- postgrest: query reassignment regression (#2292)
- realtime: surface real Error on transport-level CHANNEL_ERROR (#2299)
- Vaibhav @7ttp
- auth: add passkey support with WebAuthn registration, authentication, and management (#2283)
- realtime: Realtime deferred disconnect (#2282)
- postgrest: narrow column types after not(column, is, null) (#2264)
- realtime: annotate Timer/Vsn getters to avoid deep phoenix imports (#2284)
- storage: apply metadata, headers, and cacheControl dedupe to uploadToSignedUrl (#2275)
- storage: forward duplex option for stream uploads via uploadToSignedUrl (#2289)
- Katerina Skroumpelou @mandarini
- oniani1
- auth: emit PASSWORD_RECOVERY event for PKCE recovery flows (#2272)
- postgrest: restore runtime test files to tstyche scope (#2266)
- supabase: propagate custom fetch to realtime client (#2267)
- Katerina Skroumpelou @mandarini
- storage: extract shared header normalization utility (#2251)
- Katerina Skroumpelou @mandarini
- realtime: throw Error objects instead of bare strings (#2256)
- storage: correct signedUrl type to allow null in createSignedUrls (#2254)
- Katerina Skroumpelou @mandarini
- oniani1
- auth: include Cloudflare error codes in NETWORK_ERROR_CODES (#2239)
- auth: remove Prettify wrapper from exported types for TypeDoc expansion (#2250)
- misc: add explicit return types to toJSON methods for JSR compat (#2252)
- storage: remove client-side signed URL render endpoint normalization (#2249)
- Katerina Skroumpelou @mandarini
- Vansh Sharma @Vansh1811
- auth: add toJSON to AuthError for correct JSON serialization (#2238)
- postgrest: handle bigint rpc (#2245)
- storage: add toJSON to StorageError for correct JSON serialization (#2246)
- storage: apply empty transform check to download and getPublicUrl (#2219)
- oniani1
- Vaibhav @7ttp
- postgrest: add stripNulls method for null value stripping (#2189)
- storage: add cacheNonce parameter for download (#2234)
- postgrest: fix scalar computed column type inference for isNotNullable and SETOF scalar (#2224)
- Katerina Skroumpelou @mandarini
- Seydi Charyyev @TheSeydiCharyyev
- Vaibhav @7ttp
- functions: add toJSON to FunctionsError for correct JSON serialization (#2226)
- oniani1
- postgrest: add automatic retries for transient errors (#2072)
- postgrest: add success discriminator field to PostgREST response types (#2198)
- supabase: export PostgrestFilterBuilder and StorageApiError from supabase-js (#2222)
- auth: downgrade console.error to console.warn for missing session (#2214)
- ci: add --ignore-scripts to platform test installs to block post install attacks (#2206)
- postgrest: add toJSON to PostgrestError for correct JSON serialization (#2212)
- postgrest: reject excess properties in insert, update, and upsert (#2186)
- storage: set correct content-type for uploads (#2211)
- storage: avoid duplicate content-type headers in vector requests (#2220)
- Clay
- Guilherme Souza
- Katerina Skroumpelou @mandarini
- oniani1
- Vaibhav @7ttp
- storage: support exactOptionalPropertyTypes (#2200)
- Vaibhav @7ttp
- realtime: add
copyBindingsfunctionality (#2197) - realtime: block setting
postgres_changesevent listener after joining (#2201)
- Dominik Pilipczuk @snickerdoodle2
- postgrest: add type safety for eq() and neq() column names (#2175)
- postgrest: fix maybeSingle for all request methods by removing Accept header override (#2182)
- postgrest: narrow tstyche testFileMatch to only type test files (#2193)
- postgrest: prevent Args: never functions from being classified as computed fields (#2195)
- storage: spread all DEFAULT_FILE_OPTIONS in uploadToSignedUrl (#2194)
- Ayush Baluni @aayushbaluni
- Katerina Skroumpelou @mandarini
- realtime: use phoenix's js lib inside realtime-js (#2119)
- auth: guard navigator lock steal against cascade when lock is stolen by another request (#2178)
- realtime: revert
vsntype tostring(#2170) - storage: structural detection on json() to detect Response-like errors (#2179)
- Alan Guzek @GuzekAlan
- Dominik Pilipczuk @snickerdoodle2
- Katerina Skroumpelou @mandarini
- storage: do not rewrite signed URL to render endpoint for empty transform object (#2162)
- Katerina Skroumpelou @mandarini
- functions: add RateLimitError in
Deno.errorsnamespace (#2160)
- 냥냐챠 @nyannyacha
- auth: add custom OIDC/OAuth provider admin CRUD methods (#2133)
- storage: improve FileObject type accuracy with nullable fields (#2116)
- Cemal Kılıç @cemalkilic
- Katerina Skroumpelou @mandarini
- auth: add
token_endpoint_auth_methodto OAuth client create/update (#2132) - auth: support custom providers via
custom:prefix in Provider type (#2134) - auth: add currentPassword to UserAttributes type (#2131)
- auth: recover from orphaned navigator locks via steal fallback (#2106)
- auth: lower lockAcquireTimeout default to 5s and fix stale JSDoc (#2125)
- auth: fixes userattributes type (#2139)
- realtime: patch channel join payloads with resolved access token before flushing send buffer (#2136)
- Cemal Kılıç @cemalkilic
- Elliot Padfield @ElliotPadfield
- Etienne Stalmans @staaldraad
- Katerina Skroumpelou @mandarini
- auth: add skipAutoInitialize option to prevent constructor auto-init (#2123)
- Katerina Skroumpelou @mandarini
- storage: add setHeader method to BaseApiClient (#2079)
- auth: resolve Firefox content script Promise.then() security errors in locks (#2112)
- postgrest: enforce type safety for table and view names in from() method (#2058)
- realtime: remove unnecessary check in
removeChannel(#2109)
- David Barrell @dabarrell
- Dominik Pilipczuk @snickerdoodle2
- Katerina Skroumpelou @mandarini
- Vaibhav @7ttp
- supabase: add canonical CORS headers export for edge functions (#2071)
- realtime: removeChannel when unsubscribe successfully (#2091)
- storage: expose fetch parameters in download method (#2090)
- Eduardo Gurgel
- Katerina Skroumpelou @mandarini
- supabase: add canonical CORS headers export for edge functions (#2071)
- realtime: removeChannel when unsubscribe successfully (#2091)
- storage: expose fetch parameters in download method (#2090)
- Eduardo Gurgel
- Katerina Skroumpelou @mandarini
- auth: correct OAuth authorization types to match API responses (#2088)
- Katerina Skroumpelou @mandarini
- postgrest: add URL length validation and timeout protection (#2078)
- ci: handle missing git auth header in release-canary script (#2077)
- Katerina Skroumpelou @mandarini
- auth: add webauthn tests and fix fallback naming (#1763)
- ci: add persist-credentials: false to release job checkouts (#2074)
- storage: handle empty 200 responses in vector operations (#2073)
- Katerina Skroumpelou @mandarini
- supabase: revert client platform and runtime detection headers (#2067)
- Guilherme Souza
- realtime: revert validate table filter in postgres_changes event dispatch (#2060)
- Katerina Skroumpelou @mandarini
- auth: add optional jwt parameter to getAuthenticatorAssuranceLevel (#1940)
- supabase: add missing HTTP headers for client platform and runtime detection (#2046)
- auth: handle uncaught promise rejections during initialization (#2032)
- auth: clear local storage on signOut when session is already missing (#2026)
- realtime: send heartbeat for initial connection error (#1746)
- realtime: add generic overload for postgres_changes event type (#1984)
- storage: expose status and statusCode on StorageError base class (#2018)
- supabase: safe environment detection node v browser (#2053)
- Katerina Skroumpelou @mandarini
- Vaibhav @7ttp
- auth: restore SSR OAuth functionality broken in v2.91.0 (#2039)
- Vaibhav @7ttp
- realtime: set default serializer to 2.0.0 (#2034)
- auth: defer subscriber notification in exchangeCodeForSession to prevent deadlock (#2014)
- auth: clarify updateUserById applies changes directly (#2031)
- supabase: resolve Firefox extension cross-context Promise error (#2033)
- Eduardo Gurgel
- Vaibhav @7ttp
- postgrest: prevent shared state between query builder operations (#1978)
- realtime: validate table filter in postgres_changes event dispatch (#1999)
- Vaibhav @7ttp
- realtime: expose heartbeat latency on heartbeat callback (#1982)
- auth: add banned_until property to user type (#1989)
- auth: add last_challenged_at property to factor type (#1990)
- auth: clear initial setTimeout in stopAutoRefresh (#1993)
- auth: preserve session when magic link is clicked twice (#1996)
- auth: add configurable lock acquisition timeout to prevent deadlocks (#1962)
- functions: auto-stringify object body when custom Content-Type header is provided (#1988)
- postgrest: use post with return minimal for rpc head requests with object args (#1994)
- supabase: split type-only exports to avoid unused import warnings (#1979)
- supabase: inline string literal in databasewithoutinternals type (#1986)
- supabase: avoid edge runtime warnings in next.js (#1998)
- Eduardo Gurgel
- Nico Kempe @nicokempe
- Vaibhav @7ttp
- yoshifumi kondo @yoshifumi-kondo
- auth: add X (OAuth 2.0) provider (#1960)
- auth: add string array support for AMR claims (#1967)
- supabase: export DatabaseWithoutInternals utility type (#1935)
- Cemal Kılıç @cemalkilic
- issuedat @issuedat
- Vaibhav @7ttp
- auth: allow custom predicate for detectSessionInUrl option (#1958)
- postgrest: add notin filter (#1957)
- repo: migrate build system to tsdown for proper ESM/CJS support (#1961)
- realtime: handle websocket race condition in node.js (#1946)
- realtime: omit authorization header when no access token exists (#1937)
- Katerina Skroumpelou @mandarini
- Vaibhav @7ttp
- supabase: resolve jsDelivr CDN ESM import failure with .js extensions (#1953)
- Katerina Skroumpelou @mandarini
- auth: add helpful error when PKCE code verifier is missing (#1931)
- realtime: terminate web worker on disconnect to prevent memory leak (#1907)
- supabase: resolve jsDelivr CDN ESM import failure (#1950)
- Katerina Skroumpelou @mandarini
- Tanmay Sharma @tanmaysharma2001
- auth: skip navigator lock when persistSession is false (#1928)
- realtime: preserve custom JWT tokens across channel resubscribe (#1908)
- realtime: handle null values in postgres changes filter comparison (#1918)
- Liam
- Vaibhav @7ttp
- storage: align analytics from method with { data, error } pattern (#1927)
- repo: update lock file after dependabot to use npm 11 (#1926)
- Katerina Skroumpelou @mandarini
- storage: correct QueryVectorsResponse to use vectors instead of matches (#1922)
- Katerina Skroumpelou @mandarini
- auth: suppress getsession warning when getuser is called first (#1898)
- auth: code verifier remains in storage during edge cases (#1759)
- postgrest: cross-schema rpc setof type inference (#1900)
- repo: update lock file (#1910)
- repo: lock file issues (#1919)
- repo: update npm and install again (#1920)
- supabase: add esm wrapper to resolve module not found error in nuxt (#1914)
- Katerina Skroumpelou @mandarini
- Vaibhav @7ttp
- storage: install iceberg-js and add from method (#1881)
- Katerina Skroumpelou @mandarini
- realtime: add metadata to realtime user broadcast push (#1894)
- auth: oauth minor fixes on types (#1891)
- Cemal Kılıç @cemalkilic
- Eduardo Gurgel
- postgrest: add isdistinct and regex pattern matching operators (#1875)
- postgrest: validate empty or invalid relation names in Postgrest… (#1863)
- realtime: simplify serializer by removing unnecessary types of messages (#1871)
- Eduardo Gurgel
- Katerina Skroumpelou @mandarini
- Soufiane Radouane @sofmega
- storage: rename StorageAnalyticsApi to StorageAnalyticsClient (#1869)
- Katerina Skroumpelou @mandarini
- auth: add OAuth grant listing and revocation endpoints (#1833)
- postgrest: bubble up fetch error causes and codes (#1856)
- realtime: account for null refs when encoding messages (#1862)
- storage: analytics bucket prop (#1852)
- Cemal Kılıç @cemalkilic
- Eduardo Gurgel
- Fabrizio @fenos
- Katerina Skroumpelou @mandarini
- auth: use Symbols for callback IDs to resolve Next.js 16 compatibility (#1847)
- auth: add automatic browser redirect to signInWithSSO (#1849)
- realtime: setAuth not required on custom jwt token (#1826)
- Filipe Cabaço @filipecabaco
- Katerina Skroumpelou @mandarini
- realtime: implement V2 serializer (#1829)
- auth: make webauthn param optional and move register params to webauthn (#1765)
- auth: add providers type to UserAppMetadata interface (#1760)
- auth: use direct attestation for registration/authentication (#1764)
- functions: add configurable timeout and normalize abort/timeout errors as FunctionsFetchError (#1837)
- realtime: ensure WebSocket connections are properly closed in teardown (#1841)
- Eduardo Gurgel
- Katerina Skroumpelou @mandarini
- Tanmay Sharma @tanmaysharma2001
- auth: add TypeScript types for documented JWT claims fields (#1802)
- auth: only warn if multiple clients share a storage-key (#1767)
- Steve Hall @sh41
- Sumit Kumar @Software-Engineering-Project-Team-Bob
- auth: support throwing errors instead of returning them (#1766)
- repo: remove node-fetch dependency, require Node.js 20+ (#1830)
- Katerina Skroumpelou @mandarini
- auth: add OAuth 2.1 authorization consent management API calls (#1793)
- auth: add OAuth client update support (#1812)
- auth: refactor getAuthenticatorAssuranceLevel method (#1822)
- auth: remove redirection in
getAuthorizationDetails(#1811) - auth: move session warning proxy from session to user object (#1817)
- Cemal Kılıç @cemalkilic
- Katerina Skroumpelou @mandarini
- Stojan Dimitrovski @hf
- auth: add OAuth 2.1 authorization consent management API calls (#1793)
- auth: add OAuth client update support (#1812)
- storage: add support for bucket pagination and sorting (#1790)
- auth: handle 204 No Content response in OAuth client delete (#1786)
- auth: remove redirection in
getAuthorizationDetails(#1811) - postgrest: add incoming major 14 support (#1807)
- repo: add missing tslib dependency to core packages (#1789)
- repo: cleanup package-lock.json and bun.lock (#1799)
- storage: remove unnecessary filter (#1809)
- precompile RegExp (#1806)
- Andrew Valleteau @avallete
- Cemal Kılıç @cemalkilic
- Fabrizio @fenos
- Katerina Skroumpelou @mandarini
- Kevin Grüneberg @kevcodez
- Lenny @itslenny
- repo: add missing tslib dependency to core packages (#1789)
- Katerina Skroumpelou @mandarini
- realtime: realtime explicit REST call (#1751)
- realtime: enhance RealtimeChannel type (#1747)
- storage: storage vectors and analytics in storage-js (#1752)
- functions: missing body when Content-Type header supplied by dev (#1758)
- functions: add application/pdf response parsing to FunctionsClient (#1757)
- realtime: manipulate URLs using URL object (#1769)
- repo: convert postbuild to explicit codegen (#1778)
- storage: correct list v2 types to correctly match data returned from api (#1761)
- storage: use backward compatible return type in download function (#1750)
- storage: api types (#1784)
- Fabrizio @fenos
- Filipe Cabaço @filipecabaco
- Guilherme Souza
- Katerina Skroumpelou @mandarini
- Lenny @itslenny
- storage: use backward compatible return type in download function (#1750)
- Lenny @itslenny
- postgrest: add embeded functions type inference (#1632)
- Andrew Valleteau @avallete
- auth: add deprecation notice to
onAuthStateChangewith async function (#1580) - auth: add OAuth 2.1 client admin endpoints (#1582)
- docs: explicitly mark options as optional (#1622)
- realtime: add support to configure Broadcast Replay (#1623)
- release: enable trusted publishing (#1592)
- storage: add support for sorting to list v2 (#1606)
- storage: remove trailing slash from baseUrl normalization (#1589)
- Cemal Kılıç @cemalkilic
- Doğukan Akkaya
- Eduardo Gurgel
- Etienne Stalmans @staaldraad
- Lenny @itslenny
- Stojan Dimitrovski @hf
- Taketo Yoshida