Skip to content

🔄 Sync with upstream changes#17

Open
h0lybyte wants to merge 560 commits into
mainfrom
upstream-main
Open

🔄 Sync with upstream changes#17
h0lybyte wants to merge 560 commits into
mainfrom
upstream-main

Conversation

@h0lybyte

Copy link
Copy Markdown
Member

Upstream Sync

This PR contains the latest changes from the upstream repository.

Changes included:

  • Synced from upstream/main
  • Auto-generated by upstream sync workflow

Review checklist:

  • Review the changes for any breaking changes
  • Check for conflicts with local modifications
  • Verify tests pass (if applicable)

This PR was automatically created by the upstream sync workflow

semantic-release-bot and others added 30 commits April 18, 2026 08:04
* feat: add PartitonedTables

Peep.Storage implementation using N ETS tables with optional tag-based routing.

Each metric write is routed to a specific table based on a `:routing_tag` option.
If the routing tag is present in the metric's tags, `:erlang.phash2/2` is used to
select the table. Otherwise, the first table is used.

This reduces lock contention by routing different tag values (e.g. different tenants)
to different ETS tables, without partitioning metrics within a table.
Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>
Improve the local setup to make it straightforward to run the server:

```
mise run db-start
mix setup
mise run dev
```

- Introduce mise to manage tool versions, tasks, and envs
- Removed .tool-versions and Makefile in favor of mise.toml
- Introduce `Realtime.Env` to use in runtime.exs with tests and more
  validations to make it more resilient to avoid hard to debug errors in
  the server booting process
- Group all envs together in `runtime.exs` to have better
  discoverability, especially for docs (self-hosting) and config
- Break readme into dedicated docs to reduce noise in the main readme
  (easier to scan)
- Add Code of Conduct and Contributing guides based on
  https://github.com/supabase/.github and https://github.com/supabase/supabase
- Added env vars into ENVS.md: API_TOKEN_BLOCKLIST, CLUSTER_STRATEGIES,
  DB_MASTER_REGION, DB_HOST_REPLICA_FRA, DB_HOST_REPLICA_IAD,
  DB_HOST_REPLICA_SIN, DB_HOST_REPLICA_SJC, REGION, LOGS_ENGINE,
  LOGFLARE_LOGGER_BACKEND_URL, LOGFLARE_API_KEY, LOGFLARE_SOURCE_ID,
  JWT_CLAIM_VALIDATORS, METRICS_JWT_SECRET, METRICS_TOKEN_BLOCKLIST,
  MAX_GEN_RPC_CALL_CLIENTS, PROM_POLL_RATE, AWS_EXECUTION_ENV,
  JANITOR_MAX_CHILDREN, JANITOR_CHILDREN_TIMEOUT,
  LOG_THROTTLE_JANITOR_INTERVAL_IN_MS, MEASURE_TRAFFIC_INTERVAL_IN_MS,
  NO_CHANNEL_TIMEOUT_IN_MS, RPC_TIMEOUT
- Removed stale env vars from ENVS.md: DISCONNECT_SOCKET_ON_NO_CHANNELS_INTERVAL_IN_MS,
  JANITOR_CLEANUP_MAX_CHILDREN, JANITOR_CLEANUP_CHILDREN_TIMEOUT
Used Elixir 1.20 type system to identify violations.
now we can setup otel to track performance of each test and have properly defined spans per test
Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>
Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>
leandrocp and others added 30 commits June 26, 2026 09:55
---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Leandro Pereira <leandro@leandro.io>
---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Leandro Pereira <leandro@leandro.io>
---------

Co-authored-by: supabase-autofix-bot <noreply@supabase.com>
add back the log warning for ipv4 address
- Apply schema restrictions when supautils grants are available to avoid unintentional and unexpected changes to realtime schema that's supposed to be protected.
- Always connect as `db_user` and removes `db_user_realtime`. The restriction is controlled by migrations only.
- Remove feature flag `use_supabase_realtime_admin`

Ref REAL-25, REAL-527, REAL-630, REAL-631, REAL-773, REAL-778, SEC-562
* chore: update @supabase/supabase-js to v2.110.1

* chore: update nix node_modules hash

---------

Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>
Co-authored-by: supabase-autofix-bot <noreply@supabase.com>
Bump mint, req, plug, decimal, etc

https://diff.hex.pm/diffs?diffs%5B%5D=castore:1.0.15:1.0.19&diffs%5B%5D=decimal:3.1.0:3.1.1&diffs%5B%5D=finch:0.20.0:0.23.0&diffs%5B%5D=hpax:1.0.3:1.0.4&diffs%5B%5D=mint:1.7.1:1.9.1&diffs%5B%5D=plug:1.19.3:1.20.2&diffs%5B%5D=req:0.5.15:0.6.2

mint 1.7.1 - EEF-CVE-2026-48861 (LOW)
  aka: CVE-2026-48861, GHSA-2pg6-44cx-c49v
  CRLF injection in HTTP/1 request line via unvalidated method in Mint
  https://osv.dev/vulnerability/EEF-CVE-2026-48861

mint 1.7.1 - EEF-CVE-2026-56810 (HIGH)
  aka: CVE-2026-56810, GHSA-c59h-fq4p-r36r
  mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5
  https://osv.dev/vulnerability/EEF-CVE-2026-56810

mint 1.7.1 - EEF-CVE-2026-49753 (MEDIUM)
  aka: CVE-2026-49753, GHSA-mjqx-c6f6-7rc2
  HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing
  https://osv.dev/vulnerability/EEF-CVE-2026-49753

mint 1.7.1 - EEF-CVE-2026-49754 (HIGH)
  aka: CVE-2026-49754, GHSA-2p26-p43x-fhp8
  HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation
  https://osv.dev/vulnerability/EEF-CVE-2026-49754

mint 1.7.1 - EEF-CVE-2026-48862 (HIGH)
  aka: CVE-2026-48862, GHSA-g586-ccqf-7x4r
  Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency
  https://osv.dev/vulnerability/EEF-CVE-2026-48862

req 0.5.15 - EEF-CVE-2026-49755 (HIGH)
  aka: CVE-2026-49755, GHSA-655f-mp8p-96gv
  Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
  https://osv.dev/vulnerability/EEF-CVE-2026-49755

req 0.5.15 - EEF-CVE-2026-49756 (LOW)
  aka: CVE-2026-49756, GHSA-px9f-whj3-246m
  Multipart form-data header injection in Req via unescaped name/filename/content_type
  https://osv.dev/vulnerability/EEF-CVE-2026-49756

hpax 1.0.3 - EEF-CVE-2026-58226 (HIGH)
  aka: CVE-2026-58226, GHSA-jj2p-32j7-whj2
  Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax
  https://osv.dev/vulnerability/EEF-CVE-2026-58226
* fix: role leak on apply_rls

Fix the `subscriptions` query in `apply_rls` to reset the role during
the FOR loop execution to avoid leaking the query to `working_role`
which 1) is not expected role and 2) might lack execution grants causing
supabase#2001

Ref REAL-902
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants