/9163">#9163</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/91dd64f4b83cb5134e279d1126ebb1ccf47d4d31"><code>91dd64f</code></a> transport: surface subsequent data when receiving non-gRPC header (<a href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/adc97de9521a9f377dab5e911039842dc4de23e5"><code>adc97de</code></a> test/kokoro: add config for regional-td test (<a href="https://redirect.github.com/grpc/grpc-go/issues/9158">#9158</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/57c9ff14e05b535ee6995ba49bc882b287a175de"><code>57c9ff1</code></a> xds: ensure full-string matching for RBAC Filter rules (<a href="https://redirect.github.com/grpc/grpc-go/issues/9148">#9148</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/b58f32d9ff07c612d64e677bd826bcbec88af9bd"><code>b58f32d</code></a> server: Set a pprof label on new stream goroutines (<a href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/6c98be31ce0aec1592b783b0edb16916eb5acd89"><code>6c98be3</code></a> refactor(transport): extract shared stream state handling logic in `loopyWrit...</li> <li><a href="https://github.com/grpc/grpc-go/commit/bcaa6f4df4546c86e12ef3e95852c7baf7a08d67"><code>bcaa6f4</code></a> rls: only reset backoff on recovery from TRANSIENT_FAILURE (<a href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/429e6e06363a01f0dd9f9b6b9cf0c0e6617cda12"><code>429e6e0</code></a> balancer: expose endpoint weight and hostname as experimental APIs (<a href="https://redirect.github.com/grpc/grpc-go/issues/9074">#9074</a>)</li> <li>Additional commits viewable in <a href="https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0">compare view</a></li> </ul> </details> <br /> Updates `google.golang.org/grpc` from 1.81.1 to 1.82.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's releases</a>.</em></p> <blockquote> <h2>Release 1.82.0</h2> <h1>Behavior Changes</h1> <ul> <li>server: Remove support for <code>GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING</code> environment varibale. Strict incoming RPC path validation (which has been the default since <code>v1.79.3</code>) can no longer be disabled. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9112">#9112</a>)</li> <li>transport: Add environment variable to change the default max header list size from <code>16MB</code> to <code>8KB</code>. This may be enabled by setting <code>GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true</code>. This will be enabled by default in a subsequent release. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9019">#9019</a>)</li> <li>balancer: Load Balancing policy registry is now case-sensitive. Set <code>GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false</code> (and file an issue) to revert to case-insensitive behavior. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9017">#9017</a>)</li> </ul> <h1>New Features</h1> <ul> <li>experimental/stats: Expose a new API, <code>NewContextWithLabelCallback</code>, to register a callback that is invoked when telemetry labels are added. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8877">#8877</a>) <ul> <li>Special Thanks: <a href="https://github.com/seth-epps"><code>@seth-epps</code></a></li> </ul> </li> <li>client: Return a portion of the response body in the error message, when the client receives an unexpected non-gRPC HTTP response, to make debugging easier. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>) <ul> <li>Special Thanks: <a href="https://github.com/chengxilo"><code>@chengxilo</code></a></li> </ul> </li> <li>server: Add environment variable <code>GRPC_GO_SERVER_GOROUTINE_LABELS</code> that controls setting <code>runtime/pprof.Labels</code> on goroutines spawned by the server. Set <code>GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true</code> to add the <code>grpc.method</code> label on goroutines spawned to handle incoming requests. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>) <ul> <li>Special Thanks: <a href="https://github.com/dfinkel"><code>@dfinkel</code></a></li> </ul> </li> </ul> <h1>Bug Fixes</h1> <ul> <li>xds/server: Fix a memory leak of HTTP filter instances occurring when route configurations are updated in-place during a Route Discovery Service (RDS) update. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9138">#9138</a>)</li> <li>grpc: In the deprecated <code>gzip</code> Compressor (used via the deprecated <code>WithCompressor</code> dial option), enforce the <code>MaxRecvMsgSize</code> limit on the decompressed message buffer, preventing excessive memory allocation from highly compressed payloads. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9114">#9114</a>) <ul> <li>Special Thanks: <a href="https://github.com/evilgensec"><code>@evilgensec</code></a></li> </ul> </li> <li>stats/opentelemetry: Record retry attempts, <code>grpc.previous-rpc-attempts</code>, at the call level and not the attempt level. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8923">#8923</a>)</li> <li>encoding: Ensure <code>Close()</code> is always called on readers returned from <code>Compressor.Decompress</code> if possible. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9135">#9135</a>)</li> <li>channelz: Fix the <code>LastMessageSentTimestamp</code> and <code>LastMessageReceivedTimestamp</code> fields in <code>SocketMetrics</code> to ensure they contain correct timestamp values. (<a href="https://redirect.github.com/grpc/grpc-go/issues/9109">#9109</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/grpc/grpc-go/commit/bd239854f0ab7f1ee63457d47f7c1d2675e1f736"><code>bd23985</code></a> Change version to 1.82.0 (<a href="https://redirect.github.com/grpc/grpc-go/issues/9170">#9170</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/0f3086db7a755b6af83a90809471dd7f645b345a"><code>0f3086d</code></a> Fix minor issues not covered by PR <a href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a> (<a href="https://redirect.github.com/grpc/grpc-go/issues/9147">#9147</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/fef07fbb2b94b668e8daca1f6b70433dcd36c1c8"><code>fef07fb</code></a> internal: Split v3procservicepb import into pb and grpc for extproc (<a href="https://redirect.github.com/grpc/grpc-go/issues/9163">#9163</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/91dd64f4b83cb5134e279d1126ebb1ccf47d4d31"><code>91dd64f</code></a> transport: surface subsequent data when receiving non-gRPC header (<a href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/adc97de9521a9f377dab5e911039842dc4de23e5"><code>adc97de</code></a> test/kokoro: add config for regional-td test (<a href="https://redirect.github.com/grpc/grpc-go/issues/9158">#9158</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/57c9ff14e05b535ee6995ba49bc882b287a175de"><code>57c9ff1</code></a> xds: ensure full-string matching for RBAC Filter rules (<a href="https://redirect.github.com/grpc/grpc-go/issues/9148">#9148</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/b58f32d9ff07c612d64e677bd826bcbec88af9bd"><code>b58f32d</code></a> server: Set a pprof label on new stream goroutines (<a href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/6c98be31ce0aec1592b783b0edb16916eb5acd89"><code>6c98be3</code></a> refactor(transport): extract shared stream state handling logic in `loopyWrit...</li> <li><a href="https://github.com/grpc/grpc-go/commit/bcaa6f4df4546c86e12ef3e95852c7baf7a08d67"><code>bcaa6f4</code></a> rls: only reset backoff on recovery from TRANSIENT_FAILURE (<a href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>)</li> <li><a href="https://github.com/grpc/grpc-go/commit/429e6e06363a01f0dd9f9b6b9cf0c0e6617cda12"><code>429e6e0</code></a> balancer: expose endpoint weight and hostname as experimental APIs (<a href="https://redirect.github.com/grpc/grpc-go/issues/9074">#9074</a>)</li> <li>Additional commits viewable in <a href="https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions-major group with 2 updates: [docker/build-push-action](https://github.com/docker/build-push-action) and [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action). Updates `docker/build-push-action` from 7.2.0 to 7.3.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/build-push-action/releases">docker/build-push-action's releases</a>.</em></p> <blockquote> <h2>v7.3.0</h2> <ul> <li>Preserve names in esbuild bundle by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/build-push-action/pull/1567">docker/build-push-action#1567</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/1545">docker/build-push-action#1545</a> <a href="https://redirect.github.com/docker/build-push-action/pull/1572">docker/build-push-action#1572</a></li> <li>Bump <code>@sigstore/core</code> from 3.1.0 to 3.2.1 in <a href="https://redirect.github.com/docker/build-push-action/pull/1568">docker/build-push-action#1568</a></li> <li>Bump js-yaml from 4.1.1 to 4.3.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/1566">docker/build-push-action#1566</a></li> <li>Bump tmp from 0.2.5 to 0.2.7 in <a href="https://redirect.github.com/docker/build-push-action/pull/1547">docker/build-push-action#1547</a></li> <li>Bump undici from 6.24.1 to 6.27.0 in <a href="https://redirect.github.com/docker/build-push-action/pull/1564">docker/build-push-action#1564</a></li> <li>Bump vite from 7.3.2 to 7.3.6 in <a href="https://redirect.github.com/docker/build-push-action/pull/1563">docker/build-push-action#1563</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/build-push-action/compare/v7.2.0...v7.3.0">https://github.com/docker/build-push-action/compare/v7.2.0...v7.3.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/build-push-action/commit/53b7df96c91f9c12dcc8a07bcb9ccacbed38856a"><code>53b7df9</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1572">#1572</a> from docker/dependabot/npm_and_yarn/docker/actions-t...</li> <li><a href="https://github.com/docker/build-push-action/commit/154298c1ca89be1c0e019084f0611ddca621aafc"><code>154298c</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/cb1238b9c9eb453d106b4e4142a5bd9cde710040"><code>cb1238b</code></a> chore(deps): Bump <code>@docker/actions-toolkit</code> from 0.91.0 to 0.92.0</li> <li><a href="https://github.com/docker/build-push-action/commit/24f845d5cbe75d2d350a984fd0e18cb7a3f29c1c"><code>24f845d</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1566">#1566</a> from docker/dependabot/npm_and_yarn/js-yaml-4.2.0</li> <li><a href="https://github.com/docker/build-push-action/commit/9c6973007b52c322651c38915d5e8824cea95c50"><code>9c69730</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/build-push-action/commit/bc3a3a5f72a6dca16c2c2468d1dfc55ee66d2193"><code>bc3a3a5</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1574">#1574</a> from docker/dependabot/github_actions/aws-actions/co...</li> <li><a href="https://github.com/docker/build-push-action/commit/a82c504a2387bb8bedc50072f9c554ae2a7dab5d"><code>a82c504</code></a> chore(deps): Bump js-yaml from 4.1.1 to 4.3.0</li> <li><a href="https://github.com/docker/build-push-action/commit/0285a75190c039d6dac52b7711abcef3f5d8f6f6"><code>0285a75</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1573">#1573</a> from docker/dependabot/github_actions/actions/cache-...</li> <li><a href="https://github.com/docker/build-push-action/commit/c6ad2a3f9644680619de938b97c8a10a87b2a88d"><code>c6ad2a3</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1575">#1575</a> from docker/dependabot/github_actions/actions/checko...</li> <li><a href="https://github.com/docker/build-push-action/commit/d37484fb9737c5442a257e2f0ae5a8d756ed7d92"><code>d37484f</code></a> Merge pull request <a href="https://redirect.github.com/docker/build-push-action/issues/1564">#1564</a> from docker/dependabot/npm_and_yarn/undici-6.27.0</li> <li>Additional commits viewable in <a href="https://github.com/docker/build-push-action/compare/f9f3042f7e2789586610d6e8b85c8f03e5195baf...53b7df96c91f9c12dcc8a07bcb9ccacbed38856a">compare view</a></li> </ul> </details> <br /> Updates `docker/setup-qemu-action` from 4.1.0 to 4.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/setup-qemu-action/releases">docker/setup-qemu-action's releases</a>.</em></p> <blockquote> <h2>v4.2.0</h2> <ul> <li>Preserve names in esbuild bundle by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/311">docker/setup-qemu-action#311</a></li> <li>Bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/295">docker/setup-qemu-action#295</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.91.0 to 0.92.0 in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/315">docker/setup-qemu-action#315</a></li> <li>Bump <code>@sigstore/core</code> from 3.1.0 to 3.2.1 in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/312">docker/setup-qemu-action#312</a></li> <li>Bump js-yaml from 4.1.1 to 4.2.0 in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/310">docker/setup-qemu-action#310</a></li> <li>Bump tmp from 0.2.6 to 0.2.7 in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/304">docker/setup-qemu-action#304</a></li> <li>Bump undici from 6.26.0 to 6.27.0 in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/308">docker/setup-qemu-action#308</a></li> <li>Bump vite from 7.3.2 to 7.3.6 in <a href="https://redirect.github.com/docker/setup-qemu-action/pull/307">docker/setup-qemu-action#307</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-qemu-action/compare/v4.1.0...v4.2.0">https://github.com/docker/setup-qemu-action/compare/v4.1.0...v4.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/setup-qemu-action/commit/96fe6ef7f33517b61c61be40b68a1882f3264fb8"><code>96fe6ef</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-qemu-action/issues/315">#315</a> from docker/dependabot/npm_and_yarn/docker/actions-to...</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/31f08d3fc9186dbe4b4550696f2e32e9aa7f9465"><code>31f08d3</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/4e7017a474d2cf3912bb0437f7fafec6d5fb6c52"><code>4e7017a</code></a> build(deps): bump <code>@docker/actions-toolkit</code> from 0.91.0 to 0.92.0</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/0eca235293ca1939b58c082f69bdc981ccce8c94"><code>0eca235</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-qemu-action/issues/314">#314</a> from crazy-max/fix-yarn-preapprove-actions-toolkit</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/ea66a4130b037e7961e14a0e5b155836e797cced"><code>ea66a41</code></a> chore: allow actions-toolkit to bypass yarn age gate</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/451542b03ae7946b7082a398b11c8c315a0e4e80"><code>451542b</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-qemu-action/issues/308">#308</a> from docker/dependabot/npm_and_yarn/undici-6.27.0</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/532ae0057542ec2102e2d19e9feccf85f1f69013"><code>532ae00</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/b6f5af659afad3f9931b782668dee4595ae7e841"><code>b6f5af6</code></a> build(deps): bump undici from 6.26.0 to 6.27.0</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/cf96b86294b57480ac6d330bd177fca87eac95bc"><code>cf96b86</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-qemu-action/issues/304">#304</a> from docker/dependabot/npm_and_yarn/tmp-0.2.7</li> <li><a href="https://github.com/docker/setup-qemu-action/commit/f0ba643f78dc96bc931fb83e5dadc39628e10047"><code>f0ba643</code></a> [dependabot skip] chore: update generated content</li> <li>Additional commits viewable in <a href="https://github.com/docker/setup-qemu-action/compare/06116385d9baf250c9f4dcb4858b16962ea869c3...96fe6ef7f33517b61c61be40b68a1882f3264fb8">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 6 updates: | Package | From | To | | --- | --- | --- | | [@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js) | `2.108.2` | `2.110.0` | | [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.196` | `0.3.197` | | [@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript) | `0.107.0` | `0.109.0` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.38.8` | `5.39.1` | | [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260629.1` | `7.0.0-dev.20260630.1` | | [oxlint-tsgolint](https://github.com/oxc-project/tsgolint) | `0.23.0` | `0.24.0` | Updates `@supabase/supabase-js` from 2.108.2 to 2.110.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/supabase/supabase-js/releases">@supabase/supabase-js's releases</a>.</em></p> <blockquote> <h2>v2.110.0</h2> <h2>2.110.0 (2026-06-30)</h2> <h3>🚀 Features</h3> <ul> <li><strong>repo:</strong> drop Node.js 20 support (<a href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> </ul> <h2>v2.110.0-canary.0</h2> <h2>2.110.0-canary.0 (2026-06-30)</h2> <h3>🚀 Features</h3> <ul> <li><strong>repo:</strong> drop Node.js 20 support (<a href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> </ul> <h2>v2.109.0</h2> <h2>2.109.0 (2026-06-30)</h2> <h3>🚀 Features</h3> <ul> <li><strong>auth:</strong> add custom_claims_allowlist to custom providers admin API (<a href="https://redirect.github.com/supabase/supabase-js/pull/2473">#2473</a>)</li> <li><strong>realtime:</strong> add postgres_changes filter builder, new operators and select (<a href="https://redirect.github.com/supabase/supabase-js/pull/2463">#2463</a>)</li> <li><strong>storage:</strong> expose purgeCache for buckets and single objects (<a href="https://redirect.github.com/supabase/supabase-js/pull/2429">#2429</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>functions:</strong> honor a caller's Content-Type override regardless of casing (<a href="https://redirect.github.com/supabase/supabase-js/pull/2455">#2455</a>)</li> <li><strong>realtime:</strong> pin <code>@supabase/phoenix</code> and browser test CDN deps (<a href="https://redirect.github.com/supabase/supabase-js/pull/2457">#2457</a>)</li> <li><strong>realtime:</strong> add replication connection system message option (<a href="https://redirect.github.com/supabase/supabase-js/pull/2470">#2470</a>)</li> <li><strong>storage:</strong> keep sortBy defaults when list() is given a partial sortBy (<a href="https://redirect.github.com/supabase/supabase-js/pull/2454">#2454</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Anubhav Anand <a href="https://github.com/i-anubhav-anand"><code>@i-anubhav-anand</code></a></li> <li>Cemal Kılıç <a href="https://github.com/cemalkilic"><code>@cemalkilic</code></a></li> <li>Claude Opus 4.8 (1M context)</li> <li>Filipe Cabaço <a href="https://github.com/filipecabaco"><code>@filipecabaco</code></a></li> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> <li>Lenny</li> <li>Rodrigo Mansueli <a href="https://github.com/mansueli"><code>@mansueli</code></a></li> </ul> <h2>v2.108.3-canary.2</h2> <h2>2.108.3-canary.2 (2026-06-19)</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md">@supabase/supabase-js's changelog</a>.</em></p> <blockquote> <h2>2.110.0 (2026-06-30)</h2> <h3>🚀 Features</h3> <ul> <li><strong>repo:</strong> drop Node.js 20 support (<a href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> </ul> <h2>2.109.0 (2026-06-30)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>realtime:</strong> pin <code>@supabase/phoenix</code> and browser test CDN deps (<a href="https://redirect.github.com/supabase/supabase-js/pull/2457">#2457</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Katerina Skroumpelou <a href="https://github.com/mandarini"><code>@mandarini</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/supabase/supabase-js/commit/c3d5e6d2949b0248de8ba97991e4484f0b57c83f"><code>c3d5e6d</code></a> feat(repo): drop Node.js 20 support (<a href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2482">#2482</a>)</li> <li><a href="https://github.com/supabase/supabase-js/commit/b2e02b997aaf81b4c09dcc67966629296b96f681"><code>b2e02b9</code></a> chore(release): version 2.109.0 changelogs (<a href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2481">#2481</a>)</li> <li><a href="https://github.com/supabase/supabase-js/commit/dd2d4c270f0d6b84e61f3fa80330c42966783f87"><code>dd2d4c2</code></a> fix(realtime): pin <code>@supabase/phoenix</code> and browser test CDN deps (<a href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2457">#2457</a>)</li> <li><a href="https://github.com/supabase/supabase-js/commit/a25062e9285fa8e3bd702c59ddda0d87ad1fcc27"><code>a25062e</code></a> chore(release): version 2.108.2 changelogs (<a href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2449">#2449</a>)</li> <li><a href="https://github.com/supabase/supabase-js/commit/b3e5f2d7a312eff971dfd9c7226c9c4edbc0de0f"><code>b3e5f2d</code></a> chore(ci): unpin realtime version (<a href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2432">#2432</a>)</li> <li>See full diff in <a href="https://github.com/supabase/supabase-js/commits/v2.110.0/packages/core/supabase-js">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/claude-agent-sdk` from 0.3.196 to 0.3.197 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.197</h2> <h2>What's changed</h2> <ul> <li>Updated to parity with Claude Code v2.1.197</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.197 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.197 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.197 # or bun add @anthropic-ai/claude-agent-sdk@0.3.197 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.197</h2> <ul> <li>Updated to parity with Claude Code v2.1.197</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/ccd90af1279349d9d1cf641eec8a43664c94ebdf"><code>ccd90af</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.196...v0.3.197">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/sdk` from 0.107.0 to 0.109.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@anthropic-ai/sdk's releases</a>.</em></p> <blockquote> <h2>sdk: v0.109.0</h2> <h2>0.109.0 (2026-06-30)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.108.0...sdk-v0.109.0">sdk-v0.108.0...sdk-v0.109.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for Managed Agents event delta streaming, agent overrides, reverse pagination, vault credential injection scoping, and agent and deployment webhook events (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7f3211b4886053d25e98b91edc90fedc199ef186">7f3211b</a>)</li> </ul> <h2>sdk: v0.108.0</h2> <h2>0.108.0 (2026-06-30)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.108.0">sdk-v0.107.0...sdk-v0.108.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for claude-sonnet-5 (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4588db01eccd7529a5d2e99b8e5da3af1acdbbc8">4588db0</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>agent-toolset:</strong> allow absolute paths that resolve inside workdir (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/e951fb2ed70f8d6cd0113ae1642a795404e1cc9a">e951fb2</a>)</li> </ul> <h3>Chores</h3> <ul> <li>format README.md (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/98dcff71b632a92e0e1dff19ca4a95439a5fe447">98dcff7</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/sdk's changelog</a>.</em></p> <blockquote> <h2>0.109.0 (2026-06-30)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.108.0...sdk-v0.109.0">sdk-v0.108.0...sdk-v0.109.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for Managed Agents event delta streaming, agent overrides, reverse pagination, vault credential injection scoping, and agent and deployment webhook events (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7f3211b4886053d25e98b91edc90fedc199ef186">7f3211b</a>)</li> </ul> <h2>0.108.0 (2026-06-30)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.108.0">sdk-v0.107.0...sdk-v0.108.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add support for claude-sonnet-5 (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4588db01eccd7529a5d2e99b8e5da3af1acdbbc8">4588db0</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>agent-toolset:</strong> allow absolute paths that resolve inside workdir (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/e951fb2ed70f8d6cd0113ae1642a795404e1cc9a">e951fb2</a>)</li> </ul> <h3>Chores</h3> <ul> <li>format README.md (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>) (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/98dcff71b632a92e0e1dff19ca4a95439a5fe447">98dcff7</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cb829c764293963665481f0b2a60f2e0923270ac"><code>cb829c7</code></a> chore: release main</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fd0341dfe7a77f28678c9e474485bc7331e426d4"><code>fd0341d</code></a> feat(api): add support for Managed Agents event delta streaming, agent overri...</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/90f767ae9078ac808c758670aac408267fa2c49f"><code>90f767a</code></a> codegen metadata</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/ed986cd68c9ca8674ac2548be479a1d4c6a282b6"><code>ed986cd</code></a> chore: release main</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/d3ffad4927b0da3baffde66b1372f8f0b4a7c434"><code>d3ffad4</code></a> chore: format README.md (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>)</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/6b46ad31ff2682376f6e9f4c732ed35d3c45693b"><code>6b46ad3</code></a> feat(api): add support for claude-sonnet-5</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/8200ffac10fab553883efae64cf24a514add2b04"><code>8200ffa</code></a> feat(vertex): bump google-auth-library to ^10.2.0 (SDK-91) (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/30">#30</a>)</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fa06d36ccb07b32a7098b71d40713add611548cc"><code>fa06d36</code></a> feat(bedrock): pass client logger to AWS credential provider chain (SDK-90) (...</li> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/0fff7faad710ffaf2ceeb7f7f05139bbec72e6cc"><code>0fff7fa</code></a> fix(agent-toolset): allow absolute paths that resolve inside workdir (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>)</li> <li>See full diff in <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.109.0">compare view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.38.8 to 5.39.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/releases">posthog-node's releases</a>.</em></p> <blockquote> <h2>posthog-node@5.39.1</h2> <h2>5.39.1</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/PostHog/posthog-js/pull/4029">#4029</a> <a href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Call <code>before_send</code> for identify, group identify, and alias events. (2026-06-30)</p> </li> <li> <p><a href="https://redirect.github.com/PostHog/posthog-js/pull/4027">#4027</a> <a href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Safely serialize event batches with circular property references instead of crashing during flush. (2026-06-30)</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>]:</p> <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.2</li> </ul> </li> </ul> <h2>posthog-node@5.39.0</h2> <h2>5.39.0</h2> <h3>Minor Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4006">#4006</a> <a href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a> Thanks <a href="https://github.com/apps/github-actions"><code>@github-actions</code></a>! - Add <code>groupIdentifyImmediate()</code> to await the network request when identifying a group, mirroring <code>captureImmediate</code>/<code>identifyImmediate</code>/<code>aliasImmediate</code>. Useful in edge/serverless environments where the background queue may not flush. The Convex integration now uses it directly instead of routing <code>$groupidentify</code> through <code>captureImmediate</code>. (2026-06-30)</li> </ul> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.0</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.39.1</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/PostHog/posthog-js/pull/4029">#4029</a> <a href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Call <code>before_send</code> for identify, group identify, and alias events. (2026-06-30)</p> </li> <li> <p><a href="https://redirect.github.com/PostHog/posthog-js/pull/4027">#4027</a> <a href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Safely serialize event batches with circular property references instead of crashing during flush. (2026-06-30)</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>]:</p> <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.2</li> </ul> </li> </ul> <h2>5.39.0</h2> <h3>Minor Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4006">#4006</a> <a href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a> Thanks <a href="https://github.com/apps/github-actions"><code>@github-actions</code></a>! - Add <code>groupIdentifyImmediate()</code> to await the network request when identifying a group, mirroring <code>captureImmediate</code>/<code>identifyImmediate</code>/<code>aliasImmediate</code>. Useful in edge/serverless environments where the background queue may not flush. The Convex integration now uses it directly instead of routing <code>$groupidentify</code> through <code>captureImmediate</code>. (2026-06-30)</li> </ul> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.0</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/a5181ba36f64cf69108be2f0fbf1e68dbeb4e827"><code>a5181ba</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a> fix(node): run before_send for all captured events (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4029">#4029</a>)</li> <li><a href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a> fix(node): handle circular event properties during flush (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4027">#4027</a>)</li> <li><a href="https://github.com/PostHog/posthog-js/commit/0c95bce7a2b01707691783a41730ec89699cb429"><code>0c95bce</code></a> fix: satisfy SDK compliance harness 0.8.0 (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/3998">#3998</a>)</li> <li><a href="https://github.com/PostHog/posthog-js/commit/254c5b15597ea06c7cd9967708b11b49707267ae"><code>254c5b1</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a> feat: Add groupIdentifyImmediate() method to Node.js SDK (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4006">#4006</a>)</li> <li>See full diff in <a href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.1/packages/node">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260629.1 to 7.0.0-dev.20260630.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Updates `oxlint-tsgolint` from 0.23.0 to 0.24.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/oxc-project/tsgolint/releases">oxlint-tsgolint's releases</a>.</em></p> <blockquote> <h2>v0.24.0</h2> <h2>What's Changed</h2> <ul> <li>ci: run windows e2e pnpm commands outside workspace by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/969">oxc-project/tsgolint#969</a></li> <li>test(no-deprecated): add test for only <code>allow</code> by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/970">oxc-project/tsgolint#970</a></li> <li>fix(no-deprecated): report contextual object literal properties by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/944">oxc-project/tsgolint#944</a></li> <li>Update README with PRs note on new rules by <a href="https://github.com/camchenry"><code>@camchenry</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/972">oxc-project/tsgolint#972</a></li> <li>fix(strict-boolean-expressions): guard invalid predicate indexes by <a href="https://github.com/camchenry"><code>@camchenry</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/971">oxc-project/tsgolint#971</a></li> <li>fix(no-deprecated): fix crash when getting prop name for non-literal by <a href="https://github.com/camchenry"><code>@camchenry</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/973">oxc-project/tsgolint#973</a></li> <li>test(no-deprecated): add non-literal computed key regression by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/974">oxc-project/tsgolint#974</a></li> <li>test(no-floating-promises): sync tests with typescript-eslint by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/975">oxc-project/tsgolint#975</a></li> <li>fix(no-floating-promises): handle spread arguments before rejection handlers by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/976">oxc-project/tsgolint#976</a></li> <li>chore(deps): update crate-ci/typos action to v1.46.2 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/979">oxc-project/tsgolint#979</a></li> <li>refactor: remove unneeded <code>nil</code> checks in <code>strict-boolean-expressions</code> by <a href="https://github.com/camchenry"><code>@camchenry</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/980">oxc-project/tsgolint#980</a></li> <li>perf(no-unsafe-assignment): add fast-path for sender type by <a href="https://github.com/camchenry"><code>@camchenry</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/981">oxc-project/tsgolint#981</a></li> <li>feat: add per-rule debug timings by <a href="https://github.com/camchenry"><code>@camchenry</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/960">oxc-project/tsgolint#960</a></li> <li>chore: update typescript-go submodule by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/982">oxc-project/tsgolint#982</a></li> <li>chore(deps): update dprint plugins by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/984">oxc-project/tsgolint#984</a></li> <li>chore(deps): update github actions by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/985">oxc-project/tsgolint#985</a></li> <li>chore(deps): update gomod by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/986">oxc-project/tsgolint#986</a></li> <li>chore(deps): update crate-ci/typos action to v1.46.3 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/988">oxc-project/tsgolint#988</a></li> <li>test(no-deprecated): cover call and jsx deprecated properties by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/989">oxc-project/tsgolint#989</a></li> <li>chore: update typescript-go submodule by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/991">oxc-project/tsgolint#991</a></li> <li>chore(deps): update github actions by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/993">oxc-project/tsgolint#993</a></li> <li>chore(deps): update crate-ci/typos action to v1.47.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/995">oxc-project/tsgolint#995</a></li> <li>chore(deps): update module github.com/dlclark/regexp2/v2 to v2.1.1 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/994">oxc-project/tsgolint#994</a></li> <li>fix(prefer-optional-chain): suggest unsafe nullish rewrite by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/996">oxc-project/tsgolint#996</a></li> <li>chore(deps): update pnpm to v11.4.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/997">oxc-project/tsgolint#997</a></li> <li>refactor: cache suppress program diagnostics env by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/999">oxc-project/tsgolint#999</a></li> <li>refactor: use <code>sync.OnceValue</code> for logLevel by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1000">oxc-project/tsgolint#1000</a></li> <li>test(no-unnecessary-type-assertion): sync tests with typescript-eslint by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/998">oxc-project/tsgolint#998</a></li> <li>fix(no-unnecessary-type-assertion): enable skipped upstream cases by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1001">oxc-project/tsgolint#1001</a></li> <li>fix(justfile): use --ignore-workspace for e2e pnpm commands by <a href="https://github.com/swandir"><code>@swandir</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/983">oxc-project/tsgolint#983</a></li> <li>test(no-unnecessary-type-arguments): sync tests with typescript-eslint by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1003">oxc-project/tsgolint#1003</a></li> <li>test(no-unnecessary-type-assertion): cover nullable literal assertion by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1002">oxc-project/tsgolint#1002</a></li> <li>fix(no-unnecessary-type-arguments): preserve constructor inference by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1004">oxc-project/tsgolint#1004</a></li> <li>refactor: remove <code>OXLINT_TSGOLINT_TIMINGS</code> env var by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1005">oxc-project/tsgolint#1005</a></li> <li>chore: update typescript-go submodule by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1007">oxc-project/tsgolint#1007</a></li> <li>fix(prefer-optional-chain): optional chain type assertion handling by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1009">oxc-project/tsgolint#1009</a></li> <li>chore(deps): update typos to v1.47.1 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1010">oxc-project/tsgolint#1010</a></li> <li>chore(deps): update typos to v1.47.2 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1012">oxc-project/tsgolint#1012</a></li> <li>chore(deps): update github actions by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1013">oxc-project/tsgolint#1013</a></li> <li>chore(deps): update gomod by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1014">oxc-project/tsgolint#1014</a></li> <li>chore(deps): update github actions to v2.81.5 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1015">oxc-project/tsgolint#1015</a></li> <li>chore: update typescript-go submodule by <a href="https://github.com/camc314"><code>@camc314</code></a> in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1016">oxc-project/tsgolint#1016</a></li> <li>chore(deps): update github actions by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1017">oxc-project/tsgolint#1017</a></li> <li>chore(deps): update gomod to v0.46.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1018">oxc-project/tsgolint#1018</a></li> <li>chore(deps): update gomod to v2.2.2 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1021">oxc-project/tsgolint#1021</a></li> <li>chore(deps): update github actions to v2.82.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1023">oxc-project/tsgolint#1023</a></li> <li>chore(deps): update dprint plugins to v0.22.0 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1022">oxc-project/tsgolint#1022</a></li> <li>chore(deps): update github actions to v7 by <a href="https://github.com/renovate"><code>@renovate</code></a>[bot] in <a href="https://redirect.github.com/oxc-project/tsgolint/pull/1024">oxc-project/tsgolint#1024</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/oxc-project/tsgolint/commit/5a37e8902f65440900be1436b814919fcdb4e3d4"><code>5a37e89</code></a> fix(dot-notation): determine the relevant accessor (<a href="https://redirect.github.com/oxc-project/tsgolint/issues/1028">#1028</a>)</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/67a281f613312a30665e7d39dfb47f5c15b0ca60"><code>67a281f</code></a> perf(consistent-return): defer per-function type resolution (<a href="https://redirect.github.com/oxc-project/tsgolint/issues/1031">#1031</a>)</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/a5e2ff0be1102d9082e13ec35f1f0e4ca7fa65ad"><code>a5e2ff0</code></a> perf(no-unnecessary-qualifier): skip symbol resolution outside namespaces. (#...</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/a8fc6685df0a817e7c5045a4e3e141d342839959"><code>a8fc668</code></a> perf(no-confusing-void-expression): check ancestor position before type query...</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/03158cc4c0a0ef2c8bdccab71e6d2723fcc1c4f2"><code>03158cc</code></a> perf(no-unnecessary-type-conversion): hoist constant builtin-name slices (<a href="https://redirect.github.com/oxc-project/tsgolint/issues/1040">#1040</a>)</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/d9e645c266b6c4b4671b0a3dc5d3935dbda3a5ef"><code>d9e645c</code></a> perf(prefer-optional-chain): lazily allocate chain-processor caches (<a href="https://redirect.github.com/oxc-project/tsgolint/issues/1041">#1041</a>)</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/63f578abe093d7a7e8cb523a1e5e96aacf06b220"><code>63f578a</code></a> refactor(no-unnecessary-condition): remove dead containsUnguardedElementAcces...</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/f174876a906e0350aff2b75d5607775529c9f845"><code>f174876</code></a> chore(deps): update gomod (<a href="https://redirect.github.com/oxc-project/tsgolint/issues/1035">#1035</a>)</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/47de9cfea53da0ae274bc78d47388e3bdd5b7341"><code>47de9cf</code></a> chore(deps): update github actions (<a href="https://redirect.github.com/oxc-project/tsgolint/issues/1036">#1036</a>)</li> <li><a href="https://github.com/oxc-project/tsgolint/commit/e209b5b27f5fd22810735bfbfdb0785cbc5d4215"><code>e209b5b</code></a> chore(deps): update actions/cache action to v6 (<a href="https://redirect.github.com/oxc-project/tsgolint/issues/1037">#1037</a>)</li> <li>Additional commits viewable in <a href="https://github.com/oxc-project/tsgolint/compare/v0.23.0...v0.24.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…cli-go/pkg (#5825) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.50.0 to 0.52.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/crypto/commit/a1c0d9929856c8aba2b31f079340f00578eda803"><code>a1c0d99</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/crypto/commit/3c7c86938f4541c333d506f719388d9c42d4763d"><code>3c7c869</code></a> ssh: fix deadlock on unexpected channel responses</li> <li><a href="https://github.com/golang/crypto/commit/533fb3f7e4a5ae23f69d1837cd851d35ff5b76ce"><code>533fb3f</code></a> ssh: fix source-address critical option bypass</li> <li><a href="https://github.com/golang/crypto/commit/abbc44d451a6f9236a2bbd26cbcd4d0fec473da3"><code>abbc44d</code></a> ssh: fix incorrect operator order</li> <li><a href="https://github.com/golang/crypto/commit/e052873987615dc96fe67607a9a6adb76311344f"><code>e052873</code></a> ssh: fix infinite loop on large channel writes due to integer overflow</li> <li><a href="https://github.com/golang/crypto/commit/b61cf853a89d82cad68da5e12a6beca2116f8456"><code>b61cf85</code></a> ssh: enforce user presence verification for security keys</li> <li><a href="https://github.com/golang/crypto/commit/9c2cd33e8d96a96133fd6ff732510ebba539c2bd"><code>9c2cd33</code></a> ssh: enforce strict limits on DSA key parameters</li> <li><a href="https://github.com/golang/crypto/commit/890731877d85f71cfdc9554e7a27fec4684fc4c4"><code>8907318</code></a> ssh: reject RSA keys with excessively large moduli</li> <li><a href="https://github.com/golang/crypto/commit/ffd87b4878fa98ca2908ec534e1a410bf095a35e"><code>ffd87b4</code></a> ssh: fix panic when authority callbacks are nil</li> <li><a href="https://github.com/golang/crypto/commit/4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946"><code>4e7a738</code></a> ssh: fix deadlock on unexpected global responses</li> <li>Additional commits viewable in <a href="https://github.com/golang/crypto/compare/v0.50.0...v0.52.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/supabase/cli/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## TL;DR adds Colima rootless docker socket fallback to vector start ## Ref - closes #5073
…emplates with 3 updates (#5822) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates: supabase/studio, supabase/realtime and supabase/storage-api. Updates `supabase/studio` from 2026.07.06-sha-66cf431 to 2026.07.07-sha-a6a04f2 Updates `supabase/realtime` from v2.112.6 to v2.112.9 Updates `supabase/storage-api` from v1.62.5 to v1.63.1 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
) ## What kind of change does this PR introduce? Bug fix (Go parity). ## What is the current behavior? Go's `--size` flag on `projects create` (`apps/cli-go/cmd/projects.go:34-55`) is a single shared 18-value `EnumFlag` reused by `branches create` (`apps/cli-go/cmd/branches.go:212`), and does not include `"nano"` (or `"pico"`). The TS legacy port's `INSTANCE_SIZES` (`projects/create/create.command.ts`) and `BRANCH_SIZES` (`branches/create/create.command.ts`) both included `"nano"` as a valid `Flag.choice` value, so `--size nano` silently succeeded in TS while Go rejects it. Verified directly against the real, compiled Go binary (`apps/cli-go`) rather than just reading source — `projects create --size nano` genuinely errors with `invalid argument "nano" for "--size" flag: must be one of [...]`, confirming this is current, shipped Go behavior and not a stale enum. Note: the live Management API contract (`packages/api/src/generated/contracts.ts`) does list `"nano"`/`"pico"` as accepted `desired_instance_size` values, and `next/`'s independently-authored `branches create` already exposes both. Neither the Go CLI nor this legacy port surfaces them as CLI options, though — that's a separate product question (filed as CLI-1897) about whether these tiers should eventually be CLI-selectable, not a reason to keep an option the legacy shell's own Go-parity contract says should be rejected. ## What is the new behavior? `--size nano` is now rejected identically on both `projects create` and `branches create`, matching Go's 18-value enum exactly. Fixes CLI-1869. See also CLI-1897 (product decision on nano/pico) and CLI-1898 (unrelated pre-existing bug in `effect`'s `Flag.choice` error-message formatting, found during this PR's review).
…#5800) ## What kind of change does this PR introduce? Docs update (Go parity disclosure) + telemetry-list correctness fix. ## What is the current behavior? `--high-availability` on `projects create` has no Go CLI equivalent — Go's `cmd/projects.go` never registers such a flag, and its `RunE` closure never sets `HighAvailability` on the create request body even though the underlying Management API field exists. Unlike `--reveal` on `projects api-keys` (which explicitly documents itself as a TS-only addition, in a code comment, `SIDE_EFFECTS.md`, and `docs/go-cli-porting-status.md`'s "Flag divergences" list), `--high-availability` was undisclosed everywhere. It was also listed in `safeFlags: ["org-id", "high-availability"]`, implying Go-parity telemetry-safety that doesn't exist (Go's `markFlagTelemetrySafe` only covers `org-id`). Since it's a boolean flag, this had no actual runtime effect — boolean flag values are always logged verbatim by the instrumentation regardless of `safeFlags` membership — but the array wrongly implied otherwise. The linked ticket (CLI-1870) offered two valid resolutions: remove the flag for strict parity, or disclose it as TS-only. This PR disclosure, since `--high-availability` is a real, working, user-facing capability that Go's CLI simply never got around to exposing (not a Go bug being ported forward) — removing it would regress anyone currently relying on it. ## What is the new behavior? `--high-availability` is now disclosed as TS-only in a code comment, `SIDE_EFFECTS.md`, and `docs/go-cli-porting-status.md`'s "Flag divergences" list, matching the `--reveal` precedent exactly. Removed from `safeFlags` (now just `["org-id"]`) to match Go's actual telemetry-safe set. Fixes CLI-1870.
…chema declarative (#5828) ## What changed `db schema declarative generate`/`sync` ran their mutual-exclusivity flag check (`db-url`/`linked`/`local`, `apply`/`no-apply`) BEFORE the pg-delta/`--experimental` gate (`legacyRequirePgDelta`). Go's cobra runs `PersistentPreRunE` (the gate) before `ValidateFlagGroups` (mutex check) — confirmed against `apps/cli-go/cmd/db_schema_declarative.go` and the actual `cobra@v1.10.2` source — so invoking either command with conflicting flags and no `--experimental` surfaced the wrong error in the TS shell vs Go. Same bug class already fixed for `storage ls/cp/mv/rm` in CLI-1855 (#5768); this mirrors that precedent as closely as the code structure allows. Declarative's gate needs a config read (`legacyReadDbToml`) that storage's didn't, so the check lives inline in each handler's body rather than at the `.command.ts` level — moving the config read ahead of the mutex check as part of the same reorder is also more correct (Go's `PersistentPreRunE` loads config unconditionally before validating flag groups too). Swaps the order in both handlers, fixes misleading ordering comments (and two stale Go line-number citations found nearby), documents the precedence in both commands' `SIDE_EFFECTS.md`, and adds regression coverage for the "mutex conflict without `--experimental`" case in both `generate` and `sync`. Fixes CLI-1876
) ## What changed Invoking a legacy-shell group command that has subcommands but is itself not runnable — e.g. `supabase branches`, `supabase completion` — with no subcommand and no `--help` exited **1** in the TS legacy shell. Go's cobra CLI exits **0** for the identical invocation: a non-`Runnable()` command with no `RunE` internally returns `flag.ErrHelp`, which cobra's `ExecuteC()` maps to "print help, return nil error". Only explicit `--help` got exit 0 before this fix; the bare/missing-subcommand form did not, even though the printed help text was identical in both cases. `CliError.ShowHelp` (in `effect/unstable/cli`) already declares the correct exit code via Effect's own `Runtime.errorExitCode` marker (`0` for a clean `ShowHelp` with no errors, `1` otherwise) — `apps/cli/src/shared/cli/run.ts` now delegates to `Runtime.getErrorExitCode(Cause.squash(cause))` instead of hand-rolling `ShowHelp` classification, which is simpler and tracks the library's own source of truth for any future `CliError` additions. Also added an integration test driving the real `legacyBranchesCommand` through `Command.runWith` (confirming the actual `ShowHelp` cause shape), and an e2e test asserting the real compiled-binary exit code, since this bug is specifically about the real OS process exit code. ## Known related (not fixed here) A typo'd subcommand under a group (e.g. `supabase branches bogus`) still exits 1 where Go cobra exits 0 for a non-root command — this is pre-existing on `develop`, not a regression from this change, and out of scope for this fix. Filed as a follow-up. Fixes CLI-1906
#5765) ## Summary Ports `supabase stop` and `supabase status` from Go-proxy stubs to native TypeScript in the legacy CLI shell (CLI-1324). - Both commands now talk directly to Docker/Podman via subprocess, replicating Go's label-filtering and container-naming scheme byte-for-byte. Legacy `start` is still Go-proxied, so this intentionally does **not** route through `@supabase/stack/effect`'s daemon-based orchestration model — that substrate manages a different set of containers than the ones Go's binary actually creates, and using it would silently no-op against a real running stack. - New shared infrastructure (`legacy-docker-lifecycle`, `legacy-go-jwt`, `legacy-local-config-values`, `legacy-api-url`) is reused by both commands, matching Go's local-dev defaults exactly — including a Go-byte-exact JWT signer, since `@supabase/stack`'s own JWT generator uses a different issuer/claim order than what Go prints for local dev keys. - Adds `*.live.test.ts` as a documented test category (`AGENTS.md`) alongside unit/integration/e2e: black-box subprocess tests run by the `cli-e2e-ci` harness against a real platform. `stop`/`status` don't call the Management API, so their live tests spin up a real local Docker stack instead and verify against it directly (e.g. confirming Docker itself has no containers left after `stop`, not just trusting the CLI's exit code). ## Notable review findings fixed along the way - Table/status output was colorizing based on `stderr`'s TTY status while writing to `stdout` — piping stdout while stderr stayed a TTY (`supabase status | less`) would have corrupted output with ANSI escapes (the same bug class CLI-1546 fixed once before). - `--override-name` was leaking into pretty-mode output; Go's `PrettyPrint` rebuilds a fresh, un-overridden view and ignores it there. - `--backup`/`--no-backup`: Go's `--backup` flag is dead code (declared, never bound to a variable in `cmd/stop.go`) — the port now matches that exactly instead of an intended-but-never-true semantic. - Docker/Podman-both-missing errors now name the actual root cause instead of a generic "failed to ..." string. ## Post-review hardening: scoping and consolidation Two structural fixes on top of the port, addressing drift introduced while iterating on review feedback: - **`next/` no longer inherits Go-parity config semantics.** The four viper-compat behaviors added during review (unconditional `[remotes.*]` project-id checks, the deprecated-provider WARN, the widened `env()` reference pattern, and comma-split coercion into array-typed fields) are now gated behind an opt-in `goViperCompat` flag on `LoadProjectConfigOptions` — default off restores the pre-review behavior for `next/`, `packages/stack`, and other non-parity consumers, following the same opt-in pattern as `tomlOnly`/`skipEnvLocal`. Only legacy-shell callers opt in. Regression tests pin the default-off behavior, including the `next start` config-load path that would otherwise have started hard-failing on a malformed `[remotes.*].project_id`. - **Go's `Config.Validate` now has exactly one TS home.** `legacy/shared/legacy-config-validate.ts` replaces the validation orchestration previously duplicated between `legacy-db-config.toml-read.ts` (db/migration family) and `legacy-local-config-values.ts` (status/stop); both callers build a normalized `LegacyConfigValidationInput` from their own pipelines and call the shared validator, and a cross-caller parity test feeds identical broken configs through both real pipelines asserting identical error strings. Consolidating surfaced and fixed three real divergences between the two copies: `db.major_version = 0` now emits Go's `Missing required field in config: db.major_version` (the db loader previously emitted a non-Go message), and the captcha provider-enum and email `content`-vs-`content_path` checks are now present in both paths. CLOSES CLI-1324
Bumps the npm-major group with 6 updates: | Package | From | To | | --- | --- | --- | | [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.197` | `0.3.198` | | [@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript) | `0.109.0` | `0.109.1` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.39.1` | `5.39.2` | | [next](https://github.com/vercel/next.js) | `16.2.9` | `16.2.10` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `26.0.1` | `26.1.0` | | [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260630.1` | `7.0.0-dev.20260701.1` | Updates `@anthropic-ai/claude-agent-sdk` from 0.3.197 to 0.3.198 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.198</h2> <h2>What's changed</h2> <ul> <li>Added a runtime warning when <code>canUseTool</code> is configured alongside <code>allowedTools</code> or <code>bypassPermissions</code>, which shadow the callback</li> <li>Added per-server <code>request_timeout_ms</code> option to <code>mcp_set_servers</code> control request</li> <li>Fixed <code>SDKUserMessage.isSynthetic</code> not being mapped to <code>isMeta</code> on ingestion, which could cause synthetic messages to be treated as real user messages</li> <li>Fixed workflow progress events silently dropping earliest agents from the list while the phase counter remained correct</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.198 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.198 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.198 # or bun add @anthropic-ai/claude-agent-sdk@0.3.198 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.198</h2> <ul> <li>Added a runtime warning when <code>canUseTool</code> is configured alongside <code>allowedTools</code> or <code>bypassPermissions</code>, which shadow the callback</li> <li>Added per-server <code>request_timeout_ms</code> option to <code>mcp_set_servers</code> control request</li> <li>Fixed <code>SDKUserMessage.isSynthetic</code> not being mapped to <code>isMeta</code> on ingestion, which could cause synthetic messages to be treated as real user messages</li> <li>Fixed workflow progress events silently dropping earliest agents from the list while the phase counter remained correct</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/23c685c51e5bf95ebf0aa3bd0e319a82d0cc39f9"><code>23c685c</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.197...v0.3.198">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/sdk` from 0.109.0 to 0.109.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@anthropic-ai/sdk's releases</a>.</em></p> <blockquote> <h2>sdk: v0.109.1</h2> <h2>0.109.1 (2026-07-01)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">sdk-v0.109.0...sdk-v0.109.1</a></p> <h3>Chores</h3> <ul> <li><strong>api:</strong> remove some nonfunctional types from the SDKs (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc4dd4e257cc3354f14e263b0d2441ddae71759e">cc4dd4e</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/sdk's changelog</a>.</em></p> <blockquote> <h2>0.109.1 (2026-07-01)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">sdk-v0.109.0...sdk-v0.109.1</a></p> <h3>Chores</h3> <ul> <li><strong>api:</strong> remove some nonfunctional types from the SDKs (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc4dd4e257cc3354f14e263b0d2441ddae71759e">cc4dd4e</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/96d1a991b64b1692b70d16435babe9c5d702ad8d"><code>96d1a99</code></a> chore: release main (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/1106">#1106</a>)</li> <li>See full diff in <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">compare view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.39.1 to 5.39.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/releases">posthog-node's releases</a>.</em></p> <blockquote> <h2>posthog-node@5.39.2</h2> <h2>5.39.2</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4028">#4028</a> <a href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Make Node <code>flush()</code> wait for pending asynchronous SDK work before draining the event queue, so events produced by helpers like <code>captureException()</code> are not missed. Pending work rejections no longer prevent queued events from flushing. (2026-07-01)</li> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.3</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.39.2</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4028">#4028</a> <a href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Make Node <code>flush()</code> wait for pending asynchronous SDK work before draining the event queue, so events produced by helpers like <code>captureException()</code> are not missed. Pending work rejections no longer prevent queued events from flushing. (2026-07-01)</li> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.3</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/d1e6df86ddbdbc3a9a542995986080e7e7c2cd4e"><code>d1e6df8</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a> fix: make flush wait for pending async work (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4028">#4028</a>)</li> <li>See full diff in <a href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.2/packages/node">compare view</a></li> </ul> </details> <br /> Updates `next` from 16.2.9 to 16.2.10 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v16.2.10</h2> <p>Contains no changes except publishing <code>@next/swc-wasm-web</code> which was accidentally not published since 16.2.4.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/next.js/commit/9dadfd693c5d26bb3c85d1c17802f49dde244b3e"><code>9dadfd6</code></a> v16.2.10</li> <li><a href="https://github.com/vercel/next.js/commit/534d9c144ca342ff9ee5569241a814539d6eadb9"><code>534d9c1</code></a> [16.2.x] Release pipeline updates (<a href="https://redirect.github.com/vercel/next.js/issues/95160">#95160</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/98941fc427213b0b2770ac40e24a1855ea0ae349"><code>98941fc</code></a> backport: docs fixes 16.2.x (<a href="https://redirect.github.com/vercel/next.js/issues/94935">#94935</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/6e1a94de7c4e68892de4b1e28262be5970358458"><code>6e1a94d</code></a> [16.2.x][ci]: fix release script to not strip newlines (<a href="https://redirect.github.com/vercel/next.js/issues/94640">#94640</a>)</li> <li>See full diff in <a href="https://github.com/vercel/next.js/compare/v16.2.9...v16.2.10">compare view</a></li> </ul> </details> <br /> Updates `@types/node` from 26.0.1 to 26.1.0 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260630.1 to 7.0.0-dev.20260701.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions-major group with 4 updates: [github/codeql-action/init](https://github.com/github/codeql-action), [github/codeql-action/analyze](https://github.com/github/codeql-action), [docker/login-action](https://github.com/docker/login-action) and [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action). Updates `github/codeql-action/init` from 4.36.2 to 4.36.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action/init's releases</a>.</em></p> <blockquote> <h2>v4.36.3</h2> <p>No user facing changes.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/init's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.37.0 - 08 Jul 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>4.36.3 - 01 Jul 2026</h2> <p>No user facing changes.</p> <h2>4.36.2 - 04 Jun 2026</h2> <ul> <li>Cache CodeQL CLI version information across Actions steps. <a href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li> <li>Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. <a href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li> </ul> <h2>4.36.1 - 02 Jun 2026</h2> <p>No user facing changes.</p> <h2>4.36.0 - 22 May 2026</h2> <ul> <li><em>Breaking change</em>: Bump the minimum required CodeQL bundle version to 2.19.4. <a href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li> <li>Add support for SHA-256 Git object IDs. <a href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li> </ul> <h2>4.35.5 - 15 May 2026</h2> <ul> <li>We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li> <li>For performance and accuracy reasons, <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. <a href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li> <li>If multiple inputs are provided for the GitHub-internal <code>analysis-kinds</code> input, only <code>code-scanning</code> will be enabled. The <code>analysis-kinds</code> input is experimental, for GitHub-internal use only, and may change without notice at any time. <a href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li> <li>Added an experimental change which, when running a Code Scanning analysis for a PR with <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. <a href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li> </ul> <h2>4.35.4 - 07 May 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li> </ul> <h2>4.35.3 - 01 May 2026</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a"><code>54f647b</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3984">#3984</a> from github/update-v4.36.3-1f34ec164</li> <li><a href="https://github.com/github/codeql-action/commit/e78819e05527766c3c5919e3177647e280c6cb83"><code>e78819e</code></a> Trigger checks</li> <li><a href="https://github.com/github/codeql-action/commit/2c9d3d63eb4941734e2d29468953529a56f5ff1c"><code>2c9d3d6</code></a> Update changelog for v4.36.3</li> <li><a href="https://github.com/github/codeql-action/commit/1f34ec16430d82636d18716acc7aaa6d843b35a9"><code>1f34ec1</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3983">#3983</a> from github/mbg/repo-props/ff-for-config-file-prop</li> <li><a href="https://github.com/github/codeql-action/commit/d5f0145480025b49d8b08c3f6b36e6ad41a68c90"><code>d5f0145</code></a> Log when repository property has a value but is ignored</li> <li><a href="https://github.com/github/codeql-action/commit/f27f56386a3c745af8d7bbfb806098c714a5e32a"><code>f27f563</code></a> Add test for when the FF is off</li> <li><a href="https://github.com/github/codeql-action/commit/0025d0f2b5676fde748a0be9725dcce18dd9f986"><code>0025d0f</code></a> Use FF</li> <li><a href="https://github.com/github/codeql-action/commit/f7fa18f05d107ff6735857c3510fbff190c9a1eb"><code>f7fa18f</code></a> Add FF for config file repo property</li> <li><a href="https://github.com/github/codeql-action/commit/628fc3f124e68b0151f0d2a5d81e864ee1e42335"><code>628fc3f</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3979">#3979</a> from github/henrymercer/overlay-db-cleanup-size-tele...</li> <li><a href="https://github.com/github/codeql-action/commit/9cfb67bab9b32441237f92d4ba29a7f3ccff259f"><code>9cfb67b</code></a> Add clarifying comments</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...54f647b7e1bb85c95cddabcd46b0c578ec92bc1a">compare view</a></li> </ul> </details> <br /> Updates `github/codeql-action/analyze` from 4.36.2 to 4.36.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action/analyze's releases</a>.</em></p> <blockquote> <h2>v4.36.3</h2> <p>No user facing changes.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/analyze's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.37.0 - 08 Jul 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li> <li>In addition to the existing input format, the <code>config-file</code> input for the <code>codeql-action/init</code> step will soon support a new <code>[owner/]repo[@ref][:path]</code> format. All components except the repository name are optional. If omitted, <code>owner</code> defaults to the same owner as the repository the analysis is running for, <code>ref</code> to <code>main</code>, and <code>path</code> to <code>.github/codeql-action.yaml</code>. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. <a href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li> </ul> <h2>4.36.3 - 01 Jul 2026</h2> <p>No user facing changes.</p> <h2>4.36.2 - 04 Jun 2026</h2> <ul> <li>Cache CodeQL CLI version information across Actions steps. <a href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li> <li>Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. <a href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li> </ul> <h2>4.36.1 - 02 Jun 2026</h2> <p>No user facing changes.</p> <h2>4.36.0 - 22 May 2026</h2> <ul> <li><em>Breaking change</em>: Bump the minimum required CodeQL bundle version to 2.19.4. <a href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li> <li>Add support for SHA-256 Git object IDs. <a href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li> </ul> <h2>4.35.5 - 15 May 2026</h2> <ul> <li>We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li> <li>For performance and accuracy reasons, <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. <a href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li> <li>If multiple inputs are provided for the GitHub-internal <code>analysis-kinds</code> input, only <code>code-scanning</code> will be enabled. The <code>analysis-kinds</code> input is experimental, for GitHub-internal use only, and may change without notice at any time. <a href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li> <li>Added an experimental change which, when running a Code Scanning analysis for a PR with <a href="https://redirect.github.com/github/roadmap/issues/1158">improved incremental analysis</a> enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. <a href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li> </ul> <h2>4.35.4 - 07 May 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li> </ul> <h2>4.35.3 - 01 May 2026</h2> <ul> <li><em>Upcoming breaking change</em>: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li> <li>Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. <a href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li> <li>Best-effort connection tests for private registries now use <code>GET</code> requests instead of <code>HEAD</code> for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. <a href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li> <li>Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. <a href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a"><code>54f647b</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3984">#3984</a> from github/update-v4.36.3-1f34ec164</li> <li><a href="https://github.com/github/codeql-action/commit/e78819e05527766c3c5919e3177647e280c6cb83"><code>e78819e</code></a> Trigger checks</li> <li><a href="https://github.com/github/codeql-action/commit/2c9d3d63eb4941734e2d29468953529a56f5ff1c"><code>2c9d3d6</code></a> Update changelog for v4.36.3</li> <li><a href="https://github.com/github/codeql-action/commit/1f34ec16430d82636d18716acc7aaa6d843b35a9"><code>1f34ec1</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3983">#3983</a> from github/mbg/repo-props/ff-for-config-file-prop</li> <li><a href="https://github.com/github/codeql-action/commit/d5f0145480025b49d8b08c3f6b36e6ad41a68c90"><code>d5f0145</code></a> Log when repository property has a value but is ignored</li> <li><a href="https://github.com/github/codeql-action/commit/f27f56386a3c745af8d7bbfb806098c714a5e32a"><code>f27f563</code></a> Add test for when the FF is off</li> <li><a href="https://github.com/github/codeql-action/commit/0025d0f2b5676fde748a0be9725dcce18dd9f986"><code>0025d0f</code></a> Use FF</li> <li><a href="https://github.com/github/codeql-action/commit/f7fa18f05d107ff6735857c3510fbff190c9a1eb"><code>f7fa18f</code></a> Add FF for config file repo property</li> <li><a href="https://github.com/github/codeql-action/commit/628fc3f124e68b0151f0d2a5d81e864ee1e42335"><code>628fc3f</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3979">#3979</a> from github/henrymercer/overlay-db-cleanup-size-tele...</li> <li><a href="https://github.com/github/codeql-action/commit/9cfb67bab9b32441237f92d4ba29a7f3ccff259f"><code>9cfb67b</code></a> Add clarifying comments</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...54f647b7e1bb85c95cddabcd46b0c578ec92bc1a">compare view</a></li> </ul> </details> <br /> Updates `docker/login-action` from 4.2.0 to 4.3.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/login-action/releases">docker/login-action's releases</a>.</em></p> <blockquote> <h2>v4.3.0</h2> <ul> <li>Preserve names in esbuild bundle by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/1022">docker/login-action#1022</a></li> <li>Bump <code>@aws-sdk/client-ecr</code> and <code>@aws-sdk/client-ecr-public</code> to 3.1076.0 <a href="https://redirect.github.com/docker/login-action/pull/999">docker/login-action#999</a> <a href="https://redirect.github.com/docker/login-action/pull/1030">docker/login-action#1030</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in <a href="https://redirect.github.com/docker/login-action/pull/1004">docker/login-action#1004</a> <a href="https://redirect.github.com/docker/login-action/pull/1027">docker/login-action#1027</a></li> <li>Bump <code>@sigstore/core</code> from 3.1.0 to 3.2.1 in <a href="https://redirect.github.com/docker/login-action/pull/1023">docker/login-action#1023</a></li> <li>Bump <code>@sigstore/verify</code> from 3.1.0 to 3.1.1 in <a href="https://redirect.github.com/docker/login-action/pull/1029">docker/login-action#1029</a></li> <li>Bump http-proxy-agent and https-proxy-agent to 9.1.0 in <a href="https://redirect.github.com/docker/login-action/pull/1017">docker/login-action#1017</a></li> <li>Bump js-yaml from 4.1.1 to 5.2.0 in <a href="https://redirect.github.com/docker/login-action/pull/1028">docker/login-action#1028</a></li> <li>Bump sigstore from 4.1.0 to 4.1.1 in <a href="https://redirect.github.com/docker/login-action/pull/1031">docker/login-action#1031</a></li> <li>Bump tmp from 0.2.5 to 0.2.7 in <a href="https://redirect.github.com/docker/login-action/pull/1002">docker/login-action#1002</a></li> <li>Bump undici from 6.24.1 to 6.27.0 in <a href="https://redirect.github.com/docker/login-action/pull/1020">docker/login-action#1020</a></li> <li>Bump vite from 7.3.3 to 7.3.6 in <a href="https://redirect.github.com/docker/login-action/pull/1019">docker/login-action#1019</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v4.2.0...v4.3.0">https://github.com/docker/login-action/compare/v4.2.0...v4.3.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/login-action/commit/c99871dec2022cc055c062a10cc1a1310835ceb4"><code>c99871d</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1030">#1030</a> from docker/dependabot/npm_and_yarn/aws-sdk-dependen...</li> <li><a href="https://github.com/docker/login-action/commit/b43355553d3ea8fb194053c74a883544c9fc25b1"><code>b433555</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/login-action/commit/678a46a45e920924c7b07d6209b4d02a3031d403"><code>678a46a</code></a> build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...</li> <li><a href="https://github.com/docker/login-action/commit/f9a0aea0f208193fd8b1c2cffdf4be3b345d3e8a"><code>f9a0aea</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1031">#1031</a> from docker/dependabot/npm_and_yarn/sigstore-4.1.1</li> <li><a href="https://github.com/docker/login-action/commit/cc1e4cb459afd4c2ed14dd1998c217908162b52b"><code>cc1e4cb</code></a> build(deps): bump sigstore from 4.1.0 to 4.1.1</li> <li><a href="https://github.com/docker/login-action/commit/02e17303690804fb3ed891da7cd98e78c249fc3e"><code>02e1730</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1029">#1029</a> from docker/dependabot/npm_and_yarn/sigstore/verify-...</li> <li><a href="https://github.com/docker/login-action/commit/b5485183742f9c17a05828cc9a655d45bcf24b31"><code>b548518</code></a> build(deps): bump <code>@sigstore/verify</code> from 3.1.0 to 3.1.1</li> <li><a href="https://github.com/docker/login-action/commit/a244be39449bb9d5bcc834770924d8c3f72806ab"><code>a244be3</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1027">#1027</a> from docker/dependabot/npm_and_yarn/docker/actions-t...</li> <li><a href="https://github.com/docker/login-action/commit/ee0d698156bca198952822c0f8ef652bc58ab218"><code>ee0d698</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/login-action/commit/127dc2c62e49cc3f37601f40b7bbf4fe7051fac4"><code>127dc2c</code></a> build(deps): bump <code>@docker/actions-toolkit</code> from 0.91.0 to 0.92.0</li> <li>Additional commits viewable in <a href="https://github.com/docker/login-action/compare/650006c6eb7dba73a995cc03b0b2d7f5ca915bee...c99871dec2022cc055c062a10cc1a1310835ceb4">compare view</a></li> </ul> </details> <br /> Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's releases</a>.</em></p> <blockquote> <h2>v4.2.0</h2> <ul> <li>Preserve names in esbuild bundle by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/572">docker/setup-buildx-action#572</a></li> <li>Bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/551">docker/setup-buildx-action#551</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/557">docker/setup-buildx-action#557</a> <a href="https://redirect.github.com/docker/setup-buildx-action/pull/580">docker/setup-buildx-action#580</a></li> <li>Bump <code>@sigstore/core</code> from 3.1.0 to 3.2.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/573">docker/setup-buildx-action#573</a></li> <li>Bump <code>@sigstore/verify</code> from 3.1.0 to 3.1.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/576">docker/setup-buildx-action#576</a></li> <li>Bump js-yaml from 4.1.1 to 5.2.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/562">docker/setup-buildx-action#562</a></li> <li>Bump sigstore from 4.1.0 to 4.1.1 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/577">docker/setup-buildx-action#577</a></li> <li>Bump tmp from 0.2.5 to 0.2.7 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/556">docker/setup-buildx-action#556</a></li> <li>Bump undici from 6.25.0 to 6.27.0 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/570">docker/setup-buildx-action#570</a></li> <li>Bump vite from 7.3.2 to 7.3.6 in <a href="https://redirect.github.com/docker/setup-buildx-action/pull/569">docker/setup-buildx-action#569</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/setup-buildx-action/compare/v4.1.0...v4.2.0">https://github.com/docker/setup-buildx-action/compare/v4.1.0...v4.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/setup-buildx-action/commit/bb05f3f5519dd87d3ba754cc423b652a5edd6d2c"><code>bb05f3f</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/580">#580</a> from docker/dependabot/npm_and_yarn/docker/actions-to...</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/321c814cb51fbe4af8eca00249525cc0973ea66f"><code>321c814</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/b9a36ef79ba42cfc611885a1e8c388fbf8b8cb3f"><code>b9a36ef</code></a> build(deps): bump <code>@docker/actions-toolkit</code> from 0.91.0 to 0.92.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/ebeab241289497cd564ac98b3cfc9e64607bb276"><code>ebeab24</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/570">#570</a> from docker/dependabot/npm_and_yarn/undici-6.27.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/5c7b8ae78cec97a3215d4d86679b1d072eaa80cb"><code>5c7b8ae</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/037e618cd98e95e81525b15ff0e9c96f507e6a0e"><code>037e618</code></a> build(deps): bump undici from 6.25.0 to 6.27.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/66080e5802281ec2e72b7f3108915643e702db85"><code>66080e5</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/577">#577</a> from docker/dependabot/npm_and_yarn/sigstore-4.1.1</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/409aef0aa3f48f0a742e7dec4e0e04ab19afe93c"><code>409aef0</code></a> Merge pull request <a href="https://redirect.github.com/docker/setup-buildx-action/issues/562">#562</a> from docker/dependabot/npm_and_yarn/js-yaml-4.2.0</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/49c6e42949280fa0d70fb327633591be54efbfb6"><code>49c6e42</code></a> build(deps): bump sigstore from 4.1.0 to 4.1.1</li> <li><a href="https://github.com/docker/setup-buildx-action/commit/2211273e8121ecf9ecb7d6c7c0fcd55526d530c7"><code>2211273</code></a> [dependabot skip] chore: update generated content</li> <li>Additional commits viewable in <a href="https://github.com/docker/setup-buildx-action/compare/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5...bb05f3f5519dd87d3ba754cc423b652a5edd6d2c">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Julien Goux <hi@jgoux.dev>
…ps/cli-go/pkg/config/templates in the docker-minor group (#5834) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1 update: supabase/storage-api. Updates `supabase/storage-api` from v1.63.1 to v1.64.1 [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…/primitive errors (#5831) ## What changed Any `Flag.choice(...)`/`Flag.choiceWithValue(...)`-backed flag (`--size` on `projects create`/`branches create`, `--dns-resolver`, `--output-format`, `--output`/`-o`, `--agent`) showed a doubled "Expected: Expected ..." prefix when given an invalid value, e.g.: ``` Invalid value for flag --size: "nano". Expected: Expected "micro" | "small" | ... , got "nano" ``` Root cause: several `Primitive`s under `effect@4.0.0-beta.93`'s `effect/unstable/cli` (`choice` — used by `Flag.choice`/`Flag.choiceWithValue` — plus the schema-backed `integer`, `float`, `boolean`, and `date`) fail with a raw message that already starts with the word "Expected" (e.g. `` `Expected ${validChoices}, got ${value}` `` for `choice`, or `Expected a valid date, got Invalid Date` for `date`), and `CliError.InvalidValue`'s own `message` getter (`CliError.ts:359-364`) independently prepends its own `"Expected: "` label on top of that — producing the doubling for any flag or argument backed by one of these primitives. This is a bug in the vendored `effect` beta package itself, not in this repo's code. Workaround (until upstream `effect` is fixed) added to the shared CLI error-formatting layer (`subcommand-flag-suggestions.ts`), which already carries similar per-tag rewrites for `UnrecognizedOption`/`UnknownSubcommand`: collapse the literal `"Expected: Expected "` substring down to a single `"Expected "` whenever it appears in an `InvalidValue` error's rendered message. Collapsing the exact doubled substring (rather than rebuilding the surrounding "Invalid value for ..." template ourselves) keeps the fix tied to the precise defect, covers every affected primitive uniformly, and lets every other part of the message keep tracking upstream's own wording if it changes. Verified against `go-parity-auditor`: Go's real CLI shows a completely different message for the same scenario (`Error: invalid argument "bogus" for "--size" flag: must be one of [ large | medium | ... ]`, from `apps/cli-go/internal/utils/enum.go` wrapped by cobra/pflag). Full byte-parity with Go's wording is out of scope here — this ticket is specifically about the doubled-prefix defect in the TS/Effect-native message, not a "TS wording differs from Go" report; rewriting every `Flag.choice` flag's phrasing to match Go's template would be a separate, larger change. ## Known related (not fixed here) The underlying `Primitive.choice` failure text also appends a redundant `, got "X"` suffix, so the invalid value still appears twice in the final message (once right after the flag name, once after "got"). That's a pre-existing wart in the same vendored `effect` failure string, not something this fix introduces, and collapsing it would mean post-processing `effect`'s `expected` string further — bigger than this "doubled prefix" ticket calls for. Left as-is. Fixes CLI-1898
…5830) ## What changed Go's `changedFlags(cmd)` (`apps/cli-go/cmd/root_analytics.go:52-76`) walks `cmd.Parent()` at every ancestor collecting `PersistentFlags()` (global/root flags: `--debug`, `--yes`, `--experimental`, `--create-ticket`, `--output`, `--dns-resolver`, `--agent`, `--profile`, `--workdir`, `--network-id`) in addition to a command's own flags, then reports booleans and enum-typed flags verbatim in `cli_command_executed` telemetry. The TS port's `withLegacyCommandInstrumentation` had no way to resolve *any* global/persistent flag's value — only the invoking command's own locally-declared `flags` option was ever consulted. So a changed global flag always fell back to the literal string `"<redacted>"`, even a boolean like `--debug`, diverging from Go's `flags: {debug: true}`. This adds `legacyGlobalFlagValues` (`shared/legacy/global-flags.ts`) to resolve every global flag's live value via `Effect.serviceOption` (a no-op outside the real CLI tree, so it adds no `R` requirement and no per-command wiring), and threads it into `buildFlagsMap` as a fallback used only when a changed CLI flag name isn't already declared in the invoking command's own `flags` record — mirroring Go's ancestor-walk precedence (a command's own flag always wins on a name collision, e.g. `db diff`'s local `--output` file-path flag shadowing the global `--output` enum, exactly as it does in Go's cobra tree). `safeFlags`/`config`-based safety classification is now restricted to values that actually came from the handler's own `flags` record, so a future per-command safe/choice annotation can never be misapplied to an unrelated global flag's value purely by CLI-name collision (raised in review). Scope is deliberately narrow: this fixes the 4 boolean globals (`--debug`, `--yes`, `--experimental`, `--create-ticket`) immediately. The 3 global choice flags (`--output`, `--dns-resolver`, `--agent`) remain redacted — that gap is the already-tracked CLI-1904, not this ticket. Fixes CLI-1896. ## Why Found during CLI-1868's review (architect-reviewer finding) as a systemic gap affecting all ~73 `withLegacyCommandInstrumentation({ flags })` call sites — it was previously unreachable for `telemetry enable`/`disable` specifically (hardcoded to `analytics: false`), but CLI-1868 made it reachable there, surfacing the gap. ## Reviewer-relevant context - One judgement call deliberately left open: global choice flags (`--output`/`--dns-resolver`/`--agent`) still redact. This is intentional — CLI-1904 already tracks teaching the safety pipeline about global `EnumFlag`s, and folding it into this change would blur two independent tickets. - Heads-up for whoever owns the CLI PostHog dashboards: `flags.debug` (and `yes`/`experimental`/`create-ticket`) will now emit real booleans going forward instead of the literal string `"<redacted>"` for these four flags specifically. Any saved insight/funnel doing exact-string matching on `"<redacted>"` for these keys will stop matching after this ships.
#5832) ## What kind of change does this PR introduce? Bug fix (Go-parity divergence). ## What is the current behavior? `sso update`'s `--domains`/`--add-domains`/`--remove-domains` mutex checks emitted custom, hand-written messages (`"only one of --domains or --add-domains may be set"`) instead of cobra's real `validateExclusiveFlagGroups` template (`flag_groups.go:204`), and gated "is this flag set" on the *parsed value's* `.length > 0` rather than cobra's actual `pflag.Changed` semantics — so `--domains=` (explicit but empty) was silently treated as unset, the same "changed vs truthy" class of bug CLI-1860 fixed for `functions download`'s `--use-docker`. Fixes [CLI-1902](https://linear.app/supabase/issue/CLI-1902/sso-update-use-cobras-mutual-exclusivity-error-template-for-domains). ## What is the new behavior? Reuses the `hasExplicitLongFlag`/`cobraMutuallyExclusiveErrorMessage` helpers already hoisted to `shared/cli/cobra-flag-groups.ts` (#5804) so `sso update` emits cobra's byte-exact error text for `--domains`/`--add-domains`/`--remove-domains`, keyed off raw argv rather than the parsed flag value. While reviewing, three independent reviewer passes (architect/engineer/DX) converged on two more in-scope gaps in the same handler that were cheap to close alongside the ticket's stated fix: - `--metadata-file`/`--metadata-url` had the identical divergence (Go also registers this pair with `MarkFlagsMutuallyExclusive`, `cmd/sso.go:178`) — folded into the same cobra-parity check rather than leaving one mutex group byte-exact and the other hand-written in the same command. - The mutex checks ran *after* the provider-ID UUID validation, but cobra runs `ValidateFlagGroups` before `RunE` (`command.go:1010,1014`) while Go's UUID check lives inside `RunE` (`cmd/sso.go:90-91`) — so a flag-group violation must win over an invalid provider ID when both apply. Reordered to match. Added regression tests for the exact cobra error text (both `--domains` groups and the metadata group), the changed-vs-truthy gap, the two-groups-not-a-3-way-group behavior, the group-check ordering when all three domain flags collide, and the mutex-before-UUID precedence — plus a flag-parser unit test proving `--domains=` really resolves to `[]`. `update.handler.ts`'s pre-existing branch-coverage gaps (GET/PUT network-failure paths, `--skip-url-validation`, no-access-token, malformed GET body) are unrelated to this change and were left alone; independently verified via `git stash` that none of them were introduced by this diff.
…und (#5837) ## What changed Files [Effect-TS/effect#6312](Effect-TS/effect#6312) for the doubled `"Expected: Expected ..."` prefix bug in `effect@4.0.0-beta.93`'s CLI primitive parsers (`Primitive.choice`/schema-backed `integer`/`float`/`boolean`/`date`), per [review feedback on #5831](#5831 (review)), and adds a `TODO` in `invalid-value-message.ts` linking to it, so the workaround is easy to find and remove once upstream fixes the underlying bug.
…reate (#5840) ## What changed `supabase db reset --local` now runs full Go-parity config validation (`legacyCheckDbToml`, matching Go's `flags.LoadConfig`) at the top of its local branch, before `AssertSupabaseDbIsRunning`/the destructive container recreate — the same pre-destructive-work gate `db start` and `db push` already have. A broken `supabase/config.toml` (unterminated TOML, an undecryptable `encrypted:` vault secret, an unparseable `env(VAR)` boolean, an explicit empty `project_id`) now aborts before the local database is ever recreated, instead of only surfacing later (or never) during bucket seeding. A genuinely **missing** `config.toml` is still tolerated, unchanged: Go's `Config.Load` defaults `project_id` to the current directory's basename when no config file exists, so `Validate` never rejects it — this is exactly the mechanism the `cli-e2e` parity suite relies on when it runs `db push --local` / `db reset --local` from a project with no `config.toml`. Only a config file that is *present but broken* is now caught earlier. `db reset --local`'s post-recreate bucket-seeding step catches a `LegacySeedConfigLoadError` from its own config reload and warns-and-continues rather than failing the command. An earlier version of this PR removed that fallback (reasoning: Go loads `config.toml` exactly once into memory, so it can never reach "recreate succeeded, then a later reload of the same file fails"). A Codex review on this PR caught that this doesn't transfer to the TS port: the new pre-recreate gate resolves `env(VAR)` via the Go-parity nested-env reader (sees `supabase/.env.development`, the project root, etc.), but the post-recreate reload goes through `@supabase/config`'s narrower loader (`supabase/.env`/`.env.local` only) — so a genuinely Go-valid config can pass the gate and the real recreate, then hard-fail only at the later, narrower reload, after the local database has already been dropped and rebuilt. The fallback is restored, with a comment naming the actual env-file-set gap instead of generic "loader strictness." ## Why Linear [CLI-1877](https://linear.app/supabase/issue/CLI-1877/reject-directlocal-db-push-db-reset-without-project-config-go): a Codex P1 finding on #5715 flagged that the native `db reset`/`db push`/`db start` port tolerates a missing project config more broadly than Go, and that `db reset --local`'s config validation happened too late relative to the destructive recreate. Investigation (via `go-parity-auditor`, cross-checked against the compiled Go binary) found the issue's literal premise — "reject direct/local db push + db reset without project config" — does **not** match current Go behavior: Go tolerates a missing config file by defaulting `project_id` to the cwd basename, and the TS port already matches that. Implementing a hard reject-on-missing-config would have been a *new* divergence from Go and would have broken the currently-green `cli-e2e` parity tests (exactly the regression risk the issue's own "deferred from #5715" note called out). `db start`'s and `db push`'s validation-ordering guarantees were also found to already be correct and already covered by existing tests. The one real, narrow gap was `db reset --local`'s ordering guarantee being implicit — buried inside a config resolver whose test double bypasses it entirely — rather than explicit and independently testable. This PR closes that gap. ## Test plan - Added regression tests in `reset.integration.test.ts` for a local reset: malformed config.toml, an unparseable boolean, an undecryptable vault secret, and an explicit empty `project_id`, all asserting the destructive recreate never runs; a test pinning that a broken config wins over the "not running" error; and a test confirming a genuinely missing config.toml is still tolerated. - `pnpm check:all` and the full `apps/cli` unit + integration suite (4758 tests) pass. - Ran the 4-agent `review-changes` procedure (architect/engineer/security/DX) against the diff and worked every finding; see "Judgement calls" below for what a `review-adjudicator` settled and what remains a documented, deliberate trade-off. ## Judgement calls / open notes - The `review-changes` engineer pass flagged that rewriting a pre-existing test orphaned the bucket-seed warn-and-skip branch, regressing coverage. A `review-adjudicator` pass at the time concluded there was no Go-parity reason to keep that fallback and recommended deleting it (done in the second commit) — a subsequent Codex review on the open PR found a concrete Go-valid config shape (an `env(VAR)` value sourced from `supabase/.env.development`) that the deletion broke, so the fallback was restored with an accurate comment (see "What changed" above). - The new pre-recreate gate is currently unreachable in production (the resolver's own internal read already validates first and would already reject a broken config identically) — it exists for defense-in-depth and so the "validate before destroy" guarantee is enforced directly by the handler and stays covered by a test even if the resolver is ever mocked or refactored to stop validating. Both the architect and DX review passes flagged this as worth calling out explicitly rather than as a blocking issue. - Not addressed here (flagged by review but out of scope): `LegacyDbConfigResolver.resolve` could return the validated config it already reads, so callers stop re-parsing `config.toml` up to 2-3 times on the local reset path. This is a pre-existing, codebase-wide pattern (`db push` does the same double-read), not something introduced by this PR, and is better done as its own resolver-contract refactor. Fixes CLI-1877.
…5841) ## What kind of change does this PR introduce? Bug fix — legacy-shell child exit-code and delegated-path semantics. ## What is the current behavior? Fixes [CLI-1879](https://linear.app/supabase/issue/CLI-1879/legacy-shell-child-exit-code-delegated-path-semantics-finalizers-json). Three related gaps around Go-delegated subprocess paths in the legacy shell: 1. `LegacyGoProxy.exec`/`execCapture` (`shared/legacy/go-proxy.layer.ts`) called `ProcessControl.exit()` directly on a non-zero child exit or "binary not found". That's a real `process.exit()` — it skips every `Effect.ensuring` finalizer between the call site and `runCli` (telemetry flush, command instrumentation), and loses the child's exact exit code (collapsing everything to whatever `process.exit()` was called with, with no chance for `runCli`'s own exit-code logic to run). 2. Because `execCapture`'s non-zero-exit branch hard-exited the process, it never reached `withJsonErrorHandling`, so a `--output-format json`/`stream-json` `db reset --experimental` failure emitted no structured error envelope at all — the process just died mid-flight. 3. `db reset --experimental --linked` (no resolved version) unconditionally resolved the linked DB connection — including minting/verifying a temporary Postgres login role over the Management API — before checking whether the remaining flow delegates to the Go child. On that branch the resolved connection was never used: the delegated Go child re-runs its own `ParseDatabaseConfig` (and mints its own temp role) once it starts, so the TS-side mint was pure duplicate privileged work. (A fourth item from the same issue — forwarding `--linked=false`'s target selector verbatim to the delegated child — was already correctly implemented and already covered by a passing test; no code change was needed there.) ## What is the new behavior? - New `LegacyGoChildExitError` (`shared/legacy/legacy-go-child-exit.error.ts`) carries a spawned child's exact exit code via Effect's `Runtime.errorExitCode` marker. `LegacyGoProxy.exec`/`execCapture` and the hidden `db __db-bootstrap` seam now fail with this typed error instead of calling `ProcessControl.exit()`, so the failure flows through the normal Effect channel: finalizers run first, then `runCli`/`withJsonErrorHandling` exit with the child's real code — in every output format, including a Ctrl-C mid-recreate (e.g. exit `130`) instead of a generic `1`. - `runCli`'s `handledProgram` special-cases `LegacyGoChildExitError` (by concrete type) to skip its own generic `output.fail` stderr line, since the child already printed its own detailed failure to the inherited stderr and Go itself never prints a second line on top of that. This is deliberately **not** keyed on Effect's shared `Runtime.errorReported` marker — `CliError.ShowHelp` also sets that marker, and gating on it would have silently suppressed the Go-parity `Error: required flag(s) "..." not set` message for every missing-required-flag error. (Caught by architect review before merge; regression test added.) - `withJsonErrorHandling` now reads `Runtime.getErrorExitCode` instead of hardcoding `1` when setting the process exit code, so the exact code propagates under `json`/`stream-json` too, not just text mode. - `db reset --experimental --linked` now checks whether it's about to delegate to the Go child *before* calling `LegacyDbConfigResolver.resolve()`, skipping the redundant temp-role mint on that path. The linked-project-cache finalizer is unaffected (it already reads a separately pre-loaded ref, exactly so this case still works). - Updated `SIDE_EFFECTS.md`'s exit-code tables for `db reset`/`db start` to reflect the child's exact code, and touched-up a couple of stale doc comments describing the old `process.exit()`-based behavior. ### Deliberately left open (judgement calls, not blockers) - The JSON error envelope for a delegated linked+experimental connection/mint failure is now a generic `"supabase-go exited with code N (see stderr for details)"` rather than the specific TS error the old (duplicate-minting) code path used to surface. This is an accepted tradeoff: the real detail is on the inherited stderr, and Go itself has no JSON error-envelope concept to hold this to a parity standard against. - The bootstrap seam's JSON error `code` field changes from `LegacyDbBootstrapError` to `LegacyGoChildExitError` for a non-zero child exit specifically. Nothing in this codebase treats that field as a stable public contract (most `Legacy*Error` tags already leak their raw class name into it), so this wasn't treated as a compatibility break. - The sibling `db __shadow` seam (`legacy-pgdelta.seam.layer.ts`) intentionally keeps its own generic domain error rather than adopting `LegacyGoChildExitError` — its failure is a TS-authored summary over noisy docker/pgdelta stderr (not a passthrough of a real user-facing Go child), and Go itself collapses shadow-DB failures to a generic exit `1`. Left a comment in place explaining the divergence so a future reader doesn't "fix" it into inconsistency. ## Test plan New/updated coverage in `go-proxy.layer.unit.test.ts`, `run.unit.test.ts`, `json-error-handling.unit.test.ts`, `reset.integration.test.ts`, and `start.integration.test.ts` — exact exit-code propagation, finalizers running after a non-zero exit, the JSON error envelope, the skipped pre-delegation resolve (and that the sibling `--db-url` delegate path still resolves), and a regression guard for the `ShowHelp`/`MissingOption` suppression bug caught during review.
…abled remote precedence (CLI-1878) (#5839) ## What Closes the remaining gaps in [CLI-1878](https://linear.app/supabase/issue/CLI-1878/legacy-shell-full-viper-env-override-semantics-project-env-remote): full viper env-override semantics (project `.env`, remote precedence, malformed bools) in the TS legacy shell. A `go-parity-auditor` pass determined most of the issue's original claims had already been fixed by an earlier PR (#5715) — project-`.env`-aware `SUPABASE_YES`/`SUPABASE_EXPERIMENTAL` resolvers, remote-config precedence, malformed-bool-fails-the-load, explicit-flag-beats-env, and case-agnostic `env(...)` resolution all already exist for `db push`/`db reset`/`db pull`/`config push`/`migration down`/`repair`/declarative-schema. This PR closes the **5 concrete gaps** that pass left open: 1. **`gen signing-key`** — the overwrite-confirmation prompt only consulted the shell env for `SUPABASE_YES`. Go's `flags.LoadConfig` loads the project `.env` before the prompt (`signingkeys.go:99,130`). 2. **`storage rm`** — same gap for the delete-confirmation prompt (both the `--local` and default `--linked` branches of Go's `ParseDatabaseConfig` load the project `.env` first). 3. **`migration fetch`** — same gap for the migrations-dir overwrite prompt (defaults to `--linked`, same `ParseDatabaseConfig` path). 4. **standalone `seed buckets`** — its fallback `yes` resolution (used when `db reset` doesn't pass a pre-resolved value) had the same gap. `db reset`'s own passthrough was already correct. 5. **`[remotes.*].auth.enabled` remote precedence** — this key was missing from `LEGACY_ENV_OVERRIDABLE_KEYS`, so a linked remote's `auth.enabled` TOML value could lose to a `SUPABASE_AUTH_ENABLED` env var instead of winning, unlike every other allowlisted key (Go's `mergeRemoteConfig` applies the whole matched block above `AutomaticEnv`). Each of the 4 handler fixes follows the existing `legacyLoadProjectEnv` + `legacyResolveYesWithProjectEnv` pattern already used by `db push`/`config push`/`migration down`/`repair`. ### Fixed along the way - `migration fetch`'s new project-`.env` load initially ran *before* the `[db-url linked local]` flag-conflict check — an ordering regression relative to Go and sibling `migration down`/`repair` (caught by `architect-reviewer`). Reordered so the flag check runs first; added a regression test that fails without the fix. ## Behavior changes to be aware of - `gen signing-key`, `storage rm`, `migration fetch`, and `seed buckets` now honor `SUPABASE_YES` set only in `supabase/.env`/`.env.local`/`.env.<env>[.local]` (previously they only saw the shell env). This is a pure Go-parity fix, but on an earlier build of this TS legacy shell it was inert — a stale `SUPABASE_YES=true` left in a project's `.env` will now silently auto-confirm these destructive prompts. - A linked project's `[remotes.<name>].auth.enabled` TOML value now correctly beats a `SUPABASE_AUTH_ENABLED` env var (previously the reverse). If anything relied on the env var overriding a remote block's explicit `auth.enabled`, that no longer happens. ## Test plan - `bun run test:core` — all unit + integration tests green (300 tests across the touched files, full suite unaffected). - `bun run check:all` — types/lint/fmt/knip clean. - New regression tests (integration, per this workspace's testing pyramid): - `signing-key.integration.test.ts` — project-`.env` `SUPABASE_YES` auto-confirms the overwrite even with a piped `n` (defensively clears any leaked shell `SUPABASE_YES` first). - `rm.integration.test.ts` — same, for the delete confirmation. - `buckets.integration.test.ts` — same, for the standalone `seed buckets` overwrite prompt. - `fetch.integration.test.ts` — same, for the migrations-dir overwrite prompt; plus a new test locking in the flag-conflict-before-env-read ordering fix (verified it fails without the reorder). - `legacy-db-config.toml-read.unit.test.ts` — 2 new unit tests for `auth.enabled`: a matched remote block beats the env var, and a control case where the env var still wins when the block omits the key. - Relocated one pre-existing test's fixture (`fetch.integration.test.ts`, "reports a write failure"): the file-collision now lives at `<workdir>/supabase/migrations` instead of `<workdir>/supabase` itself, since the latter would break the new project-`.env` read before ever reaching the `mkdir` under test. Verified this preserves the original test's coverage. ## Judgement calls deliberately left open - **`[y/N] y` echo doesn't say *why* it auto-confirmed.** `supabase-dx-reviewer` flagged that the prompt echo is byte-identical whether the answer came from `--yes`, the shell env, or a forgotten project `.env` value — but explicitly recommended *not* annotating it, since that would diverge from Go's byte-identical `console.PromptYesNo` output (this is a strict 1:1 port). Not changed here; a source annotation would need to land in the Go CLI first if ever desired. - **DB-bootstrap seam explicit `--experimental=false` forwarding.** `go-parity-auditor` flagged (but could not fully confirm, since it didn't trace the hidden `db __db-bootstrap` subprocess) that `legacy-db-bootstrap.seam.layer.ts` forwards `--experimental` to the Go child only when true, never an explicit false — for `db reset --experimental=false` with `SUPABASE_EXPERIMENTAL=true` inherited by the child, the child might re-resolve `true` independently. Flagged as a caveat, not a confirmed gap; out of scope here. - **`storage.enabled`/`realtime.enabled` don't read any `SUPABASE_*` env override at all** in `legacy-db-config.toml-read.ts`, unlike `auth.enabled`. This is a latent divergence noted by `go-parity-auditor` but is outside CLI-1878's 5 named items; left as a separate follow-up. 🤖 Generated with the `issue-autopilot` skill.
Implement an automated contribution gate that enforces the Supabase CLI contribution workflow for external pull requests. The gate requires PRs from external contributors to link to an open GitHub issue carrying the `open-for-contribution` label, while exempting maintainers and bots. ## Changes - **Contribution gate script** (`contribution-gate.ts`): Pure decision logic and GitHub I/O for evaluating PRs against the gate policy. Supports two modes: - Single-PR mode: reacts to individual PRs on `pull_request_target` events - All-PRs sweep mode: evaluates every open PR on-demand via `workflow_dispatch` - **Gate tests** (`contribution-gate.test.ts`): Comprehensive unit tests for the decision logic and orchestration, with injected I/O for network-free testing - **Workflow** (`contribution-gate.yml`): GitHub Actions workflow that runs the gate reactively on PR open/reopen/edit and supports manual sweeps with dry-run capability - **Documentation**: - `MAINTAINERS.md`: Internal guide for maintainers on applying the `open-for-contribution` label and running manual sweeps - Updated `CONTRIBUTING.md`: Contributor-facing workflow requiring issues to be opened first and labeled before PR submission - Updated issue templates and PR template: Guidance on the new workflow - Updated issue config: Link to contribution workflow ## Implementation details - Non-conforming PRs are auto-closed with explanatory comments directing contributors to the workflow - Cross-repository closing keywords are rejected as a security measure (contributors cannot control external repos) - Repository name matching is case-insensitive - Internal authors (OWNER, MEMBER, COLLABORATOR) and bots are exempt from the gate - The workflow checks out the base branch, ensuring only trusted code executes https://claude.ai/code/session_01YY1sNQLXPxaeN6JX1NFSWj --------- Co-authored-by: Claude <noreply@anthropic.com>
…ing (#5842) ## What kind of change does this PR introduce? Bug fix (Go-parity gap). ## What is the current behavior? `config push`'s secret-hashing logic (`config-sync/config-sync.secret.ts`) treats dotenvx `encrypted:` secret values (e.g. `[auth.captcha] secret = "encrypted:..."`) as unresolved: it hashes them to `""`, which silently gates them out of both the diff and the update-request body. The remote secret is left untouched with no error and no feedback — the user has no idea their encrypted secret was never pushed. Go decrypts every `config.Secret` field during `config.Load` (before any network call) and pushes the plaintext, or aborts the whole command with `failed to parse config: <cause>` if it can't decrypt. Fixes [CLI-1881](https://linear.app/supabase/issue/CLI-1881/config-push-decrypt-dotenvx-encrypted-secrets-instead-of-skipping). ## What is the new behavior? - `config-sync.secret.ts` (`secretHash`/`secretPlaintext`) now decrypts an `encrypted:` value with the existing `legacy-vault-decrypt.ts` decryptor (already used by `db push`/`db reset`/`migration up|down`) before hashing it for the diff or sending it as plaintext in the auth update body — the ciphertext itself is never pushed. - `push.handler.ts` now runs a document-wide "assert every `config.Secret` is decryptable" pre-check immediately after loading `config.toml`, before the cost-matrix call or any other network request — mirroring Go's `config.Load` timing, where the decrypt hook runs over the *whole* document (not just `auth.*`) regardless of which fields the current command actually reads. An undecryptable secret anywhere (even one `config push` never itself pushes, e.g. `studio.openai_api_key`) aborts with Go's exact `failed to parse config: <cause>` message and zero network calls. - Reused/exported `legacyAssertDecryptableSecrets` from `legacy-db-config.toml-read.ts` (previously private, used only by the db-config family) rather than duplicating the scan logic — its return type was generalized from a db-config-specific error class to a plain message string so each caller can wrap it in its own domain error. - Removed the now-stale "not implemented" note from `config push`'s `SIDE_EFFECTS.md` and documented the new `DOTENV_PRIVATE_KEY`(`_*`) env vars + the new abort exit condition. ## Test plan - New unit tests in `config-sync.secret.unit.test.ts` covering decrypt-before-hash, multi-key fallback, and the two failure messages (reusing the Go test vector from `apps/cli-go/pkg/config/secret_test.go` / `legacy-vault-decrypt.unit.test.ts`). - Three new `push.integration.test.ts` cases: - an `encrypted:` captcha secret decrypts and the **plaintext** (not ciphertext) reaches the `updateAuthServiceConfig` PATCH body; - an undecryptable `encrypted:` secret aborts with `failed to parse config: missing private key` and **zero** network calls, even with `auth.enabled = false` (proving the check isn't auth-gated); - an undecryptable `studio.openai_api_key` (a field `config push` never reads or pushes) also aborts before any network call, proving the pre-check is genuinely document-wide. - Full `apps/cli` `types:check`, `lint:check`, `fmt:check`, and the touched `unit`/`integration` Vitest projects (`config-sync.secret`, `auth.sync`, `legacy-vault-decrypt`, `legacy-db-config.toml-read`, `push.integration`) all pass. Parity confirmed against `apps/cli-go/pkg/config/secret.go` + `internal/config/push/push.go` via `go-parity-auditor` before implementation (abort timing before any network call, error-message format, `DOTENV_PRIVATE_KEY` env-loading order, and that Go always pushes decrypted plaintext, never ciphertext). Reviewed by `architect-reviewer`, `engineer-reviewer`, `security-reviewer`, and `supabase-dx-reviewer` (all APPROVE/SHIP IT) — every actionable finding from that pass is folded into this PR already (removed a dead defensive branch that broke 100%-branch-coverage, hardened a hex-decode error message so it can't echo malformed key fragments, clarified a shared helper's doc comment, added the `studio.openai_api_key` test, and tidied `SIDE_EFFECTS.md` wording). ## Judgement calls left open (deliberately, not blocking) - **Non-matching `[remotes.*]` blocks aren't covered by the document-wide pre-check.** `@supabase/config`'s `loadProjectConfig` strips the `remotes` key from its returned document once a block matches the target ref, so an undecryptable secret hiding in a *different, unused* remote block escapes the check (Go's decode hook would still abort on it, since it decodes the whole file). Narrow edge case — only matters with multiple remotes where the unused one has a broken secret — and safe-direction (we succeed where Go would abort; we never push ciphertext). Documented in `SIDE_EFFECTS.md`'s KNOWN GAPS and in the shared helper's doc comment. - **A secret reached via `env(VAR)` indirection where the referenced var only resolves through the wider env-file set `legacy-db-config.toml-read.ts`/Go's `loadNestedEnv` reads (not `@supabase/config`'s narrower `supabase/.env`/`.env.local`)** is a pre-existing, CLI-1489-adjacent asymmetry between the two env-resolution paths — out of scope here; the code takes the parity-correct (wider) source for the pre-check, consistent with the shared helper's other caller. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
The contribution gate identified internal maintainers solely from the PR's `author_association`, which GitHub only reports as `MEMBER` when a user's organization membership is public. A private org member (e.g. a `supabase/cli` team member who keeps membership private) is reported as `CONTRIBUTOR`/`NONE`, so the gate wrongly closed their PRs as "no-linked-issue" (see #5847). Resolve maintainer status from the author's effective repository permission (`admin`/`write`), which reflects team/org-granted access that `author_association` does not surface, falling back to it only when the cheap signals (bot, public internal association) are inconclusive. The permission endpoint needs just `Metadata: read`, already covered by the workflow's `contents: read`. Claude-Session: https://claude.ai/code/session_01D41gYiFBSU7adE4ppnUUKg --------- Co-authored-by: Claude <noreply@anthropic.com>
…n /apps/cli-go in the go-minor group across 1 directory (#5849) Bumps the go-minor group with 1 update in the /apps/cli-go directory: [github.com/posthog/posthog-go](https://github.com/posthog/posthog-go). Updates `github.com/posthog/posthog-go` from 1.17.2 to 1.17.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/posthog/posthog-go/releases">github.com/posthog/posthog-go's releases</a>.</em></p> <blockquote> <h2>1.17.4</h2> <h2>Unreleased</h2> <h2>1.17.3</h2> <h2>Unreleased</h2> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md">github.com/posthog/posthog-go's changelog</a>.</em></p> <blockquote> <h2>1.17.4</h2> <h3>Patch Changes</h3> <ul> <li>25e43f8: Stop duplicating <code>distinct_id</code> inside <code>/flags</code> person properties.</li> </ul> <h2>1.17.3</h2> <h3>Patch Changes</h3> <ul> <li>dafed74: Retry remote feature flag requests after transient 502 and 504 responses.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-go/commit/93b96811028c9203b26a2708d6998c7700083771"><code>93b9681</code></a> chore: release v1.17.4 [version bump] [skip ci]</li> <li><a href="https://github.com/PostHog/posthog-go/commit/25e43f8ecdc251dd07d2279408febd4dcdf838ec"><code>25e43f8</code></a> fix: stop duplicating distinct_id in flags person properties (<a href="https://redirect.github.com/posthog/posthog-go/issues/250">#250</a>)</li> <li><a href="https://github.com/PostHog/posthog-go/commit/01e60bf351811cc17b55983319d9c5f1be980691"><code>01e60bf</code></a> chore: release v1.17.3 [version bump] [skip ci]</li> <li><a href="https://github.com/PostHog/posthog-go/commit/dafed74b9e5ae43d6d5f47933870663cadf23218"><code>dafed74</code></a> fix: Retry flags requests on 502 and 504 (<a href="https://redirect.github.com/posthog/posthog-go/issues/251">#251</a>)</li> <li><a href="https://github.com/PostHog/posthog-go/commit/ed70fae25d9395d370ad17b79e81b81a63458096"><code>ed70fae</code></a> fix: make TCP drop recovery test deterministic (<a href="https://redirect.github.com/posthog/posthog-go/issues/248">#248</a>)</li> <li><a href="https://github.com/PostHog/posthog-go/commit/2b6e1878570f91ba7a155720923bbf3b98cc9216"><code>2b6e187</code></a> ci: update SDK harness to 0.9.0 (<a href="https://redirect.github.com/posthog/posthog-go/issues/247">#247</a>)</li> <li><a href="https://github.com/PostHog/posthog-go/commit/856a0d4668cce148d56b197cd08e3cd0d3ab50b8"><code>856a0d4</code></a> fix: satisfy SDK compliance harness 0.8.0 (<a href="https://redirect.github.com/posthog/posthog-go/issues/245">#245</a>)</li> <li>See full diff in <a href="https://github.com/posthog/posthog-go/compare/v1.17.2...v1.17.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 7 updates: | Package | From | To | | --- | --- | --- | | [undici](https://github.com/nodejs/undici) | `8.5.0` | `8.6.0` | | [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.198` | `0.3.199` | | [@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript) | `0.109.1` | `0.110.0` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.39.2` | `5.39.4` | | [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260701.1` | `7.0.0-dev.20260702.3` | | [knip](https://github.com/webpro-nl/knip/tree/HEAD/packages/knip) | `6.23.0` | `6.24.0` | | [tldts](https://github.com/remusao/tldts) | `6.1.86` | `7.4.6` | Updates `undici` from 8.5.0 to 8.6.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v8.6.0</h2> <h2>What's Changed</h2> <ul> <li>build(deps-dev): bump proxy from 4.0.0 to 4.1.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5433">nodejs/undici#5433</a></li> <li>update accept-encoding header in fetch by <a href="https://github.com/KhafraDev"><code>@KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5439">nodejs/undici#5439</a></li> <li>fix: drop response chunks after the response stream is destroyed (<a href="https://redirect.github.com/nodejs/undici/issues/5356">#5356</a>) by <a href="https://github.com/cesarvspr"><code>@cesarvspr</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5357">nodejs/undici#5357</a></li> <li>fix: handle incomplete multi-byte UTF-8 sequences in setEncoding() by <a href="https://github.com/joecwu"><code>@joecwu</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5003">nodejs/undici#5003</a></li> <li>fix(retry): keep flow-control wired to the active connection across resumes by <a href="https://github.com/bogomya"><code>@bogomya</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5405">nodejs/undici#5405</a></li> <li>test: cover connect lookup option by <a href="https://github.com/vibhor-aggr"><code>@vibhor-aggr</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5411">nodejs/undici#5411</a></li> <li>test: fail on unexpected reconnect disconnect by <a href="https://github.com/vibhor-aggr"><code>@vibhor-aggr</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5412">nodejs/undici#5412</a></li> <li>build(deps-dev): bump esbuild from 0.28.0 to 0.28.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5419">nodejs/undici#5419</a></li> <li>fix(proxy): fail the request when the CONNECT tunnel drops instead of looping by <a href="https://github.com/cesarvspr"><code>@cesarvspr</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5441">nodejs/undici#5441</a></li> <li>feat(docs): migrate to doc-kit by <a href="https://github.com/avivkeller"><code>@avivkeller</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5438">nodejs/undici#5438</a></li> <li>build(deps-dev): bump undici from 6.25.0 to 6.27.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5445">nodejs/undici#5445</a></li> <li>fetch: fix issue 4058 by <a href="https://github.com/KhafraDev"><code>@KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5456">nodejs/undici#5456</a></li> <li>docs: add Interceptors API reference page by <a href="https://github.com/enjoykumawat"><code>@enjoykumawat</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5446">nodejs/undici#5446</a></li> <li>Document H1 keep-alive trust tradeoff by <a href="https://github.com/mcollina"><code>@mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5457">nodejs/undici#5457</a></li> <li>fix(h2): deliver an early final response to an Expect: 100-continue request by <a href="https://github.com/jeswr"><code>@jeswr</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5470">nodejs/undici#5470</a></li> <li>fix(types): correct deleteCookie attributes by <a href="https://github.com/Ram-blip"><code>@Ram-blip</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5461">nodejs/undici#5461</a></li> <li>fix(h1): complete paused parser on socket end instead of crashing by <a href="https://github.com/ronag"><code>@ronag</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5474">nodejs/undici#5474</a></li> <li>build(deps): bump github/codeql-action/init from 4.36.1 to 4.36.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5476">nodejs/undici#5476</a></li> <li>build(deps): bump github/codeql-action/upload-sarif from 4.36.1 to 4.36.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5481">nodejs/undici#5481</a></li> <li>build(deps): bump fastify/github-action-merge-dependabot from 3.12.0 to 3.15.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5480">nodejs/undici#5480</a></li> <li>build(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5478">nodejs/undici#5478</a></li> <li>build(deps): bump actions/checkout from 6.0.3 to 7.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5482">nodejs/undici#5482</a></li> <li>build(deps): bump github/codeql-action from 4.36.1 to 4.36.2 by <a href="https://github.com/trivikr"><code>@trivikr</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5484">nodejs/undici#5484</a></li> <li>build(deps): bump github/codeql-action/analyze from 4.36.1 to 4.36.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/5477">nodejs/undici#5477</a></li> <li>feat: support HTTP QUERY method (RFC 10008) by <a href="https://github.com/mcollina"><code>@mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5459">nodejs/undici#5459</a></li> <li>fix: requeue h2 requests after goaway by <a href="https://github.com/mcollina"><code>@mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/5473">nodejs/undici#5473</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/joecwu"><code>@joecwu</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/5003">nodejs/undici#5003</a></li> <li><a href="https://github.com/bogomya"><code>@bogomya</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/5405">nodejs/undici#5405</a></li> <li><a href="https://github.com/enjoykumawat"><code>@enjoykumawat</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/5446">nodejs/undici#5446</a></li> <li><a href="https://github.com/jeswr"><code>@jeswr</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/5470">nodejs/undici#5470</a></li> <li><a href="https://github.com/Ram-blip"><code>@Ram-blip</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/5461">nodejs/undici#5461</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v8.5.0...v8.6.0">https://github.com/nodejs/undici/compare/v8.5.0...v8.6.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/6f86196a0d4bbc8034c4e150a0aec4f6b2bf8742"><code>6f86196</code></a> Bumped v8.6.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5491">#5491</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/61ddd8e1180cb0274207a35f15045da3691433be"><code>61ddd8e</code></a> fix: requeue h2 requests after goaway (<a href="https://redirect.github.com/nodejs/undici/issues/5473">#5473</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/c5085ef04534cd25e6e2601d0efc3c74ac62e82c"><code>c5085ef</code></a> feat: support HTTP QUERY method (RFC 10008) (<a href="https://redirect.github.com/nodejs/undici/issues/5459">#5459</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/c144fd60584b700dcbdd9e312bba4e40d4bab3a2"><code>c144fd6</code></a> build(deps): bump github/codeql-action/analyze from 4.36.1 to 4.36.2 (<a href="https://redirect.github.com/nodejs/undici/issues/5477">#5477</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/782ad387c8e82d66b52599b08dae49dff9b3b037"><code>782ad38</code></a> build(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (<a href="https://redirect.github.com/nodejs/undici/issues/5484">#5484</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/c4e045a3dc5acfabd619d93d8af658fc600aef1e"><code>c4e045a</code></a> build(deps): bump actions/checkout from 6.0.3 to 7.0.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5482">#5482</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/de960dbbdd5ec8e84184419f0eb8402c52113ee8"><code>de960db</code></a> build(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5478">#5478</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/1132de86409e2f7d44c9faf4d82d7714fcc55204"><code>1132de8</code></a> build(deps): bump fastify/github-action-merge-dependabot (<a href="https://redirect.github.com/nodejs/undici/issues/5480">#5480</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/3acb7ba08ea89e76f02426c1f9308c4e945032d2"><code>3acb7ba</code></a> build(deps): bump github/codeql-action/upload-sarif (<a href="https://redirect.github.com/nodejs/undici/issues/5481">#5481</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/88c4254079a0b82a579b55230416b1ca213bde19"><code>88c4254</code></a> build(deps): bump github/codeql-action/init from 4.36.1 to 4.36.2 (<a href="https://redirect.github.com/nodejs/undici/issues/5476">#5476</a>)</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v8.5.0...v8.6.0">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/claude-agent-sdk` from 0.3.198 to 0.3.199 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.199</h2> <h2>What's changed</h2> <ul> <li>Added <code>requestId</code> to <code>canUseTool</code> callback options for correlating out-of-band permission responses, and support for returning <code>null</code> to suppress the SDK's automatic control response</li> <li>Added <code>blocked</code> field to <code>workflow_agent</code> progress events indicating when an agent was blocked by the auto-mode safety classifier</li> <li>Added <code>mode:"mask"</code> and per-credential <code>injectHosts</code> to <code>sandbox.credentials</code> settings types for injecting masked credentials into sandboxed commands</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.199 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.199 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.199 # or bun add @anthropic-ai/claude-agent-sdk@0.3.199 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.199</h2> <ul> <li>Added <code>requestId</code> to <code>canUseTool</code> callback options for correlating out-of-band permission responses, and support for returning <code>null</code> to suppress the SDK's automatic control response</li> <li>Added <code>blocked</code> field to <code>workflow_agent</code> progress events indicating when an agent was blocked by the auto-mode safety classifier</li> <li>Added <code>mode:"mask"</code> and per-credential <code>injectHosts</code> to <code>sandbox.credentials</code> settings types for injecting masked credentials into sandboxed commands</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/a0c02d6d999582c360b11116c429d58dc6f17270"><code>a0c02d6</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.198...v0.3.199">compare view</a></li> </ul> </details> <br /> Updates `@anthropic-ai/sdk` from 0.109.1 to 0.110.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@anthropic-ai/sdk's releases</a>.</em></p> <blockquote> <h2>sdk: v0.110.0</h2> <h2>0.110.0 (2026-07-02)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.1...sdk-v0.110.0">sdk-v0.109.1...sdk-v0.110.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add agent-memory-2026-07-22 beta header (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/a470e10aaad12078e3e5f2bb9adf6c2652ea9ca0">a470e10</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/sdk's changelog</a>.</em></p> <blockquote> <h2>0.110.0 (2026-07-02)</h2> <p>Full Changelog: <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.1...sdk-v0.110.0">sdk-v0.109.1...sdk-v0.110.0</a></p> <h3>Features</h3> <ul> <li><strong>api:</strong> add agent-memory-2026-07-22 beta header (<a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/a470e10aaad12078e3e5f2bb9adf6c2652ea9ca0">a470e10</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4f2eb8071993780d79610b9eda26db96f7653843"><code>4f2eb80</code></a> chore: release main (<a href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/1107">#1107</a>)</li> <li>See full diff in <a href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.1...sdk-v0.110.0">compare view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.39.2 to 5.39.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/releases">posthog-node's releases</a>.</em></p> <blockquote> <h2>posthog-node@5.39.4</h2> <h2>5.39.4</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4047">#4047</a> <a href="https://github.com/PostHog/posthog-js/commit/0c11747de9ca10a48f840fff1814c33c71742736"><code>0c11747</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Stop duplicating <code>distinct_id</code> inside <code>/flags</code> person properties. (2026-07-02)</li> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/5e7e132757682e4f91d40601506b635f346c7b67"><code>5e7e132</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.5</li> </ul> </li> </ul> <h2>posthog-node@5.39.3</h2> <h2>5.39.3</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4055">#4055</a> <a href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Retry <code>/flags</code> requests that receive HTTP 502 or 504 responses across SDKs that use the shared core flags client. (2026-07-02)</li> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.4</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.39.4</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4047">#4047</a> <a href="https://github.com/PostHog/posthog-js/commit/0c11747de9ca10a48f840fff1814c33c71742736"><code>0c11747</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Stop duplicating <code>distinct_id</code> inside <code>/flags</code> person properties. (2026-07-02)</li> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/5e7e132757682e4f91d40601506b635f346c7b67"><code>5e7e132</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.5</li> </ul> </li> </ul> <h2>5.39.3</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/PostHog/posthog-js/pull/4055">#4055</a> <a href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a> Thanks <a href="https://github.com/marandaneto"><code>@marandaneto</code></a>! - Retry <code>/flags</code> requests that receive HTTP 502 or 504 responses across SDKs that use the shared core flags client. (2026-07-02)</li> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.39.4</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/0ba87cb40e3f70428cbb8718dc4c012cfa4c5f30"><code>0ba87cb</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/0c11747de9ca10a48f840fff1814c33c71742736"><code>0c11747</code></a> fix: stop duplicating distinct_id in flags person properties (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4047">#4047</a>)</li> <li><a href="https://github.com/PostHog/posthog-js/commit/4eb8b2189098ee1f09eaf66e2d0fa21bcafbe54b"><code>4eb8b21</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/dd90e558b5fe6ec370b8dbd04da8faedba293421"><code>dd90e55</code></a> test(node): make local polling tests deterministic (<a href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4043">#4043</a>)</li> <li>See full diff in <a href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.4/packages/node">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260701.1 to 7.0.0-dev.20260702.3 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Updates `knip` from 6.23.0 to 6.24.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/webpro-nl/knip/releases">knip's releases</a>.</em></p> <blockquote> <h2>Release 6.24.0</h2> <ul> <li>chore: update year in license (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1833">#1833</a>) (32bc844dfd3895884b11fea5ef94bf3fa1974946) - thanks <a href="https://github.com/trueberryless"><code>@trueberryless</code></a>!</li> <li>ci: pin github actions (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1835">#1835</a>) (82a8d0913105a637e9eeccfe3b785be90c873e2a) - thanks <a href="https://github.com/trueberryless"><code>@trueberryless</code></a>!</li> <li>Assume Node 24+/Bun and remove compilation step (d9ef038429bec06c37fdb520e5c7353c8cae6ce7)</li> <li>Don't report working-directory scripts as unlisted binaries (resolve <a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1834">#1834</a>) (aea7923438f0a8f459458578526f358b02497f77)</li> <li>Add <code>pnpm run lint</code> to CI workflow (ec9aa1cabb58c97b8ecc4815e6cdd6421fe2a89e)</li> <li>feat: add settings for Zed editor to use oxlint and oxfmt (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1836">#1836</a>) (111f2e0a17999e3ffdf4c097cd42ba08acd48508) - thanks <a href="https://github.com/trueberryless"><code>@trueberryless</code></a>!</li> <li>fix: remove format_on_save: true settings from Zed settings to respect user settings (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1838">#1838</a>) (dc2a64043035d426eb99a9d1e0eb873d02a09e7d) - thanks <a href="https://github.com/trueberryless"><code>@trueberryless</code></a>!</li> <li>feat: add Renovate for GitHub actions only (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1839">#1839</a>) (ffce88c86f95822ee2a7cf8407e987a3ec79b097) - thanks <a href="https://github.com/trueberryless"><code>@trueberryless</code></a>!</li> <li>Ignore import() in JSDoc examples (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1844">#1844</a>) (6f090f90f04e8202700ed68977faa1dc626ff235) - thanks <a href="https://github.com/cyphercodes"><code>@cyphercodes</code></a>!</li> <li>Don't report types used only in module augmentations as unused (resolve <a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1843">#1843</a>) (7901abd3c4b496f212445bff9768efc9548ded61)</li> <li>Restore CI intent (0d739beab2e224385f449d62d6cc7d904107946e)</li> <li>feat: add less, stylus compilers and astro, svelte, vue import resolution (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1845">#1845</a>) (5525759f33a5664e4882aebe239e9c17eeb29f92) - thanks <a href="https://github.com/trueberryless"><code>@trueberryless</code></a>!</li> <li>Don't report built-in compiler dependencies as unused (3c9d4adf369f0064399d9da7b4f11f0467180bf5)</li> <li>feat: add scss handling to stencil plugin (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1846">#1846</a>) (acba6b85ab05f70385228872fafea2b08290d0f6) - thanks <a href="https://github.com/johnjenkins"><code>@johnjenkins</code></a>!</li> <li>fix(reporters): always print the issue-type title for a single group (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1848">#1848</a>) (cf997b2408cc0814c2d310d1e8c8680340153fa1) - thanks <a href="https://github.com/morgan-coded"><code>@morgan-coded</code></a>!</li> <li>Export Issue, IssueRecords and IssueType types (resolve <a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1840">#1840</a>) (260f19230f42c9dceaac97d55bf34d17902c5b38)</li> <li>Squeeze every bit of perf out around compilers (bb0eeb6e33d050dab736134b5b692a3d6413f358)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/webpro-nl/knip/commit/2979803b8c929dcd6254e1cea174101fb16820e4"><code>2979803</code></a> Release knip@6.24.0</li> <li><a href="https://github.com/webpro-nl/knip/commit/bb0eeb6e33d050dab736134b5b692a3d6413f358"><code>bb0eeb6</code></a> Squeeze every bit of perf out around compilers</li> <li><a href="https://github.com/webpro-nl/knip/commit/260f19230f42c9dceaac97d55bf34d17902c5b38"><code>260f192</code></a> Export Issue, IssueRecords and IssueType types (resolve <a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1840">#1840</a>)</li> <li><a href="https://github.com/webpro-nl/knip/commit/cf997b2408cc0814c2d310d1e8c8680340153fa1"><code>cf997b2</code></a> fix(reporters): always print the issue-type title for a single group (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1848">#1848</a>)</li> <li><a href="https://github.com/webpro-nl/knip/commit/acba6b85ab05f70385228872fafea2b08290d0f6"><code>acba6b8</code></a> feat: add scss handling to stencil plugin (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1846">#1846</a>)</li> <li><a href="https://github.com/webpro-nl/knip/commit/3c9d4adf369f0064399d9da7b4f11f0467180bf5"><code>3c9d4ad</code></a> Don't report built-in compiler dependencies as unused</li> <li><a href="https://github.com/webpro-nl/knip/commit/5525759f33a5664e4882aebe239e9c17eeb29f92"><code>5525759</code></a> feat: add less, stylus compilers and astro, svelte, vue import resolution (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1">#1</a>...</li> <li><a href="https://github.com/webpro-nl/knip/commit/7901abd3c4b496f212445bff9768efc9548ded61"><code>7901abd</code></a> Don't report types used only in module augmentations as unused (resolve <a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1843">#1843</a>)</li> <li><a href="https://github.com/webpro-nl/knip/commit/6f090f90f04e8202700ed68977faa1dc626ff235"><code>6f090f9</code></a> Ignore import() in JSDoc examples (<a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1844">#1844</a>)</li> <li><a href="https://github.com/webpro-nl/knip/commit/aea7923438f0a8f459458578526f358b02497f77"><code>aea7923</code></a> Don't report working-directory scripts as unlisted binaries (resolve <a href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1834">#1834</a>)</li> <li>See full diff in <a href="https://github.com/webpro-nl/knip/commits/knip@6.24.0/packages/knip">compare view</a></li> </ul> </details> <br /> Updates `tldts` from 6.1.86 to 7.4.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remusao/tldts/releases">tldts's releases</a>.</em></p> <blockquote> <h2>v7.4.6</h2> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2626">#2626</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>:nut_and_bolt: Dependencies</h4> <ul> <li>Bump sigstore from 4.1.0 to 4.1.1 <a href="https://redirect.github.com/remusao/tldts/pull/2629">#2629</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump <code>@babel/core</code> from 7.24.7 to 7.29.7 <a href="https://redirect.github.com/remusao/tldts/pull/2618">#2618</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump form-data from 4.0.5 to 4.0.6 <a href="https://redirect.github.com/remusao/tldts/pull/2611">#2611</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump rollup from 4.61.1 to 4.62.2 <a href="https://redirect.github.com/remusao/tldts/pull/2612">#2612</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 <a href="https://redirect.github.com/remusao/tldts/pull/2619">#2619</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump typescript-eslint from 8.60.1 to 8.62.1 <a href="https://redirect.github.com/remusao/tldts/pull/2624">#2624</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump <code>@sigstore/core</code> from 3.1.0 to 3.2.1 <a href="https://redirect.github.com/remusao/tldts/pull/2625">#2625</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump <code>@sigstore/verify</code> from 3.1.0 to 3.1.1 <a href="https://redirect.github.com/remusao/tldts/pull/2628">#2628</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li><code>tldts-core</code>, <code>tldts-experimental</code>, <code>tldts-icann</code>, <code>tldts-tests</code>, <code>tldts-utils</code>, <code>tldts</code> <ul> <li>Bump <code>@types/node</code> from 25.9.1 to 26.1.0 <a href="https://redirect.github.com/remusao/tldts/pull/2627">#2627</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> </ul> </li> </ul> <h4>Authors: 2</h4> <ul> <li><a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a></li> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h2>v7.4.5</h2> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2617">#2617</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>Authors: 1</h4> <ul> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h2>v7.4.4</h2> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2614">#2614</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>Authors: 1</h4> <ul> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <h2>v7.4.3</h2> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2605">#2605</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remusao/tldts/blob/master/CHANGELOG.md">tldts's changelog</a>.</em></p> <blockquote> <h1>v7.4.6 (Thu Jul 02 2026)</h1> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2626">#2626</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>:nut_and_bolt: Dependencies</h4> <ul> <li>Bump sigstore from 4.1.0 to 4.1.1 <a href="https://redirect.github.com/remusao/tldts/pull/2629">#2629</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump <code>@babel/core</code> from 7.24.7 to 7.29.7 <a href="https://redirect.github.com/remusao/tldts/pull/2618">#2618</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump form-data from 4.0.5 to 4.0.6 <a href="https://redirect.github.com/remusao/tldts/pull/2611">#2611</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump rollup from 4.61.1 to 4.62.2 <a href="https://redirect.github.com/remusao/tldts/pull/2612">#2612</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 <a href="https://redirect.github.com/remusao/tldts/pull/2619">#2619</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump typescript-eslint from 8.60.1 to 8.62.1 <a href="https://redirect.github.com/remusao/tldts/pull/2624">#2624</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump <code>@sigstore/core</code> from 3.1.0 to 3.2.1 <a href="https://redirect.github.com/remusao/tldts/pull/2625">#2625</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li>Bump <code>@sigstore/verify</code> from 3.1.0 to 3.1.1 <a href="https://redirect.github.com/remusao/tldts/pull/2628">#2628</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> <li><code>tldts-core</code>, <code>tldts-experimental</code>, <code>tldts-icann</code>, <code>tldts-tests</code>, <code>tldts-utils</code>, <code>tldts</code> <ul> <li>Bump <code>@types/node</code> from 25.9.1 to 26.1.0 <a href="https://redirect.github.com/remusao/tldts/pull/2627">#2627</a> (<a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a>)</li> </ul> </li> </ul> <h4>Authors: 2</h4> <ul> <li><a href="https://github.com/dependabot%5Bbot%5D"><code>@dependabot[bot]</code></a></li> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <hr /> <h1>v7.4.5 (Sun Jun 28 2026)</h1> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2617">#2617</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>Authors: 1</h4> <ul> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <hr /> <h1>v7.4.4 (Tue Jun 23 2026)</h1> <h4>:scroll: Update Public Suffix List</h4> <ul> <li><code>tldts-experimental</code>, <code>tldts</code> <ul> <li>Update upstream public suffix list <a href="https://redirect.github.com/remusao/tldts/pull/2614">#2614</a> (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> </li> </ul> <h4>Authors: 1</h4> <ul> <li>Rémi (<a href="https://github.com/remusao"><code>@remusao</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/remusao/tldts/commit/92ee2b31e72433487577a6c027ad7ec69aa8c8fe"><code>92ee2b3</code></a> Bump version to: v7.4.6 [skip ci]</li> <li><a href="https://github.com/remusao/tldts/commit/cd23a4106ee0ed11cecf7ec7ed9bc308743d99ca"><code>cd23a41</code></a> Update CHANGELOG.md [skip ci]</li> <li><a href="https://github.com/remusao/tldts/commit/11b91adfef769de8dbd8c87b1ed0809e0371e9a2"><code>11b91ad</code></a> Update upstream public suffix list (<a href="https://redirect.github.com/remusao/tldts/issues/2626">#2626</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/3136742bd2a089b2c9592cbbcc3de6c229bba5a9"><code>3136742</code></a> Bump sigstore from 4.1.0 to 4.1.1 (<a href="https://redirect.github.com/remusao/tldts/issues/2629">#2629</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/258820f15ee126878921c2359921d27efef4ca31"><code>258820f</code></a> Bump <code>@babel/core</code> from 7.24.7 to 7.29.7 (<a href="https://redirect.github.com/remusao/tldts/issues/2618">#2618</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/e32bbb0fbece80aab696ce8abc89a22d5d4f6ee3"><code>e32bbb0</code></a> Bump form-data from 4.0.5 to 4.0.6 (<a href="https://redirect.github.com/remusao/tldts/issues/2611">#2611</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/8b65da192769c0f1abc96ffe7d8b0a872fce80a8"><code>8b65da1</code></a> Bump rollup from 4.61.1 to 4.62.2 (<a href="https://redirect.github.com/remusao/tldts/issues/2612">#2612</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/496e7f4cc06e5a85ad71dd040963a243b61962f5"><code>496e7f4</code></a> Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 (<a href="https://redirect.github.com/remusao/tldts/issues/2619">#2619</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/0adcc645852f4ebacf3db76eaa62da4c79f4c9bf"><code>0adcc64</code></a> Bump typescript-eslint from 8.60.1 to 8.62.1 (<a href="https://redirect.github.com/remusao/tldts/issues/2624">#2624</a>)</li> <li><a href="https://github.com/remusao/tldts/commit/6401b1448e797716c13778679bc7d2eb022126a8"><code>6401b14</code></a> Bump <code>@sigstore/core</code> from 3.1.0 to 3.2.1 (<a href="https://redirect.github.com/remusao/tldts/issues/2625">#2625</a>)</li> <li>Additional commits viewable in <a href="https://github.com/remusao/tldts/compare/v6.1.86...v7.4.6">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for tldts since your current version.</p> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…s-major group (#5852) Bumps the actions-major group with 1 update: [docker/login-action](https://github.com/docker/login-action). Updates `docker/login-action` from 4.3.0 to 4.4.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/login-action/releases">docker/login-action's releases</a>.</em></p> <blockquote> <h2>v4.4.0</h2> <ul> <li>Skip empty <code>registry-auth</code> secret mask by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/1035">docker/login-action#1035</a></li> <li>Bump <code>@aws-sdk/client-ecr</code> and <code>@aws-sdk/client-ecr-public</code> to 3.1077.0 <a href="https://redirect.github.com/docker/login-action/pull/1034">docker/login-action#1034</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v4.3.0...v4.4.0">https://github.com/docker/login-action/compare/v4.3.0...v4.4.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/login-action/commit/af1e73f918a031802d376d3c8bbc3fe56130a9b0"><code>af1e73f</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1034">#1034</a> from docker/dependabot/npm_and_yarn/aws-sdk-dependen...</li> <li><a href="https://github.com/docker/login-action/commit/da722bde43bacb027adfc67d42dbaa4c0f9e550b"><code>da722bd</code></a> [dependabot skip] chore: update generated content</li> <li><a href="https://github.com/docker/login-action/commit/2916ad60bd5cb72f07aa54c69fdcc61749c09b7a"><code>2916ad6</code></a> build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...</li> <li><a href="https://github.com/docker/login-action/commit/ca0a662f786e4cfddce972005bd68f3dafc3a903"><code>ca0a662</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1035">#1035</a> from crazy-max/fix-registry-auth-empty-mask</li> <li><a href="https://github.com/docker/login-action/commit/c455755a579833bf0d2e4e54e3beb413ef10cc80"><code>c455755</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/login-action/commit/48351901f89581a7c12870c787d3f06d1f498438"><code>4835190</code></a> skip empty registry-auth secret mask</li> <li><a href="https://github.com/docker/login-action/commit/992421c6e6806a7f6df609d1bfff374f9eca3004"><code>992421c</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1033">#1033</a> from docker/dependabot/github_actions/docker/bake-ac...</li> <li><a href="https://github.com/docker/login-action/commit/b249b43765525dd7951068267a34cf63f22ab4f0"><code>b249b43</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/1032">#1032</a> from docker/dependabot/github_actions/docker/bake-ac...</li> <li><a href="https://github.com/docker/login-action/commit/1b67977736863551a88ff218642a2d7628b10520"><code>1b67977</code></a> build(deps): bump docker/bake-action from 7.2.0 to 7.3.0</li> <li><a href="https://github.com/docker/login-action/commit/9d49d6a3234c78daa10c3c12183ef7b6caa8e69e"><code>9d49d6a</code></a> build(deps): bump docker/bake-action/subaction/matrix</li> <li>See full diff in <a href="https://github.com/docker/login-action/compare/c99871dec2022cc055c062a10cc1a1310835ceb4...af1e73f918a031802d376d3c8bbc3fe56130a9b0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…emplates with 3 updates (#5851) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates: supabase/realtime, supabase/storage-api and supabase/logflare. Updates `supabase/realtime` from v2.112.9 to v2.112.10 Updates `supabase/storage-api` from v1.64.1 to v1.66.2 Updates `supabase/logflare` from 1.46.0 to 1.47.0 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…te error on parse failures (CLI-1901) (#5844) ## What kind of change does this PR introduce? Bug fix (legacy shell shared CLI runtime). ## What is the current behavior? Fixes [CLI-1901](https://linear.app/supabase/issue/CLI-1901/legacy-cli-required-flagchoice-parse-errors-double-print-and-dump-help), originally surfaced as a side-finding during #5803's review (CLI-1859, `gen bearer-jwt --role required`). Any legacy command whose flag parsing fails with a `CliError.ShowHelp`-wrapped error carrying a non-empty `errors` array (missing required flag, invalid `Flag.choice` value, unrecognized flag, etc.) printed a broken, non-Go-parity error: ``` $ supabase sso add --project-ref <ref> DESCRIPTION Add and configure a new connection to a SSO identity provider... USAGE supabase sso add [flags] FLAGS ... [... 20-30 line help doc, printed to STDOUT ...] ERROR Missing required flag: --type Error: required flag(s) "type" not set Try rerunning the command with --debug to troubleshoot the error. ``` Root cause: the vendored `effect@4.0.0-beta.93` CLI library's `Command.runWith` (`.repos/effect/packages/effect/src/unstable/cli/Command.ts`) always dumps the full help doc via `Console.log` and, when `errors.length > 0`, also `Console.error`s the same errors — before this repo's own Go-parity renderer (`normalize-error.ts` + `run.ts`'s `handledProgram`) renders its own line for the same failure. This breaks stdout-piping scripts (e.g. `TOKEN=$(supabase gen bearer-jwt --role "$ROLE")` with an empty `$ROLE`) and violates this repo's own Go-parity contract (`apps/cli/CLAUDE.md`). ## What is the new behavior? `run.ts` gains `withoutParseErrorHelpDump`, which wraps `Command.runWith(rootCommand, ...)(args)` with a buffering `Console.Console` and, once the run's outcome is known, disposes of the buffered writes per `classifyParseErrorConsoleOutput` — a three-way split that mirrors Go cobra's *actual* behavior (verified directly against the built `apps/cli-go/supabase-go` binary, not just assumed): - **`drop`** — a missing required flag (`MissingOption`). Go's `PersistentPreRunE` sets `SilenceUsage = true` (`cmd/root.go:97`) *before* `ValidateRequiredFlags` runs, so this is a single clean stderr line, nothing on stdout. - **`flush-help-doc-to-stderr`** — every other genuine parse/validation failure (unrecognized flag, invalid `Flag.choice` value, missing positional argument, unknown subcommand). These are raised during `ParseFlags`/`ValidateArgs`, *before* `SilenceUsage` is set — Go still shows a usage block for these, always on stderr, never stdout. The library's help doc isn't byte-identical to cobra's shorter usage template (see judgement calls below), but it's now on the right stream with no duplicate. - **`flush-unchanged`** — success, `--help`, `--version`, `--completions`, and the bare-group-command help dump (`errors: []`, exit 0) — all untouched. In every genuine-failure case, the library's own duplicate `Console.error` render is dropped; this repo's own `handledProgram` + `normalizeCause` render the single Go-parity line instead. `normalize-error.ts`'s `ShowHelp`-envelope unwrap was also extended: since the library's duplicate render is now gone, a wrapped inner error with no Go-parity-specific mapping (`UnrecognizedOption`, `DuplicateOption`, `MissingArgument`, `UnknownSubcommand`, or a non-doubled-prefix `InvalidValue`) now falls back to that inner error's own `.message` instead of the useless generic "Help requested" envelope text — otherwise removing the duplicate would have silently regressed those tags from "informative, but printed twice" to "printed once, uselessly." Tests: pure-predicate unit tests for the three-way classifier (`run.unit.test.ts`), integration tests exercising the real buffering/flush wiring against `legacyBranchesCommand` and a synthetic required-flag command via a `Console.Console` test double (`run.integration.test.ts` — not `vi.spyOn`, which reliably breaks call detection when spying `console.log` and `console.error` in the same test under this repo's Bun+Vitest combination), and e2e tests proving the real subprocess stdout/stderr streams against `branches --bogus-flag` and `sso add` (missing/invalid `--type`, the issue's own named repro target). ### Judgement calls left open - **Wording, not structure**: some of this repo's existing error wording still differs from Go's exact text for these paths (e.g. Go's bare `required flag(s) "type" not set` vs this repo's `Error: required flag(s) "type" not set` with an extra `Error: ` prefix; Go's `invalid argument "bogus" for "-t, --type" flag: must be one of [ saml ]` vs this repo's `Invalid value for flag --type: "bogus". Expected "saml", got "bogus"`). Both pre-date this fix and are unrelated to the stdout-pollution/duplicate-print bug it targets — flagged by review as a possible follow-up, not fixed here to keep this PR's diff focused. - **Usage-block content, not stream**: the help/usage text now correctly lands on stderr (never stdout) for the `flush-help-doc-to-stderr` class, but its *content* is this library's own (longer) help doc, not cobra's shorter usage template. True byte-parity there would need a second, purpose-built "usage-only" formatter — out of scope for this fix. - **Pre-existing terminal-escape echo**: user-supplied argv tokens (e.g. an unrecognized flag name) are echoed verbatim into error messages with no control-character stripping. Unaffected in kind by this change (just relocated/de-duplicated); flagged by security review as low-priority and better suited to its own issue if the team wants to harden it. - The issue's secondary, explicitly-optional finding (`internal/command.ts:243` misreporting `Flag.optional` status in `--output-format json` help docs) is a separate, unrelated code path in the same vendored module — deliberately left unaddressed here to keep this PR scoped to the double-print/stdout-dump bug.
…numFlag parity) (#5855) ## What changed Go's `isEnumFlag` (`apps/cli-go/cmd/root_analytics.go:110-116`) unconditionally reports the value of any `*utils.EnumFlag`-backed pflag verbatim in `cli_command_executed` telemetry — no per-flag annotation needed. `--output`, `--dns-resolver`, and `--agent` are all registered as `*utils.EnumFlag` on `rootCmd.PersistentFlags()` (`cmd/root.go:330,331,333`), so Go always sends their real value. The TS port's `withLegacyCommandInstrumentation` already auto-detects `Flag.choice` flags declared in a command's own `config` (CLI-1866), and already resolves global/persistent flag values as a fallback when a command doesn't declare that CLI name locally (CLI-1896). But CLI-1896 deliberately scoped out the 3 global *choice* flags — nothing taught the global-fallback path that a resolved value might itself be a safe enum, so `--output`/`--dns-resolver`/`--agent` always fell through to `"<redacted>"`. This adds `GLOBAL_CHOICE_FLAG_NAMES` (`legacy-command-instrumentation.ts`), derived from `LEGACY_GLOBAL_FLAGS` by reusing the existing `getChoiceFlagNames` helper (so the choice-detection predicate has exactly one home), and consults it only on the global-fallback path — i.e. only when the invoking command's own `flags` record doesn't already declare that CLI name. A command that registers its own differently-typed local flag under the same CLI name (`db diff`'s local string `output: Flag.string("output")`, `cmd/db.go:622`) still shadows the global and stays redacted, matching Go's `isEnumFlag` type-asserting that command's own non-enum flag object instead of root's persistent `EnumFlag`. Verified this is the real wiring, not a hypothetical: `db diff` passes `output` in its own `flags` record with no matching `config` entry, so `isFromHandler` is structurally `true` for it and the new global set is never consulted. Also verified Go's separate `output_format` telemetry property (`PropOutputFormat`) is independent of the generic `flags.output` entry — both already fire in Go too, so no double-counting concern from un-redacting `flags.output`. Fixes CLI-1904. ## Why Found during CLI-1866's review as a pre-existing gap in the same problem class, tracked separately since it was out of scope for that PR's diff, then explicitly deferred again by CLI-1896 ("the 3 global choice flags ... remain redacted — that gap is the already-tracked CLI-1904, not this ticket"). ## Reviewer-relevant context - All 4 `review-changes` agents (architect, engineer, security, DX) reviewed this diff and approved with no blocking findings. Two converging nits were fixed in a follow-up commit: deduped the choice-detection predicate (`GLOBAL_CHOICE_FLAG_NAMES` now derives from `getChoiceFlagNames` instead of re-implementing it) and clarified the two `AGENTS.md` telemetry bullets. - One deliberately-deferred judgement call from engineer-reviewer: no command's own `*.integration.test.ts` today exercises `withLegacyCommandInstrumentation`'s PostHog-capture behavior for *any* flag (that coverage is entirely the job of `legacy-command-instrumentation.unit.test.ts`'s own scenario suite) — this is a pre-existing, repo-wide pattern, not something this PR narrows or regresses. Adding integration-tier telemetry assertions to `db diff`/`db query` specifically would set a new cross-cutting test precedent well beyond this fix's scope, so left as a possible future hardening rather than folded in here.
… globbing (#5856) ## Current Behavior `legacyMatchPattern` (the glob matcher backing `[db.seed].sql_paths` and `db reset --version`) treated a leading `!` inside a `[...]` bracket class the same as `^` — shell/fnmatch-style negation. Go's `path.Match` (which `apps/cli-go`'s `fs.Glob`/`afero.Glob` actually use for this) only negates on `^`; `!` is an ordinary literal class member. So a pattern like `[!a].sql` matched `b.sql` in the TS port where the Go CLI would not, meaning `db push --include-seed` / `db reset` could read, hash, and execute seed SQL outside the set the user's Go-compatible config intended. Verified directly against the real Go stdlib source (`$GOROOT/src/path/match.go`) available on this machine, and against `apps/cli-go/pkg/config/config.go` (`fs.Glob`) and `apps/cli-go/internal/migration/repair/repair.go` (`GetMigrationFile` / `afero.Glob`) — both go through the same `path.Match` grammar. ## New Behavior Rather than patching the bug in place, this fixes it by deleting the duplicate: `apps/cli/src/legacy/shared/legacy-path-match.ts` (`legacyPathMatch`) is already a byte-faithful, already-tested port of Go's `path.Match` — introduced earlier for the sibling `db new`/migration seed pipeline (`legacy-seed.ts`) — with correct `^`-only negation, escapes, and malformed-pattern (`ErrBadPattern`) detection. `legacyMatchPattern` and its `matchClass`/`match` helpers are removed, and both call sites are rewired onto `legacyPathMatch`: - `legacy-seed-ops.ts`'s own seed glob (`globOne`) - `reset.handler.ts`'s `--version` migration-file glob (behavior-identical here — `v` is validated as digits-only before the glob ever runs, so no bracket syntax is reachable on this path) A follow-up commit closes a related gap all four `review-changes` reviewers independently flagged: `legacyGlobSeedFiles` was discarding `legacyPathMatch`'s `badPattern` signal, so a malformed pattern (e.g. an unterminated `[` class) fell through to the generic `no files matched pattern` warning instead of Go's `failed to glob files: syntax error in pattern` (`fs.Glob`'s up-front `Match(pattern, "")` validation). The sibling pipeline (`legacy-seed.ts:resolveSeedFiles`) already did this correctly — mirrored it here now that both pipelines share `legacyPathMatch`. **Behavior change worth calling out for release notes:** any existing `[db.seed].sql_paths` config relying on `[!x]` as shell-style negation will now select a different (Go-correct) set of seed files with no error — e.g. `[!0-9]` now means "the literal characters `!`, `0`-`9`", not "not a digit". Use `[^x]` for negation, matching Go/the real Go CLI. This is a correctness fix (the legacy shell's contract is strict Go parity), but it is a silent behavior change for anyone who had unknowingly depended on the old, non-Go-compatible negation. ## Related Issue(s) Fixes https://linear.app/supabase/issue/CLI-1880 ## Notes for reviewers `review-changes` (architect/engineer/security/DX, run against the first commit) all returned APPROVE/SHIP IT. Judgement calls deliberately left open rather than expanded into this PR: - The two seed pipelines (`legacy-seed-ops.ts` and `legacy-seed.ts`) still duplicate the outer `fs.Glob`-style directory-walk/dedup logic (both now delegate the leaf matcher to `legacyPathMatch`, but the surrounding glob-resolution code is still two separate ports). Flagged by the architect reviewer as a good candidate for a follow-up consolidation, out of scope for this fix. - `sql_paths`' glob dialect (Go `path.Match` semantics, `^`-only negation, no POSIX classes) isn't documented anywhere user-facing (`packages/config/src/db.ts`). Flagged by the DX reviewer as worth a docs follow-up, not blocking.
…in /apps/cli-go in the go-minor group across 1 directory (#5858) Bumps the go-minor group with 1 update in the /apps/cli-go directory: [github.com/stripe/pg-schema-diff](https://github.com/stripe/pg-schema-diff). Updates `github.com/stripe/pg-schema-diff` from 1.0.5 to 1.0.7 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/stripe/pg-schema-diff/releases">github.com/stripe/pg-schema-diff's releases</a>.</em></p> <blockquote> <h2>v1.0.7</h2> <h2>Security fixes</h2> <p>Fixes two additional SQL injection sinks identified via the same root cause as v1.0.6 (enum labels, <a href="https://redirect.github.com/stripe/pg-schema-diff/issues/295">#295</a>). Schema-derived values were re-emitted into generated DDL without proper escaping.</p> <h3>Policy role names (<code>policy_sql_generator.go</code>)</h3> <p><code>AppliesTo</code> role names (sourced from <code>pg_roles.rolname</code>) were interpolated raw into <code>CREATE POLICY ... TO</code> and <code>ALTER POLICY ... TO</code> statements. A user with <code>CREATEROLE</code> privilege could plant a role whose name contains an embedded double-quote to inject arbitrary SQL during plan execution.</p> <p><strong>Fix</strong>: Added <code>escapeRoleNames()</code> helper that applies <code>EscapeIdentifier</code> to each role name, preserving <code>PUBLIC</code> as an unquoted SQL keyword.</p> <h3>Function/procedure names (<code>schema.go</code> <code>buildProcName</code>)</h3> <p>The function used hand-rolled quoting (<code>fmt.Sprintf("\"%s\"(%s)", name, ...)</code>) that did not double embedded double-quotes. A user with <code>CREATE FUNCTION</code> privilege could create a function with <code>"</code> in its name to inject SQL when <code>DROP FUNCTION</code>/<code>DROP PROCEDURE</code> statements are generated.</p> <p><strong>Fix</strong>: Replaced the hand-rolled quoting with <code>EscapeIdentifier(name)</code>.</p> <h2>What's Changed</h2> <ul> <li>fix: escape policy role names and function/procedure names in generated SQL (<a href="https://redirect.github.com/stripe/pg-schema-diff/issues/296">#296</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/stripe/pg-schema-diff/compare/v1.0.6...v1.0.7">https://github.com/stripe/pg-schema-diff/compare/v1.0.6...v1.0.7</a></p> <h2>v1.0.6</h2> <h2>Security fix</h2> <p>Escapes enum labels in generated SQL to prevent a second-order SQL injection.</p> <p>Enum labels were interpolated into generated DDL using raw <code>fmt.Sprintf("'%s'", val)</code>. A label containing a single quote could break out of the string literal and inject arbitrary SQL, which then executes with the plan runner's (often superuser) privileges when <code>pg-schema-diff</code> generates migration SQL — enabling RCE via <code>COPY ... TO PROGRAM</code>.</p> <p>All three enum sinks (<code>CREATE TYPE ... AS ENUM</code>, <code>ALTER TYPE ... ADD VALUE</code>, and the <code>BEFORE</code> ordering clause) now route through a new <code>EscapeLiteral</code> helper that doubles single quotes and strips null bytes.</p> <p>See <a href="https://redirect.github.com/stripe/pg-schema-diff/issues/295">#295</a> for details and test evidence.</p> <p><strong>Recommendation:</strong> upgrade to <code>v1.0.6</code>, especially if you run <code>pg-schema-diff</code> against databases where lower-privileged users can create enum types.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/stripe/pg-schema-diff/commit/6208f8f3ceccae8ca634055dc47907a6a864cb76"><code>6208f8f</code></a> fix: escape policy role names and function names in generated SQL (<a href="https://redirect.github.com/stripe/pg-schema-diff/issues/296">#296</a>)</li> <li><a href="https://github.com/stripe/pg-schema-diff/commit/4ff84db14685190757157e2c08026aa4e3b7e859"><code>4ff84db</code></a> fix: escape enum labels in generated SQL to prevent SQL injection (<a href="https://redirect.github.com/stripe/pg-schema-diff/issues/295">#295</a>)</li> <li>See full diff in <a href="https://github.com/stripe/pg-schema-diff/compare/v1.0.5...v1.0.7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 3 updates: [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript), [@clack/prompts](https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts) and [@typescript/native-preview](https://github.com/microsoft/typescript-go). Updates `@anthropic-ai/claude-agent-sdk` from 0.3.199 to 0.3.201 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.201</h2> <h2>What's changed</h2> <ul> <li>Updated to parity with Claude Code v2.1.201</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.201 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.201 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.201 # or bun add @anthropic-ai/claude-agent-sdk@0.3.201 </code></pre> <h2>v0.3.200</h2> <h2>What's changed</h2> <ul> <li>Added <code>'manual'</code> as an accepted alias for the <code>'default'</code> permission mode in SDK inputs</li> <li>Fixed <code>onSetPermissionMode</code> callback not firing for SDK-hosted Remote Control sessions</li> <li>Fixed <code>set_model</code> control request accepting unrecognized model strings; invalid models are now rejected before latching</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.200 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.200 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.200 # or bun add @anthropic-ai/claude-agent-sdk@0.3.200 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.201</h2> <ul> <li>Updated to parity with Claude Code v2.1.201</li> </ul> <h2>0.3.200</h2> <ul> <li>Added <code>'manual'</code> as an accepted alias for the <code>'default'</code> permission mode in SDK inputs</li> <li>Fixed <code>onSetPermissionMode</code> callback not firing for SDK-hosted Remote Control sessions</li> <li>Fixed <code>set_model</code> control request accepting unrecognized model strings; invalid models are now rejected before latching</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/6809c4ca30f74667391c1f30dc5023e518110326"><code>6809c4c</code></a> chore: Update CHANGELOG.md</li> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/8d7e23f1ff86a20eed96ba64e2ac1ed44b68af14"><code>8d7e23f</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.199...v0.3.201">compare view</a></li> </ul> </details> <br /> Updates `@clack/prompts` from 1.6.0 to 1.7.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/bombshell-dev/clack/releases">@clack/prompts's releases</a>.</em></p> <blockquote> <h2><code>@clack/prompts</code><a href="https://github.com/1"><code>@1</code></a>.7.0</h2> <h3>Minor Changes</h3> <ul> <li><a href="https://redirect.github.com/bombshell-dev/clack/pull/574">#574</a> <a href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a> Thanks <a href="https://github.com/dreyfus92"><code>@dreyfus92</code></a>! - Add <code>showInstructions</code> option to <code>select</code>, <code>multiselect</code>, and <code>groupMultiselect</code>. Keyboard hints remain shown by default; pass <code>showInstructions: false</code> to hide them.</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/bombshell-dev/clack/pull/582">#582</a> <a href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a> Thanks <a href="https://github.com/43081j"><code>@43081j</code></a>! - Handle empty arrays in various prompts and utilities.</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>]:</p> <ul> <li><code>@clack/core</code><a href="https://github.com/1"><code>@1</code></a>.4.3</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/bombshell-dev/clack/blob/main/packages/prompts/CHANGELOG.md">@clack/prompts's changelog</a>.</em></p> <blockquote> <h2>1.7.0</h2> <h3>Minor Changes</h3> <ul> <li><a href="https://redirect.github.com/bombshell-dev/clack/pull/574">#574</a> <a href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a> Thanks <a href="https://github.com/dreyfus92"><code>@dreyfus92</code></a>! - Add <code>showInstructions</code> option to <code>select</code>, <code>multiselect</code>, and <code>groupMultiselect</code>. Keyboard hints remain shown by default; pass <code>showInstructions: false</code> to hide them.</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/bombshell-dev/clack/pull/582">#582</a> <a href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a> Thanks <a href="https://github.com/43081j"><code>@43081j</code></a>! - Handle empty arrays in various prompts and utilities.</p> </li> <li> <p>Updated dependencies [<a href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>]:</p> <ul> <li><code>@clack/core</code><a href="https://github.com/1"><code>@1</code></a>.4.3</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/bombshell-dev/clack/commit/dc5bce8aae84a57b5863124adfaa839c1db1fa23"><code>dc5bce8</code></a> [ci] release (<a href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/575">#575</a>)</li> <li><a href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a> chore: enable strict index checks (<a href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/582">#582</a>)</li> <li><a href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a> feat(prompts): add showInstructions opt-out (<a href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/574">#574</a>)</li> <li><a href="https://github.com/bombshell-dev/clack/commit/06c16c7b65b69dee44301e7e6c8f1110c6da4149"><code>06c16c7</code></a> chore: update license copyright to Bombshell contributors (<a href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/572">#572</a>)</li> <li>See full diff in <a href="https://github.com/bombshell-dev/clack/commits/@clack/prompts@1.7.0/packages/prompts">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260702.3 to 7.0.0-dev.20260703.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…n /apps/cli-go in the go-minor group across 1 directory (#5865) Bumps the go-minor group with 1 update in the /apps/cli-go directory: [github.com/posthog/posthog-go](https://github.com/posthog/posthog-go). Updates `github.com/posthog/posthog-go` from 1.17.4 to 1.17.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/posthog/posthog-go/releases">github.com/posthog/posthog-go's releases</a>.</em></p> <blockquote> <h2>1.17.5</h2> <h2>Unreleased</h2> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md">github.com/posthog/posthog-go's changelog</a>.</em></p> <blockquote> <h2>1.17.5</h2> <h3>Patch Changes</h3> <ul> <li>fe66557: Change the default capture delivery budget from 10 attempts to 4 (<code>DefaultMaxAttempts</code>) when <code>Config.MaxRetries</code> is unset, aligning with the cross-SDK Capture V1 parity standard (posthog-rs uses the same envelope). This affects <strong>both</strong> the v0 (<code>/batch/</code>) and v1 send paths, since they share the attempt budget. Callers that set <code>MaxRetries</code> explicitly are unaffected.</li> <li>3d8404a: Unify the capture retry backoff ceiling at 30s. <code>DefaultBackoff</code>'s cap changes from 10s to 30s (default only — override via <code>Config.RetryAfter</code>), and the Capture V1 send now clamps a server <code>Retry-After</code> to the same 30s so a hostile or buggy header cannot park a batch goroutine. <code>Retry-After</code> still acts as a minimum; the configured backoff is never truncated. This aligns the default retry behavior with posthog-rs and posthog-python.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-go/commit/d7f8a22426389425e7874d302cedfbe86731a179"><code>d7f8a22</code></a> chore: release v1.17.5 [version bump] [skip ci]</li> <li><a href="https://github.com/PostHog/posthog-go/commit/fe66557ddc3141ada0c1d9538186037c641614d9"><code>fe66557</code></a> feat(capture): default to 4 delivery attempts (down from 10) (<a href="https://redirect.github.com/posthog/posthog-go/issues/256">#256</a>)</li> <li><a href="https://github.com/PostHog/posthog-go/commit/3d8404afd554d1557a57c45deba05501a8288d44"><code>3d8404a</code></a> fix(capture): unify retry backoff ceiling at 30s (<a href="https://redirect.github.com/posthog/posthog-go/issues/255">#255</a>)</li> <li><a href="https://github.com/PostHog/posthog-go/commit/6affc1549498bbd8f8ee3fe5beaaab6da5d13ca1"><code>6affc15</code></a> ci: Standardize SDK release failure telemetry (<a href="https://redirect.github.com/posthog/posthog-go/issues/252">#252</a>)</li> <li>See full diff in <a href="https://github.com/posthog/posthog-go/compare/v1.17.4...v1.17.5">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….2.2 in the actions-major group (#5871) Bumps the actions-major group with 1 update: [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials). Updates `aws-actions/configure-aws-credentials` from 6.2.1 to 6.2.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-actions/configure-aws-credentials/releases">aws-actions/configure-aws-credentials's releases</a>.</em></p> <blockquote> <h2>v6.2.2</h2> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a> (2026-07-07)</h2> <h3>Miscellaneous Chores</h3> <ul> <li>release 6.2.2 (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md">aws-actions/configure-aws-credentials's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <p>All notable changes to this project will be documented in this file. See <a href="https://github.com/conventional-changelog/standard-version">standard-version</a> for commit guidelines.</p> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a> (2026-07-07)</h2> <h3>Miscellaneous Chores</h3> <ul> <li>release 6.2.2 (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.0...v6.2.1">6.2.1</a> (2026-06-26)</h2> <h3>Bug Fixes</h3> <ul> <li>enforce allowed-account-ids on all auth paths (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1847">#1847</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/4d281fbc56a82e63c3fc14f2cc22361f34c97493">4d281fb</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.3...v6.2.0">6.2.0</a> (2026-06-01)</h2> <h3>Features</h3> <ul> <li>add additional session tags by default (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1775">#1775</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/e0ba7685077379a14a82d01fefd511490344ebfc">e0ba768</a>)</li> <li>add more retry logic and better logging (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1764">#1764</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/540d0c13aedb8d55501d220bd2f0b3cdedfe84e8">540d0c1</a>)</li> <li>add regex validation to role-session-name (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1765">#1765</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/e35449909c6ede5083a48ba4b8bbfaaa1cf09ba1">e354499</a>)</li> <li>Allow custom session tags to be passed when assuming a role (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1759">#1759</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/61f50f630f383628add73c1eab3f1935ba07da2b">61f50f6</a>)</li> <li>expose run id in STS client user-agent (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1774">#1774</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/29d1be30273e7ef371d59fccf6ec54572c64ec89">29d1be3</a>)</li> <li>support custom STS endpoints (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1762">#1762</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/8d52d05d7a4521fa52b39de50cb6114b12e5c332">8d52d05</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>skip credential check on output-env-credentials: false (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1778">#1778</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/58e7c47adf77846879008deadfeeef8a6969fe6c">58e7c47</a>)</li> <li>assumeRole failing from session tag size too large (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1808">#1808</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/d6f5dc331b44474b19a52caaf85fa4d637b13c8e">d6f5dc3</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.2...v6.1.3">6.1.3</a> (2026-05-28)</h2> <h3>Bug Fixes</h3> <ul> <li>fix: allow kubelet token symlink in <a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1805">#1805</a></li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.1...v6.1.2">6.1.2</a> (2026-05-26)</h2> <h3>Bug Fixes</h3> <ul> <li>additional filesystem checks (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1799">#1799</a>) (<a href="https://github.com/aws-actions/configure-aws-credentials/commit/c39f282697aca8a78c522ecf1f7da9899a31432c">c39f282</a>)</li> </ul> <h2><a href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.0...v6.1.1">6.1.1</a> (2026-05-05)</h2> <h3>Miscellaneous Chores</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/517a711dbcd0e402f90c77e7e2f81e849156e31d"><code>517a711</code></a> chore(main): release 6.2.2 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1876">#1876</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2"><code>d01d678</code></a> chore: release 6.2.2</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/8efa52b2848773c500aa10726e251480b1a9eef6"><code>8efa52b</code></a> chore(deps-dev): bump vitest dependencies (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1874">#1874</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/8e1eed5c14c0831e3e8d3e79a355207770cfc534"><code>8e1eed5</code></a> chore(deps-dev): bump <code>@smithy/property-provider</code> from 4.4.4 to 4.4.6 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1869">#1869</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/112421a93aaa67421f2d14d7c469df0e5ca60e47"><code>112421a</code></a> chore(deps-dev): bump <code>@biomejs/biome</code> from 2.5.1 to 2.5.2 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1868">#1868</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/fbc01c6585c59a56334d4803ca1f3f249a5fba3f"><code>fbc01c6</code></a> chore(deps-dev): bump <code>@types/node</code> from 26.0.1 to 26.1.0 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1871">#1871</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/b12ca875eb3037b4cfbc4aa347bd62e1b475d439"><code>b12ca87</code></a> chore(deps-dev): bump memfs from 4.57.8 to 4.58.0 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1873">#1873</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/d314f7f43d28771d47678a1ad87f05976e241846"><code>d314f7f</code></a> chore: Update dist</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/a53b65b84a3cea262b96b50376e409283f6f818b"><code>a53b65b</code></a> chore(deps): bump <code>@aws-sdk/client-sts</code> from 3.1076.0 to 3.1080.0 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1867">#1867</a>)</li> <li><a href="https://github.com/aws-actions/configure-aws-credentials/commit/338d2c18392e9b3ace741e4547b315bda30f7b02"><code>338d2c1</code></a> chore(deps-dev): bump sigstore from 4.1.0 to 4.1.1 (<a href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1864">#1864</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-actions/configure-aws-credentials/compare/254c19bd240aabef8777f48595e9d2d7b972184b...517a711dbcd0e402f90c77e7e2f81e849156e31d">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 249b9ec577
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| const args = [ | ||
| "db", | ||
| "__db-bootstrap", | ||
| ...modeArgs, | ||
| ...networkArgs, | ||
| ...profileArgs, | ||
| ...experimentalArgs, | ||
| ]; |
There was a problem hiding this comment.
Forward explicit workdir into the bootstrap child
When db start or local db reset is invoked with an explicit --workdir/SUPABASE_WORKDIR, this seam starts the hidden Go child with only cwd: cliConfig.workdir and does not pass that workdir as a flag/env. In the Go child, ChangeWorkDir falls back to getProjectRoot(CurrentDirAbs) whenever WORKDIR is unset (apps/cli-go/internal/utils/misc.go:239-242), so an explicit workdir that intentionally has no supabase/config.toml can be replaced by an ancestor project. The child can then load the ancestor config/project id and create/reset/cleanup the wrong local containers; pass the resolved workdir through to the child.
Useful? React with 👍 / 👎.
| const projectId = legacyResolveLocalProjectId( | ||
| Option.getOrUndefined(cliConfig.projectId), | ||
| Option.getOrUndefined(tomlProjectId), | ||
| cliConfig.workdir, |
There was a problem hiding this comment.
Include project dotenv when deriving the db container
When SUPABASE_PROJECT_ID is defined only in project dotenv files, Go sees it because config Load calls loadNestedEnv before AutomaticEnv/validation (apps/cli-go/pkg/config/config.go:786-790). This preflight lookup only uses the ambient cliConfig.projectId plus TOML/workdir, so it inspects supabase_db_<wrong id> and misses an already-running stack that was started with the dotenv project id; db start then enters the bootstrap path instead of returning "already running". Resolve the project env here before deriving the container id.
Useful? React with 👍 / 👎.