Merged
The Supabase template hardcoded GOTRUE_SITE_URL to the internal Supabase Kong URL, which caused OAuth redirects to go to the Supabase API domain instead of the user's frontend domain. This broke Google OAuth, magic links, and other redirect-based auth flows. Allow users to set GOTRUE_SITE_URL in the Coolify UI to their frontend domain while keeping the Supabase URL as a sensible default. Fixes #5581
The Directus service templates were missing CORS configuration, causing preflight OPTIONS requests to fail when connecting from frontend apps. Users had to manually edit the compose file to add CORS variables. Add sensible CORS defaults (enabled with dynamic origin matching) to both directus.yaml and directus-with-postgresql.yaml templates. All values are user-overridable via the Coolify UI. Fixes #5024
Updated all Supabase service images to latest versions:
- studio: 2026.01.07 -> 2026.01.27-sha-6aa59ff
- postgres: 15.8.1.048 -> 15.8.1.085
- logflare: 1.4.0 -> 1.30.3
- postgrest: v12.2.12 -> v14.3
- gotrue: v2.174.0 -> v2.185.0
- realtime: v2.34.47 -> v2.72.0
- storage-api: v1.14.6 -> v1.37.1
- imgproxy: v3.8.0 -> v3.30.1
- postgres-meta: v0.89.3 -> v0.95.2
- edge-runtime: v1.67.4 -> v1.70.0
- supavisor: 2.5.1 -> 2.7.4
Config changes:
- analytics: LOGFLARE_API_KEY replaced with LOGFLARE_PUBLIC/PRIVATE_ACCESS_TOKEN, removed LOGFLARE_SINGLE_TENANT_MODE and LOGFLARE_MIN_CLUSTER_SIZE
- studio: added POSTGRES_PORT/DB, LOGFLARE_*_ACCESS_TOKEN, SNIPPETS/EDGE_FUNCTIONS management, volumes; removed CURRENT_CLI_VERSION, SUPABASE_PUBLIC_API
- imgproxy: added IMGPROXY_BIND, IMGPROXY_MAX_SRC_RESOLUTION
- meta: added CRYPTO_KEY
- realtime: removed FLY_ALLOC_ID, FLY_APP_NAME, ENABLE_TAILSCALE; added DISABLE_HEALTHCHECK_LOGGING
- storage: removed obsolete commented-out env vars
The pinned commit hashes (00bd9272, 33cef775) are from ~Nov 2025 and incompatible with convex npm package >=1.30, causing deploy failures with "missing field `functions`" errors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…osting setup
- Update Kong to 3.9.1 with new awk-based entrypoint script (replaces fragile eval/echo)
- Add request-transformer plugin to all secure Kong routes for API key translation
- Fix hide_credentials: false on REST and GraphQL routes
- Add post-function plugin on storage route for S3 presigned URL compatibility
- Add opaque API key support (SUPABASE_PUBLISHABLE_KEY, SUPABASE_SECRET_KEY)
- Update Vector router to use contains() matching for Coolify container names
- Add auto-generated self-signed TLS cert for Supavisor (fixes Supabase CLI connectivity)
- Fix logs not queryable in Studio by separating public/private Logflare access tokens
- Update image versions: Kong 3.9.1, Studio 2026.03.16, PostgREST v14.6, Storage v1.44.2, Edge Runtime v1.71.2
- Fix IMGPROXY_ENABLE_WEBP_DETECTION -> IMGPROXY_AUTO_WEBP
- Add deno-cache volume for faster Edge Function cold starts
- Make POOLER_TENANT_ID configurable
- Add start_period to Realtime and Supavisor healthchecks
- Add KONG_PROXY_ACCESS_LOG configuration
- Update SQL init scripts to use $POSTGRES_USER instead of hardcoded supabase_admin
…compatibility Using 'stub' as default would break existing installations that stored files under the default tenantId 'storage-single-tenant' (pre-TENANT_ID era). After upgrading, storage-api would look for files under 'stub/...' prefix instead of 'storage-single-tenant/...', making all existing files inaccessible.
This Docker image is abandoned; in the future we have to swap it for a well-maintained one. For the time being we can use this one.
The production Dockerfile already runs apk upgrade at build time. The helper and realtime Dockerfiles were missing this step. The helper (Alpine 3.21) ships with CVE-2025-15467 in OpenSSL 3.3.5. The realtime (Alpine 3.18) has outdated OpenSSL 3.1.2 with HIGH CVEs. Adding apk upgrade before apk add makes both images consistent with the production Dockerfile.
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.0 to 7.3.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)
---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support@github.com>
Permit single-quoted arguments in SHELL_SAFE_COMMAND_PATTERN while keeping dangerous metacharacters blocked, and add security test cases for quoted --entrypoint and --hostname values.
Co-authored-by: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
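
The allowlist approach described in the commit message above, as an added Python sketch (not code from this pull request). The pattern, character sets and sample strings are assumptions and are not the project's SHELL_SAFE_COMMAND_PATTERN.

```python
import re

# Hypothetical allowlist, not the project's SHELL_SAFE_COMMAND_PATTERN.
# Bare characters: no whitespace, quotes, or shell metacharacters.
BARE_CHAR = r"[A-Za-z0-9_.,:/=@%+-]"
# Single-quoted run: the same characters plus spaces. The quote itself is
# excluded, so a value cannot close the quoting early.
QUOTED = r"'[A-Za-z0-9_.,:/=@%+ -]*'"
# One argument = bare characters and quoted runs, e.g. --hostname='my host'.
# Alternating per character (no nested "+") keeps matching linear in length.
ARG = rf"(?:{BARE_CHAR}|{QUOTED})+"
SAFE_OPTIONS = re.compile(rf"{ARG}(?: {ARG})*")


def is_shell_safe(options: str) -> bool:
    """True only if the whole string is space-separated allowlisted arguments."""
    return SAFE_OPTIONS.fullmatch(options) is not None


# Constructed sample inputs: (options string, expected verdict).
SAMPLES = [
    ("--entrypoint 'sh -c'", True),
    ("--hostname 'my-host'", True),
    ("--hostname=web-1 --cpus 2", True),
    ("--entrypoint 'sh -c; id'", False),  # metacharacter inside quotes
    ("--hostname $(hostname)", False),    # command substitution
    ("--hostname `hostname`", False),     # backtick substitution
    ("--hostname 'a' | cat", False),      # pipe after a valid argument
    ("--entrypoint 'sh", False),          # unbalanced quote
    ("--hostname a\nid", False),          # embedded newline
    ("", False),                          # empty input
]


def failing_samples():
    """Return the samples whose verdict differs from the expected one."""
    return [(s, want) for s, want in SAMPLES if is_shell_safe(s) != want]


if __name__ == "__main__":
    for text, _ in SAMPLES:
        print(f"{is_shell_safe(text)!s:5}  {text!r}")
```

The sketch uses `fullmatch` so that a safe prefix followed by unvetted text is rejected, and it keeps metacharacters blocked even inside quotes in case the value is re-quoted or interpolated later.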
Wow, big update for supabase, thx!
What's Changed
Security & Fixes
New Services & Templates
/status.php (chore(service): update nextcloud healthcheck endpoint #9470)
Improvements