Skip to content

chore: production deploy#5874

Open
supabase-cli-releaser[bot] wants to merge 62 commits into
mainfrom
develop
Open

chore: production deploy#5874
supabase-cli-releaser[bot] wants to merge 62 commits into
mainfrom
develop

Conversation

@supabase-cli-releaser

Copy link
Copy Markdown
Contributor

Coly010 and others added 30 commits July 7, 2026 10:13
… parity) (#5794)

## Current Behavior

Go's overwrite-confirmation prompt for `gen signing-key` reads piped
stdin even in non-TTY mode (`internal/utils/console.go`'s
`PromptYesNo`/`ReadLine`, racing a 100ms timeout) and honors an explicit
y/n answer. The TS port's `signing-key.handler.ts` had its own local
`confirmOverwrite` that returned `true` unconditionally in non-TTY mode
without reading stdin at all, so `echo n | supabase gen signing-key`
silently overwrote the existing key file instead of canceling — a
data-loss risk for scripted/CI usage.

## Expected Behavior

- Deletes the local `confirmOverwrite` and switches the call site to the
shared `legacyPromptYesNo` helper (already used by `seed buckets`,
`config push`, `logout`, `storage rm`, `db pull`), which already
correctly implements Go's non-TTY read-with-timeout-and-parse behavior.
- Swaps `LegacyYesFlag` for `legacyResolveYes` (matching those same five
callers), so `gen signing-key` now also honors `SUPABASE_YES` and an
explicit `--yes=false`, matching Go's `viper.GetBool("YES")`.
- Fails the overwrite closed (rather than silently defaulting to yes)
when a real interactive TTY requests a non-text `--output-format` — this
command has no structured json/stream-json payload (SIDE_EFFECTS.md),
and the shared helper's own default-on-non-text short-circuit would
otherwise silently overwrite irrecoverable key material with no prompt
at all. A non-TTY caller (piped or not) is unaffected by this guard.

Fixes CLI-1865
…5813)

## What kind of change does this PR introduce?

Docs fix — Legacy port SIDE_EFFECTS.md / AGENTS.md accuracy (F3-F10, F12
from the parity audit).

## What is the current behavior?

11 `SIDE_EFFECTS.md` files and `AGENTS.md` contained factual errors
where the code was already correct but the documentation was wrong —
wrong file paths, a fabricated stdout message, an inverted claim about
whether a command writes the linked-project cache, a missing
json/stream-json output envelope, a fictitious subprocess name, a
backwards project-ref claim, and a fabricated telemetry-identity call.
Each claim was independently re-verified against `apps/cli-go/` (and,
for the `completion` exit-code claim, against the actual compiled Go
binary and the actual TS CLI) before editing.

## What is the new behavior?

- **F3**: `db/branch/{create,delete,list,switch}` — corrected the
current-branch file path to `supabase/.branches/_current_branch`,
matching `internal/utils/misc.go:99`.
- **F4**: `db/remote/commit` — removed the false claim it prints
`Finished supabase db pull.` (that belongs only to `db pull`).
- **F5**: `db/lint` — corrected: it DOES write the linked-project cache
on `--linked`, matching Go's `ensureProjectGroupsCached`.
- **F6**: `db/schema/declarative/generate` — corrected: it has a real
json/stream-json success envelope.
- **F7**: `db/schema/declarative/sync` — replaced a fictitious
`migration up --local` subprocess with the real `db reset --local`
recovery-path subprocess.
- **F8**: `completion` — the doc's exit-code claim was backwards. Go
exits `0` on both bare `completion` and an unrecognized shell subcommand
(verified against the compiled binary); the legacy TS shell currently
exits `1` for both — a genuine, systemic exit-code bug in the shared CLI
harness, not `completion`-specific (it reproduces on any
bare/unrecognized group-command invocation, e.g. `branches`). Rather
than fixing the code here or describing the bug as intended, the doc now
states Go's true behavior and flags the current TS divergence, filed
separately as CLI-1906.
- **F9**: `config/push` + `AGENTS.md` — corrected the
linked-project-cache path (was a fabricated `~/.supabase/<hash>/...`,
real path is `<workdir>/supabase/.temp/linked-project.json`) and fixed
an adjacent conflation where the project-ref-fallback file was wrongly
attributed to the same cache file, when it's actually a separate file
(`<workdir>/supabase/.temp/project-ref`).
- **F10**: `branches/update` — corrected: the upgrade-suggest call uses
the branch's own resolved ref, not the parent `--project-ref`.
- **F12**: `AGENTS.md` telemetry table — removed a fabricated
`analytics.identify(gotrueId)` claim from the `login` row; Go's
`StitchLogin` only aliases.

A second, wider pre-existing doc bug was found during F9's verification
(the same fabricated linked-project-cache path is copy-pasted across 29
other `SIDE_EFFECTS.md` files not touched here) — filed separately as
CLI-1907 rather than expanding this diff.

Docs-only change; no `.ts`/`.go` files touched. `pnpm check:all` passes.
…r references (#5811)

## What kind of change does this PR introduce?

Docs fix — Legacy port SIDE_EFFECTS.md accuracy.

## What is the current behavior?

Two systemic env-var documentation errors across
`src/legacy/**/SIDE_EFFECTS.md`, found in the parity audit:

- **~36 files** document `SUPABASE_API_URL` as a real override for the
Management API base URL. No such env var exists in Go:
`SetEnvPrefix("SUPABASE")` + `AutomaticEnv()` never binds `API_URL`,
there's no `os.Getenv("SUPABASE_API_URL")` anywhere, and the
`Profile.api_url` field loads on a separate, unbound `viper.New()`
instance (`internal/utils/profile.go:99`). The real override is
`SUPABASE_PROFILE` (built-in name or a path to a YAML profile file).
- **~18 files** document bare `PROJECT_ID` as if it were itself a
settable env var. It's Go's internal viper key name — the real,
user-facing env var is `SUPABASE_PROJECT_ID`
(`viper.GetString("PROJECT_ID")` under the global
`SetEnvPrefix("SUPABASE")` singleton,
`internal/utils/flags/project_ref.go:62`).

Both claims were independently verified against the real Go source and,
for the viper-specific mechanics, a compiled test program against the
exact pinned `github.com/spf13/viper v1.21.0`.

## What is the new behavior?

- Removed the fabricated `SUPABASE_API_URL` rows; where a file didn't
already document `SUPABASE_PROFILE`, added a real row for it (including
the persisted `~/.supabase/profile` fallback step in the resolution
chain, matching `legacy-cli-config.layer.ts`).
- Corrected every bare `PROJECT_ID` mention (Environment Variables
tables, Files Read "When" columns, and prose) to `SUPABASE_PROJECT_ID`,
converging on the dominant convention already used correctly across ~15
sibling files.
- Left `db/advisors/SIDE_EFFECTS.md` untouched — it already correctly
documents that `SUPABASE_API_URL` is not honored.
- Filed follow-ups for two related-but-out-of-scope findings surfaced
during review: CLI-1904 (global choice-flag telemetry gap, unrelated)
and CLI-1905 (bare `DB_PASSWORD` has the same bug class as this PR's F2,
in a set of files this PR doesn't touch).

Docs-only change; no `.ts` files touched. `pnpm check:all` passes.
…5715)

Ports the `db push`, `db reset`, and `db start` commands of the legacy
CLI shell from Go-binary proxies to native TypeScript (CLI-1325), and
introduces a hidden Go seam for the container-bootstrap primitives that
aren't ported.

## What changed

**`db push`** — fully native: pending-migration reconciliation,
seed-file ops with `seed_files` hash tracking, `[db.vault]` upsert,
`--include-roles`/`--include-seed`/`--dry-run`, against local / linked /
`--db-url`.

**`db reset`** — native on both legs:
- Remote (`--linked` / remote `--db-url`): drop user schemas → vault
upsert → migrate + seed, `--version`/`--last`, and the Go-parity
`--sql-paths` seed override (merged from develop, mutually exclusive
with `--no-seed`).
- Local (`--local` / local `--db-url`): running check, `Resetting local
database…`, container recreate + migrate + seed via the seam,
storage-gated bucket seeding (reuses the ported `seed buckets` core),
and the `Finished … on branch <branch>.` line.
- Only the niche `--experimental` remote schema-files path still
delegates to the Go binary.

**`db start`** — native: config validation, the
`AssertSupabaseDbIsRunning` check (prints Go's "already running" line),
else container bootstrap via the seam. No status table and no
`cli_stack_started` — those belong to the top-level `supabase start`,
not `db start`.

**Hidden Go seam (`db __db-bootstrap`)** — mirrors the existing `db
__shadow` seam. Exposes the un-ported container primitives
(`StartDatabase` + `DockerRemoveAll` cleanup, the PG14/PG15 reset
recreate, the storage health gate) behind `--mode
{start|recreate|await-storage}`. The TS side orchestrates everything
else (messages, version resolution, bucket seeding, the git-branch line,
telemetry, `--output-format` shaping); the seam runs with telemetry
disabled and stderr inherited, like `__shadow`.

**Config loading (review follow-ups)** — `db push` / `db reset` / `db
start` load `config.toml` through the legacy Go-parity reader
(`legacyCheckDbToml`, Go's `flags.LoadConfig` → `config.Load` +
`Validate`) rather than `@supabase/config`, so their config semantics
match the Go CLI exactly:
- Go-style env-reference booleans (e.g. `[db.seed] enabled =
"env(SEED_ENABLED)"`) load like Go (env-expand → `strconv.ParseBool`)
instead of failing with a parse error.
- a matched `[remotes.<ref>]` block's `db.migrations.enabled` /
`db.seed.enabled` beats the `SUPABASE_DB_*_ENABLED` env var (Go's
`v.Set` override tier sits above AutomaticEnv), closing the last
remote-vs-env precedence gap.
- `encrypted:` `[db.vault]` secrets are decrypted at config-load time
with the shell **and** project-`.env` `DOTENV_PRIVATE_KEY*` keys and
fail fast (before any connect / schema drop) on an undecryptable value,
matching Go's `DecryptSecretHookFunc`.
- seed `sql_paths` (config and `--sql-paths`) resolve once to Go's
config-load form; `db start` validates config before the already-running
check.

Malformed config now surfaces the reader's Go message (`failed to load
config`), consistent with `db diff` / `dump` / `pull` / `migration`.

## Why

`db start` / `db reset --local` need container lifecycle
(create/recreate, image pull, health checks, init schema, service
restarts) that is impractical to reimplement in TS. The seam keeps that
lifecycle in Go while moving orchestration, output parity, telemetry,
and `--output-format` handling to native TS — matching the approach
already used for `db diff` / `db pull`.

## Reviewer notes

- The seam is the only `db reset`/`db start` boundary the in-process
integration suites mock; it's covered end-to-end by the cli-e2e live
suite (`db-reset-start.live.e2e.test.ts`, run via `pnpm --filter
@supabase/cli-e2e test:e2e:live`), which exercises the local leg against
a real Docker socket and the remote `db reset` leg against the staging
session pooler. Both `describe`s skip the `ts-next` target (the next
shell has no `db` group).
- `db reset --local` recreate forwards `--no-seed` / `--sql-paths` to
the seam, which applies them via the same `applyDbResetSeedFlags` helper
`db reset` uses, so seed handling stays identical across local and
remote.
- The bundled `supabase-go` binary must be rebuilt (`pnpm
build:go-sidecar` copies it into `dist/`) since the seam adds the `db
__db-bootstrap` command.
- `docs/go-cli-porting-status.md` flips `db push` / `db reset` / `db
start` to `ported`; each command's `SIDE_EFFECTS.md` documents the
files, subprocesses, DB mutations, env vars, and exit codes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude <noreply@anthropic.com>
…rity) (#5797)

## What kind of change does this PR introduce?

Bug fix (Go parity).

## What is the current behavior?

`supabase functions deploy --jobs` diverges from the Go CLI in two
related ways:

1. The `--jobs` guard only errored when local bundling
(Docker/legacy-bundle) was active, so `--use-docker=false --jobs 2` (no
`--use-api`) silently passed in TS while Go rejects it. The error text
also differed from Go's wording.
2. `useLocalBundler` decided Docker-vs-API routing based on whether
`--use-api` was *typed* on the command line (`explicitUseApi`), not its
*resolved* value — so `--use-api=false` alone silently forced the API
bundler instead of falling through to Docker, contrary to Go's `if
useApi { useDocker = false }` (which only fires when the resolved value
is true).

Go's only guard (`apps/cli-go/cmd/functions.go:79-82`) is:
```go
if useApi {
    useDocker = false
} else if maxJobs > 1 {
    return errors.New("--jobs must be used together with --use-api")
}
```

## What is the new behavior?

- `--jobs > 1` is now rejected whenever `--use-api`'s resolved value is
`false`, regardless of `--use-docker`/`--legacy-bundle`, with the exact
Go error text: `--jobs must be used together with --use-api`.
- Bundler routing (`useLocalBundler`) now keys off the same resolved
`flags.useApi` value, so `--use-api=false` alone falls through to
Docker/legacy-bundle instead of silently switching to the API path.
- Both fixes land in the shared `deployFunctions()` used by both the
`legacy` and `next` shells, with regression coverage added in both.

Fixes CLI-1861.
…mFlag parity) (#5810)

## What kind of change does this PR introduce?

Bug fix (Go CLI parity).

## What is the current behavior?

Go's telemetry (`cmd/root_analytics.go:110-116`, `isEnumFlag`)
unconditionally treats any enum/choice flag as telemetry-safe — the
value is sent verbatim to PostHog, no per-flag opt-in required. The TS
legacy port's `withLegacyCommandInstrumentation` only exempted booleans
and explicit `safeFlags` entries, so every `Flag.choice` value was
silently redacted to `<redacted>` unless someone remembered to hand-list
it — which had already happened inconsistently across the 14 commands
using `Flag.choice`. `gen signing-key`'s `algorithm` and `gen types`'s
`lang`/`swift-access-control` had no exemption at all; several other
commands had partial coverage via ad-hoc `safeFlags`.

## What is the new behavior?

- `withLegacyCommandInstrumentation` now accepts a `config` option (the
command's own flag config record, the same object passed to
`Command.make`). Any flag built with
`Flag.choice`/`Flag.choiceWithValue` is auto-detected and treated as
telemetry-safe, covering every current and future enum flag on that
command without hand-maintaining a `safeFlags` list.
- The detection unwraps `Map`/`Transform`/`Optional`/`Variadic` wrapper
params down to the underlying `Single` the same way `--help` rendering
does internally, reimplemented using only type-visible public `effect`
API (the library's own internal helpers for this exact purpose exist in
the compiled JS but are absent from the published `.d.ts`, so calling
them directly isn't possible without an `as` cast).
- Wired `config` into all 14 commands with choice flags. Removed 3
files' now-redundant hand-listed `safeFlags` entries where every listed
name was already choice-typed.
- Filed CLI-1904 to track a related, pre-existing, out-of-scope gap:
global/root flags (`--output`, `--dns-resolver`, `--agent`) aren't wired
into any command's `config`, so they're not covered by this fix even
though Go's equivalents are also `EnumFlag`.

Fixes CLI-1866
This PR was automatically created to sync the generated `@supabase/api`
package with the latest Management API OpenAPI document.

Changes were detected in the upstream OpenAPI document exposed by
`https://api.supabase.com/api/v1-json`.

Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>
…ploy/download (#5804)

## What kind of change does this PR introduce?

Bug fix (Go-parity divergence).

## What is the current behavior?

Go's cobra emits a fixed template for `MarkFlagsMutuallyExclusive`
violations (`flag_groups.go:204`): the full group in registration order,
plus the subset of flags actually set, sorted alphabetically. `functions
deploy`/`functions download` emitted a custom TS string instead ("flags
--use-api, --use-docker are mutually exclusive"), diverging on wording
and dash usage. `download`'s check also branched on flag *truthiness*
rather than whether the flag was explicitly *changed* on the command
line, so `--use-api --use-docker=false` was silently allowed even though
cobra's real `pflag.Changed` semantics reject it.

## What is the new behavior?

Both commands now emit cobra's exact error text (verified byte-for-byte
against the real compiled Go binary), and `download`'s mutex check now
detects "explicitly changed" the same way `deploy`'s already did,
closing the `--use-docker=false` gap.

While fixing this, found the same cobra-template string duplicated in
two other places during a review pass — `db dump` (own inline copy of
the message format) and `gen types` (its own private
`hasExplicitLongFlag` plus a *second* copy of the message template that
had a real, independently-verified bug: it joined the violating-flag set
in check order instead of sorting it, so `gen types --local --linked`
printed `[local linked]` while the actual Go binary prints `[linked
local]`). Hoisted the two generic helpers to
`shared/cli/cobra-flag-groups.ts` and pointed all three call sites at
them, fixing the `gen types` sort-order bug as a direct consequence.

Filed two follow-ups discovered during review: CLI-1902 (`sso update`'s
`--domains`/`--add-domains`/`--remove-domains` mutex has the same class
of bug, different flag family, out of scope here) and CLI-1903 (`next/`
inherits the same byte-exact cobra text via the shared validator, even
though it isn't bound by the Go-parity contract — worth a friendlier
message there, but that's additive UX work, not a parity fix).

Reviewed via a 4-way parallel pass (architect/engineer/security/DX), all
approved. Architect's finding (the two generic helpers were hoisted into
a functions-specific file despite having zero functions-domain logic,
evidenced by the two duplicate implementations above) is what prompted
the `shared/cli/` relocation and dedup in this PR.
…t ref (#5802)

## What kind of change does this PR introduce?

Bug fix (Go-parity divergence).

## What is the current behavior?

On a malformed linked project ref, Go's `services` command validates the
ref (`flags.LoadProjectRef`) but only warns to stderr on failure and
still proceeds to call the remote tenant lookup with the bad ref
(`cmd/services.go`, `internal/services/services.go:61-62`). The
TypeScript port silently skipped the remote lookup on a malformed ref
with no warning at all, and `services/SIDE_EFFECTS.md` mis-attributed
that silent skip to Go.

Fixes CLI-1872.

## What is the new behavior?

TS now prints the same warning Go would print (`Invalid project ref
format. Must be like \`abcdefghijklmnopqrst\`.`, reusing the constant
already exported from `legacy-project-ref.service.ts`), matching Go's
stderr ordering. Unlike Go, TS deliberately does **not** then proceed
with the malformed ref — the ref gets embedded unescaped into the tenant
gateway hostname in `fetchLinkedServiceVersions`, so proceeding would
let a malformed/tampered ref redirect the service-role key to an
attacker-controlled host. This is an intentional, documented TS-only
divergence (SSRF hardening), not a parity bug — see the updated
`SIDE_EFFECTS.md` and the new "Behavioral divergences" section in
`docs/go-cli-porting-status.md`.

Reviewed via a 4-way parallel pass (architect/engineer/security/DX);
security and engineer approved outright, architect approved after
closing a branch-coverage gap on the exact code this PR restructured,
and DX surfaced that the identical Go idiom (`flags.LoadProjectRef`'s
warn-and-continue) is also unhandled in `projects list` and a few
`resolveOptional` callers — filed as CLI-1900 for its own dedicated
audit, since each caller needs independent verification against its Go
counterpart rather than a blanket fix.
…#5793)

## Current Behavior

Go defaults `--use-docker` to `true` on `functions download`
(`cmd/functions.go:181`); the TS port omitted the default, so it
resolved to `false`. This flipped the default download path (native HTTP
vs. Docker-proxied) whenever no flags were passed, and once fixed
naively, the mutex check between
`--use-api`/`--use-docker`/`--legacy-bundle` (truthiness-based) would
start misfiring on the new default-true value, and `--use-api` alone
would keep routing to Docker instead of overriding it the way Go's `if
useApi { useDocker = false }` does.

## Expected Behavior

- `useDocker` now defaults to `true` via `Flag.withDefault(true)`,
matching Go.
- The mutex check (`validateDownloadFlags`) now scans raw argv for
explicit flag presence (`hasExplicitLongFlag`, hoisted out of
`deploy.ts` into the shared `functions.shared.ts` family root, since
it's now used by two commands) instead of checking parsed boolean
truthiness — mirroring Go's `pflag.Changed`-based
`MarkFlagsMutuallyExclusive`.
- `downloadFunctions` gates the Docker/legacy-bundle proxy branch on
`!flags.useApi`, mirroring Go's value-based `if useApi { useDocker =
false }` override (`cmd/functions.go:51-53`) — not presence, so
`--use-api=false` still proxies to Docker like an unpassed `--use-api`
would.
- The Go-proxy arg builder (`makeGoProxyDownloadArgs`) now forwards at
most one of `--use-docker`/`--legacy-bundle` — previously it could
forward both once `useDocker` defaults true, which the Go binary's own
mutex check would then reject.
- Slug validation now runs unconditionally, before the proxy-dispatch
branch, so a malformed/traversal-shaped function name is rejected before
ever reaching the Go proxy's argv.
- The delegated Go call now runs with `SUPABASE_TELEMETRY_DISABLED=1`
(mirrors `db pull`/`db diff`'s delegated-call pattern), and in
`--output-format json|stream-json` its stdout is captured/discarded via
`execCapture` instead of inherited, with `downloadFunctions` emitting
the `Output` envelope itself — the Docker/legacy-bundle proxy branch is
now safe as the default path for both telemetry accuracy and
machine-output correctness (CLI-1546), not just opt-in flags.
- `rawArgs` is threaded through `DownloadFunctionsDependencies` from the
`Stdio.Stdio` service in both the legacy and next shell handlers (the
shared `downloadFunctions` helper is used by both); `next`'s own
`--use-docker` default is intentionally left unchanged — this is a
legacy/Go-parity-only fix.

## Known follow-ups (not fixed here)

- Go's own server-side unbundle extractor (`saveFile` in
`apps/cli-go/internal/functions/download/download.go`) lacks the
path-containment checks the native TS downloader already has —
pre-existing Go CLI behavior, now reachable by default rather than via
opt-in flags. Tracked as CLI-1891.
- `hasExplicitLongFlag` detects flag token presence, not resolved value,
so `--use-docker=false` isn't treated as disabling Docker in the mutex
check. Pre-existing pattern shared with `deploy.ts`.

Closes CLI-1862
… (Go parity) (#5809)

## What kind of change does this PR introduce?

Bug fix (Go CLI parity).

## What is the current behavior?

Go marks `--project-ref` telemetry-safe on all four `functions` leaf
commands (`cmd/functions.go:151,153,165,178`) — `list`, `delete`,
`deploy`, `download` — so the flag value is recorded verbatim in the
`cli_command_executed` PostHog event instead of being redacted.

The TS legacy port only did this for `list` and `deploy`. `functions
delete` and `functions download` were both redacting `--project-ref`,
diverging from Go and from their own sibling commands.

## What is the new behavior?

- Added `safeFlags` for `--project-ref` to `functions delete` and
`functions download`, matching `list`/`deploy` and Go.
- Hoisted the `["project-ref"]` safe-flags list into a shared
`FUNCTIONS_PROJECT_REF_SAFE_FLAGS` constant in
`shared/functions/functions.shared.ts`, now referenced by all four
commands instead of being duplicated inline.
- Exported each command's composed handler
(`legacyFunctionsDeleteHandler`, `legacyFunctionsDownloadHandler`) so
integration tests can drive the exact effect `Command.withHandler` wires
up, rather than re-testing the generic instrumentation wrapper in
isolation.
- Corrected stale/missing rows in `delete`/`download`'s
`SIDE_EFFECTS.md` (missing `Files Written`/`Files Read`/`Environment
Variables` rows, a stale `SUPABASE_API_URL` claim, and a new `Telemetry
Events Fired` section), reconciled against `list`'s already-accurate
doc.

Fixes CLI-1864
…5796)

## Current Behavior

Go's `secrets set` (`internal/secrets/set/set.go:20-24`) swallows a
malformed `supabase/config.toml` parse error to the debug logger and
proceeds with empty `EdgeRuntime.Secrets` — env-file and positional-arg
secrets still apply. `secrets set` has no
`--linked`/`--local`/`--db-url` flag, so the root PreRun never loads the
config first either; this is the only load. The TS port instead let the
parse error propagate as a fatal `LegacySecretsConfigParseError`,
aborting the whole command even when the user only wanted to set a
secret via CLI arg or env-file.

## Expected Behavior

- Catches `ProjectConfigParseError`, logs it to the debug logger, and
continues with no config-declared secrets, matching Go.
- The logged message is truncated before any blank-line-separated source
snippet: `smol-toml`'s `TomlError` (and some schema-decode errors) embed
a codeblock of the surrounding file lines in their message, which for
this file's `[edge_runtime.secrets]` section can include literal secret
values. Go's equivalent log line (`DecodeError.Error()`) is a short,
content-free message — its verbose `.String()` with the snippet is never
called by `set.go`. Truncating avoids echoing a user's own secret value
into `--debug` output next to an unrelated syntax error.
- Deletes the now-unused `LegacySecretsConfigParseError` (no remaining
references).
- Threads `LegacyDebugLogger` into the shared
`legacyManagementApiRuntimeLayer` (used by many legacy commands) since
the layer was already building the same instance internally for
`cliConfig`/`httpClient`/`credentials` but never exposed it at the top
level — the file's own doc comment describes this as the sanctioned way
to add a new commonly-needed top-level service.

Fixes CLI-1867
…oggle consent (#5798)

## What kind of change does this PR introduce?

Bug fix (Go parity).

## What is the current behavior?

Go's `cli_command_executed` telemetry event is gated on a consent
snapshot read once at process start (`PersistentPreRunE`,
`apps/cli-go/cmd/root.go:131-138`), before a command's own handler runs,
and fired after the handler completes (`:171-181`) based on that
snapshot — not on any value the handler itself just wrote. This applies
uniformly to every command, including `telemetry enable`/`disable`
themselves.

The TS legacy port instead unconditionally suppressed this event for
both `telemetry enable` and `telemetry disable` via `analytics: false`,
so neither command ever fired it, regardless of prior telemetry state.

## What is the new behavior?

`analytics: false` is removed from both commands. The existing
`legacyAnalyticsLayer`/`telemetryRuntimeLayer` machinery already reads
consent from disk once, at Effect layer-construction time — before
either handler mutates `telemetry.json` — so this reproduces Go's
snapshot semantics without any new bespoke logic:

- Running `disable` while telemetry is enabled fires the event one last
time (using the pre-toggle, still-enabled snapshot); running it while
already disabled stays silent.
- Running `enable` while telemetry is already enabled (a
redundant/idempotent invocation) fires the event; the common case
(enabling from disabled) stays silent.

This is intentionally broader than the original report's "disable only"
framing — tracing Go's actual gate (`internal/telemetry/service.go`'s
`canSend()`) showed it's symmetric and state-based, not command-based,
so scoping the fix to `disable` alone would have left a real (if narrow)
parity gap for the redundant-`enable` case.

Also documents a previously-unmentioned side effect: when the event
fires, the command now waits (bounded, ~5s) for a PostHog flush attempt
before exiting, since the analytics client's shutdown is a finalizer
around the whole command run.

Closes CLI-1868
…#5821)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[google.golang.org/grpc](https://github.com/grpc/grpc-go).
Bumps the go-minor group with 1 update in the /apps/cli-go/pkg
directory: [google.golang.org/grpc](https://github.com/grpc/grpc-go).

Updates `google.golang.org/grpc` from 1.81.1 to 1.82.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's
releases</a>.</em></p>
<blockquote>
<h2>Release 1.82.0</h2>
<h1>Behavior Changes</h1>
<ul>
<li>server: Remove support for
<code>GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING</code>
environment varibale. Strict incoming RPC path validation (which has
been the default since <code>v1.79.3</code>) can no longer be disabled.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9112">#9112</a>)</li>
<li>transport: Add environment variable to change the default max header
list size from <code>16MB</code> to <code>8KB</code>. This may be
enabled by setting
<code>GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true</code>.
This will be enabled by default in a subsequent release. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9019">#9019</a>)</li>
<li>balancer: Load Balancing policy registry is now case-sensitive. Set
<code>GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false</code>
(and file an issue) to revert to case-insensitive behavior. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9017">#9017</a>)</li>
</ul>
<h1>New Features</h1>
<ul>
<li>experimental/stats: Expose a new API,
<code>NewContextWithLabelCallback</code>, to register a callback that is
invoked when telemetry labels are added. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8877">#8877</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/seth-epps"><code>@​seth-epps</code></a></li>
</ul>
</li>
<li>client: Return a portion of the response body in the error message,
when the client receives an unexpected non-gRPC HTTP response, to make
debugging easier. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/chengxilo"><code>@​chengxilo</code></a></li>
</ul>
</li>
<li>server: Add environment variable
<code>GRPC_GO_SERVER_GOROUTINE_LABELS</code> that controls setting
<code>runtime/pprof.Labels</code> on goroutines spawned by the server.
Set <code>GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true</code> to add
the <code>grpc.method</code> label on goroutines spawned to handle
incoming requests. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/dfinkel"><code>@​dfinkel</code></a></li>
</ul>
</li>
</ul>
<h1>Bug Fixes</h1>
<ul>
<li>xds/server: Fix a memory leak of HTTP filter instances occurring
when route configurations are updated in-place during a Route Discovery
Service (RDS) update. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9138">#9138</a>)</li>
<li>grpc: In the deprecated <code>gzip</code> Compressor (used via the
deprecated <code>WithCompressor</code> dial option), enforce the
<code>MaxRecvMsgSize</code> limit on the decompressed message buffer,
preventing excessive memory allocation from highly compressed payloads.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9114">#9114</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/evilgensec"><code>@​evilgensec</code></a></li>
</ul>
</li>
<li>stats/opentelemetry: Record retry attempts,
<code>grpc.previous-rpc-attempts</code>, at the call level and not the
attempt level. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8923">#8923</a>)</li>
<li>encoding: Ensure <code>Close()</code> is always called on readers
returned from <code>Compressor.Decompress</code> if possible. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9135">#9135</a>)</li>
<li>channelz: Fix the <code>LastMessageSentTimestamp</code> and
<code>LastMessageReceivedTimestamp</code> fields in
<code>SocketMetrics</code> to ensure they contain correct timestamp
values. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9109">#9109</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc-go/commit/bd239854f0ab7f1ee63457d47f7c1d2675e1f736"><code>bd23985</code></a>
Change version to 1.82.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9170">#9170</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/0f3086db7a755b6af83a90809471dd7f645b345a"><code>0f3086d</code></a>
Fix minor issues not covered by PR <a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9147">#9147</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/fef07fbb2b94b668e8daca1f6b70433dcd36c1c8"><code>fef07fb</code></a>
internal: Split v3procservicepb import into pb and grpc for extproc (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9163">#9163</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/91dd64f4b83cb5134e279d1126ebb1ccf47d4d31"><code>91dd64f</code></a>
transport: surface subsequent data when receiving non-gRPC header (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/adc97de9521a9f377dab5e911039842dc4de23e5"><code>adc97de</code></a>
test/kokoro: add config for regional-td test (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9158">#9158</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/57c9ff14e05b535ee6995ba49bc882b287a175de"><code>57c9ff1</code></a>
xds: ensure full-string matching for RBAC Filter rules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9148">#9148</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/b58f32d9ff07c612d64e677bd826bcbec88af9bd"><code>b58f32d</code></a>
server: Set a pprof label on new stream goroutines (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/6c98be31ce0aec1592b783b0edb16916eb5acd89"><code>6c98be3</code></a>
refactor(transport): extract shared stream state handling logic in
`loopyWrit...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/bcaa6f4df4546c86e12ef3e95852c7baf7a08d67"><code>bcaa6f4</code></a>
rls: only reset backoff on recovery from TRANSIENT_FAILURE (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/429e6e06363a01f0dd9f9b6b9cf0c0e6617cda12"><code>429e6e0</code></a>
balancer: expose endpoint weight and hostname as experimental APIs (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9074">#9074</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `google.golang.org/grpc` from 1.81.1 to 1.82.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's
releases</a>.</em></p>
<blockquote>
<h2>Release 1.82.0</h2>
<h1>Behavior Changes</h1>
<ul>
<li>server: Remove support for
<code>GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING</code>
environment varibale. Strict incoming RPC path validation (which has
been the default since <code>v1.79.3</code>) can no longer be disabled.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9112">#9112</a>)</li>
<li>transport: Add environment variable to change the default max header
list size from <code>16MB</code> to <code>8KB</code>. This may be
enabled by setting
<code>GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true</code>.
This will be enabled by default in a subsequent release. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9019">#9019</a>)</li>
<li>balancer: Load Balancing policy registry is now case-sensitive. Set
<code>GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false</code>
(and file an issue) to revert to case-insensitive behavior. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9017">#9017</a>)</li>
</ul>
<h1>New Features</h1>
<ul>
<li>experimental/stats: Expose a new API,
<code>NewContextWithLabelCallback</code>, to register a callback that is
invoked when telemetry labels are added. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8877">#8877</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/seth-epps"><code>@​seth-epps</code></a></li>
</ul>
</li>
<li>client: Return a portion of the response body in the error message,
when the client receives an unexpected non-gRPC HTTP response, to make
debugging easier. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/chengxilo"><code>@​chengxilo</code></a></li>
</ul>
</li>
<li>server: Add environment variable
<code>GRPC_GO_SERVER_GOROUTINE_LABELS</code> that controls setting
<code>runtime/pprof.Labels</code> on goroutines spawned by the server.
Set <code>GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true</code> to add
the <code>grpc.method</code> label on goroutines spawned to handle
incoming requests. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/dfinkel"><code>@​dfinkel</code></a></li>
</ul>
</li>
</ul>
<h1>Bug Fixes</h1>
<ul>
<li>xds/server: Fix a memory leak of HTTP filter instances occurring
when route configurations are updated in-place during a Route Discovery
Service (RDS) update. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9138">#9138</a>)</li>
<li>grpc: In the deprecated <code>gzip</code> Compressor (used via the
deprecated <code>WithCompressor</code> dial option), enforce the
<code>MaxRecvMsgSize</code> limit on the decompressed message buffer,
preventing excessive memory allocation from highly compressed payloads.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9114">#9114</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/evilgensec"><code>@​evilgensec</code></a></li>
</ul>
</li>
<li>stats/opentelemetry: Record retry attempts,
<code>grpc.previous-rpc-attempts</code>, at the call level and not the
attempt level. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8923">#8923</a>)</li>
<li>encoding: Ensure <code>Close()</code> is always called on readers
returned from <code>Compressor.Decompress</code> if possible. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9135">#9135</a>)</li>
<li>channelz: Fix the <code>LastMessageSentTimestamp</code> and
<code>LastMessageReceivedTimestamp</code> fields in
<code>SocketMetrics</code> to ensure they contain correct timestamp
values. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9109">#9109</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc-go/commit/bd239854f0ab7f1ee63457d47f7c1d2675e1f736"><code>bd23985</code></a>
Change version to 1.82.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9170">#9170</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/0f3086db7a755b6af83a90809471dd7f645b345a"><code>0f3086d</code></a>
Fix minor issues not covered by PR <a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9147">#9147</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/fef07fbb2b94b668e8daca1f6b70433dcd36c1c8"><code>fef07fb</code></a>
internal: Split v3procservicepb import into pb and grpc for extproc (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9163">#9163</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/91dd64f4b83cb5134e279d1126ebb1ccf47d4d31"><code>91dd64f</code></a>
transport: surface subsequent data when receiving non-gRPC header (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/adc97de9521a9f377dab5e911039842dc4de23e5"><code>adc97de</code></a>
test/kokoro: add config for regional-td test (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9158">#9158</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/57c9ff14e05b535ee6995ba49bc882b287a175de"><code>57c9ff1</code></a>
xds: ensure full-string matching for RBAC Filter rules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9148">#9148</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/b58f32d9ff07c612d64e677bd826bcbec88af9bd"><code>b58f32d</code></a>
server: Set a pprof label on new stream goroutines (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/6c98be31ce0aec1592b783b0edb16916eb5acd89"><code>6c98be3</code></a>
refactor(transport): extract shared stream state handling logic in
`loopyWrit...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/bcaa6f4df4546c86e12ef3e95852c7baf7a08d67"><code>bcaa6f4</code></a>
rls: only reset backoff on recovery from TRANSIENT_FAILURE (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/429e6e06363a01f0dd9f9b6b9cf0c0e6617cda12"><code>429e6e0</code></a>
balancer: expose endpoint weight and hostname as experimental APIs (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9074">#9074</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions-major group with 2 updates:
[docker/build-push-action](https://github.com/docker/build-push-action)
and
[docker/setup-qemu-action](https://github.com/docker/setup-qemu-action).

Updates `docker/build-push-action` from 7.2.0 to 7.3.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/build-push-action/releases">docker/build-push-action's
releases</a>.</em></p>
<blockquote>
<h2>v7.3.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1567">docker/build-push-action#1567</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1545">docker/build-push-action#1545</a>
<a
href="https://redirect.github.com/docker/build-push-action/pull/1572">docker/build-push-action#1572</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1568">docker/build-push-action#1568</a></li>
<li>Bump js-yaml from 4.1.1 to 4.3.0 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1566">docker/build-push-action#1566</a></li>
<li>Bump tmp from 0.2.5 to 0.2.7 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1547">docker/build-push-action#1547</a></li>
<li>Bump undici from 6.24.1 to 6.27.0 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1564">docker/build-push-action#1564</a></li>
<li>Bump vite from 7.3.2 to 7.3.6 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1563">docker/build-push-action#1563</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v7.2.0...v7.3.0">https://github.com/docker/build-push-action/compare/v7.2.0...v7.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/build-push-action/commit/53b7df96c91f9c12dcc8a07bcb9ccacbed38856a"><code>53b7df9</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1572">#1572</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/154298c1ca89be1c0e019084f0611ddca621aafc"><code>154298c</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/cb1238b9c9eb453d106b4e4142a5bd9cde710040"><code>cb1238b</code></a>
chore(deps): Bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/24f845d5cbe75d2d350a984fd0e18cb7a3f29c1c"><code>24f845d</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1566">#1566</a>
from docker/dependabot/npm_and_yarn/js-yaml-4.2.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/9c6973007b52c322651c38915d5e8824cea95c50"><code>9c69730</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/bc3a3a5f72a6dca16c2c2468d1dfc55ee66d2193"><code>bc3a3a5</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1574">#1574</a>
from docker/dependabot/github_actions/aws-actions/co...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/a82c504a2387bb8bedc50072f9c554ae2a7dab5d"><code>a82c504</code></a>
chore(deps): Bump js-yaml from 4.1.1 to 4.3.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/0285a75190c039d6dac52b7711abcef3f5d8f6f6"><code>0285a75</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1573">#1573</a>
from docker/dependabot/github_actions/actions/cache-...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/c6ad2a3f9644680619de938b97c8a10a87b2a88d"><code>c6ad2a3</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1575">#1575</a>
from docker/dependabot/github_actions/actions/checko...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/d37484fb9737c5442a257e2f0ae5a8d756ed7d92"><code>d37484f</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1564">#1564</a>
from docker/dependabot/npm_and_yarn/undici-6.27.0</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/build-push-action/compare/f9f3042f7e2789586610d6e8b85c8f03e5195baf...53b7df96c91f9c12dcc8a07bcb9ccacbed38856a">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-qemu-action` from 4.1.0 to 4.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-qemu-action/releases">docker/setup-qemu-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.2.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/311">docker/setup-qemu-action#311</a></li>
<li>Bump <code>@​actions/core</code> from 3.0.0 to 3.0.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/295">docker/setup-qemu-action#295</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.91.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/315">docker/setup-qemu-action#315</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/312">docker/setup-qemu-action#312</a></li>
<li>Bump js-yaml from 4.1.1 to 4.2.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/310">docker/setup-qemu-action#310</a></li>
<li>Bump tmp from 0.2.6 to 0.2.7 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/304">docker/setup-qemu-action#304</a></li>
<li>Bump undici from 6.26.0 to 6.27.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/308">docker/setup-qemu-action#308</a></li>
<li>Bump vite from 7.3.2 to 7.3.6 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/307">docker/setup-qemu-action#307</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-qemu-action/compare/v4.1.0...v4.2.0">https://github.com/docker/setup-qemu-action/compare/v4.1.0...v4.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/96fe6ef7f33517b61c61be40b68a1882f3264fb8"><code>96fe6ef</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/315">#315</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/31f08d3fc9186dbe4b4550696f2e32e9aa7f9465"><code>31f08d3</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/4e7017a474d2cf3912bb0437f7fafec6d5fb6c52"><code>4e7017a</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/0eca235293ca1939b58c082f69bdc981ccce8c94"><code>0eca235</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/314">#314</a>
from crazy-max/fix-yarn-preapprove-actions-toolkit</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ea66a4130b037e7961e14a0e5b155836e797cced"><code>ea66a41</code></a>
chore: allow actions-toolkit to bypass yarn age gate</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/451542b03ae7946b7082a398b11c8c315a0e4e80"><code>451542b</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/308">#308</a>
from docker/dependabot/npm_and_yarn/undici-6.27.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/532ae0057542ec2102e2d19e9feccf85f1f69013"><code>532ae00</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/b6f5af659afad3f9931b782668dee4595ae7e841"><code>b6f5af6</code></a>
build(deps): bump undici from 6.26.0 to 6.27.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/cf96b86294b57480ac6d330bd177fca87eac95bc"><code>cf96b86</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/304">#304</a>
from docker/dependabot/npm_and_yarn/tmp-0.2.7</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/f0ba643f78dc96bc931fb83e5dadc39628e10047"><code>f0ba643</code></a>
[dependabot skip] chore: update generated content</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-qemu-action/compare/06116385d9baf250c9f4dcb4858b16962ea869c3...96fe6ef7f33517b61c61be40b68a1882f3264fb8">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 6 updates:

| Package | From | To |
| --- | --- | --- |
|
[@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js)
| `2.108.2` | `2.110.0` |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.196` | `0.3.197` |
|
[@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript)
| `0.107.0` | `0.109.0` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.38.8` | `5.39.1` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260629.1` | `7.0.0-dev.20260630.1` |
| [oxlint-tsgolint](https://github.com/oxc-project/tsgolint) | `0.23.0`
| `0.24.0` |

Updates `@supabase/supabase-js` from 2.108.2 to 2.110.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/supabase/supabase-js/releases">@​supabase/supabase-js's
releases</a>.</em></p>
<blockquote>
<h2>v2.110.0</h2>
<h2>2.110.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>repo:</strong> drop Node.js 20 support (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
<h2>v2.110.0-canary.0</h2>
<h2>2.110.0-canary.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>repo:</strong> drop Node.js 20 support (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
<h2>v2.109.0</h2>
<h2>2.109.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>auth:</strong> add custom_claims_allowlist to custom
providers admin API (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2473">#2473</a>)</li>
<li><strong>realtime:</strong> add postgres_changes filter builder, new
operators and select (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2463">#2463</a>)</li>
<li><strong>storage:</strong> expose purgeCache for buckets and single
objects (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2429">#2429</a>)</li>
</ul>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>functions:</strong> honor a caller's Content-Type override
regardless of casing (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2455">#2455</a>)</li>
<li><strong>realtime:</strong> pin <code>@​supabase/phoenix</code> and
browser test CDN deps (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2457">#2457</a>)</li>
<li><strong>realtime:</strong> add replication connection system message
option (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2470">#2470</a>)</li>
<li><strong>storage:</strong> keep sortBy defaults when list() is given
a partial sortBy (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2454">#2454</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Anubhav Anand <a
href="https://github.com/i-anubhav-anand"><code>@​i-anubhav-anand</code></a></li>
<li>Cemal Kılıç <a
href="https://github.com/cemalkilic"><code>@​cemalkilic</code></a></li>
<li>Claude Opus 4.8 (1M context)</li>
<li>Filipe Cabaço <a
href="https://github.com/filipecabaco"><code>@​filipecabaco</code></a></li>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
<li>Lenny</li>
<li>Rodrigo Mansueli <a
href="https://github.com/mansueli"><code>@​mansueli</code></a></li>
</ul>
<h2>v2.108.3-canary.2</h2>
<h2>2.108.3-canary.2 (2026-06-19)</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md">@​supabase/supabase-js's
changelog</a>.</em></p>
<blockquote>
<h2>2.110.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>repo:</strong> drop Node.js 20 support (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
<h2>2.109.0 (2026-06-30)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>realtime:</strong> pin <code>@​supabase/phoenix</code> and
browser test CDN deps (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2457">#2457</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/supabase/supabase-js/commit/c3d5e6d2949b0248de8ba97991e4484f0b57c83f"><code>c3d5e6d</code></a>
feat(repo): drop Node.js 20 support (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2482">#2482</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/b2e02b997aaf81b4c09dcc67966629296b96f681"><code>b2e02b9</code></a>
chore(release): version 2.109.0 changelogs (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2481">#2481</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/dd2d4c270f0d6b84e61f3fa80330c42966783f87"><code>dd2d4c2</code></a>
fix(realtime): pin <code>@​supabase/phoenix</code> and browser test CDN
deps (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2457">#2457</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/a25062e9285fa8e3bd702c59ddda0d87ad1fcc27"><code>a25062e</code></a>
chore(release): version 2.108.2 changelogs (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2449">#2449</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/b3e5f2d7a312eff971dfd9c7226c9c4edbc0de0f"><code>b3e5f2d</code></a>
chore(ci): unpin realtime version (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2432">#2432</a>)</li>
<li>See full diff in <a
href="https://github.com/supabase/supabase-js/commits/v2.110.0/packages/core/supabase-js">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.196 to 0.3.197
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.197</h2>
<h2>What's changed</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.197</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.197
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.197
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.197
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.197
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.197</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.197</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/ccd90af1279349d9d1cf641eec8a43664c94ebdf"><code>ccd90af</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.196...v0.3.197">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/sdk` from 0.107.0 to 0.109.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@​anthropic-ai/sdk's
releases</a>.</em></p>
<blockquote>
<h2>sdk: v0.109.0</h2>
<h2>0.109.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.108.0...sdk-v0.109.0">sdk-v0.108.0...sdk-v0.109.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for Managed Agents event delta
streaming, agent overrides, reverse pagination, vault credential
injection scoping, and agent and deployment webhook events (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7f3211b4886053d25e98b91edc90fedc199ef186">7f3211b</a>)</li>
</ul>
<h2>sdk: v0.108.0</h2>
<h2>0.108.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.108.0">sdk-v0.107.0...sdk-v0.108.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for claude-sonnet-5 (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4588db01eccd7529a5d2e99b8e5da3af1acdbbc8">4588db0</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>agent-toolset:</strong> allow absolute paths that resolve
inside workdir (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/e951fb2ed70f8d6cd0113ae1642a795404e1cc9a">e951fb2</a>)</li>
</ul>
<h3>Chores</h3>
<ul>
<li>format README.md (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/98dcff71b632a92e0e1dff19ca4a95439a5fe447">98dcff7</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.109.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.108.0...sdk-v0.109.0">sdk-v0.108.0...sdk-v0.109.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for Managed Agents event delta
streaming, agent overrides, reverse pagination, vault credential
injection scoping, and agent and deployment webhook events (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7f3211b4886053d25e98b91edc90fedc199ef186">7f3211b</a>)</li>
</ul>
<h2>0.108.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.108.0">sdk-v0.107.0...sdk-v0.108.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for claude-sonnet-5 (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4588db01eccd7529a5d2e99b8e5da3af1acdbbc8">4588db0</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>agent-toolset:</strong> allow absolute paths that resolve
inside workdir (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/e951fb2ed70f8d6cd0113ae1642a795404e1cc9a">e951fb2</a>)</li>
</ul>
<h3>Chores</h3>
<ul>
<li>format README.md (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/98dcff71b632a92e0e1dff19ca4a95439a5fe447">98dcff7</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cb829c764293963665481f0b2a60f2e0923270ac"><code>cb829c7</code></a>
chore: release main</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fd0341dfe7a77f28678c9e474485bc7331e426d4"><code>fd0341d</code></a>
feat(api): add support for Managed Agents event delta streaming, agent
overri...</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/90f767ae9078ac808c758670aac408267fa2c49f"><code>90f767a</code></a>
codegen metadata</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/ed986cd68c9ca8674ac2548be479a1d4c6a282b6"><code>ed986cd</code></a>
chore: release main</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/d3ffad4927b0da3baffde66b1372f8f0b4a7c434"><code>d3ffad4</code></a>
chore: format README.md (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>)</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/6b46ad31ff2682376f6e9f4c732ed35d3c45693b"><code>6b46ad3</code></a>
feat(api): add support for claude-sonnet-5</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/8200ffac10fab553883efae64cf24a514add2b04"><code>8200ffa</code></a>
feat(vertex): bump google-auth-library to ^10.2.0 (SDK-91) (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/30">#30</a>)</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fa06d36ccb07b32a7098b71d40713add611548cc"><code>fa06d36</code></a>
feat(bedrock): pass client logger to AWS credential provider chain
(SDK-90) (...</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/0fff7faad710ffaf2ceeb7f7f05139bbec72e6cc"><code>0fff7fa</code></a>
fix(agent-toolset): allow absolute paths that resolve inside workdir (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>)</li>
<li>See full diff in <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.109.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.38.8 to 5.39.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.39.1</h2>
<h2>5.39.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4029">#4029</a>
<a
href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Call <code>before_send</code> for identify, group identify, and alias
events.
(2026-06-30)</p>
</li>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4027">#4027</a>
<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Safely serialize event batches with circular property references instead
of crashing during flush.
(2026-06-30)</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>]:</p>
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.2</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.39.0</h2>
<h2>5.39.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4006">#4006</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>
Thanks <a
href="https://github.com/apps/github-actions"><code>@​github-actions</code></a>!
- Add <code>groupIdentifyImmediate()</code> to await the network request
when identifying a group, mirroring
<code>captureImmediate</code>/<code>identifyImmediate</code>/<code>aliasImmediate</code>.
Useful in edge/serverless environments where the background queue may
not flush. The Convex integration now uses it directly instead of
routing <code>$groupidentify</code> through
<code>captureImmediate</code>.
(2026-06-30)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.0</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.39.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4029">#4029</a>
<a
href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Call <code>before_send</code> for identify, group identify, and alias
events.
(2026-06-30)</p>
</li>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4027">#4027</a>
<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Safely serialize event batches with circular property references instead
of crashing during flush.
(2026-06-30)</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>]:</p>
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.2</li>
</ul>
</li>
</ul>
<h2>5.39.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4006">#4006</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>
Thanks <a
href="https://github.com/apps/github-actions"><code>@​github-actions</code></a>!
- Add <code>groupIdentifyImmediate()</code> to await the network request
when identifying a group, mirroring
<code>captureImmediate</code>/<code>identifyImmediate</code>/<code>aliasImmediate</code>.
Useful in edge/serverless environments where the background queue may
not flush. The Convex integration now uses it directly instead of
routing <code>$groupidentify</code> through
<code>captureImmediate</code>.
(2026-06-30)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.0</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/a5181ba36f64cf69108be2f0fbf1e68dbeb4e827"><code>a5181ba</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a>
fix(node): run before_send for all captured events (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4029">#4029</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>
fix(node): handle circular event properties during flush (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4027">#4027</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/0c95bce7a2b01707691783a41730ec89699cb429"><code>0c95bce</code></a>
fix: satisfy SDK compliance harness 0.8.0 (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/3998">#3998</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/254c5b15597ea06c7cd9967708b11b49707267ae"><code>254c5b1</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>
feat: Add groupIdentifyImmediate() method to Node.js SDK (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4006">#4006</a>)</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.1/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260629.1 to
7.0.0-dev.20260630.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `oxlint-tsgolint` from 0.23.0 to 0.24.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/oxc-project/tsgolint/releases">oxlint-tsgolint's
releases</a>.</em></p>
<blockquote>
<h2>v0.24.0</h2>
<h2>What's Changed</h2>
<ul>
<li>ci: run windows e2e pnpm commands outside workspace by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/969">oxc-project/tsgolint#969</a></li>
<li>test(no-deprecated): add test for only <code>allow</code> by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/970">oxc-project/tsgolint#970</a></li>
<li>fix(no-deprecated): report contextual object literal properties by
<a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/944">oxc-project/tsgolint#944</a></li>
<li>Update README with PRs note on new rules by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/972">oxc-project/tsgolint#972</a></li>
<li>fix(strict-boolean-expressions): guard invalid predicate indexes by
<a href="https://github.com/camchenry"><code>@​camchenry</code></a> in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/971">oxc-project/tsgolint#971</a></li>
<li>fix(no-deprecated): fix crash when getting prop name for non-literal
by <a href="https://github.com/camchenry"><code>@​camchenry</code></a>
in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/973">oxc-project/tsgolint#973</a></li>
<li>test(no-deprecated): add non-literal computed key regression by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/974">oxc-project/tsgolint#974</a></li>
<li>test(no-floating-promises): sync tests with typescript-eslint by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/975">oxc-project/tsgolint#975</a></li>
<li>fix(no-floating-promises): handle spread arguments before rejection
handlers by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/976">oxc-project/tsgolint#976</a></li>
<li>chore(deps): update crate-ci/typos action to v1.46.2 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/979">oxc-project/tsgolint#979</a></li>
<li>refactor: remove unneeded <code>nil</code> checks in
<code>strict-boolean-expressions</code> by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/980">oxc-project/tsgolint#980</a></li>
<li>perf(no-unsafe-assignment): add fast-path for sender type by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/981">oxc-project/tsgolint#981</a></li>
<li>feat: add per-rule debug timings by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/960">oxc-project/tsgolint#960</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/982">oxc-project/tsgolint#982</a></li>
<li>chore(deps): update dprint plugins by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/984">oxc-project/tsgolint#984</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/985">oxc-project/tsgolint#985</a></li>
<li>chore(deps): update gomod by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/986">oxc-project/tsgolint#986</a></li>
<li>chore(deps): update crate-ci/typos action to v1.46.3 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/988">oxc-project/tsgolint#988</a></li>
<li>test(no-deprecated): cover call and jsx deprecated properties by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/989">oxc-project/tsgolint#989</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/991">oxc-project/tsgolint#991</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/993">oxc-project/tsgolint#993</a></li>
<li>chore(deps): update crate-ci/typos action to v1.47.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/995">oxc-project/tsgolint#995</a></li>
<li>chore(deps): update module github.com/dlclark/regexp2/v2 to v2.1.1
by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/994">oxc-project/tsgolint#994</a></li>
<li>fix(prefer-optional-chain): suggest unsafe nullish rewrite by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/996">oxc-project/tsgolint#996</a></li>
<li>chore(deps): update pnpm to v11.4.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/997">oxc-project/tsgolint#997</a></li>
<li>refactor: cache suppress program diagnostics env by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/999">oxc-project/tsgolint#999</a></li>
<li>refactor: use <code>sync.OnceValue</code> for logLevel by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1000">oxc-project/tsgolint#1000</a></li>
<li>test(no-unnecessary-type-assertion): sync tests with
typescript-eslint by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/998">oxc-project/tsgolint#998</a></li>
<li>fix(no-unnecessary-type-assertion): enable skipped upstream cases by
<a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1001">oxc-project/tsgolint#1001</a></li>
<li>fix(justfile): use --ignore-workspace for e2e pnpm commands by <a
href="https://github.com/swandir"><code>@​swandir</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/983">oxc-project/tsgolint#983</a></li>
<li>test(no-unnecessary-type-arguments): sync tests with
typescript-eslint by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1003">oxc-project/tsgolint#1003</a></li>
<li>test(no-unnecessary-type-assertion): cover nullable literal
assertion by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1002">oxc-project/tsgolint#1002</a></li>
<li>fix(no-unnecessary-type-arguments): preserve constructor inference
by <a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1004">oxc-project/tsgolint#1004</a></li>
<li>refactor: remove <code>OXLINT_TSGOLINT_TIMINGS</code> env var by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1005">oxc-project/tsgolint#1005</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1007">oxc-project/tsgolint#1007</a></li>
<li>fix(prefer-optional-chain): optional chain type assertion handling
by <a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1009">oxc-project/tsgolint#1009</a></li>
<li>chore(deps): update typos to v1.47.1 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1010">oxc-project/tsgolint#1010</a></li>
<li>chore(deps): update typos to v1.47.2 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1012">oxc-project/tsgolint#1012</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1013">oxc-project/tsgolint#1013</a></li>
<li>chore(deps): update gomod by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1014">oxc-project/tsgolint#1014</a></li>
<li>chore(deps): update github actions to v2.81.5 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1015">oxc-project/tsgolint#1015</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1016">oxc-project/tsgolint#1016</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1017">oxc-project/tsgolint#1017</a></li>
<li>chore(deps): update gomod to v0.46.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1018">oxc-project/tsgolint#1018</a></li>
<li>chore(deps): update gomod to v2.2.2 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1021">oxc-project/tsgolint#1021</a></li>
<li>chore(deps): update github actions to v2.82.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1023">oxc-project/tsgolint#1023</a></li>
<li>chore(deps): update dprint plugins to v0.22.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1022">oxc-project/tsgolint#1022</a></li>
<li>chore(deps): update github actions to v7 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1024">oxc-project/tsgolint#1024</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/5a37e8902f65440900be1436b814919fcdb4e3d4"><code>5a37e89</code></a>
fix(dot-notation): determine the relevant accessor (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1028">#1028</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/67a281f613312a30665e7d39dfb47f5c15b0ca60"><code>67a281f</code></a>
perf(consistent-return): defer per-function type resolution (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1031">#1031</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/a5e2ff0be1102d9082e13ec35f1f0e4ca7fa65ad"><code>a5e2ff0</code></a>
perf(no-unnecessary-qualifier): skip symbol resolution outside
namespaces. (#...</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/a8fc6685df0a817e7c5045a4e3e141d342839959"><code>a8fc668</code></a>
perf(no-confusing-void-expression): check ancestor position before type
query...</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/03158cc4c0a0ef2c8bdccab71e6d2723fcc1c4f2"><code>03158cc</code></a>
perf(no-unnecessary-type-conversion): hoist constant builtin-name slices
(<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1040">#1040</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/d9e645c266b6c4b4671b0a3dc5d3935dbda3a5ef"><code>d9e645c</code></a>
perf(prefer-optional-chain): lazily allocate chain-processor caches (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1041">#1041</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/63f578abe093d7a7e8cb523a1e5e96aacf06b220"><code>63f578a</code></a>
refactor(no-unnecessary-condition): remove dead
containsUnguardedElementAcces...</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/f174876a906e0350aff2b75d5607775529c9f845"><code>f174876</code></a>
chore(deps): update gomod (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1035">#1035</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/47de9cfea53da0ae274bc78d47388e3bdd5b7341"><code>47de9cf</code></a>
chore(deps): update github actions (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1036">#1036</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/e209b5b27f5fd22810735bfbfdb0785cbc5d4215"><code>e209b5b</code></a>
chore(deps): update actions/cache action to v6 (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1037">#1037</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/oxc-project/tsgolint/compare/v0.23.0...v0.24.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…cli-go/pkg (#5825)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.50.0 to 0.52.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/a1c0d9929856c8aba2b31f079340f00578eda803"><code>a1c0d99</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/3c7c86938f4541c333d506f719388d9c42d4763d"><code>3c7c869</code></a>
ssh: fix deadlock on unexpected channel responses</li>
<li><a
href="https://github.com/golang/crypto/commit/533fb3f7e4a5ae23f69d1837cd851d35ff5b76ce"><code>533fb3f</code></a>
ssh: fix source-address critical option bypass</li>
<li><a
href="https://github.com/golang/crypto/commit/abbc44d451a6f9236a2bbd26cbcd4d0fec473da3"><code>abbc44d</code></a>
ssh: fix incorrect operator order</li>
<li><a
href="https://github.com/golang/crypto/commit/e052873987615dc96fe67607a9a6adb76311344f"><code>e052873</code></a>
ssh: fix infinite loop on large channel writes due to integer
overflow</li>
<li><a
href="https://github.com/golang/crypto/commit/b61cf853a89d82cad68da5e12a6beca2116f8456"><code>b61cf85</code></a>
ssh: enforce user presence verification for security keys</li>
<li><a
href="https://github.com/golang/crypto/commit/9c2cd33e8d96a96133fd6ff732510ebba539c2bd"><code>9c2cd33</code></a>
ssh: enforce strict limits on DSA key parameters</li>
<li><a
href="https://github.com/golang/crypto/commit/890731877d85f71cfdc9554e7a27fec4684fc4c4"><code>8907318</code></a>
ssh: reject RSA keys with excessively large moduli</li>
<li><a
href="https://github.com/golang/crypto/commit/ffd87b4878fa98ca2908ec534e1a410bf095a35e"><code>ffd87b4</code></a>
ssh: fix panic when authority callbacks are nil</li>
<li><a
href="https://github.com/golang/crypto/commit/4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946"><code>4e7a738</code></a>
ssh: fix deadlock on unexpected global responses</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.50.0...v0.52.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.50.0&new-version=0.52.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/supabase/cli/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## TL;DR

adds Colima rootless docker socket fallback to vector start

## Ref

- closes #5073
…emplates with 3 updates (#5822)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3
updates: supabase/studio, supabase/realtime and supabase/storage-api.

Updates `supabase/studio` from 2026.07.06-sha-66cf431 to
2026.07.07-sha-a6a04f2

Updates `supabase/realtime` from v2.112.6 to v2.112.9

Updates `supabase/storage-api` from v1.62.5 to v1.63.1


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
)

## What kind of change does this PR introduce?

Bug fix (Go parity).

## What is the current behavior?

Go's `--size` flag on `projects create`
(`apps/cli-go/cmd/projects.go:34-55`) is a single shared 18-value
`EnumFlag` reused by `branches create`
(`apps/cli-go/cmd/branches.go:212`), and does not include `"nano"` (or
`"pico"`). The TS legacy port's `INSTANCE_SIZES`
(`projects/create/create.command.ts`) and `BRANCH_SIZES`
(`branches/create/create.command.ts`) both included `"nano"` as a valid
`Flag.choice` value, so `--size nano` silently succeeded in TS while Go
rejects it.

Verified directly against the real, compiled Go binary (`apps/cli-go`)
rather than just reading source — `projects create --size nano`
genuinely errors with `invalid argument "nano" for "--size" flag: must
be one of [...]`, confirming this is current, shipped Go behavior and
not a stale enum.

Note: the live Management API contract
(`packages/api/src/generated/contracts.ts`) does list `"nano"`/`"pico"`
as accepted `desired_instance_size` values, and `next/`'s
independently-authored `branches create` already exposes both. Neither
the Go CLI nor this legacy port surfaces them as CLI options, though —
that's a separate product question (filed as CLI-1897) about whether
these tiers should eventually be CLI-selectable, not a reason to keep an
option the legacy shell's own Go-parity contract says should be
rejected.

## What is the new behavior?

`--size nano` is now rejected identically on both `projects create` and
`branches create`, matching Go's 18-value enum exactly.

Fixes CLI-1869. See also CLI-1897 (product decision on nano/pico) and
CLI-1898 (unrelated pre-existing bug in `effect`'s `Flag.choice`
error-message formatting, found during this PR's review).
…#5800)

## What kind of change does this PR introduce?

Docs update (Go parity disclosure) + telemetry-list correctness fix.

## What is the current behavior?

`--high-availability` on `projects create` has no Go CLI equivalent —
Go's `cmd/projects.go` never registers such a flag, and its `RunE`
closure never sets `HighAvailability` on the create request body even
though the underlying Management API field exists. Unlike `--reveal` on
`projects api-keys` (which explicitly documents itself as a TS-only
addition, in a code comment, `SIDE_EFFECTS.md`, and
`docs/go-cli-porting-status.md`'s "Flag divergences" list),
`--high-availability` was undisclosed everywhere.

It was also listed in `safeFlags: ["org-id", "high-availability"]`,
implying Go-parity telemetry-safety that doesn't exist (Go's
`markFlagTelemetrySafe` only covers `org-id`). Since it's a boolean
flag, this had no actual runtime effect — boolean flag values are always
logged verbatim by the instrumentation regardless of `safeFlags`
membership — but the array wrongly implied otherwise.

The linked ticket (CLI-1870) offered two valid resolutions: remove the
flag for strict parity, or disclose it as TS-only. This PR disclosure,
since `--high-availability` is a real, working, user-facing capability
that Go's CLI simply never got around to exposing (not a Go bug being
ported forward) — removing it would regress anyone currently relying on
it.

## What is the new behavior?

`--high-availability` is now disclosed as TS-only in a code comment,
`SIDE_EFFECTS.md`, and `docs/go-cli-porting-status.md`'s "Flag
divergences" list, matching the `--reveal` precedent exactly. Removed
from `safeFlags` (now just `["org-id"]`) to match Go's actual
telemetry-safe set.

Fixes CLI-1870.
…chema declarative (#5828)

## What changed

`db schema declarative generate`/`sync` ran their mutual-exclusivity
flag check (`db-url`/`linked`/`local`, `apply`/`no-apply`) BEFORE the
pg-delta/`--experimental` gate (`legacyRequirePgDelta`). Go's cobra runs
`PersistentPreRunE` (the gate) before `ValidateFlagGroups` (mutex check)
— confirmed against `apps/cli-go/cmd/db_schema_declarative.go` and the
actual `cobra@v1.10.2` source — so invoking either command with
conflicting flags and no `--experimental` surfaced the wrong error in
the TS shell vs Go.

Same bug class already fixed for `storage ls/cp/mv/rm` in CLI-1855
(#5768); this mirrors that precedent as closely as the code structure
allows. Declarative's gate needs a config read (`legacyReadDbToml`) that
storage's didn't, so the check lives inline in each handler's body
rather than at the `.command.ts` level — moving the config read ahead of
the mutex check as part of the same reorder is also more correct (Go's
`PersistentPreRunE` loads config unconditionally before validating flag
groups too).

Swaps the order in both handlers, fixes misleading ordering comments
(and two stale Go line-number citations found nearby), documents the
precedence in both commands' `SIDE_EFFECTS.md`, and adds regression
coverage for the "mutex conflict without `--experimental`" case in both
`generate` and `sync`.

Fixes CLI-1876
)

## What changed

Invoking a legacy-shell group command that has subcommands but is itself
not runnable — e.g. `supabase branches`, `supabase completion` — with no
subcommand and no `--help` exited **1** in the TS legacy shell. Go's
cobra CLI exits **0** for the identical invocation: a non-`Runnable()`
command with no `RunE` internally returns `flag.ErrHelp`, which cobra's
`ExecuteC()` maps to "print help, return nil error". Only explicit
`--help` got exit 0 before this fix; the bare/missing-subcommand form
did not, even though the printed help text was identical in both cases.

`CliError.ShowHelp` (in `effect/unstable/cli`) already declares the
correct exit code via Effect's own `Runtime.errorExitCode` marker (`0`
for a clean `ShowHelp` with no errors, `1` otherwise) —
`apps/cli/src/shared/cli/run.ts` now delegates to
`Runtime.getErrorExitCode(Cause.squash(cause))` instead of hand-rolling
`ShowHelp` classification, which is simpler and tracks the library's own
source of truth for any future `CliError` additions.

Also added an integration test driving the real `legacyBranchesCommand`
through `Command.runWith` (confirming the actual `ShowHelp` cause
shape), and an e2e test asserting the real compiled-binary exit code,
since this bug is specifically about the real OS process exit code.

## Known related (not fixed here)

A typo'd subcommand under a group (e.g. `supabase branches bogus`) still
exits 1 where Go cobra exits 0 for a non-root command — this is
pre-existing on `develop`, not a regression from this change, and out of
scope for this fix. Filed as a follow-up.

Fixes CLI-1906
#5765)

## Summary

Ports `supabase stop` and `supabase status` from Go-proxy stubs to
native TypeScript in the legacy CLI shell (CLI-1324).

- Both commands now talk directly to Docker/Podman via subprocess,
replicating Go's label-filtering and container-naming scheme
byte-for-byte. Legacy `start` is still Go-proxied, so this intentionally
does **not** route through `@supabase/stack/effect`'s daemon-based
orchestration model — that substrate manages a different set of
containers than the ones Go's binary actually creates, and using it
would silently no-op against a real running stack.
- New shared infrastructure (`legacy-docker-lifecycle`, `legacy-go-jwt`,
`legacy-local-config-values`, `legacy-api-url`) is reused by both
commands, matching Go's local-dev defaults exactly — including a
Go-byte-exact JWT signer, since `@supabase/stack`'s own JWT generator
uses a different issuer/claim order than what Go prints for local dev
keys.
- Adds `*.live.test.ts` as a documented test category (`AGENTS.md`)
alongside unit/integration/e2e: black-box subprocess tests run by the
`cli-e2e-ci` harness against a real platform. `stop`/`status` don't call
the Management API, so their live tests spin up a real local Docker
stack instead and verify against it directly (e.g. confirming Docker
itself has no containers left after `stop`, not just trusting the CLI's
exit code).

## Notable review findings fixed along the way

- Table/status output was colorizing based on `stderr`'s TTY status
while writing to `stdout` — piping stdout while stderr stayed a TTY
(`supabase status | less`) would have corrupted output with ANSI escapes
(the same bug class CLI-1546 fixed once before).
- `--override-name` was leaking into pretty-mode output; Go's
`PrettyPrint` rebuilds a fresh, un-overridden view and ignores it there.
- `--backup`/`--no-backup`: Go's `--backup` flag is dead code (declared,
never bound to a variable in `cmd/stop.go`) — the port now matches that
exactly instead of an intended-but-never-true semantic.
- Docker/Podman-both-missing errors now name the actual root cause
instead of a generic "failed to ..." string.

## Post-review hardening: scoping and consolidation

Two structural fixes on top of the port, addressing drift introduced
while iterating on review feedback:

- **`next/` no longer inherits Go-parity config semantics.** The four
viper-compat behaviors added during review (unconditional `[remotes.*]`
project-id checks, the deprecated-provider WARN, the widened `env()`
reference pattern, and comma-split coercion into array-typed fields) are
now gated behind an opt-in `goViperCompat` flag on
`LoadProjectConfigOptions` — default off restores the pre-review
behavior for `next/`, `packages/stack`, and other non-parity consumers,
following the same opt-in pattern as `tomlOnly`/`skipEnvLocal`. Only
legacy-shell callers opt in. Regression tests pin the default-off
behavior, including the `next start` config-load path that would
otherwise have started hard-failing on a malformed
`[remotes.*].project_id`.
- **Go's `Config.Validate` now has exactly one TS home.**
`legacy/shared/legacy-config-validate.ts` replaces the validation
orchestration previously duplicated between
`legacy-db-config.toml-read.ts` (db/migration family) and
`legacy-local-config-values.ts` (status/stop); both callers build a
normalized `LegacyConfigValidationInput` from their own pipelines and
call the shared validator, and a cross-caller parity test feeds
identical broken configs through both real pipelines asserting identical
error strings. Consolidating surfaced and fixed three real divergences
between the two copies: `db.major_version = 0` now emits Go's `Missing
required field in config: db.major_version` (the db loader previously
emitted a non-Go message), and the captcha provider-enum and email
`content`-vs-`content_path` checks are now present in both paths.

CLOSES CLI-1324
Bumps the npm-major group with 6 updates:

| Package | From | To |
| --- | --- | --- |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.197` | `0.3.198` |
|
[@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript)
| `0.109.0` | `0.109.1` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.39.1` | `5.39.2` |
| [next](https://github.com/vercel/next.js) | `16.2.9` | `16.2.10` |
|
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
| `26.0.1` | `26.1.0` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260630.1` | `7.0.0-dev.20260701.1` |

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.197 to 0.3.198
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.198</h2>
<h2>What's changed</h2>
<ul>
<li>Added a runtime warning when <code>canUseTool</code> is configured
alongside <code>allowedTools</code> or <code>bypassPermissions</code>,
which shadow the callback</li>
<li>Added per-server <code>request_timeout_ms</code> option to
<code>mcp_set_servers</code> control request</li>
<li>Fixed <code>SDKUserMessage.isSynthetic</code> not being mapped to
<code>isMeta</code> on ingestion, which could cause synthetic messages
to be treated as real user messages</li>
<li>Fixed workflow progress events silently dropping earliest agents
from the list while the phase counter remained correct</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.198
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.198
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.198
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.198
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.198</h2>
<ul>
<li>Added a runtime warning when <code>canUseTool</code> is configured
alongside <code>allowedTools</code> or <code>bypassPermissions</code>,
which shadow the callback</li>
<li>Added per-server <code>request_timeout_ms</code> option to
<code>mcp_set_servers</code> control request</li>
<li>Fixed <code>SDKUserMessage.isSynthetic</code> not being mapped to
<code>isMeta</code> on ingestion, which could cause synthetic messages
to be treated as real user messages</li>
<li>Fixed workflow progress events silently dropping earliest agents
from the list while the phase counter remained correct</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/23c685c51e5bf95ebf0aa3bd0e319a82d0cc39f9"><code>23c685c</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.197...v0.3.198">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/sdk` from 0.109.0 to 0.109.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@​anthropic-ai/sdk's
releases</a>.</em></p>
<blockquote>
<h2>sdk: v0.109.1</h2>
<h2>0.109.1 (2026-07-01)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">sdk-v0.109.0...sdk-v0.109.1</a></p>
<h3>Chores</h3>
<ul>
<li><strong>api:</strong> remove some nonfunctional types from the SDKs
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc4dd4e257cc3354f14e263b0d2441ddae71759e">cc4dd4e</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.109.1 (2026-07-01)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">sdk-v0.109.0...sdk-v0.109.1</a></p>
<h3>Chores</h3>
<ul>
<li><strong>api:</strong> remove some nonfunctional types from the SDKs
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc4dd4e257cc3354f14e263b0d2441ddae71759e">cc4dd4e</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/96d1a991b64b1692b70d16435babe9c5d702ad8d"><code>96d1a99</code></a>
chore: release main (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/1106">#1106</a>)</li>
<li>See full diff in <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.39.1 to 5.39.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.39.2</h2>
<h2>5.39.2</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4028">#4028</a>
<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Make Node <code>flush()</code> wait for pending asynchronous SDK work
before draining the event queue, so events produced by helpers like
<code>captureException()</code> are not missed. Pending work rejections
no longer prevent queued events from flushing.
(2026-07-01)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.39.2</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4028">#4028</a>
<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Make Node <code>flush()</code> wait for pending asynchronous SDK work
before draining the event queue, so events produced by helpers like
<code>captureException()</code> are not missed. Pending work rejections
no longer prevent queued events from flushing.
(2026-07-01)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/d1e6df86ddbdbc3a9a542995986080e7e7c2cd4e"><code>d1e6df8</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>
fix: make flush wait for pending async work (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4028">#4028</a>)</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.2/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `next` from 16.2.9 to 16.2.10
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v16.2.10</h2>
<p>Contains no changes except publishing <code>@next/swc-wasm-web</code>
which was accidentally not published since 16.2.4.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vercel/next.js/commit/9dadfd693c5d26bb3c85d1c17802f49dde244b3e"><code>9dadfd6</code></a>
v16.2.10</li>
<li><a
href="https://github.com/vercel/next.js/commit/534d9c144ca342ff9ee5569241a814539d6eadb9"><code>534d9c1</code></a>
[16.2.x] Release pipeline updates (<a
href="https://redirect.github.com/vercel/next.js/issues/95160">#95160</a>)</li>
<li><a
href="https://github.com/vercel/next.js/commit/98941fc427213b0b2770ac40e24a1855ea0ae349"><code>98941fc</code></a>
backport: docs fixes 16.2.x (<a
href="https://redirect.github.com/vercel/next.js/issues/94935">#94935</a>)</li>
<li><a
href="https://github.com/vercel/next.js/commit/6e1a94de7c4e68892de4b1e28262be5970358458"><code>6e1a94d</code></a>
[16.2.x][ci]: fix release script to not strip newlines (<a
href="https://redirect.github.com/vercel/next.js/issues/94640">#94640</a>)</li>
<li>See full diff in <a
href="https://github.com/vercel/next.js/compare/v16.2.9...v16.2.10">compare
view</a></li>
</ul>
</details>
<br />

Updates `@types/node` from 26.0.1 to 26.1.0
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260630.1 to
7.0.0-dev.20260701.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions-major group with 4 updates:
[github/codeql-action/init](https://github.com/github/codeql-action),
[github/codeql-action/analyze](https://github.com/github/codeql-action),
[docker/login-action](https://github.com/docker/login-action) and
[docker/setup-buildx-action](https://github.com/docker/setup-buildx-action).

Updates `github/codeql-action/init` from 4.36.2 to 4.36.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action/init's
releases</a>.</em></p>
<blockquote>
<h2>v4.36.3</h2>
<p>No user facing changes.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/init's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.37.0 - 08 Jul 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
<h2>4.36.3 - 01 Jul 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.2 - 04 Jun 2026</h2>
<ul>
<li>Cache CodeQL CLI version information across Actions steps. <a
href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li>
<li>Reduce requests while waiting for analysis processing by using
exponential backoff when polling SARIF processing status. <a
href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li>
</ul>
<h2>4.36.1 - 02 Jun 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.0 - 22 May 2026</h2>
<ul>
<li><em>Breaking change</em>: Bump the minimum required CodeQL bundle
version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a"><code>54f647b</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3984">#3984</a>
from github/update-v4.36.3-1f34ec164</li>
<li><a
href="https://github.com/github/codeql-action/commit/e78819e05527766c3c5919e3177647e280c6cb83"><code>e78819e</code></a>
Trigger checks</li>
<li><a
href="https://github.com/github/codeql-action/commit/2c9d3d63eb4941734e2d29468953529a56f5ff1c"><code>2c9d3d6</code></a>
Update changelog for v4.36.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/1f34ec16430d82636d18716acc7aaa6d843b35a9"><code>1f34ec1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3983">#3983</a>
from github/mbg/repo-props/ff-for-config-file-prop</li>
<li><a
href="https://github.com/github/codeql-action/commit/d5f0145480025b49d8b08c3f6b36e6ad41a68c90"><code>d5f0145</code></a>
Log when repository property has a value but is ignored</li>
<li><a
href="https://github.com/github/codeql-action/commit/f27f56386a3c745af8d7bbfb806098c714a5e32a"><code>f27f563</code></a>
Add test for when the FF is off</li>
<li><a
href="https://github.com/github/codeql-action/commit/0025d0f2b5676fde748a0be9725dcce18dd9f986"><code>0025d0f</code></a>
Use FF</li>
<li><a
href="https://github.com/github/codeql-action/commit/f7fa18f05d107ff6735857c3510fbff190c9a1eb"><code>f7fa18f</code></a>
Add FF for config file repo property</li>
<li><a
href="https://github.com/github/codeql-action/commit/628fc3f124e68b0151f0d2a5d81e864ee1e42335"><code>628fc3f</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3979">#3979</a>
from github/henrymercer/overlay-db-cleanup-size-tele...</li>
<li><a
href="https://github.com/github/codeql-action/commit/9cfb67bab9b32441237f92d4ba29a7f3ccff259f"><code>9cfb67b</code></a>
Add clarifying comments</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...54f647b7e1bb85c95cddabcd46b0c578ec92bc1a">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action/analyze` from 4.36.2 to 4.36.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action/analyze's
releases</a>.</em></p>
<blockquote>
<h2>v4.36.3</h2>
<p>No user facing changes.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/analyze's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.37.0 - 08 Jul 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
<h2>4.36.3 - 01 Jul 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.2 - 04 Jun 2026</h2>
<ul>
<li>Cache CodeQL CLI version information across Actions steps. <a
href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li>
<li>Reduce requests while waiting for analysis processing by using
exponential backoff when polling SARIF processing status. <a
href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li>
</ul>
<h2>4.36.1 - 02 Jun 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.0 - 22 May 2026</h2>
<ul>
<li><em>Breaking change</em>: Bump the minimum required CodeQL bundle
version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a"><code>54f647b</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3984">#3984</a>
from github/update-v4.36.3-1f34ec164</li>
<li><a
href="https://github.com/github/codeql-action/commit/e78819e05527766c3c5919e3177647e280c6cb83"><code>e78819e</code></a>
Trigger checks</li>
<li><a
href="https://github.com/github/codeql-action/commit/2c9d3d63eb4941734e2d29468953529a56f5ff1c"><code>2c9d3d6</code></a>
Update changelog for v4.36.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/1f34ec16430d82636d18716acc7aaa6d843b35a9"><code>1f34ec1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3983">#3983</a>
from github/mbg/repo-props/ff-for-config-file-prop</li>
<li><a
href="https://github.com/github/codeql-action/commit/d5f0145480025b49d8b08c3f6b36e6ad41a68c90"><code>d5f0145</code></a>
Log when repository property has a value but is ignored</li>
<li><a
href="https://github.com/github/codeql-action/commit/f27f56386a3c745af8d7bbfb806098c714a5e32a"><code>f27f563</code></a>
Add test for when the FF is off</li>
<li><a
href="https://github.com/github/codeql-action/commit/0025d0f2b5676fde748a0be9725dcce18dd9f986"><code>0025d0f</code></a>
Use FF</li>
<li><a
href="https://github.com/github/codeql-action/commit/f7fa18f05d107ff6735857c3510fbff190c9a1eb"><code>f7fa18f</code></a>
Add FF for config file repo property</li>
<li><a
href="https://github.com/github/codeql-action/commit/628fc3f124e68b0151f0d2a5d81e864ee1e42335"><code>628fc3f</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3979">#3979</a>
from github/henrymercer/overlay-db-cleanup-size-tele...</li>
<li><a
href="https://github.com/github/codeql-action/commit/9cfb67bab9b32441237f92d4ba29a7f3ccff259f"><code>9cfb67b</code></a>
Add clarifying comments</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...54f647b7e1bb85c95cddabcd46b0c578ec92bc1a">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/login-action` from 4.2.0 to 4.3.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/login-action/releases">docker/login-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.3.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/login-action/pull/1022">docker/login-action#1022</a></li>
<li>Bump <code>@​aws-sdk/client-ecr</code> and
<code>@​aws-sdk/client-ecr-public</code> to 3.1076.0 <a
href="https://redirect.github.com/docker/login-action/pull/999">docker/login-action#999</a>
<a
href="https://redirect.github.com/docker/login-action/pull/1030">docker/login-action#1030</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/login-action/pull/1004">docker/login-action#1004</a>
<a
href="https://redirect.github.com/docker/login-action/pull/1027">docker/login-action#1027</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/login-action/pull/1023">docker/login-action#1023</a></li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 in <a
href="https://redirect.github.com/docker/login-action/pull/1029">docker/login-action#1029</a></li>
<li>Bump http-proxy-agent and https-proxy-agent to 9.1.0 in <a
href="https://redirect.github.com/docker/login-action/pull/1017">docker/login-action#1017</a></li>
<li>Bump js-yaml from 4.1.1 to 5.2.0 in <a
href="https://redirect.github.com/docker/login-action/pull/1028">docker/login-action#1028</a></li>
<li>Bump sigstore from 4.1.0 to 4.1.1 in <a
href="https://redirect.github.com/docker/login-action/pull/1031">docker/login-action#1031</a></li>
<li>Bump tmp from 0.2.5 to 0.2.7 in <a
href="https://redirect.github.com/docker/login-action/pull/1002">docker/login-action#1002</a></li>
<li>Bump undici from 6.24.1 to 6.27.0 in <a
href="https://redirect.github.com/docker/login-action/pull/1020">docker/login-action#1020</a></li>
<li>Bump vite from 7.3.3 to 7.3.6 in <a
href="https://redirect.github.com/docker/login-action/pull/1019">docker/login-action#1019</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/login-action/compare/v4.2.0...v4.3.0">https://github.com/docker/login-action/compare/v4.2.0...v4.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/login-action/commit/c99871dec2022cc055c062a10cc1a1310835ceb4"><code>c99871d</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1030">#1030</a>
from docker/dependabot/npm_and_yarn/aws-sdk-dependen...</li>
<li><a
href="https://github.com/docker/login-action/commit/b43355553d3ea8fb194053c74a883544c9fc25b1"><code>b433555</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/login-action/commit/678a46a45e920924c7b07d6209b4d02a3031d403"><code>678a46a</code></a>
build(deps): bump the aws-sdk-dependencies group across 1 directory with
2 up...</li>
<li><a
href="https://github.com/docker/login-action/commit/f9a0aea0f208193fd8b1c2cffdf4be3b345d3e8a"><code>f9a0aea</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1031">#1031</a>
from docker/dependabot/npm_and_yarn/sigstore-4.1.1</li>
<li><a
href="https://github.com/docker/login-action/commit/cc1e4cb459afd4c2ed14dd1998c217908162b52b"><code>cc1e4cb</code></a>
build(deps): bump sigstore from 4.1.0 to 4.1.1</li>
<li><a
href="https://github.com/docker/login-action/commit/02e17303690804fb3ed891da7cd98e78c249fc3e"><code>02e1730</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1029">#1029</a>
from docker/dependabot/npm_and_yarn/sigstore/verify-...</li>
<li><a
href="https://github.com/docker/login-action/commit/b5485183742f9c17a05828cc9a655d45bcf24b31"><code>b548518</code></a>
build(deps): bump <code>@​sigstore/verify</code> from 3.1.0 to
3.1.1</li>
<li><a
href="https://github.com/docker/login-action/commit/a244be39449bb9d5bcc834770924d8c3f72806ab"><code>a244be3</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1027">#1027</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="https://github.com/docker/login-action/commit/ee0d698156bca198952822c0f8ef652bc58ab218"><code>ee0d698</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/login-action/commit/127dc2c62e49cc3f37601f40b7bbf4fe7051fac4"><code>127dc2c</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/login-action/compare/650006c6eb7dba73a995cc03b0b2d7f5ca915bee...c99871dec2022cc055c062a10cc1a1310835ceb4">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.2.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/572">docker/setup-buildx-action#572</a></li>
<li>Bump <code>@​actions/core</code> from 3.0.0 to 3.0.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/551">docker/setup-buildx-action#551</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/557">docker/setup-buildx-action#557</a>
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/580">docker/setup-buildx-action#580</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/573">docker/setup-buildx-action#573</a></li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/576">docker/setup-buildx-action#576</a></li>
<li>Bump js-yaml from 4.1.1 to 5.2.0 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/562">docker/setup-buildx-action#562</a></li>
<li>Bump sigstore from 4.1.0 to 4.1.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/577">docker/setup-buildx-action#577</a></li>
<li>Bump tmp from 0.2.5 to 0.2.7 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/556">docker/setup-buildx-action#556</a></li>
<li>Bump undici from 6.25.0 to 6.27.0 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/570">docker/setup-buildx-action#570</a></li>
<li>Bump vite from 7.3.2 to 7.3.6 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/569">docker/setup-buildx-action#569</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-buildx-action/compare/v4.1.0...v4.2.0">https://github.com/docker/setup-buildx-action/compare/v4.1.0...v4.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/bb05f3f5519dd87d3ba754cc423b652a5edd6d2c"><code>bb05f3f</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/580">#580</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/321c814cb51fbe4af8eca00249525cc0973ea66f"><code>321c814</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/b9a36ef79ba42cfc611885a1e8c388fbf8b8cb3f"><code>b9a36ef</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/ebeab241289497cd564ac98b3cfc9e64607bb276"><code>ebeab24</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/570">#570</a>
from docker/dependabot/npm_and_yarn/undici-6.27.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/5c7b8ae78cec97a3215d4d86679b1d072eaa80cb"><code>5c7b8ae</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/037e618cd98e95e81525b15ff0e9c96f507e6a0e"><code>037e618</code></a>
build(deps): bump undici from 6.25.0 to 6.27.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/66080e5802281ec2e72b7f3108915643e702db85"><code>66080e5</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/577">#577</a>
from docker/dependabot/npm_and_yarn/sigstore-4.1.1</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/409aef0aa3f48f0a742e7dec4e0e04ab19afe93c"><code>409aef0</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/562">#562</a>
from docker/dependabot/npm_and_yarn/js-yaml-4.2.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/49c6e42949280fa0d70fb327633591be54efbfb6"><code>49c6e42</code></a>
build(deps): bump sigstore from 4.1.0 to 4.1.1</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/2211273e8121ecf9ecb7d6c7c0fcd55526d530c7"><code>2211273</code></a>
[dependabot skip] chore: update generated content</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-buildx-action/compare/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5...bb05f3f5519dd87d3ba754cc423b652a5edd6d2c">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Julien Goux <hi@jgoux.dev>
…ps/cli-go/pkg/config/templates in the docker-minor group (#5834)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1
update: supabase/storage-api.

Updates `supabase/storage-api` from v1.63.1 to v1.64.1


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/storage-api&package-manager=docker&previous-version=v1.63.1&new-version=v1.64.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…/primitive errors (#5831)

## What changed

Any `Flag.choice(...)`/`Flag.choiceWithValue(...)`-backed flag (`--size`
on
`projects create`/`branches create`, `--dns-resolver`,
`--output-format`,
`--output`/`-o`, `--agent`) showed a doubled "Expected: Expected ..."
prefix
when given an invalid value, e.g.:

```
Invalid value for flag --size: "nano". Expected: Expected "micro" | "small" | ... , got "nano"
```

Root cause: several `Primitive`s under `effect@4.0.0-beta.93`'s
`effect/unstable/cli` (`choice` — used by
`Flag.choice`/`Flag.choiceWithValue`
— plus the schema-backed `integer`, `float`, `boolean`, and `date`) fail
with
a raw message that already starts with the word "Expected" (e.g.
`` `Expected ${validChoices}, got ${value}` `` for `choice`, or
`Expected a valid date, got Invalid Date` for `date`), and
`CliError.InvalidValue`'s own `message` getter (`CliError.ts:359-364`)
independently prepends its own `"Expected: "` label on top of that —
producing the doubling for any flag or argument backed by one of these
primitives. This is a bug in the vendored `effect` beta package itself,
not
in this repo's code.

Workaround (until upstream `effect` is fixed) added to the shared CLI
error-formatting layer (`subcommand-flag-suggestions.ts`), which already
carries similar per-tag rewrites for
`UnrecognizedOption`/`UnknownSubcommand`:
collapse the literal `"Expected: Expected "` substring down to a single
`"Expected "` whenever it appears in an `InvalidValue` error's rendered
message. Collapsing the exact doubled substring (rather than rebuilding
the
surrounding "Invalid value for ..." template ourselves) keeps the fix
tied
to the precise defect, covers every affected primitive uniformly, and
lets
every other part of the message keep tracking upstream's own wording if
it
changes.

Verified against `go-parity-auditor`: Go's real CLI shows a completely
different message for the same scenario (`Error: invalid argument
"bogus"
for "--size" flag: must be one of [ large | medium | ... ]`, from
`apps/cli-go/internal/utils/enum.go` wrapped by cobra/pflag). Full
byte-parity with Go's wording is out of scope here — this ticket is
specifically about the doubled-prefix defect in the TS/Effect-native
message, not a "TS wording differs from Go" report; rewriting every
`Flag.choice` flag's phrasing to match Go's template would be a
separate,
larger change.

## Known related (not fixed here)

The underlying `Primitive.choice` failure text also appends a redundant
`, got "X"` suffix, so the invalid value still appears twice in the
final
message (once right after the flag name, once after "got"). That's a
pre-existing wart in the same vendored `effect` failure string, not
something this fix introduces, and collapsing it would mean
post-processing
`effect`'s `expected` string further — bigger than this "doubled prefix"
ticket calls for. Left as-is.

Fixes CLI-1898
…5830)

## What changed

Go's `changedFlags(cmd)` (`apps/cli-go/cmd/root_analytics.go:52-76`)
walks `cmd.Parent()` at every ancestor collecting `PersistentFlags()`
(global/root flags: `--debug`, `--yes`, `--experimental`,
`--create-ticket`, `--output`, `--dns-resolver`, `--agent`, `--profile`,
`--workdir`, `--network-id`) in addition to a command's own flags, then
reports booleans and enum-typed flags verbatim in `cli_command_executed`
telemetry.

The TS port's `withLegacyCommandInstrumentation` had no way to resolve
*any* global/persistent flag's value — only the invoking command's own
locally-declared `flags` option was ever consulted. So a changed global
flag always fell back to the literal string `"<redacted>"`, even a
boolean like `--debug`, diverging from Go's `flags: {debug: true}`.

This adds `legacyGlobalFlagValues` (`shared/legacy/global-flags.ts`) to
resolve every global flag's live value via `Effect.serviceOption` (a
no-op outside the real CLI tree, so it adds no `R` requirement and no
per-command wiring), and threads it into `buildFlagsMap` as a fallback
used only when a changed CLI flag name isn't already declared in the
invoking command's own `flags` record — mirroring Go's ancestor-walk
precedence (a command's own flag always wins on a name collision, e.g.
`db diff`'s local `--output` file-path flag shadowing the global
`--output` enum, exactly as it does in Go's cobra tree).

`safeFlags`/`config`-based safety classification is now restricted to
values that actually came from the handler's own `flags` record, so a
future per-command safe/choice annotation can never be misapplied to an
unrelated global flag's value purely by CLI-name collision (raised in
review).

Scope is deliberately narrow: this fixes the 4 boolean globals
(`--debug`, `--yes`, `--experimental`, `--create-ticket`) immediately.
The 3 global choice flags (`--output`, `--dns-resolver`, `--agent`)
remain redacted — that gap is the already-tracked CLI-1904, not this
ticket.

Fixes CLI-1896.

## Why

Found during CLI-1868's review (architect-reviewer finding) as a
systemic gap affecting all ~73 `withLegacyCommandInstrumentation({ flags
})` call sites — it was previously unreachable for `telemetry
enable`/`disable` specifically (hardcoded to `analytics: false`), but
CLI-1868 made it reachable there, surfacing the gap.

## Reviewer-relevant context

- One judgement call deliberately left open: global choice flags
(`--output`/`--dns-resolver`/`--agent`) still redact. This is
intentional — CLI-1904 already tracks teaching the safety pipeline about
global `EnumFlag`s, and folding it into this change would blur two
independent tickets.
- Heads-up for whoever owns the CLI PostHog dashboards: `flags.debug`
(and `yes`/`experimental`/`create-ticket`) will now emit real booleans
going forward instead of the literal string `"<redacted>"` for these
four flags specifically. Any saved insight/funnel doing exact-string
matching on `"<redacted>"` for these keys will stop matching after this
ships.
#5832)

## What kind of change does this PR introduce?

Bug fix (Go-parity divergence).

## What is the current behavior?

`sso update`'s `--domains`/`--add-domains`/`--remove-domains` mutex
checks emitted custom, hand-written messages (`"only one of --domains or
--add-domains may be set"`) instead of cobra's real
`validateExclusiveFlagGroups` template (`flag_groups.go:204`), and gated
"is this flag set" on the *parsed value's* `.length > 0` rather than
cobra's actual `pflag.Changed` semantics — so `--domains=` (explicit but
empty) was silently treated as unset, the same "changed vs truthy" class
of bug CLI-1860 fixed for `functions download`'s `--use-docker`.

Fixes
[CLI-1902](https://linear.app/supabase/issue/CLI-1902/sso-update-use-cobras-mutual-exclusivity-error-template-for-domains).

## What is the new behavior?

Reuses the `hasExplicitLongFlag`/`cobraMutuallyExclusiveErrorMessage`
helpers already hoisted to `shared/cli/cobra-flag-groups.ts` (#5804) so
`sso update` emits cobra's byte-exact error text for
`--domains`/`--add-domains`/`--remove-domains`, keyed off raw argv
rather than the parsed flag value.

While reviewing, three independent reviewer passes
(architect/engineer/DX) converged on two more in-scope gaps in the same
handler that were cheap to close alongside the ticket's stated fix:

- `--metadata-file`/`--metadata-url` had the identical divergence (Go
also registers this pair with `MarkFlagsMutuallyExclusive`,
`cmd/sso.go:178`) — folded into the same cobra-parity check rather than
leaving one mutex group byte-exact and the other hand-written in the
same command.
- The mutex checks ran *after* the provider-ID UUID validation, but
cobra runs `ValidateFlagGroups` before `RunE` (`command.go:1010,1014`)
while Go's UUID check lives inside `RunE` (`cmd/sso.go:90-91`) — so a
flag-group violation must win over an invalid provider ID when both
apply. Reordered to match.

Added regression tests for the exact cobra error text (both `--domains`
groups and the metadata group), the changed-vs-truthy gap, the
two-groups-not-a-3-way-group behavior, the group-check ordering when all
three domain flags collide, and the mutex-before-UUID precedence — plus
a flag-parser unit test proving `--domains=` really resolves to `[]`.

`update.handler.ts`'s pre-existing branch-coverage gaps (GET/PUT
network-failure paths, `--skip-url-validation`, no-access-token,
malformed GET body) are unrelated to this change and were left alone;
independently verified via `git stash` that none of them were introduced
by this diff.
dependabot Bot added 3 commits July 11, 2026 00:12
Bumps the npm-major group with 3 updates:
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript),
[@clack/prompts](https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts)
and
[@typescript/native-preview](https://github.com/microsoft/typescript-go).

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.199 to 0.3.201
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.201</h2>
<h2>What's changed</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.201</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.201
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.201
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.201
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.201
</code></pre>
<h2>v0.3.200</h2>
<h2>What's changed</h2>
<ul>
<li>Added <code>'manual'</code> as an accepted alias for the
<code>'default'</code> permission mode in SDK inputs</li>
<li>Fixed <code>onSetPermissionMode</code> callback not firing for
SDK-hosted Remote Control sessions</li>
<li>Fixed <code>set_model</code> control request accepting unrecognized
model strings; invalid models are now rejected before latching</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.200
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.200
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.200
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.200
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.201</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.201</li>
</ul>
<h2>0.3.200</h2>
<ul>
<li>Added <code>'manual'</code> as an accepted alias for the
<code>'default'</code> permission mode in SDK inputs</li>
<li>Fixed <code>onSetPermissionMode</code> callback not firing for
SDK-hosted Remote Control sessions</li>
<li>Fixed <code>set_model</code> control request accepting unrecognized
model strings; invalid models are now rejected before latching</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/6809c4ca30f74667391c1f30dc5023e518110326"><code>6809c4c</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/8d7e23f1ff86a20eed96ba64e2ac1ed44b68af14"><code>8d7e23f</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.199...v0.3.201">compare
view</a></li>
</ul>
</details>
<br />

Updates `@clack/prompts` from 1.6.0 to 1.7.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/bombshell-dev/clack/releases">@​clack/prompts's
releases</a>.</em></p>
<blockquote>
<h2><code>@​clack/prompts</code><a
href="https://github.com/1"><code>@​1</code></a>.7.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/bombshell-dev/clack/pull/574">#574</a>
<a
href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a>
Thanks <a
href="https://github.com/dreyfus92"><code>@​dreyfus92</code></a>! - Add
<code>showInstructions</code> option to <code>select</code>,
<code>multiselect</code>, and <code>groupMultiselect</code>. Keyboard
hints remain shown by default; pass <code>showInstructions: false</code>
to hide them.</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/bombshell-dev/clack/pull/582">#582</a>
<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>
Thanks <a href="https://github.com/43081j"><code>@​43081j</code></a>! -
Handle empty arrays in various prompts and utilities.</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>]:</p>
<ul>
<li><code>@​clack/core</code><a
href="https://github.com/1"><code>@​1</code></a>.4.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/bombshell-dev/clack/blob/main/packages/prompts/CHANGELOG.md">@​clack/prompts's
changelog</a>.</em></p>
<blockquote>
<h2>1.7.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/bombshell-dev/clack/pull/574">#574</a>
<a
href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a>
Thanks <a
href="https://github.com/dreyfus92"><code>@​dreyfus92</code></a>! - Add
<code>showInstructions</code> option to <code>select</code>,
<code>multiselect</code>, and <code>groupMultiselect</code>. Keyboard
hints remain shown by default; pass <code>showInstructions: false</code>
to hide them.</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/bombshell-dev/clack/pull/582">#582</a>
<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>
Thanks <a href="https://github.com/43081j"><code>@​43081j</code></a>! -
Handle empty arrays in various prompts and utilities.</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>]:</p>
<ul>
<li><code>@​clack/core</code><a
href="https://github.com/1"><code>@​1</code></a>.4.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/bombshell-dev/clack/commit/dc5bce8aae84a57b5863124adfaa839c1db1fa23"><code>dc5bce8</code></a>
[ci] release (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/575">#575</a>)</li>
<li><a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>
chore: enable strict index checks (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/582">#582</a>)</li>
<li><a
href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a>
feat(prompts): add showInstructions opt-out (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/574">#574</a>)</li>
<li><a
href="https://github.com/bombshell-dev/clack/commit/06c16c7b65b69dee44301e7e6c8f1110c6da4149"><code>06c16c7</code></a>
chore: update license copyright to Bombshell contributors (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/572">#572</a>)</li>
<li>See full diff in <a
href="https://github.com/bombshell-dev/clack/commits/@clack/prompts@1.7.0/packages/prompts">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260702.3 to
7.0.0-dev.20260703.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…n /apps/cli-go in the go-minor group across 1 directory (#5865)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[github.com/posthog/posthog-go](https://github.com/posthog/posthog-go).

Updates `github.com/posthog/posthog-go` from 1.17.4 to 1.17.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/posthog/posthog-go/releases">github.com/posthog/posthog-go's
releases</a>.</em></p>
<blockquote>
<h2>1.17.5</h2>
<h2>Unreleased</h2>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md">github.com/posthog/posthog-go's
changelog</a>.</em></p>
<blockquote>
<h2>1.17.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>fe66557: Change the default capture delivery budget from 10 attempts
to 4 (<code>DefaultMaxAttempts</code>) when
<code>Config.MaxRetries</code> is unset, aligning with the cross-SDK
Capture V1 parity standard (posthog-rs uses the same envelope). This
affects <strong>both</strong> the v0 (<code>/batch/</code>) and v1 send
paths, since they share the attempt budget. Callers that set
<code>MaxRetries</code> explicitly are unaffected.</li>
<li>3d8404a: Unify the capture retry backoff ceiling at 30s.
<code>DefaultBackoff</code>'s cap changes from 10s to 30s (default only
— override via <code>Config.RetryAfter</code>), and the Capture V1 send
now clamps a server <code>Retry-After</code> to the same 30s so a
hostile or buggy header cannot park a batch goroutine.
<code>Retry-After</code> still acts as a minimum; the configured backoff
is never truncated. This aligns the default retry behavior with
posthog-rs and posthog-python.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-go/commit/d7f8a22426389425e7874d302cedfbe86731a179"><code>d7f8a22</code></a>
chore: release v1.17.5 [version bump] [skip ci]</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/fe66557ddc3141ada0c1d9538186037c641614d9"><code>fe66557</code></a>
feat(capture): default to 4 delivery attempts (down from 10) (<a
href="https://redirect.github.com/posthog/posthog-go/issues/256">#256</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/3d8404afd554d1557a57c45deba05501a8288d44"><code>3d8404a</code></a>
fix(capture): unify retry backoff ceiling at 30s (<a
href="https://redirect.github.com/posthog/posthog-go/issues/255">#255</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/6affc1549498bbd8f8ee3fe5beaaab6da5d13ca1"><code>6affc15</code></a>
ci: Standardize SDK release failure telemetry (<a
href="https://redirect.github.com/posthog/posthog-go/issues/252">#252</a>)</li>
<li>See full diff in <a
href="https://github.com/posthog/posthog-go/compare/v1.17.4...v1.17.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/posthog/posthog-go&package-manager=go_modules&previous-version=1.17.4&new-version=1.17.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….2.2 in the actions-major group (#5871)

Bumps the actions-major group with 1 update:
[aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials).

Updates `aws-actions/configure-aws-credentials` from 6.2.1 to 6.2.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aws-actions/configure-aws-credentials/releases">aws-actions/configure-aws-credentials's
releases</a>.</em></p>
<blockquote>
<h2>v6.2.2</h2>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a>
(2026-07-07)</h2>
<h3>Miscellaneous Chores</h3>
<ul>
<li>release 6.2.2 (<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md">aws-actions/configure-aws-credentials's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this file.
See <a
href="https://github.com/conventional-changelog/standard-version">standard-version</a>
for commit guidelines.</p>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a>
(2026-07-07)</h2>
<h3>Miscellaneous Chores</h3>
<ul>
<li>release 6.2.2 (<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.0...v6.2.1">6.2.1</a>
(2026-06-26)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>enforce allowed-account-ids on all auth paths (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1847">#1847</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/4d281fbc56a82e63c3fc14f2cc22361f34c97493">4d281fb</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.3...v6.2.0">6.2.0</a>
(2026-06-01)</h2>
<h3>Features</h3>
<ul>
<li>add additional session tags by default (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1775">#1775</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/e0ba7685077379a14a82d01fefd511490344ebfc">e0ba768</a>)</li>
<li>add more retry logic and better logging (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1764">#1764</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/540d0c13aedb8d55501d220bd2f0b3cdedfe84e8">540d0c1</a>)</li>
<li>add regex validation to role-session-name (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1765">#1765</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/e35449909c6ede5083a48ba4b8bbfaaa1cf09ba1">e354499</a>)</li>
<li>Allow custom session tags to be passed when assuming a role (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1759">#1759</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/61f50f630f383628add73c1eab3f1935ba07da2b">61f50f6</a>)</li>
<li>expose run id in STS client user-agent (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1774">#1774</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/29d1be30273e7ef371d59fccf6ec54572c64ec89">29d1be3</a>)</li>
<li>support custom STS endpoints (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1762">#1762</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/8d52d05d7a4521fa52b39de50cb6114b12e5c332">8d52d05</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>skip credential check on output-env-credentials: false (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1778">#1778</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/58e7c47adf77846879008deadfeeef8a6969fe6c">58e7c47</a>)</li>
<li>assumeRole failing from session tag size too large (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1808">#1808</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d6f5dc331b44474b19a52caaf85fa4d637b13c8e">d6f5dc3</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.2...v6.1.3">6.1.3</a>
(2026-05-28)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>fix: allow kubelet token symlink in <a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1805">#1805</a></li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.1...v6.1.2">6.1.2</a>
(2026-05-26)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>additional filesystem checks (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1799">#1799</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/c39f282697aca8a78c522ecf1f7da9899a31432c">c39f282</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.0...v6.1.1">6.1.1</a>
(2026-05-05)</h2>
<h3>Miscellaneous Chores</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/517a711dbcd0e402f90c77e7e2f81e849156e31d"><code>517a711</code></a>
chore(main): release 6.2.2 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1876">#1876</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2"><code>d01d678</code></a>
chore: release 6.2.2</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/8efa52b2848773c500aa10726e251480b1a9eef6"><code>8efa52b</code></a>
chore(deps-dev): bump vitest dependencies (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1874">#1874</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/8e1eed5c14c0831e3e8d3e79a355207770cfc534"><code>8e1eed5</code></a>
chore(deps-dev): bump <code>@​smithy/property-provider</code> from 4.4.4
to 4.4.6 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1869">#1869</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/112421a93aaa67421f2d14d7c469df0e5ca60e47"><code>112421a</code></a>
chore(deps-dev): bump <code>@​biomejs/biome</code> from 2.5.1 to 2.5.2
(<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1868">#1868</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/fbc01c6585c59a56334d4803ca1f3f249a5fba3f"><code>fbc01c6</code></a>
chore(deps-dev): bump <code>@​types/node</code> from 26.0.1 to 26.1.0
(<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1871">#1871</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/b12ca875eb3037b4cfbc4aa347bd62e1b475d439"><code>b12ca87</code></a>
chore(deps-dev): bump memfs from 4.57.8 to 4.58.0 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1873">#1873</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d314f7f43d28771d47678a1ad87f05976e241846"><code>d314f7f</code></a>
chore: Update dist</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/a53b65b84a3cea262b96b50376e409283f6f818b"><code>a53b65b</code></a>
chore(deps): bump <code>@​aws-sdk/client-sts</code> from 3.1076.0 to
3.1080.0 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1867">#1867</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/338d2c18392e9b3ace741e4547b315bda30f7b02"><code>338d2c1</code></a>
chore(deps-dev): bump sigstore from 4.1.0 to 4.1.1 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1864">#1864</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/aws-actions/configure-aws-credentials/compare/254c19bd240aabef8777f48595e9d2d7b972184b...517a711dbcd0e402f90c77e7e2f81e849156e31d">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aws-actions/configure-aws-credentials&package-manager=github_actions&previous-version=6.2.1&new-version=6.2.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@supabase-cli-releaser
supabase-cli-releaser Bot requested a review from a team as a code owner July 14, 2026 03:09
@supabase-cli-releaser supabase-cli-releaser Bot added the do not merge Approve to apply; do not merge. label Jul 14, 2026
Comment thread apps/cli/src/legacy/commands/config/push/config-sync/config-sync.secret.ts Dismissed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 249b9ec577

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +91 to +98
const args = [
"db",
"__db-bootstrap",
...modeArgs,
...networkArgs,
...profileArgs,
...experimentalArgs,
];

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Forward explicit workdir into the bootstrap child

When db start or local db reset is invoked with an explicit --workdir/SUPABASE_WORKDIR, this seam starts the hidden Go child with only cwd: cliConfig.workdir and does not pass that workdir as a flag/env. In the Go child, ChangeWorkDir falls back to getProjectRoot(CurrentDirAbs) whenever WORKDIR is unset (apps/cli-go/internal/utils/misc.go:239-242), so an explicit workdir that intentionally has no supabase/config.toml can be replaced by an ancestor project. The child can then load the ancestor config/project id and create/reset/cleanup the wrong local containers; pass the resolved workdir through to the child.

Useful? React with 👍 / 👎.

Comment on lines +178 to +181
const projectId = legacyResolveLocalProjectId(
Option.getOrUndefined(cliConfig.projectId),
Option.getOrUndefined(tomlProjectId),
cliConfig.workdir,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Include project dotenv when deriving the db container

When SUPABASE_PROJECT_ID is defined only in project dotenv files, Go sees it because config Load calls loadNestedEnv before AutomaticEnv/validation (apps/cli-go/pkg/config/config.go:786-790). This preflight lookup only uses the ambient cliConfig.projectId plus TOML/workdir, so it inspects supabase_db_<wrong id> and misses an already-running stack that was started with the dotenv project id; db start then enters the bootstrap path instead of returning "already running". Resolve the project env here before deriving the container id.

Useful? React with 👍 / 👎.

dependabot Bot and others added 3 commits July 15, 2026 00:16
Bumps the actions-major group with 2 updates:
[github/codeql-action/init](https://github.com/github/codeql-action) and
[github/codeql-action/analyze](https://github.com/github/codeql-action).

Updates `github/codeql-action/init` from 4.36.3 to 4.37.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action/init's
releases</a>.</em></p>
<blockquote>
<h2>v4.37.0</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/init's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.20.6 and earlier. These versions of
CodeQL were discontinued on 1 July 2026 alongside GitHub Enterprise
Server 3.16, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3956">#3956</a></li>
</ul>
<h2>4.37.0 - 08 Jul 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
<h2>4.36.3 - 01 Jul 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.2 - 04 Jun 2026</h2>
<ul>
<li>Cache CodeQL CLI version information across Actions steps. <a
href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li>
<li>Reduce requests while waiting for analysis processing by using
exponential backoff when polling SARIF processing status. <a
href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li>
</ul>
<h2>4.36.1 - 02 Jun 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.0 - 22 May 2026</h2>
<ul>
<li><em>Breaking change</em>: Bump the minimum required CodeQL bundle
version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/99df26d4f13ea111d4ec1a7dddef6063f76b97e9"><code>99df26d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3996">#3996</a>
from github/update-v4.37.0-c7c896d71</li>
<li><a
href="https://github.com/github/codeql-action/commit/31c27074fda95256cda077009907f8a6022dd7c0"><code>31c2707</code></a>
Add changenote for <a
href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a></li>
<li><a
href="https://github.com/github/codeql-action/commit/72df2181aac054d1f4b44264399d2aac12cf11c6"><code>72df218</code></a>
Update changelog for v4.37.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/c7c896d71b3055d36f2aff93b16bcc6c69923b91"><code>c7c896d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3995">#3995</a>
from github/update-bundle/codeql-bundle-v2.26.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/3f34ff0ea3f5153c96071437b7cbf71ea3757146"><code>3f34ff0</code></a>
Add changelog note</li>
<li><a
href="https://github.com/github/codeql-action/commit/43bec09f1dc368b430cab4b5d69799bc904079d1"><code>43bec09</code></a>
Update default bundle to codeql-bundle-v2.26.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/f58f0d11ebf5dedd870fab2f999275f7602cfa46"><code>f58f0d1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a>
from github/mbg/repo-props/config-file-shorthands</li>
<li><a
href="https://github.com/github/codeql-action/commit/7dc37cbb5b3e37f0e1cd1f18b61e0ea849898fb8"><code>7dc37cb</code></a>
Merge remote-tracking branch 'origin/main' into
mbg/repo-props/config-file-sh...</li>
<li><a
href="https://github.com/github/codeql-action/commit/8e22350a7e28c34c82a5a499fc241923301c2c4f"><code>8e22350</code></a>
Thread <code>ActionState</code> to <code>initConfig</code></li>
<li><a
href="https://github.com/github/codeql-action/commit/69c9e8c7d918cf2fee13b8b72fdde15883ff155b"><code>69c9e8c</code></a>
Mark some <code>status-report</code> imports as <code>type</code>-only
to avoid circular dependencies</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a...99df26d4f13ea111d4ec1a7dddef6063f76b97e9">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action/analyze` from 4.36.3 to 4.37.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action/analyze's
releases</a>.</em></p>
<blockquote>
<h2>v4.37.0</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/analyze's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.20.6 and earlier. These versions of
CodeQL were discontinued on 1 July 2026 alongside GitHub Enterprise
Server 3.16, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3956">#3956</a></li>
</ul>
<h2>4.37.0 - 08 Jul 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
<h2>4.36.3 - 01 Jul 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.2 - 04 Jun 2026</h2>
<ul>
<li>Cache CodeQL CLI version information across Actions steps. <a
href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li>
<li>Reduce requests while waiting for analysis processing by using
exponential backoff when polling SARIF processing status. <a
href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li>
</ul>
<h2>4.36.1 - 02 Jun 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.0 - 22 May 2026</h2>
<ul>
<li><em>Breaking change</em>: Bump the minimum required CodeQL bundle
version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/99df26d4f13ea111d4ec1a7dddef6063f76b97e9"><code>99df26d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3996">#3996</a>
from github/update-v4.37.0-c7c896d71</li>
<li><a
href="https://github.com/github/codeql-action/commit/31c27074fda95256cda077009907f8a6022dd7c0"><code>31c2707</code></a>
Add changenote for <a
href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a></li>
<li><a
href="https://github.com/github/codeql-action/commit/72df2181aac054d1f4b44264399d2aac12cf11c6"><code>72df218</code></a>
Update changelog for v4.37.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/c7c896d71b3055d36f2aff93b16bcc6c69923b91"><code>c7c896d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3995">#3995</a>
from github/update-bundle/codeql-bundle-v2.26.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/3f34ff0ea3f5153c96071437b7cbf71ea3757146"><code>3f34ff0</code></a>
Add changelog note</li>
<li><a
href="https://github.com/github/codeql-action/commit/43bec09f1dc368b430cab4b5d69799bc904079d1"><code>43bec09</code></a>
Update default bundle to codeql-bundle-v2.26.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/f58f0d11ebf5dedd870fab2f999275f7602cfa46"><code>f58f0d1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3973">#3973</a>
from github/mbg/repo-props/config-file-shorthands</li>
<li><a
href="https://github.com/github/codeql-action/commit/7dc37cbb5b3e37f0e1cd1f18b61e0ea849898fb8"><code>7dc37cb</code></a>
Merge remote-tracking branch 'origin/main' into
mbg/repo-props/config-file-sh...</li>
<li><a
href="https://github.com/github/codeql-action/commit/8e22350a7e28c34c82a5a499fc241923301c2c4f"><code>8e22350</code></a>
Thread <code>ActionState</code> to <code>initConfig</code></li>
<li><a
href="https://github.com/github/codeql-action/commit/69c9e8c7d918cf2fee13b8b72fdde15883ff155b"><code>69c9e8c</code></a>
Mark some <code>status-report</code> imports as <code>type</code>-only
to avoid circular dependencies</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a...99df26d4f13ea111d4ec1a7dddef6063f76b97e9">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## TL;DR

docker-based deploys could finish bundling and then fail with `failed to
open eszip: ENOENT ... output.eszip` <br>the [Go CLI wrote bundle output
to project-local
`supabase/.temp`](<https://github.com/supabase/cli/blob/249b9ec577f178350c686e1a581469d680e054ba/apps/cli-go/internal/functions/deploy/bundle.go#L36>)

but the [TypeScript port moved it to the host OS temporary
directory](<https://github.com/supabase/cli/blob/249b9ec577f178350c686e1a581469d680e054ba/apps/cli/src/shared/functions/deploy.ts#L1337-L1340>)
<br>typically under `/var/folders/...`, which may not be shared with
Docker Desktop's VM

this restores the Go CLI's project local output behavior while retaining
unique bundle directories & cleanup...

## ref:

* towards: #5735
* follow up to:
<br>[https://github.com/supabase/cli/pull/5755](<https://github.com/supabase/cli/pull/5755>)
<br>[https://github.com/supabase/cli/pull/5747](<https://github.com/supabase/cli/pull/5747>)
## TL;DR

`supabase gen types typescript --local` started requiring
`supabase/config.toml` after the ts port,
although the previous one used embedded defaults when the file was
absent

now it again uses the config schema defaults for the config-less
`--local` path,
restoring the previous behavior..

## ref

- Closes #5879
- Follow-up to #5514

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 51836e43ed

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread packages/config/src/io.ts
Comment on lines +286 to +288
if (goViperCompat) {
yield* checkDuplicateRemoteProjectIds(remotes);
yield* checkRemoteProjectIdFormat(interpolatedRemotes ?? remotes);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Honor viper env overrides when validating remotes

When a Go-parity caller runs with SUPABASE_REMOTES_<NAME>_PROJECT_ID overriding a placeholder or invalid [remotes.<name>].project_id, Go accepts the config because SetEnvPrefix("SUPABASE")/AutomaticEnv() is installed before the struct is validated (apps/cli-go/pkg/config/config.go:582-586, then :996-1001). This new check validates only the TOML/env(...) document, so the newly ported status/stop/config-loading paths using goViperCompat: true now reject Go-valid configs before doing any work. Apply the same SUPABASE_REMOTES_<NAME>_PROJECT_ID override before the duplicate/format checks.

Useful? React with 👍 / 👎.

Comment on lines +156 to +158
const loadOptions: LoadProjectConfigOptions =
projectRef !== "" ? { projectRef, goViperCompat: true } : { goViperCompat: true };
const loaded = yield* loadProjectConfig(cliConfig.workdir, loadOptions).pipe(

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Load bucket config with Go's project env context

In this new native seed buckets path, the config load only receives projectRef/goViperCompat, even though Go reaches buckets.Run after ParseDatabaseConfig has loaded the full nested dotenv set (apps/cli-go/cmd/root.go:118, pkg/config/config.go:1220-1256). If a bucket field such as objects_path or file_size_limit uses env(...) backed by a project-root or SUPABASE_ENV-selected dotenv file, this reload only sees @supabase/config's narrower env set and can reject a Go-valid config or seed from an unresolved env(...) path; pass the preloaded project env (and the exact Go workdir/toml-only options) into this load.

Useful? React with 👍 / 👎.

This PR was automatically created to sync API types from the
infrastructure repository.

Changes were detected in the generated API code after syncing with the
latest spec from infrastructure.

Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>
This PR was automatically created to sync API types from the
infrastructure repository.

Changes were detected in the generated API code after syncing with the
latest spec from infrastructure.

Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>
This PR was automatically created to sync API types from the
infrastructure repository.

Changes were detected in the generated API code after syncing with the
latest spec from infrastructure.

Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7f1d939c8f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

// `db reset` (local path) drives the bootstrap seam, which holds SIGINT/SIGTERM/SIGHUP with
// no-op listeners while the Go child recreates the container; the global handler would
// otherwise race that and cut off the child's Docker cleanup / status propagation.
["db", "reset"],

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Restore signal handling for remote db reset

This excludes every db reset invocation from the global SIGINT/SIGTERM wrapper, but only the local/bootstrap paths install their own holdSignals; native remote resets such as db reset --linked --version ... or a non-local --db-url path do not. In those cases Ctrl-C falls back to the runtime's default process termination, so the Effect.ensuring finalizers in reset.handler.ts and the scoped DB connection cleanup can be skipped instead of exiting through the normal 130 path. Narrow this exemption to the local/bootstrap child path or add equivalent signal handling around the native remote path.

Useful? React with 👍 / 👎.


permissions:
pull-requests: write
issues: read

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Grant issue write permission to close gated PRs

The gate's makeCloser implementation posts to /issues/{pr}/comments and then PATCHes /issues/{pr} to close the PR, but the workflow only grants issues: read. GitHub's REST issue mutations require issue write access, so the first external PR that fails the gate will hit a 403 instead of being commented on and closed; change this to issues: write (while keeping pull-requests: write only if another call needs it).

Useful? React with 👍 / 👎.

## TL;DR

`db advisors --local` silently missed API exposure lints when
`pgrst.db_schemas` was unset in its direct database session

This defaults the missing setting to PostgREST's `public` schema while
preserving explicitly configured and empty schema values.

## ref

- closes #5868
- follows supabase/splinter#168

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3383214304

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +21 to +22
- [ ] Tests added or updated for the change.
- [ ] `pnpm check:all` and `pnpm test` pass for the workspace(s) I touched.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Remove validation checklist entries

These checklist entries will be copied into every PR description, but the repo’s AGENTS.md Pull Requests guidance explicitly says not to include validation, test plans, or lists of checks in PR descriptions. In contexts using this template, contributors will be nudged to add exactly the content CI policy asks them to omit; remove these validation/check entries from the template.

Useful? React with 👍 / 👎.

Comment on lines +181 to +185
legacyAssertDecryptableSecrets(loaded.document, secretEnvLookup, dotenvPrivateKeys) ??
legacyAssertDecryptableSecrets(
{ auth: { external: loaded.removedDeprecatedExternalProviders ?? {} } },
secretEnvLookup,
dotenvPrivateKeys,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Scan stripped remotes before pushing config

When config push selects a matching [remotes.*] block, loadProjectConfig returns loaded.document with remotes stripped, but Go's config load still decodes c.Remotes and runs DecryptSecretHookFunc on those Secret fields. With a target prod remote plus a non-selected staging remote containing an undecryptable auth.external.github.secret = "encrypted:...", Go aborts before the cost matrix/API calls, while this scan only sees the merged document and proceeds to push remote config; preserve the pre-merge remotes or re-read them for this decrypt-or-abort pass.

Useful? React with 👍 / 👎.

This PR was automatically created to sync the generated `@supabase/api`
package with the latest Management API OpenAPI document.

Changes were detected in the upstream OpenAPI document exposed by
`https://api.supabase.com/api/v1-json`.

---------

Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>
Co-authored-by: avallete <andrew.valleteau@supabase.io>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2cb2d6e83a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread packages/config/src/io.ts
Comment on lines +290 to +294
const name = Object.entries(remotes).find(([, remote]) => {
const projectId =
isObject(remote) && typeof remote["project_id"] === "string" ? remote["project_id"] : "";
return projectRef !== undefined && projectId === projectRef;
})?.[0];

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Apply env overrides when selecting remotes

When goViperCompat callers select a remote whose [remotes.<name>].project_id is supplied by SUPABASE_REMOTES_<NAME>_PROJECT_ID, this matching loop still compares only the TOML value, so the remote block is not merged even though Go's viper lookup would select it. Fresh evidence beyond the earlier validation comment: this selection path independently reads remote["project_id"], so fixing duplicate/format validation alone would still make config push/functions deploy/linked storage config loads operate on the base config instead of the env-selected remote.

Useful? React with 👍 / 👎.

Comment on lines +355 to +359
Effect.catchTag("LegacySeedConfigLoadError", (error) =>
output.raw(
`${legacyYellow("WARNING:")} skipped seeding storage buckets: ${error.message}\n`,
"stderr",
),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Stop swallowing bucket config failures

When local db reset reaches bucket seeding with a real bucket-config error, this catch converts it into a warning after seam.recreateDatabase has already dropped/rebuilt the database and then reports reset success. This is not limited to the narrower env-file-set gap described above; legacySeedBucketsRun also raises LegacySeedConfigLoadError for invalid storage settings such as an unparseable storage.file_size_limit or per-bucket file_size_limit, while Go's config load parses those before resetDatabase runs and would fail before doing destructive work. Narrow this catch to the env-resolution compatibility case or pre-validate the same bucket fields before recreating the DB.

Useful? React with 👍 / 👎.

…tes (#5885)

Bumps the go-minor group with 2 updates in the /apps/cli-go directory:
[golang.org/x/mod](https://github.com/golang/mod) and
[golang.org/x/net](https://github.com/golang/net).
Bumps the go-minor group with 1 update in the /apps/cli-go/pkg
directory: [golang.org/x/mod](https://github.com/golang/mod).

Updates `golang.org/x/mod` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/mod/commit/792ac169a90372d88fb14e712cb793061ba0c104"><code>792ac16</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/mod/commit/fe2ec04f7c3c3aa6fad97631aafcff6e49e2d1db"><code>fe2ec04</code></a>
all: fix some comments to improve readability</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/net` from 0.56.0 to 0.57.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/net/commit/b8f09f6f062ceb4531b7af4bd17a5c8fe9c4b2b5"><code>b8f09f6</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/net/commit/f05f21be5927155a88b371674c298ada54b71cf5"><code>f05f21b</code></a>
idna: reject all-ASCII xn-- labels on all Go versions</li>
<li><a
href="https://github.com/golang/net/commit/0f748cfbba95084c87723e3b7eb7dad9241fc2dd"><code>0f748cf</code></a>
internal/http3: clean up stream I/O methods usages in tests</li>
<li><a
href="https://github.com/golang/net/commit/0bb961e45132c680e2a0117e1df951538a19da61"><code>0bb961e</code></a>
internal/http3: add net/http.ResponseController support</li>
<li><a
href="https://github.com/golang/net/commit/0ca694d2a5adcce7f36d4d65e5f8d72390d94051"><code>0ca694d</code></a>
webdav: document Dir's lack of defense against filesystem
modification</li>
<li><a
href="https://github.com/golang/net/commit/bd5f1dcf71cf0d6d2424021d0a04f191396a46a7"><code>bd5f1dc</code></a>
http2: initialize Transport on NewClientConn</li>
<li><a
href="https://github.com/golang/net/commit/488ff63197ffddbcef2d01107f8a89906a4f28d1"><code>488ff63</code></a>
bpf: add security considerations to package docs</li>
<li><a
href="https://github.com/golang/net/commit/93d1f25be95961edfdf488b9398e53fb9f05f193"><code>93d1f25</code></a>
xsrftoken: avoid token collisions</li>
<li><a
href="https://github.com/golang/net/commit/5a3baee349e65853c34b4377bebe7676a64dbc87"><code>5a3baee</code></a>
internal/http3: prevent panic in QPACK decoder due to overflow</li>
<li>See full diff in <a
href="https://github.com/golang/net/compare/v0.56.0...v0.57.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/term` from 0.44.0 to 0.45.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/term/commit/9f69229da31ca6a34b522f59dbe07cad5ea21587"><code>9f69229</code></a>
go.mod: update golang.org/x dependencies</li>
<li>See full diff in <a
href="https://github.com/golang/term/compare/v0.44.0...v0.45.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/mod` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/mod/commit/792ac169a90372d88fb14e712cb793061ba0c104"><code>792ac16</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/mod/commit/fe2ec04f7c3c3aa6fad97631aafcff6e49e2d1db"><code>fe2ec04</code></a>
all: fix some comments to improve readability</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/mod` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/mod/commit/792ac169a90372d88fb14e712cb793061ba0c104"><code>792ac16</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/mod/commit/fe2ec04f7c3c3aa6fad97631aafcff6e49e2d1db"><code>fe2ec04</code></a>
all: fix some comments to improve readability</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `golang.org/x/mod` from 0.37.0 to 0.38.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/mod/commit/792ac169a90372d88fb14e712cb793061ba0c104"><code>792ac16</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/mod/commit/fe2ec04f7c3c3aa6fad97631aafcff6e49e2d1db"><code>fe2ec04</code></a>
all: fix some comments to improve readability</li>
<li>See full diff in <a
href="https://github.com/golang/mod/compare/v0.37.0...v0.38.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 770d7cc1a7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

// which reads the resolved flag value, not `pflag.Changed`. Gate on
// `flags.useApi` directly so `--use-api=false` still routes through the
// Docker/legacy-bundle proxy, matching Go.
if (!flags.useApi && (flags.useDocker || flags.legacyBundle)) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Validate API-listed slugs on the native download path

When --use-api is used without a function name, this new routing bypasses the Go proxy and falls through to the native all-functions download path, but that path still trusts slugs returned by v1ListAllFunctions. The Go implementation explicitly validates each listed slug before dispatching downloads (apps/cli-go/internal/functions/download/download.go:176-188); without the same check here, a corrupted/MITM API response containing a slug like ../functions/other is joined into the extraction destination and can write into a different directory under supabase/functions. Validate API-listed slugs before native downloads (and before reporting them in machine output).

Useful? React with 👍 / 👎.

This PR was automatically created to sync API types from the
infrastructure repository.

Changes were detected in the generated API code after syncing with the
latest spec from infrastructure.

Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a3925ee0ea

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

mcpUrl: apiUrlWithPath(apiExternalUrl, "/mcp"),
studioUrl: `http://${hostname}:${studioPort}`,
mailpitUrl: `http://${hostname}:${mailpitPort}`,
dbUrl: `postgresql://postgres:${DEFAULT_DB_PASSWORD}@${hostname}:${dbPort}/postgres`,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use the configured local DB password in status

When the local stack was started with a custom SUPABASE_DB_PASSWORD from the shell or project dotenv files, Go's status builds DB_URL from utils.Config.Db.Password after Config.Load, so it reports the actual password clients need. This hardcoded postgres value ignores the same env/dotenv override that start uses for the database container, causing supabase status -o env/json to hand users and scripts an unusable connection URL for those projects; resolve the DB password through the Go-parity env/config path instead of always using the default.

Useful? React with 👍 / 👎.

7ttp and others added 2 commits July 17, 2026 08:07
## TL;DR

fixes project keys being written to CLI traces, matching the Go cli's
behavior...

## Problem

The Go-cli use to send keys through the `apikey` header:


https://github.com/supabase/cli/blob/2cb2d6e83a3f7d65ebdab905c35b8f8257e685dc/apps/cli-go/pkg/fetcher/gateway.go#L22-L33

Its debug transport only logs the request method and URL:


https://github.com/supabase/cli/blob/2cb2d6e83a3f7d65ebdab905c35b8f8257e685dc/apps/cli-go/internal/debug/http.go#L14-L16

Effect tracing captures request headers, but `apikey` is not included in
its default redaction list...
this allowed values to be written to local traces...

## sol

exclude `apikey` header attributes at the tracing boundary....
requests and all other telemetry remain unchanged, while NDJSON and
debug output no longer contain project keys....

## ref:

- reported in: #5890
This PR was automatically created to sync the generated `@supabase/api`
package with the latest Management API OpenAPI document.

Changes were detected in the upstream OpenAPI document exposed by
`https://api.supabase.com/api/v1-json`.

Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4e99f37dd9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +300 to +301
if (expected === "array") {
return goViperCompat ? coerceLeaf(substituted, expected) : substituted;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Coerce plain scalar strings in viper mode

When goViperCompat callers load a Go-valid config that quotes a scalar, e.g. api.enabled = "false" or db.port = "54321", Go's v.UnmarshalExact still decodes those strings through weak bool/number parsing, but this new viper-mode special case only applies unconditional string coercion to arrays and then the unchanged scalar string returns without coerceLeaf. Native paths such as status, stop, and config push now reject those Go-valid configs before doing any work; apply the same goViperCompat treatment to number/boolean string literals, not just env(...) substitutions.

Useful? React with 👍 / 👎.

const experimentalInput: LegacyExperimentalInput = {
pgdeltaFormatOptions: formatOptionsExpanded,
};
const validationInput: LegacyConfigValidationInput = {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Include API validation in db TOML checks

On the db/migration paths this validationInput omits the api section, so legacyValidateResolvedConfig never runs Go's Config.Validate checks for api.enabled/api.port/api.tls.* even though Go's flags.LoadConfig does so before commands like db reset or db push touch the database. For example, a config with [api] port = 0 is rejected by Go with Missing required field in config: api.port, but the native reset path reaches the destructive work because only db/storage/auth/etc. are passed here; include the API-derived validation input (with the same defaults/env overrides) in this object.

Useful? React with 👍 / 👎.

Comment on lines +270 to +274
containerCliExitCode(spawner, ["stop", id], {
stdin: "ignore",
stdout: "ignore",
stderr: "ignore",
}).pipe(Effect.result),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Ignore already-stopped containers during stop

When a matching Supabase container is already stopped (for example after a partial/failed previous stop), this path lists all containers with all: true and then invokes the Docker CLI stop command on each one. The Docker CLI docs describe docker container stop as stopping running containers, and the Go implementation explicitly ignores the Engine API's already-stopped/not-modified error (apps/cli-go/internal/utils/docker.go:108-113); here a nonzero stop result aborts before prune removes the stale container/volumes. Filter the stop phase to running containers or ignore the already-stopped case before failing.

Useful? React with 👍 / 👎.

…dates (#5876)

Bumps the docker-minor group with 6 updates in the
/apps/cli-go/pkg/config/templates directory:

| Package | From | To |
| --- | --- | --- |
| postgrest/postgrest | `v14.14` | `v14.15` |
| supabase/studio | `2026.07.07-sha-a6a04f2` | `2026.07.13-sha-b5ada96`
|
| supabase/gotrue | `v2.192.0` | `v2.193.0` |
| supabase/realtime | `v2.112.10` | `v2.113.4` |
| supabase/storage-api | `v1.66.2` | `v1.66.4` |
| supabase/logflare | `1.47.0` | `1.47.1` |


Updates `postgrest/postgrest` from v14.14 to v14.15

Updates `supabase/studio` from 2026.07.07-sha-a6a04f2 to
2026.07.13-sha-b5ada96

Updates `supabase/gotrue` from v2.192.0 to v2.193.0

Updates `supabase/realtime` from v2.112.10 to v2.113.4

Updates `supabase/storage-api` from v1.66.2 to v1.66.4

Updates `supabase/logflare` from 1.47.0 to 1.47.1


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Julien Goux <hi@jgoux.dev>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 377d47576e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +190 to +193
const loadedConfig = yield* loadProjectConfig(runtimeInfo.cwd, {
projectRef: ref,
goViperCompat: true,
}).pipe(

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pass Go-style project env when loading remote secrets

When secrets set --project-ref <remote> relies on a selected [remotes.*].edge_runtime.secrets entry such as FOO = "env(FOO)", this remote-aware load still lets @supabase/config resolve env references using only ambient plus supabase/.env/.env.local; the later loadProjectEnvironment call uses the same narrower file set. Go's flags.LoadConfig runs loadNestedEnv before DecryptSecretHookFunc, so values from project-root or SUPABASE_ENV-selected dotenv files are hashed and uploaded. Here they remain literal env(...), fail the Redacted.isRedacted check, and the command silently omits those configured remote secrets.

Useful? React with 👍 / 👎.

Comment on lines +89 to +90
args.push(`--yes=${yes}`);
return args;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Forward --experimental to the delegated reset

When db reset --linked --experimental (or a remote --db-url) delegates the versionless experimental path, this rebuilt argv never forwards the explicit global --experimental flag and the delegate only sets SUPABASE_TELEMETRY_DISABLED. The parent selects this branch because its own resolved experimental is true, but the Go child then sees viper.GetBool("EXPERIMENTAL") == false and apply.MigrateAndSeed applies migration files instead of the schema-file path the user requested, leaving the remote database reset to the wrong source of truth. Forward --experimental or set SUPABASE_EXPERIMENTAL=true for this child when the parent flag enabled delegation.

Useful? React with 👍 / 👎.

// `SUPABASE_YES` / `SUPABASE_EXPERIMENTAL` set only in `supabase/.env` is honored. Load the
// project env first and resolve both gates against it, as `db pull` does for `yes`.
const projectEnv = yield* legacyLoadProjectEnv(fs, path, workdir);
const yes = yield* legacyResolveYesWithProjectEnv(projectEnv);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Preserve a shell SUPABASE_YES=false guard

When the shell exports SUPABASE_YES=false but the project dotenv contains SUPABASE_YES=true, Go's godotenv.Load keeps the existing shell value and viper.GetBool("YES") remains false, so remote resets still prompt. This new project-env-aware path calls legacyResolveYesWithProjectEnv, which ORs the shell and project values, letting the dotenv true override the explicit shell false; db reset --linked/--db-url can therefore auto-confirm and reset the remote database even though the user set a false guard. Resolve SUPABASE_YES with existence/precedence semantics instead of boolean OR before using it here.

Useful? React with 👍 / 👎.

…tes (#5886)

Bumps the npm-major group with 19 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [undici](https://github.com/nodejs/undici) | `8.6.0` | `8.7.0` |
|
[@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js)
| `2.110.0` | `2.110.2` |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.201` | `0.3.206` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.39.4` | `5.40.0` |
| [fumadocs-core](https://github.com/fuma-nama/fumadocs) | `16.10.7` |
`16.11.1` |
| [fumadocs-mdx](https://github.com/fuma-nama/fumadocs) | `15.0.13` |
`15.1.0` |
| [fumadocs-ui](https://github.com/fuma-nama/fumadocs) | `16.10.7` |
`16.11.1` |
| [typescript](https://github.com/microsoft/TypeScript) | `6.0.3` |
`7.0.2` |
|
[@effect/atom-react](https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react)
| `4.0.0-beta.93` | `4.0.0-beta.94` |
|
[@effect/platform-bun](https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-bun)
| `4.0.0-beta.93` | `4.0.0-beta.94` |
|
[@effect/platform-node](https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-node)
| `4.0.0-beta.93` | `4.0.0-beta.94` |
|
[@effect/sql-pg](https://github.com/Effect-TS/effect/tree/HEAD/packages/sql-pg)
| `4.0.0-beta.93` | `4.0.0-beta.94` |
|
[@effect/vitest](https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest)
| `4.0.0-beta.93` | `4.0.0-beta.97` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260703.1` | `7.0.0-dev.20260707.2` |
|
[@vitest/coverage-istanbul](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-istanbul)
| `4.1.9` | `4.1.10` |
|
[effect](https://github.com/Effect-TS/effect/tree/HEAD/packages/effect)
| `4.0.0-beta.93` | `4.0.0-beta.97` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) |
`0.57.0` | `0.58.0` |
| [tldts](https://github.com/remusao/tldts) | `6.1.86` | `7.4.8` |
|
[vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)
| `4.1.9` | `4.1.10` |


Updates `undici` from 8.6.0 to 8.7.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v8.7.0</h2>
<h2>What's Changed</h2>
<ul>
<li>test: guard balanced-pool error port lookup by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5463">nodejs/undici#5463</a></li>
<li>perf: optimize http/2 request hot path by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5483">nodejs/undici#5483</a></li>
<li>fix: do not reject open-ended Range values in simpleRangeHeaderValue
by <a href="https://github.com/spokodev"><code>@​spokodev</code></a> in
<a
href="https://redirect.github.com/nodejs/undici/pull/5490">nodejs/undici#5490</a></li>
<li>fix(eventsource): set use-URL-credentials flag by <a
href="https://github.com/Ram-blip"><code>@​Ram-blip</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5489">nodejs/undici#5489</a></li>
<li>test: deflake connect-timeout watchdog by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5197">nodejs/undici#5197</a></li>
<li>docs: correct npm script name and JSON syntax in examples by <a
href="https://github.com/lenoxfernando"><code>@​lenoxfernando</code></a>
in <a
href="https://redirect.github.com/nodejs/undici/pull/5496">nodejs/undici#5496</a></li>
<li>fix: reject non-ascii octets in validateCookiePath by <a
href="https://github.com/spokodev"><code>@​spokodev</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5452">nodejs/undici#5452</a></li>
<li>fix(readable): ignore late consume chunks by <a
href="https://github.com/marko1olo"><code>@​marko1olo</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5375">nodejs/undici#5375</a></li>
<li>fix(h2): destroy the stream on abort instead of relying on close()
by <a href="https://github.com/staylor"><code>@​staylor</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5462">nodejs/undici#5462</a></li>
<li>fix: ignore an unparseable Set-Cookie Expires attribute by <a
href="https://github.com/spokodev"><code>@​spokodev</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5488">nodejs/undici#5488</a></li>
<li>docs: add reproduction guide and update bug report template by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5451">nodejs/undici#5451</a></li>
<li>fix(h2): guard onResponse against a 'response' event delivered after
completion by <a
href="https://github.com/staylor"><code>@​staylor</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5440">nodejs/undici#5440</a></li>
<li>fix(h2): requeue request on GOAWAY'd session instead of crashing by
<a href="https://github.com/staylor"><code>@​staylor</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5453">nodejs/undici#5453</a></li>
<li>fix: add static buildDispatch method to RedirectHandler type
definition by <a
href="https://github.com/matthieusieben"><code>@​matthieusieben</code></a>
in <a
href="https://redirect.github.com/nodejs/undici/pull/5442">nodejs/undici#5442</a></li>
<li>fix: auto-detect HTTP proxy tunneling by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5116">nodejs/undici#5116</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/spokodev"><code>@​spokodev</code></a>
made their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5490">nodejs/undici#5490</a></li>
<li><a
href="https://github.com/lenoxfernando"><code>@​lenoxfernando</code></a>
made their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5496">nodejs/undici#5496</a></li>
<li><a href="https://github.com/staylor"><code>@​staylor</code></a> made
their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5462">nodejs/undici#5462</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v8.6.0...v8.7.0">https://github.com/nodejs/undici/compare/v8.6.0...v8.7.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/cb4c2f1f7231d82bd699aa3a09efb5a235faaa3b"><code>cb4c2f1</code></a>
Bumped v8.7.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5501">#5501</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/a8d1a95bae4d2502831b5cde35310ad45e42e88e"><code>a8d1a95</code></a>
fix: auto-detect HTTP proxy tunneling (<a
href="https://redirect.github.com/nodejs/undici/issues/5116">#5116</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/cb30e58b45d7c92b03fa9ee0b4a54b5fde1e0573"><code>cb30e58</code></a>
fix: add static buildDispatch method to RedirectHandler type definition
(<a
href="https://redirect.github.com/nodejs/undici/issues/5442">#5442</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/0c08579ebdf3712290803b03cb5b5986e284874b"><code>0c08579</code></a>
fix(h2): requeue request on GOAWAY'd session instead of crashing (<a
href="https://redirect.github.com/nodejs/undici/issues/5453">#5453</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/e5b3364ddc620c0d1c61424d1278fc0965207477"><code>e5b3364</code></a>
fix(h2): guard onResponse against a 'response' event delivered after
completi...</li>
<li><a
href="https://github.com/nodejs/undici/commit/c0007f4b7998c5547ead5eda39e0dfd18a545639"><code>c0007f4</code></a>
docs: add reproduction guide and update bug report template (<a
href="https://redirect.github.com/nodejs/undici/issues/5451">#5451</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/e529cabb88e3cf315cf3007af15db195fb649a45"><code>e529cab</code></a>
fix: ignore an unparseable Set-Cookie Expires attribute (<a
href="https://redirect.github.com/nodejs/undici/issues/5488">#5488</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/754742ce63e7373f6c61a3b5052150e365bf9d54"><code>754742c</code></a>
fix(h2): destroy the stream on abort instead of relying on close() (<a
href="https://redirect.github.com/nodejs/undici/issues/5462">#5462</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/db34f5ffa4b40f71c43dfbde1046040a350767e8"><code>db34f5f</code></a>
fix(readable): ignore late consume chunks (<a
href="https://redirect.github.com/nodejs/undici/issues/5375">#5375</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/4ea05a899203cab2f4e87fe3e5dc76b64048e101"><code>4ea05a8</code></a>
fix: reject non-ascii octets in validateCookiePath (<a
href="https://redirect.github.com/nodejs/undici/issues/5452">#5452</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/nodejs/undici/compare/v8.6.0...v8.7.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `@supabase/supabase-js` from 2.110.0 to 2.110.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/supabase/supabase-js/releases">@​supabase/supabase-js's
releases</a>.</em></p>
<blockquote>
<h2>v2.110.2</h2>
<h2>2.110.2 (2026-07-09)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>auth:</strong> clear local session on signout failures (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2504">#2504</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Luc Peng</li>
</ul>
<h2>v2.110.2-canary.0</h2>
<h2>2.110.2-canary.0 (2026-07-07)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>auth:</strong> clear local session on signout failures (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2504">#2504</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Luc Peng</li>
</ul>
<h2>v2.110.1</h2>
<h2>2.110.1 (2026-07-07)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>auth:</strong> defer init-time notifications until
initializePromise resolves (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2498">#2498</a>)</li>
<li><strong>realtime:</strong> suppress disconnected status from
onHeartbeat consumers (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2496">#2496</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
<h2>v2.110.1-canary.0</h2>
<h2>2.110.1-canary.0 (2026-07-07)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>auth:</strong> defer init-time notifications until
initializePromise resolves (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2498">#2498</a>)</li>
<li><strong>realtime:</strong> suppress disconnected status from
onHeartbeat consumers (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2496">#2496</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md">@​supabase/supabase-js's
changelog</a>.</em></p>
<blockquote>
<h2>2.110.2 (2026-07-09)</h2>
<p>This was a version bump only for <code>@​supabase/supabase-js</code>
to align it with other projects, there were no code changes.</p>
<h2>2.110.1 (2026-07-07)</h2>
<p>This was a version bump only for <code>@​supabase/supabase-js</code>
to align it with other projects, there were no code changes.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/supabase/supabase-js/commit/559dfb0cc3c9567b493856ca8daa6b77bff550fa"><code>559dfb0</code></a>
chore(release): version 2.110.1 changelogs (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2505">#2505</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/b05dc294b92ede4c9ee6a5d69c75d56325a38004"><code>b05dc29</code></a>
docs(repo): register custom typedoc tags and clean up jsdoc warnings (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2500">#2500</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/291dfc8a568195a7120efeb57284ba99ce1da36f"><code>291dfc8</code></a>
chore(release): version 2.110.0 changelogs (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2483">#2483</a>)</li>
<li>See full diff in <a
href="https://github.com/supabase/supabase-js/commits/v2.110.2/packages/core/supabase-js">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.201 to 0.3.206
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.206</h2>
<h2>What's changed</h2>
<ul>
<li>Added <code>command_lifecycle</code> frames to stream-json and SDK
sessions, reporting each uuid-stamped message's terminal state
(<code>queued</code>/<code>started</code>/<code>completed</code>/<code>cancelled</code>/<code>discarded</code>);
zero-API results no longer report stale
<code>duration_api_ms</code></li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.206
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.206
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.206
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.206
</code></pre>
<h2>v0.3.205</h2>
<h2>What's changed</h2>
<ul>
<li>Interrupt control responses now include <code>still_queued</code>
(UUIDs of queued async messages that will still run),
<code>Query.interrupt()</code> returns the typed receipt, and
<code>system/init</code> advertises an <code>interrupt_receipt_v1</code>
capability for feature detection</li>
<li>Added structured <code>name</code> and <code>body</code> fields to
peer-message session events, exposing the sender display name and
decoded message body</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.205
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.205
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.205
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.205
</code></pre>
<h2>v0.3.204</h2>
<h2>What's changed</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.204</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.204
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.204
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.204
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.204
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.206</h2>
<ul>
<li>Added <code>command_lifecycle</code> frames to stream-json and SDK
sessions, reporting each uuid-stamped message's terminal state
(<code>queued</code>/<code>started</code>/<code>completed</code>/<code>cancelled</code>/<code>discarded</code>);
zero-API results no longer report stale
<code>duration_api_ms</code></li>
</ul>
<h2>0.3.205</h2>
<ul>
<li>Interrupt control responses now include <code>still_queued</code>
(UUIDs of queued async messages that will still run),
<code>Query.interrupt()</code> returns the typed receipt, and
<code>system/init</code> advertises an <code>interrupt_receipt_v1</code>
capability for feature detection</li>
<li>Added structured <code>name</code> and <code>body</code> fields to
peer-message session events, exposing the sender display name and
decoded message body</li>
</ul>
<h2>0.3.204</h2>
<ul>
<li>Added <code>terminal_reason</code> values
<code>tool_deferred_unavailable</code> (deferred tool resume found the
tool gone — previously an <code>is_error</code> result with no reason,
read as a clean completion by lifecycle sweeps) and
<code>turn_setup_failed</code> (the turn-input builder threw before the
turn started). Both classify as dead turns, so commands consumed by them
report <code>command_lifecycle</code> state <code>cancelled</code></li>
<li>Fixed the post-merge cancel backstop cancelling every member of a
coalesced prompt batch when a cancel named only one: uncancelled
siblings now re-merge and run (previously they were reported
<code>cancelled</code> — on remote transports that acknowledged them as
processed, silently dropping messages nobody cancelled)</li>
<li>Added <code>terminal_reason</code> values <code>api_error</code>,
<code>malformed_tool_use_exhausted</code>,
<code>budget_exhausted</code>, and
<code>structured_output_retry_exhausted</code>. Turns that die on an
exhausted-API-retry or malformed-tool-use give-up previously reported
<code>completed</code>; budget and structured-output exhaustion results
previously omitted <code>terminal_reason</code>. Commands consumed by
such turns now report <code>command_lifecycle</code> state
<code>cancelled</code> instead of <code>completed</code>
(dup-over-loss)</li>
<li>Updated to parity with Claude Code v2.1.204</li>
</ul>
<h2>0.3.203</h2>
<ul>
<li>Added a <code>background_tasks_changed</code> system message with
the full set of live background tasks on every membership change, so
consumers can track background activity as a level instead of pairing
<code>task_started</code>/<code>task_notification</code> edges</li>
<li>Fixed stable releases shipping a <code>sdk.d.ts</code> with
unresolved type references that broke consumer typechecking with
<code>skipLibCheck</code> disabled</li>
</ul>
<h2>0.3.202</h2>
<ul>
<li>Added <code>parent_agent_id</code> field to subagent session
messages for building depth-2+ agent trees from disk-persisted
metadata</li>
<li>Fixed <code>apply_flag_settings</code> with a non-object settings
value crashing the session instead of returning a control error</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/9fc7ea5ff6a2caa382fceabca2fde7e53064e5a9"><code>9fc7ea5</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/95e94bf8ba194fc956262ed77d83ce41a70d9e6d"><code>95e94bf</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/0aed196f5a99e8923f616810309bb1a0e2b122aa"><code>0aed196</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/7feb85d8294d681028c651f284480c635134042a"><code>7feb85d</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/eb18b2a6deaca8314389bb245e8198e49d49c58e"><code>eb18b2a</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/46d7df98eb69b8ef550d7299f3dfb53e5fb0a144"><code>46d7df9</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.201...v0.3.206">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.39.4 to 5.40.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.40.0</h2>
<h2>5.40.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4060">#4060</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0b49a4cc6e76285b6164a4a3e596049bb5b5d4ae"><code>0b49a4c</code></a>
Thanks <a
href="https://github.com/turnipdabeets"><code>@​turnipdabeets</code></a>!
- Add <code>secretKey</code> config as the canonical alias for the
deprecated <code>personalApiKey</code> (accepts a Personal API Key or
Project Secret API Key).
(2026-07-07)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.40.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4060">#4060</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0b49a4cc6e76285b6164a4a3e596049bb5b5d4ae"><code>0b49a4c</code></a>
Thanks <a
href="https://github.com/turnipdabeets"><code>@​turnipdabeets</code></a>!
- Add <code>secretKey</code> config as the canonical alias for the
deprecated <code>personalApiKey</code> (accepts a Personal API Key or
Project Secret API Key).
(2026-07-07)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/954919d1070090fb6b3893bbb2dcbf3c503ec020"><code>954919d</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/0b49a4cc6e76285b6164a4a3e596049bb5b5d4ae"><code>0b49a4c</code></a>
feat(node): add secretKey config, deprecate personalApiKey (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4060">#4060</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/859fd4400168d93cb93b12b3eb3efb7c6c7c19c2"><code>859fd44</code></a>
chore(deps): weekly safe npm updates · 10 packages (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4087">#4087</a>)</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.40.0/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-core` from 16.10.7 to 16.11.1
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/ab09f500cb0c7904b9e7fcf25debb8f53f54ded8"><code>ab09f50</code></a>
Version Packages (<a
href="https://redirect.github.com/fuma-nama/fumadocs/issues/3405">#3405</a>)</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/889a296d06f669308a51af994ddf5e62783f6b3c"><code>889a296</code></a>
docs: update stale content</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/a5c081d0c6ba6e4d57fdfeaa982925bdf9941215"><code>a5c081d</code></a>
fix: UI inconsistencies</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/9a269030dff857982d848aac5b4944abf30cfb77"><code>9a26903</code></a>
Version Packages</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/3e33f4362f257741f68806c9db96fe7f0828a2df"><code>3e33f43</code></a>
perf(satteri): reduce clones</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/3597c9d1e6b1a038cf3b52c5aed448ef13fbe5e5"><code>3597c9d</code></a>
perf(satteri): persist results</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0f389cf3def8f8188316c13af7ec9e2adcd206c3"><code>0f389cf</code></a>
feat(satteri): decouple imports/exports from <code>compile()</code></li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/4611f97d49f000c23600e09619bd13ae97d298b7"><code>4611f97</code></a>
feat(satteri): full rehype-toc functionality</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/d09530076098b3a297e1d90f295dd1ab7c6564d6"><code>d095300</code></a>
fix(satteri): workaround common issues</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0297e25477d3120c9e4da796f244ab2866b61292"><code>0297e25</code></a>
configure pretrust</li>
<li>Additional commits viewable in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs@16.10.7...fumadocs@16.11.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-mdx` from 15.0.13 to 15.1.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-mdx's
releases</a>.</em></p>
<blockquote>
<h2>fumadocs-mdx@15.1.0</h2>
<h3>Default to Base UI</h3>
<p>Internal packages &amp; templates now use Base UI rather than Radix
UI.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/9a269030dff857982d848aac5b4944abf30cfb77"><code>9a26903</code></a>
Version Packages</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/3e33f4362f257741f68806c9db96fe7f0828a2df"><code>3e33f43</code></a>
perf(satteri): reduce clones</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/3597c9d1e6b1a038cf3b52c5aed448ef13fbe5e5"><code>3597c9d</code></a>
perf(satteri): persist results</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0f389cf3def8f8188316c13af7ec9e2adcd206c3"><code>0f389cf</code></a>
feat(satteri): decouple imports/exports from <code>compile()</code></li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/4611f97d49f000c23600e09619bd13ae97d298b7"><code>4611f97</code></a>
feat(satteri): full rehype-toc functionality</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/d09530076098b3a297e1d90f295dd1ab7c6564d6"><code>d095300</code></a>
fix(satteri): workaround common issues</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0297e25477d3120c9e4da796f244ab2866b61292"><code>0297e25</code></a>
configure pretrust</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/02c242b0daf08dee4f498bfd787604d039f3fa80"><code>02c242b</code></a>
chore(satteri): clean code</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/3d80b8b24221ef3cf788fe3f4f1e48fc9e0aefe1"><code>3d80b8b</code></a>
fix(mdx): ensure satteri integration is optional</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0ec19af8682cf9c2149a3ea3e04af1fe4fe9cc0e"><code>0ec19af</code></a>
feat(satteri): more tests &amp; move remark-include</li>
<li>Additional commits viewable in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-mdx@15.0.13...fumadocs-mdx@15.1.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `fumadocs-ui` from 16.10.7 to 16.11.1
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/ab09f500cb0c7904b9e7fcf25debb8f53f54ded8"><code>ab09f50</code></a>
Version Packages (<a
href="https://redirect.github.com/fuma-nama/fumadocs/issues/3405">#3405</a>)</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/889a296d06f669308a51af994ddf5e62783f6b3c"><code>889a296</code></a>
docs: update stale content</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/a5c081d0c6ba6e4d57fdfeaa982925bdf9941215"><code>a5c081d</code></a>
fix: UI inconsistencies</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/9a269030dff857982d848aac5b4944abf30cfb77"><code>9a26903</code></a>
Version Packages</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/3e33f4362f257741f68806c9db96fe7f0828a2df"><code>3e33f43</code></a>
perf(satteri): reduce clones</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/3597c9d1e6b1a038cf3b52c5aed448ef13fbe5e5"><code>3597c9d</code></a>
perf(satteri): persist results</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0f389cf3def8f8188316c13af7ec9e2adcd206c3"><code>0f389cf</code></a>
feat(satteri): decouple imports/exports from <code>compile()</code></li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/4611f97d49f000c23600e09619bd13ae97d298b7"><code>4611f97</code></a>
feat(satteri): full rehype-toc functionality</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/d09530076098b3a297e1d90f295dd1ab7c6564d6"><code>d095300</code></a>
fix(satteri): workaround common issues</li>
<li><a
href="https://github.com/fuma-nama/fumadocs/commit/0297e25477d3120c9e4da796f244ab2866b61292"><code>0297e25</code></a>
configure pretrust</li>
<li>Additional commits viewable in <a
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs@16.10.7...fumadocs@16.11.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `typescript` from 6.0.3 to 7.0.2
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/TypeScript/commits">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~microsoft1es">microsoft1es</a>, a new
releaser for typescript since your current version.</p>
</details>
<br />

Updates `@effect/atom-react` from 4.0.0-beta.93 to 4.0.0-beta.94
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Effect-TS/effect-smol/releases">@​effect/atom-react's
releases</a>.</em></p>
<blockquote>
<h2><code>@​effect/atom-react</code><a
href="https://github.com/4"><code>@​4</code></a>.0.0-beta.94</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/95a0e9bb62797af0e81c9998773405f248f218c5"><code>95a0e9b</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/f11ce73af60823754dc24194f4ffc561b9ea1c2d"><code>f11ce73</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/ff30b6e7c2c63ffc56a4c5818d6d86b01b5ad528"><code>ff30b6e</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/1caab3cc30f626efbf15e59d74f539a487e5c85c"><code>1caab3c</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/aa80c4775a04db87553e5568764cab7e32a72814"><code>aa80c47</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/c2ae4fce2f03a4cd1861c2b1179da7df656e662d"><code>c2ae4fc</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>]:
<ul>
<li>effect@4.0.0-beta.94</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Effect-TS/effect-smol/blob/main/packages/atom/react/CHANGELOG.md">@​effect/atom-react's
changelog</a>.</em></p>
<blockquote>
<h2>4.0.0-beta.94</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/95a0e9bb62797af0e81c9998773405f248f218c5"><code>95a0e9b</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/f11ce73af60823754dc24194f4ffc561b9ea1c2d"><code>f11ce73</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/ff30b6e7c2c63ffc56a4c5818d6d86b01b5ad528"><code>ff30b6e</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/1caab3cc30f626efbf15e59d74f539a487e5c85c"><code>1caab3c</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/aa80c4775a04db87553e5568764cab7e32a72814"><code>aa80c47</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/c2ae4fce2f03a4cd1861c2b1179da7df656e662d"><code>c2ae4fc</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>]:
<ul>
<li>effect@4.0.0-beta.94</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Effect-TS/effect-smol/commit/82951e58d341d79b6fcb51bb9c122ced02f01b38"><code>82951e5</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react/issues/2525">#2525</a>)</li>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect-smol/commits/@effect/atom-react@4.0.0-beta.94/packages/atom/react">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/platform-bun` from 4.0.0-beta.93 to 4.0.0-beta.94
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Effect-TS/effect/blob/main/packages/platform-bun/CHANGELOG.md">@​effect/platform-bun's
changelog</a>.</em></p>
<blockquote>
<h2>4.0.0-beta.94</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2537">#2537</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/6d2c614fab3da932afbb52e849c2663cf32d7d57"><code>6d2c614</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
optimize bun stream reading</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/95a0e9bb62797af0e81c9998773405f248f218c5"><code>95a0e9b</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/f11ce73af60823754dc24194f4ffc561b9ea1c2d"><code>f11ce73</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/ff30b6e7c2c63ffc56a4c5818d6d86b01b5ad528"><code>ff30b6e</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/1caab3cc30f626efbf15e59d74f539a487e5c85c"><code>1caab3c</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/aa80c4775a04db87553e5568764cab7e32a72814"><code>aa80c47</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/c2ae4fce2f03a4cd1861c2b1179da7df656e662d"><code>c2ae4fc</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>]:</p>
<ul>
<li>effect@4.0.0-beta.94</li>
<li><code>@​effect/platform-node-shared</code><a
href="https://github.com/4"><code>@​4</code></a>.0.0-beta.94</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Effect-TS/effect/commit/82951e58d341d79b6fcb51bb9c122ced02f01b38"><code>82951e5</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-bun/issues/2525">#2525</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/6d2c614fab3da932afbb52e849c2663cf32d7d57"><code>6d2c614</code></a>
optimize bun stream reading (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-bun/issues/2537">#2537</a>)</li>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/@effect/platform-bun@4.0.0-beta.94/packages/platform-bun">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/platform-node` from 4.0.0-beta.93 to 4.0.0-beta.94
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Effect-TS/effect/blob/main/packages/platform-node/CHANGELOG.md">@​effect/platform-node's
changelog</a>.</em></p>
<blockquote>
<h2>4.0.0-beta.94</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/95a0e9bb62797af0e81c9998773405f248f218c5"><code>95a0e9b</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/f11ce73af60823754dc24194f4ffc561b9ea1c2d"><code>f11ce73</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/ff30b6e7c2c63ffc56a4c5818d6d86b01b5ad528"><code>ff30b6e</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/1caab3cc30f626efbf15e59d74f539a487e5c85c"><code>1caab3c</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/aa80c4775a04db87553e5568764cab7e32a72814"><code>aa80c47</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/c2ae4fce2f03a4cd1861c2b1179da7df656e662d"><code>c2ae4fc</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>]:
<ul>
<li>effect@4.0.0-beta.94</li>
<li><code>@​effect/platform-node-shared</code><a
href="https://github.com/4"><code>@​4</code></a>.0.0-beta.94</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Effect-TS/effect/commit/82951e58d341d79b6fcb51bb9c122ced02f01b38"><code>82951e5</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-node/issues/2525">#2525</a>)</li>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/@effect/platform-node@4.0.0-beta.94/packages/platform-node">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/sql-pg` from 4.0.0-beta.93 to 4.0.0-beta.94
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/@effect/sql-pg@4.0.0-beta.94/packages/sql-pg">compare
view</a></li>
</ul>
</details>
<br />

Updates `@effect/vitest` from 4.0.0-beta.93 to 4.0.0-beta.97
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Effect-TS/effect/blob/main/packages/vitest/CHANGELOG.md">@​effect/vitest's
changelog</a>.</em></p>
<blockquote>
<h2>4.0.0-beta.97</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies []:
<ul>
<li>effect@4.0.0-beta.97</li>
</ul>
</li>
</ul>
<h2>4.0.0-beta.96</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/1503f45cb5bb2a74f4705252ec505a1f0ade7e62"><code>1503f45</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/57fe79316ffbc380b30626a168981fb26ae97459"><code>57fe793</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/0c2f78f695ec474e1ff5474da183577975e418f5"><code>0c2f78f</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/0c2f78f695ec474e1ff5474da183577975e418f5"><code>0c2f78f</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/0c2f78f695ec474e1ff5474da183577975e418f5"><code>0c2f78f</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/97f29df457f7ffd07cfb4b379315c12c086af805"><code>97f29df</code></a>]:
<ul>
<li>effect@4.0.0-beta.96</li>
</ul>
</li>
</ul>
<h2>4.0.0-beta.95</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/a482442abdeb490e9652b854ec3495e4aa7273e7"><code>a482442</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/fbefa850fab2f0a302c20614496aeaaa2a8b5590"><code>fbefa85</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/0b4a32f4260f0d8500942a133001b0d349328102"><code>0b4a32f</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/18a49e1786679456258002ff9397faf02f678c2d"><code>18a49e1</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/266cb90bb2c17aabc40563c32db334f09ba3d74b"><code>266cb90</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/912f095a34572bbd3cedf6edb27878443e3e4a95"><code>912f095</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a6718f9e00a15ca903b0732da46116cbf3d6aca7"><code>a6718f9</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/bef51540a243aa2f872a00c01d0cd58b7a769baa"><code>bef5154</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/18e0564bd0f8ebbdfcaf1e2c21529948e9e4a81d"><code>18e0564</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/fb50f14fc3657c1973785aa5b72ecf0b0d28e0b2"><code>fb50f14</code></a>]:
<ul>
<li>effect@4.0.0-beta.95</li>
</ul>
</li>
</ul>
<h2>4.0.0-beta.94</h2>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/Effect-TS/effect-smol/commit/95a0e9bb62797af0e81c9998773405f248f218c5"><code>95a0e9b</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/f11ce73af60823754dc24194f4ffc561b9ea1c2d"><code>f11ce73</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/ff30b6e7c2c63ffc56a4c5818d6d86b01b5ad528"><code>ff30b6e</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/1caab3cc30f626efbf15e59d74f539a487e5c85c"><code>1caab3c</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/aa80c4775a04db87553e5568764cab7e32a72814"><code>aa80c47</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/c2ae4fce2f03a4cd1861c2b1179da7df656e662d"><code>c2ae4fc</code></a>,
<a
href="https://github.com/Effect-TS/effect-smol/commit/a0a3490bbce765f199d8e077aceac504f0462e63"><code>a0a3490</code></a>]:
<ul>
<li>effect@4.0.0-beta.94</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Effect-TS/effect/commit/8e6f66adf1bcfa842829bf787aef26c1d7979991"><code>8e6f66a</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest/issues/2571">#2571</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/d6184fd6ce6288b146820e332ce79aba596aa59c"><code>d6184fd</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest/issues/2565">#2565</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/1503f45cb5bb2a74f4705252ec505a1f0ade7e62"><code>1503f45</code></a>
update dependencies (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest/issues/2563">#2563</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/5434f2e88c16ffb65fd2cfdedc76f33df34c245c"><code>5434f2e</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest/issues/2548">#2548</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/82951e58d341d79b6fcb51bb9c122ced02f01b38"><code>82951e5</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest/issues/2525">#2525</a>)</li>
<li>See full diff in <a
href="https://github.com/Effect-TS/effect/commits/@effect/vitest@4.0.0-beta.97/packages/vitest">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260703.1 to
7.0.0-dev.20260707.2
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `@vitest/coverage-istanbul` from 4.1.9 to 4.1.10
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vitest-dev/vitest/releases">@​vitest/coverage-istanbul's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.10</h2>
<h3>   🐞 Bug Fixes</h3>
<ul>
<li><strong>browser</strong>: Check fs access in builtin commands
[backport to v4]  -  by <a
href="https://github.com/hi-ogawa"><code>@​hi-ogawa</code></a>,
<strong>Hiroshi Ogawa</strong> and <strong>OpenCode
(claude-opus-4-8)</strong> in <a
href="https://redirect.github.com/vitest-dev/vitest/issues/10680">vitest-dev/vitest#10680</a>
<a href="https://github.com/vitest-dev/vitest/commit/5c18dd267"><!-- raw
HTML omitted -->(5c18d)<!-- raw HTML omitted --></a></li>
<li><strong>vm</strong>: Fix external module resolve error with deps
optimizer query for encoded URI [backport to v4]  -  by <a
href="https://github.com/SveLil"><code>@​SveLil</code></a> and <a
href="https://github.com/hi-ogawa"><code>@​hi-ogawa</code></a> in <a
href="https://redirect.github.com/vitest-dev/vitest/issues/10661">vitest-dev/vitest#10661</a>
<a href="https://github.com/vitest-dev/vitest/commit/bae52b511"><!-- raw
HTML omitted -->(bae52)<!-- raw HTML omitted --></a></li>
</ul>
<h5>    <a
href="https://github.com/vitest-dev/vitest/compare/v4.1.9...v4.1.10">View
changes on GitHub</a></h5>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vitest-dev/vitest/commit/db616d227b6e0cb07a94f5d1bba262ee95db7e46"><code>db616d2</code></a>
chore: release v4.1.10 (<a
href="https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-istanbul/issues/10718">#10718</a>)</li>
<li>See full diff in <a
href="https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/coverage-istanbul">compare
view</a></li>
</ul>
</details>
<br />

Updates `effect` from 4.0.0-beta.93 to 4.0.0-beta.97
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Effect-TS/effect/blob/main/packages/effect/CHANGELOG.md">effect's
changelog</a>.</em></p>
<blockquote>
<h2>4.0.0-beta.97</h2>
<h2>4.0.0-beta.96</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2563">#2563</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/1503f45cb5bb2a74f4705252ec505a1f0ade7e62"><code>1503f45</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
update dependencies</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2566">#2566</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/57fe79316ffbc380b30626a168981fb26ae97459"><code>57fe793</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
change rpc ids to string | number</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2561">#2561</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/0c2f78f695ec474e1ff5474da183577975e418f5"><code>0c2f78f</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
Remove <code>Schedule.elapsed</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2561">#2561</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/0c2f78f695ec474e1ff5474da183577975e418f5"><code>0c2f78f</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
Remove <code>Schedule.tapInput</code> and
<code>Schedule.tapOutput</code>. Use <code>Schedule.tap</code>
instead.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2561">#2561</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/0c2f78f695ec474e1ff5474da183577975e418f5"><code>0c2f78f</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
Update <code>Schedule.addDelay</code> and
<code>Schedule.modifyDelay</code> to receive full schedule metadata
instead of separate output and delay arguments.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2562">#2562</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/97f29df457f7ffd07cfb4b379315c12c086af805"><code>97f29df</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! - use
Sets to track atom relationships</p>
</li>
</ul>
<h2>4.0.0-beta.95</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2542">#2542</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/a482442abdeb490e9652b854ec3495e4aa7273e7"><code>a482442</code></a>
Thanks <a
href="https://github.com/IGassmann"><code>@​IGassmann</code></a>! - Add
<code>Schema.DateFromMillis</code> and
<code>SchemaTransformation.dateFromMillis</code> for decoding
millisecond timestamps into <code>Date</code> values.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2559">#2559</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/fbefa850fab2f0a302c20614496aeaaa2a8b5590"><code>fbefa85</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! - fix
activity retry policy</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2547">#2547</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/0b4a32f4260f0d8500942a133001b0d349328102"><code>0b4a32f</code></a>
Thanks <a href="https://github.com/fubhy"><code>@​fubhy</code></a>! -
Allow cron fields like <code>5/15</code> to expand from the starting
value through the field maximum.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2557">#2557</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/18a49e1786679456258002ff9397faf02f678c2d"><code>18a49e1</code></a>
Thanks <a href="https://github.com/fubhy"><code>@​fubhy</code></a>! -
Fix <code>Schedule.cron</code> when the test clock is adjusted to
infinity.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2560">#2560</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/266cb90bb2c17aabc40563c32db334f09ba3d74b"><code>266cb90</code></a>
Thanks <a href="https://github.com/gcanti"><code>@​gcanti</code></a>! -
Treat empty strings as missing values in built-in
<code>ConfigProvider</code>s by default.</p>
<p><code>ConfigProvider.fromEnv</code>,
<code>ConfigProvider.fromDotEnvContents</code>,
<code>ConfigProvider.fromDotEnv</code>,
<code>ConfigProvider.fromUnknown</code>, and
<code>ConfigProvider.fromDir</code> now treat literal empty strings as
absent values when loaded as values, allowing
<code>Config.withDefault</code> and <code>Config.option</code> to
recover. Container discovery still reflects the source structure. Pass
<code>preserveEmptyStrings: true</code> to restore the previous
behavior.</p>
<p><code>ConfigProvider.fromDotEnv({ expandVariables: true })</code> now
expands variables consistently with
<code>ConfigProvider.fromDotEnvContents</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2554">#2554</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/912f095a34572bbd3cedf6edb27878443e3e4a95"><code>912f095</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! - Add
Schedule.upTo options for limiting schedules by duration and/or
recurrence count.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2556">#2556</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/a6718f9e00a15ca903b0732da46116cbf3d6aca7"><code>a6718f9</code></a>
Thanks <a href="https://github.com/fubhy"><code>@​fubhy</code></a>! -
Fix cron parsing and scheduling edge cases for whitespace, Sunday
<code>7</code>, strict numeric tokens, explicit full day ranges, and
month-constrained day-of-month / weekday matching.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2551">#2551</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/bef51540a243aa2f872a00c01d0cd58b7a769baa"><code>bef5154</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
Remove the <code>Schedule.both</code> APIs and add
<code>Schedule.max</code> for combining schedules by their slowest
delay.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2553">#2553</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/18e0564bd0f8ebbdfcaf1e2c21529948e9e4a81d"><code>18e0564</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
Remove some Schedule APIs: <code>collectInputs</code>,
<code>collectOutputs</code>, <code>collectWhile</code>,
<code>delays</code>, <code>reduce</code>,
<code>satisfiesErrorType</code>, <code>satisfiesInputType</code>,
<code>satisfiesOutputType</code>, <code>satisfiesServicesType</code>,
and <code>unfold</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/Effect-TS/effect-smol/pull/2558">#2558</a>
<a
href="https://github.com/Effect-TS/effect-smol/commit/fb50f14fc3657c1973785aa5b72ecf0b0d28e0b2"><code>fb50f14</code></a>
Thanks <a
href="https://github.com/tim-smart"><code>@​tim-smart</code></a>! -
Remove the Schedule.either APIs and add Schedule.min for
fastest-duration schedule composition.</p>
</li>
</ul>
<h2>4.0.0-beta.94</h2>
<h3>Patch Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Effect-TS/effect/commit/8e6f66adf1bcfa842829bf787aef26c1d7979991"><code>8e6f66a</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2571">#2571</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/3f0ccc04711b0a187b973e20fc9c3010c2560da2"><code>3f0ccc0</code></a>
Document interdependent HTTP API middleware (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2569">#2569</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/d6184fd6ce6288b146820e332ce79aba596aa59c"><code>d6184fd</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2565">#2565</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/57fe79316ffbc380b30626a168981fb26ae97459"><code>57fe793</code></a>
change rpc ids to string | number (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2566">#2566</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/1503f45cb5bb2a74f4705252ec505a1f0ade7e62"><code>1503f45</code></a>
update dependencies (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2563">#2563</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/5434f2e88c16ffb65fd2cfdedc76f33df34c245c"><code>5434f2e</code></a>
Version Packages (beta) (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2548">#2548</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/97f29df457f7ffd07cfb4b379315c12c086af805"><code>97f29df</code></a>
use Sets to track atom relationships (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2562">#2562</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/0c2f78f695ec474e1ff5474da183577975e418f5"><code>0c2f78f</code></a>
Schedule simplification (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2561">#2561</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/266cb90bb2c17aabc40563c32db334f09ba3d74b"><code>266cb90</code></a>
Treat empty config strings as missing (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2560">#2560</a>)</li>
<li><a
href="https://github.com/Effect-TS/effect/commit/fbefa850fab2f0a302c20614496aeaaa2a8b5590"><code>fbefa85</code></a>
fix activity retry policy (<a
href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/2559">#2559</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Effect-TS/effect/commits/effect@4.0.0-beta.97/packages/effect">compare
view</a></li>
</ul>
</details>
<br />

Updates `oxfmt` from 0.57.0 to 0.58.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/oxc-project/oxc/commit/39677ba50d908ea09f6d9e58ded328461212f52a"><code>39677ba</code></a>
release(apps): oxlint v1.73.0 &amp;&amp; oxfmt v0.58.0 (<a
href="https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt/issues/24219">#24219</a>)</li>
<li>See full diff in <a
href="https://github.com/oxc-project/oxc/commits/oxfmt_v0.58.0/npm/oxfmt">compare
view</a></li>
</ul>
</details>
<br />

Updates `tldts` from 6.1.86 to 7.4.8
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/remusao/tldts/releases">tldts's
releases</a>.</em></p>
<blockquote>
<h2>v7.4.8</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2632">#2632</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<h2>v7.4.7</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2630">#2630</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<h2>v7.4.6</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2626">#2626</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>:nut_and_bolt: Dependencies</h4>
<ul>
<li>Bump sigstore from 4.1.0 to 4.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2629">#2629</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​babel/core</code> from 7.24.7 to 7.29.7 <a
href="https://redirect.github.com/remusao/tldts/pull/2618">#2618</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump form-data from 4.0.5 to 4.0.6 <a
href="https://redirect.github.com/remusao/tldts/pull/2611">#2611</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup from 4.61.1 to 4.62.2 <a
href="https://redirect.github.com/remusao/tldts/pull/2612">#2612</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 <a
href="https://redirect.github.com/remusao/tldts/pull/2619">#2619</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump typescript-eslint from 8.60.1 to 8.62.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2624">#2624</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2625">#2625</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2628">#2628</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li><code>tldts-core</code>, <code>tldts-experimental</code>,
<code>tldts-icann</code>, <code>tldts-tests</code>,
<code>tldts-utils</code>, <code>tldts</code>
<ul>
<li>Bump <code>@​types/node</code> from 25.9.1 to 26.1.0 <a
href="https://redirect.github.com/remusao/tldts/pull/2627">#2627</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 2</h4>
<ul>
<li><a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a></li>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<h2>v7.4.5</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2617">#2617</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/remusao/tldts/blob/master/CHANGELOG.md">tldts's
changelog</a>.</em></p>
<blockquote>
<h1>v7.4.8 (Thu Jul 09 2026)</h1>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2632">#2632</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<hr />
<h1>v7.4.7 (Tue Jul 07 2026)</h1>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2630">#2630</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<hr />
<h1>v7.4.6 (Thu Jul 02 2026)</h1>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2626">#2626</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>:nut_and_bolt: Dependencies</h4>
<ul>
<li>Bump sigstore from 4.1.0 to 4.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2629">#2629</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​babel/core</code> from 7.24.7 to 7.29.7 <a
href="https://redirect.github.com/remusao/tldts/pull/2618">#2618</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump form-data from 4.0.5 to 4.0.6 <a
href="https://redirect.github.com/remusao/tldts/pull/2611">#2611</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup from 4.61.1 to 4.62.2 <a
href="https://redirect.github.com/remusao/tldts/pull/2612">#2612</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 <a
href="https://redirect.github.com/remusao/tldts/pull/2619">#2619</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump typescript-eslint from 8.60.1 to 8.62.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2624">#2624</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2625">#2625</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2628">#2628</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li><code>tldts-core</code>, <code>tldts-experimental</code>,
<code>tldts-icann</code>, <code>tldts-tests</code>,
<code>tldts-utils</code>, <code>tldts</code>
<ul>
<li>Bump <code>@​types/node</code> from 25.9.1 to 26.1.0 <a
href="https://redirect.github.com/remusao/tldts/pull/2627">#2627</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 2</h4>
<ul>
<li><a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a></li>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/remusao/tldts/commit/e46ca7aa952df519efae2d11dcdb4f3a817ac8e5"><code>e46ca7a</code></a>
Bump version to: v7.4.8 [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/a4823cde0ae806f2feff89ce68d8895243168feb"><code>a4823cd</code></a>
Update CHANGELOG.md [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/86a0a5799995ff495dfb15b00016c7314cf3454a"><code>86a0a57</code></a>
Update upstream public suffix list (<a
href="https://redirect.github.com/remusao/tldts/issues/2632">#2632</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/c43f3f113164626a96ebbe71f8979f7c512ad382"><code>c43f3f1</code></a>
Bump version to: v7.4.7 [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/22e72c3c68278bfb084c8acfaa1a830cefc9b6e0"><code>22e72c3</code></a>
Update CHANGELOG.md [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/44a567cd9ebcdb6190ff9d1996047e95bc8d938a"><code>44a567c</code></a>
Update upstream public suffix list (<a
href="https://redirect.github.com/remusao/tldts/issues/2630">#2630</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/92ee2b31e72433487577a6c027ad7ec69aa8c8fe"><code>92ee2b3</code></a>
Bump version to: v7.4.6 [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/cd23a4106ee0ed11cecf7ec7ed9bc308743d99ca"><code>cd23a41</code></a>
Update CHANGELOG.md [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/11b91adfef769de8dbd8c87b1ed0809e0371e9a2"><code>11b91ad</code></a>
Update upstream public suffix list (<a
href="https://redirect.github.com/remusao/tldts/issues/2626">#2626</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/3136742bd2a089b2c9592cbbcc3de6c229bba5a9"><code>3136742</code></a>
Bump sigstore from 4.1.0 to 4.1.1 (<a
href="https://redirect.github.com/remusao/tldts/issues/2629">#2629</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/remusao/tldts/compare/v6.1.86...v7.4.8">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This versi…

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 850156f7e3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +249 to +251
flag ||
legacyViperEnvBool("SUPABASE_EXPERIMENTAL") ||
legacyViperBool(projectEnv["SUPABASE_EXPERIMENTAL"])

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve shell false for project experimental

When the shell exports SUPABASE_EXPERIMENTAL=false but a project dotenv contains SUPABASE_EXPERIMENTAL=true, Go's godotenv.Load keeps the existing shell value so viper.GetBool("EXPERIMENTAL") remains false. This new resolver ORs the shell value with the project value, so project dotenv can enable the experimental path for callers such as db reset and declarative commands even though the user explicitly disabled it in the environment; resolve this with existence/precedence semantics instead of boolean OR.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do not merge Approve to apply; do not merge.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants