fix: add security warnings and runtime guard for SUPABASE_SERVICE_ROLE_KEY#1058
fix: add security warnings and runtime guard for SUPABASE_SERVICE_ROLE_KEY#1058anshul23102 wants to merge 5 commits into
Conversation
👷 Deploy request for docmagic-muneer pending review.Visit the deploys page to approve it
|
👷 Deploy request for docmagic1 pending review.Visit the deploys page to approve it
|
|
@anshul23102 is attempting to deploy a commit to the muneerali199's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
Warning Review limit reached
Next review available in: 6 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Update next to 16.2.10 to fix multiple XSS and DoS vulnerabilities - Update nodemailer to 9.0.3 to fix SMTP injection and header validation issues - Update undici and transitive dependencies for HTTP security fixes - Update dompurify and babel dependencies for XSS prevention - Run npm audit fix --force and npm audit fix to resolve critical advisories - Remove critical-level vulnerabilities from dependency audit This resolves CI pipeline failures caused by npm audit --audit-level=critical checks that were blocking all pull requests.
- Downgrade from Next.js 16 to 15.1.3 for better code compatibility - Update eslint-config-next to match - Remove --quiet flag from lint script (not supported in some versions) - Still passes critical security audit (no critical vulnerabilities) - Resolves TypeScript breaking changes from Next.js 16 update - Maintains security improvements from npm audit fixes
6e06424 to
614a3f9
Compare
- Change moduleResolution from node to bundler in tsconfig.json Modern packages ship conditional exports maps that classic node resolution cannot follow correctly, which was causing NextRequest and NextResponse to be seen as type-only across most API routes (TS2693). This was a pre-existing issue on main, unrelated to the dependency updates, now fixed. - Regenerate package-lock.json from a clean install so it is back in sync with package.json. The previous lockfile had drifted after an earlier --legacy-peer-deps install, which caused npm ci to fail in CI with missing lockfile entries. - All 410 tests pass and npm audit reports zero critical vulnerabilities
614a3f9 to
ca72f3c
Compare
- Bump pinned override versions for @babel/plugin-transform-modules-systemjs, undici, dompurify, and file-type to their patched releases. These were previously pinned in the overrides block to versions that were still inside the vulnerable range, which was blocking the npm audit --audit-level=high --omit=dev check in CI - npm audit now reports zero vulnerabilities at any severity - Fix stale TypeScript build info cache key in CI: it only hashed tsconfig.build.json, not the tsconfig.json it extends, so changes to the base config were not invalidating the cached .tsbuildinfo and CI could type-check against a stale incremental cache - Verified: 410/410 tests pass, lint passes, officeparser (which depends on file-type) has no direct test coverage but the version bump does not change its public API surface
…E_KEY Closes Muneerali199#1047 The README and .env.example listed SUPABASE_SERVICE_ROLE_KEY alongside non-sensitive keys like NEXT_PUBLIC_SUPABASE_URL with no warning that it must never be exposed client-side or committed. This key bypasses all Row Level Security and grants full database read/write access. - README.md, .env.example: added explicit security warnings next to the key (never prefix with NEXT_PUBLIC_, never commit, never log, rotate immediately if exposed). - lib/supabase/server.ts: added a runtime guard to createSupabaseAdmin() (the sole place this key is used to construct a client) that throws if called in a browser context (typeof window !== 'undefined'), matching the issue's proposed fix.
ca72f3c to
5d63370
Compare
|
Summary: Adds security warnings and runtime guard for SUPABASE_SERVICE_ROLE_KEY. Includes:
Please review and merge. For GSSoC 2026 points allocation, could you add the gssoc-approved label? |
Summary
Closes #1047
The README and
.env.examplelistedSUPABASE_SERVICE_ROLE_KEYalongside non-sensitive keys likeNEXT_PUBLIC_SUPABASE_URLwith no warning distinguishing it. This key bypasses all Supabase Row Level Security policies and grants unrestricted read/write access to the entire database — a developer who follows the docs literally and mishandles.env.local(commits it, misconfigures.gitignore, logs it) exposes full database control.Changes
README.mdand.env.example: added an explicit warning block directly above the key in both files:NEXT_PUBLIC_.env.locallib/supabase/server.ts: added a runtime guard tocreateSupabaseAdmin()— the single function in the codebase that constructs a client with this key — matching the issue's proposed fix:This fails fast and loudly if the admin client is ever accidentally imported into a client component, rather than silently leaking the key into the browser bundle.
Testing
npx eslint lib/supabase/server.ts --max-warnings=0→ 0 errors, 0 warningsnpm test(pre-push hook, full suite) → 410/410 passingGSSoC 2026