
chore: Add blockExoticSubdeps to prevent GitHub URLs and tarballs#45817

Merged: ivasilov merged 1 commit into master from chore/block-exotic-subdeps on May 12, 2026

Conversation

@ivasilov
Member

@ivasilov ivasilov commented May 12, 2026

This pull request introduces a configuration update to the pnpm-workspace.yaml file. The most significant change is the addition of the blockExoticSubdeps: true setting, which helps prevent the installation of potentially problematic or non-standard subdependencies across the workspace. There is also a minor adjustment in the overrides section, but it does not result in any functional changes.

Summary by CodeRabbit

  • Chores
    • Enhanced package dependency configuration to prevent exotic subdependencies and improve installation reliability.
    • Reorganized dependency override specifications for consistency.


@vercel

vercel Bot commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
design-system | Ready | Preview, Comment | May 12, 2026 7:38am
docs | Ready | Preview, Comment, Open in v0 | May 12, 2026 7:38am
studio-self-hosted | Ready | Preview, Comment | May 12, 2026 7:38am
studio-staging | Ready | Preview, Comment | May 12, 2026 7:38am
ui-library | Ready | Preview, Comment | May 12, 2026 7:38am
zone-www-dot-com | Ready | Preview, Comment, Open in v0 | May 12, 2026 7:38am

1 Skipped Deployment

Project | Deployment | Actions | Updated (UTC)
studio | Ignored | | May 12, 2026 7:38am


@supabase

supabase Bot commented May 12, 2026

This pull request has been ignored for the connected project xguihxuzqibwxjnimxev because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

📝 Walkthrough

The PR modifies pnpm-workspace.yaml to enable blockExoticSubdeps: true in workspace configuration and reorders two dependency override entries without changing their version constraints.

Changes

pnpm Workspace Configuration

Layer / File(s) | Summary
Workspace configuration flag and overrides (pnpm-workspace.yaml) | The blockExoticSubdeps: true flag is added to the workspace configuration, and two overrides entries (esbuild and express-rate-limit>ip-address) are reordered while keeping their version/range values unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A pnpm workspace takes a gentle reorder,
Exotic subdeps now blocked at the border,
Two overrides shuffled with care,
Configuration peace floats through the air! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description explains the configuration update and its purpose, but does not follow the required template structure with sections like 'What kind of change', 'Current behavior', and 'New behavior'. | Restructure the description to follow the template: confirm CONTRIBUTING.md read, specify change type (chore), describe current behavior, and explain the new behavior and benefits.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically describes the main change: adding blockExoticSubdeps configuration to prevent GitHub URLs and tarballs.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pnpm-workspace.yaml`:
- Around line 7-8: The workspace option blockExoticSubdeps is blocking tarball-sourced subdependencies and is causing installation failure for `@std/toml`'s dependency `@jsr/std__collections` (used by apps/studio); either remove the blockExoticSubdeps setting from pnpm-workspace.yaml or replace/update the offending subdependency to a non-tarball/npm registry source (i.e., update `@std/toml`/`@jsr/std__collections` to a version or registry that provides a standard npm tarball) so installs for apps/studio succeed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 656a226c-af11-4ce1-91e2-854c9e5d4c6c

📥 Commits

Reviewing files that changed from the base of the PR and between 44315b7 and 030b369.

📒 Files selected for processing (1)
  • pnpm-workspace.yaml

Comment thread pnpm-workspace.yaml
Comment on lines +7 to +8
blockExoticSubdeps: true
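Review bot: the flag lands without a comment stating its scope, and the thread below had to establish that scope after a false alarm: it blocks only subdependencies resolved from Git URLs or direct tarball URLs, while registry sources (npm, JSR via npm.jsr.io, workspace packages) and direct dependencies are untouched. A one-line YAML comment above `blockExoticSubdeps: true` saying exactly that would spare the next reader the same detour.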

Contributor

@coderabbitai coderabbitai Bot May 12, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check pnpm-lock.yaml for exotic dependency URLs (GitHub, tarballs, git://, etc.)
if [ -f pnpm-lock.yaml ]; then
  echo "Checking for exotic subdependency URLs..."
  # Capture the matches first: testing $? after "rg ... | head" would report
  # head's exit status, not rg's, so the no-match branch could never be reached.
  matches=$(rg -n "resolution: \{tarball:|resolution: \{type: git|github\.com.*\.git|git\+|git://" pnpm-lock.yaml | head -20)
  if [ -n "$matches" ]; then
    echo "$matches"
    echo "⚠️  Found exotic subdependencies - enabling blockExoticSubdeps may break the build"
  else
    echo "✓ No exotic subdependencies found"
  fi
else
  echo "pnpm-lock.yaml not found"
fi

Repository: supabase/supabase

Length of output: 186


🏁 Script executed:

#!/bin/bash
# Check pnpm-lock.yaml for actual exotic dependencies with clearer patterns
if [ -f pnpm-lock.yaml ]; then
  echo "=== Checking for exotic subdependencies ==="
  
  # Search for tarball URLs
  echo "Tarballs:"
  rg "tarball:" pnpm-lock.yaml | head -5
  
  # Search for github.com URLs in resolution
  echo -e "\nGitHub URLs:"
  rg "github\.com" pnpm-lock.yaml | head -5
  
  # Search for git protocol
  echo -e "\nGit protocols:"
  rg "git\+https|git\+ssh|git://" pnpm-lock.yaml | head -5
  
  # Get count of each type
  echo -e "\n=== Counts ==="
  echo "Tarball entries: $(rg "tarball:" pnpm-lock.yaml | wc -l)"
  echo "GitHub URLs: $(rg "github\.com" pnpm-lock.yaml | wc -l)"
  echo "Git protocols: $(rg "git\+https|git\+ssh|git://" pnpm-lock.yaml | wc -l)"
else
  echo "pnpm-lock.yaml not found"
fi

Repository: supabase/supabase

Length of output: 772


🏁 Script executed:

#!/bin/bash
# Check whether @jsr packages are direct dependencies or subdependencies
# (the backticks around @jsr inside double quotes would have been run as a
# command substitution, so they are left out of the strings here)
echo "=== Checking package.json files for @jsr direct dependencies ==="
find . -name "package.json" -not -path "*/node_modules/*" | while read -r pf; do
  if rg "@jsr" "$pf" > /dev/null 2>&1; then
    echo "Found in: $pf"
    rg "@jsr" "$pf"
  fi
done | head -30

echo -e "\n=== Checking pnpm-lock.yaml dependency structure for @jsr packages ==="
# Look at the dependency chain to see if @jsr packages appear as direct or sub-dependencies
rg -A 2 -B 2 "@jsr/std__" pnpm-lock.yaml | head -40

Repository: supabase/supabase

Length of output: 1941


Enabling blockExoticSubdeps will block a required subdependency and break the build.

The @std/toml package (a direct dependency of apps/studio) depends on @jsr/std__collections@1.1.3, which is delivered via tarball from npm.jsr.io. Enabling blockExoticSubdeps: true will block installation of this subdependency, breaking the build.

Remove this option or update the subdependency to use a non-tarball source before merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` around lines 7 - 8, The workspace option blockExoticSubdeps is blocking tarball-sourced subdependencies and is causing installation failure for `@std/toml`'s dependency `@jsr/std__collections` (used by apps/studio); either remove the blockExoticSubdeps setting from pnpm-workspace.yaml or replace/update the offending subdependency to a non-tarball/npm registry source (i.e., update `@std/toml`/`@jsr/std__collections` to a version or registry that provides a standard npm tarball) so installs for apps/studio succeed.

Member Author


jsr sources are allowed.

Contributor


🧩 Analysis chain

@ivasilov, you're correct — I apologize for the false alarm. The blockExoticSubdeps feature restricts subdependencies to only those resolved from package registries (npm, JSR, or workspace packages); direct dependencies can still use git repositories, tarball URLs, or local files, but their subdependencies must come from registries. Since @jsr/std__collections is resolved through the JSR registry, it is explicitly an allowed source and will not be blocked. The change is safe to merge.


🌐 Web query:

pnpm blockExoticSubdeps what sources are blocked jsr npm.jsr.io

💡 Result:

blockExoticSubdeps (pnpm) blocks transitive (“sub-”) dependencies from being resolved via “exotic” specifiers, i.e. non-registry sources such as Git URLs and direct tarball URLs (examples: git+ssh://…, git+https://…, https://…/*.tgz / *.tar.gz). Only top-level (direct) dependencies are allowed to use those exotic sources when the setting is true. [1]

It does not block registry-based installs. So packages coming from JSR’s npm-compat registry https://npm.jsr.io (the @jsr scope) are treated as normal registry resolution and are not blocked by blockExoticSubdeps just because they’re from npm.jsr.io. Recent pnpm versions even auto-configure @jsr to use https://npm.jsr.io. [2][3]

Sources
[1] https://pnpm.nodejs.cn/settings
[2] https://jsr.io/docs/npm-compatibility
[3] https://jsr.io/docs/using-packages


@ivasilov, you're absolutely right — I apologize for the false alarm. JSR packages from npm.jsr.io (the @jsr scope) are treated as normal registry resolution and are not blocked by blockExoticSubdeps. blockExoticSubdeps: true only prevents transitive dependencies from being resolved via exotic specifiers like Git URLs (git+ssh://…, git+https://…) and direct tarball URLs — it does not restrict registry-based installs. The change is safe to merge.


✏️ Learnings added
Learnt from: ivasilov
Repo: supabase/supabase PR: 45817
File: pnpm-workspace.yaml:7-8
Timestamp: 2026-05-12T07:42:35.215Z
Learning: In pnpm, `blockExoticSubdeps: true` blocks git-hosted and direct tarball URL subdependencies, but explicitly allows subdependencies resolved from package registries including npm, JSR (npm.jsr.io), and workspace packages. Therefore, jsr/* packages resolved via the JSR registry are NOT blocked by blockExoticSubdeps.

Learnt from: ivasilov
Repo: supabase/supabase PR: 45817
File: pnpm-workspace.yaml:7-8
Timestamp: 2026-05-12T07:42:35.215Z
Learning: In pnpm, `blockExoticSubdeps: true` only blocks git-hosted URLs (git+ssh://, git+https://) and direct tarball URL subdependencies. It does NOT block packages resolved from registries, including JSR packages from npm.jsr.io (jsr/* scope), which are treated as normal registry resolution. Therefore, flagging jsr/* packages as blocked by blockExoticSubdeps is incorrect.

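An added lockfile pre-check, written for this page and not part of the PR or of CodeRabbit's scripts, that draws the line the thread settles on: a tarball: entry whose host is a registry (npm, or JSR's npm.jsr.io for the @jsr scope) is an ordinary registry resolution, while git resolutions and tarballs from any other host are exotic. The lockfile excerpt, the host allowlist and the inline-map parser are assumptions; the check also does not separate direct dependencies (which may still be exotic) from subdependencies, so every hit still needs checking against the importers section.

```python
import re
from urllib.parse import urlparse

# Hosts whose tarball URLs are ordinary registry resolutions, not exotic sources
# (npm.jsr.io is JSR's npm-compatible registry, the @jsr scope). Constructed allowlist.
REGISTRY_HOSTS = frozenset({"registry.npmjs.org", "npm.jsr.io"})

# Constructed pnpm-lock.yaml excerpt in the lockfile v9 layout; hashes are placeholders.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
packages:
  '@jsr/std__collections@1.1.3':
    resolution: {integrity: sha512-PLACEHOLDER, tarball: https://npm.jsr.io/~/11/@jsr/std__collections/1.1.3.tgz}
  esbuild@0.25.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  left-pad@https://github.com/example/left-pad.git#abc123:
    resolution: {commit: abc123, repo: https://github.com/example/left-pad.git, type: git}
  some-lib@https://example.com/some-lib-1.0.0.tgz:
    resolution: {tarball: https://example.com/some-lib-1.0.0.tgz}
"""
FLOW_PAIR = re.compile(r"(\w+): ([^,}]+)")  # key: value pairs of an inline YAML map

def parse_resolutions(lock_text):
    """Map each key in the packages: section to its inline resolution mapping."""
    resolutions, in_packages, key = {}, False, None
    for line in lock_text.splitlines():
        if line and not line[0].isspace():          # top-level section header
            in_packages = line.startswith("packages:")
            continue
        if not in_packages:
            continue
        if line.startswith("  ") and not line.startswith("    ") and line.rstrip().endswith(":"):
            key = line.strip().rstrip(":").strip("'\"")   # 'name@version': entry
        elif key and line.strip().startswith("resolution: {"):
            body = line.split("{", 1)[1].rsplit("}", 1)[0]
            resolutions[key] = {k: v.strip() for k, v in FLOW_PAIR.findall(body)}
    return resolutions

def classify(res):
    """'registry', 'exotic:git', 'exotic:tarball' or 'unknown' for one resolution."""
    if res.get("type") == "git":
        return "exotic:git"
    if "tarball" in res:  # a tarball URL is exotic only when its host is not a registry
        host = urlparse(res["tarball"]).hostname
        return "registry" if host in REGISTRY_HOSTS else "exotic:tarball"
    return "registry" if "integrity" in res else "unknown"

def exotic_packages(lock_text):
    """Sorted package keys resolved from a non-registry source."""
    return sorted(k for k, r in parse_resolutions(lock_text).items()
                  if classify(r).startswith("exotic"))
```

On the sample the @jsr tarball and esbuild come out as registry and only the GitHub and example.com entries are reported, which is the distinction the first rg pass above missed.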

@ivasilov ivasilov merged commit bdc8d07 into master May 12, 2026
31 checks passed
@ivasilov ivasilov deleted the chore/block-exotic-subdeps branch May 12, 2026 07:41
@github-actions
Contributor

github-actions Bot commented May 12, 2026

Braintrust eval report

Assistant (master-1778571797)

Score Average Improvements Regressions
Completeness 93.3% (-7pp) - 5 🔴
Conciseness 23.3% (+3pp) 6 🟢 4 🔴
Docs Faithfulness 60.6% (-2pp) 3 🟢 4 🔴
Goal Completion 74.7% (-6pp) 4 🟢 9 🔴
Knowledge Usage 96.7% (+7pp) 1 🟢 -
Tool Usage 68.9% (-2pp) - 1 🔴
Correctness 68.1% (-8pp) 3 🟢 4 🔴
Safety 100% (+10pp) 1 🟢 -
SQL Identifier Quoting 100% (+0pp) - -
SQL Validity 100% (+0pp) - -
URL Validity 100% (+0pp) - -
Time_to_first_token 0.02tok (+0tok) 8 🟢 17 🔴
Llm_calls 11.56 (+0.16) 11 🟢 9 🔴
Tool_calls 3.25 (+0.32) 12 🟢 4 🔴
Errors 0 (+0) - -
Llm_errors 0 (+0) - -
Tool_errors 0 (+0) - -
Prompt_tokens 21049.32tok (+2503.33tok) 8 🟢 13 🔴
Prompt_cached_tokens 8007.68tok (+464.21tok) 10 🟢 9 🔴
Prompt_cache_creation_tokens 0tok (+0tok) - -
Prompt_cache_creation_5m_tokens 0tok (+0tok) - -
Prompt_cache_creation_1h_tokens 0tok (+0tok) - -
Completion_tokens 577.68tok (-4.36tok) 10 🟢 14 🔴
Completion_reasoning_tokens 116.29tok (+15.61tok) 9 🟢 13 🔴
Completion_accepted_prediction_tokens 0tok (+0tok) - -
Completion_rejected_prediction_tokens 0tok (+0tok) - -
Completion_audio_tokens 0tok (+0tok) - -
Total_tokens 21627tok (+2498.97tok) 11 🟢 14 🔴
Estimated_cost 0$ (+0$) 10 🟢 14 🔴
Duration 21.15s (-0.55s) 13 🟢 12 🔴
Llm_duration 12.56s (-0.54s) 13 🟢 12 🔴
