## What kind of change does this PR introduce?
Documentation update
## What is the current behavior?
The Refine tutorial uses `supabaseClient.auth.getSession()` in the
`authProvider.check` method to verify authentication. `getSession` is
deprecated and not recommended for auth verification.
## What is the new behavior?
Replaced `getSession()` with `getClaims()` which reads claims from the
locally cached JWT. This is the recommended approach as mentioned in the
issue.
## Files changed
- `apps/docs/content/guides/getting-started/tutorials/with-refine.mdx` —
Updated `check` method in the authProvider code example
-
`examples/user-management/refine-user-management/src/providers/auth-provider.ts`
— Updated the corresponding example code to match
Closes#42193
---------
Co-authored-by: gorillaworkout <bayudarmawan215@gmail.com>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
Feature restoration
## What is the current behavior?
Incident banners cannot be dismissed by users.
## What is the new behavior?
Users can dismiss incident banners again.
## Additional context
## What kind of change does this PR introduce?
UI update
## What is the current behavior?
AlertError is usually full of prose yet has `horizontal` button
placement. This looks incredibly awkward at smaller breakpoints.
## What is the new behavior?
AlertError swaps the default `layout` to `responsive`, making the
smaller breakpoint composition much nicer.
| Before | After |
| --- | --- |
| <img width="370" height="850" alt="Spinner Toolshed
Supabase-FBF6DD34-258E-4E36-B3DF-533F0EDDC307"
src="https://github.com/user-attachments/assets/cb38c270-bdc1-46b7-8fed-7c6ff9f15ccc"
/> | <img width="370" height="850" alt="Spinner Toolshed
Supabase-37BDDE9A-DF90-4B96-95F4-4AA15A12682A"
src="https://github.com/user-attachments/assets/d8ff89bf-2451-44e0-a048-418272f7514a"
/> |
## Additional context
2+ buttons (`additionalActions`) still forces the `vertical` layout
type.
## To test
The pictured example is not available on this branch. An easy one to
test is
[CreateBranchModal](2cc275fd51/apps/studio/components/interfaces/BranchManagement/CreateBranchModal.tsx (L410)):
```diff
- {isErrorConnections && (
+ {true && (
<AlertError
error={connectionsError}
subject="Failed to retrieve GitHub connection information"
/>
)}
```
Sentry was flooded with un-actionable events: browser extension errors,
network blips, React hydration
noise from DOM-manipulating extensions, and CriticalError issues that
were impossible to route because
they grouped by message string rather than type. This made it hard to
spot real regressions.
## Changes:
- Improved client-side Sentry signal quality in
apps/studio/instrumentation-client.ts by replacing
custom third-party stack filtering with
Sentry.thirdPartyErrorFilterIntegration, plus stricter
allowUrls filtering for Supabase/app frames.
- Added build-time Sentry bundle annotation in
apps/studio/next.config.js via
unstable_sentryWebpackPluginOptions.applicationKey = 'supabase-studio'
to support reliable third-party
frame filtering.
- Expanded and reorganized ignoreErrors rules across client/server/edge
Sentry configs to suppress known
non-actionable noise (Next.js navigation internals, network/transient
chunk failures, extension/DOM-
manipulation noise, hydration-noise patterns).
- Refactored critical error reporting in
apps/studio/lib/error-reporting.ts from captureMessage to
captureException with scoped tags (critical=true, context=<action>) and
synthetic CriticalError
exceptions for better alerting/grouping.
- Updated tests in apps/studio/lib/error-reporting.test.ts to match the
new Sentry API usage (withScope
+ captureException) and assert on exception objects/tags behavior.
- 100% sampling (codeSampleRate = 1) for normal/useful errors.
- 1% sampling (codeSampleRate = 0.01) only for explicitly noisy classes:
- Failed to construct 'URL': Invalid URL
- Session error detected
- chunk-load failures (ChunkLoadError, Loading chunk ... failed, Loading
CSS chunk ... failed)
- Sent events are tagged with codeSampleRate so you can filter/segment
in Sentry dashboards.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This pull request improves how user consent is handled for telemetry and
tracking, ensuring that analytics scripts and cookies are only active
when the user has provided consent. The changes both enforce stricter
checks before enabling Google Tag Manager and ensure that tracking
cookies are cleared when consent is denied.
Refactor
## What is the current behavior?
Many utility functions are in the Valtio object which is overly large
and complex.
## What is the new behavior?
Some utility functions are moved out and tested. No behaviour has been
changed, they've just been moved with any necessary changes to
arguments.
Mobile sheet nav doesn't close on route change and viewport resizing
after #43184.
This PR fixes that and also makes it optional to close on nav and
resizing, because the sidepanels need them _not_ to resize, while mobile
navigation menu does.
Also added some tests. 🪄
This PR updates @supabase/*-js libraries to version 2.98.0.
**Source**: supabase-js-stable-release
**Changes**:
- Updated @supabase/supabase-js to 2.98.0
- Updated @supabase/auth-js to 2.98.0
- Updated @supabase/realtime-js to 2.98.0
- Updated @supabase/postgest-js to 2.98.0
- Refreshed pnpm-lock.yaml
This PR was created automatically.
Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
- Deleted SQL Snippets leave a hanging block that loads forever in
custom reports, and its not possible to delete them.
- Now you can delete blocks if they get stuck loading
- Also shows correct error state when a block couldn't load because the
sql snippet was removed
## before
- stuck forever
<img width="1296" height="936" alt="CleanShot 2026-02-26 at 13 23 25@2x"
src="https://github.com/user-attachments/assets/bb65cc5f-c2a4-4027-876e-db9682ec6f3c"
/>
## after
- show error state
- allow user to delete snippet
<img width="1388" height="862" alt="CleanShot 2026-02-26 at 13 23 45@2x"
src="https://github.com/user-attachments/assets/c5d6c114-071b-4e4d-a913-25b3c788db95"
/>
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## What kind of change does this PR introduce?
Fix
## What is the current behavior?
The theme switcher in `CommandMenu` is not showing up when typing in
“dark mode”, “toggle theme” or similar commands.
## What is the new behavior?
Added hidden root commands: `Toggle theme`, `Use dark theme`, `Use light
theme`, `Use system theme`, plus existing `Switch theme...` with search
aliases.
Also added `value` aliases to the theme items so searches pop up.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## What kind of change does this PR introduce?
- Design system docs addition
## What is the current behavior?
- We used a ’sandwiched’ style Admonition a lot but have no clear
docs/examples for it
## What is the new behavior?
- An example file and documentation around the sandwiched Admonition
- Minor unrelated changes
- Copywriting docs expansion on capitalization and declarative writing
- `pnpm format` on charts
## Additional context
| Preview |
| --- |
| <img width="1714" height="612" alt="CleanShot 2026-02-24 at 16 02
21@2x"
src="https://github.com/user-attachments/assets/f547bdea-ca31-4ba7-85eb-bd9bcbf30d35"
/> |
This pull request refactors how the `TabsStateContextProvider` receives
the project reference and updates related imports for consistency and
maintainability. The main change is to pass `projectRef` explicitly as a
prop instead of fetching it internally, which improves context control
and makes the component easier to test and reuse. Additionally, the PR
updates import paths to use absolute aliases and removes an unused
function.
This fixes an issue which you can replicate by:
1. Go to SQL editor
2. Open any snippet
3. Delete the local storage `supabase_studio_tabs_{project ref}`
4. Refresh the page while still the snippet is open
This will make the snippet to enter in a ghost state where the tab name
is not visible but you see the content.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## What kind of change does this PR introduce?
UI update
## What is the current behavior?
- Database settings uses an older, much wider, layout
- This will become problematic later on as more complex elements are
added to the page
- Titles and descriptions are inconsistently formatted
## What is the new behavior?
| Before | After |
| --- | --- |
| <img width="1728" height="994" alt="Oldie 2 Toolshed
Supabase-EE998752-3696-45E4-A842-9666049153D8"
src="https://github.com/user-attachments/assets/8f0004cf-3bb4-4b00-900a-b116b80371a6"
/> | <img width="1728" height="994" alt="Oldie 2 Toolshed
Supabase-7E86FD58-35BB-4912-8B2F-8C7AAA03B462"
src="https://github.com/user-attachments/assets/606b51b4-21a0-4b7b-870b-ac92ed363f3c"
/> |
…ng 'a authorization' to 'an authorization'''
Fixed a minor grammatical error in
`apps/docs/content/guides/storage/buckets` where "a authorization" was
incorrectly used instead of "an authorization".
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
It is a typo fix in the docs
## What is the current behavior?
There are no issues concerning the performance. Just a minor grammar
mistake
## What is the new behavior?
Feel free to include screenshots if it includes visual changes.
<img width="863" height="431" alt="Screenshot 2026-02-24 at 20 42 00"
src="https://github.com/user-attachments/assets/364a405c-ea60-41cf-a6ec-b83f0ed3f6ab"
/>
Add any other context or screenshots.
## Context
Should've removed the `status` prop when fetching notifications in
`AdvisorButton` for a more accurate indication of
`hasCriticalNotifications` as we should show that dot for read critical
notifications too (not just new)
## Context
With the new home page, we have a stat to show the overall status of the
project + individual service health, both of which data is pulled from
an endpoint
<img width="283" height="400" alt="image"
src="https://github.com/user-attachments/assets/c7cbfdc6-b46b-41ce-9a89-59a3df98b586"
/>
At the time of project creation, some of the services start of as
UNHEALTHY, which results in the status stat here showing a label of
"Unhealthy" (while accurate in the sense that we're showing what's
coming from the API, its inaccurate as the services are still spinning
up)
## Changes involved
For each service, am opting to show their status as "COMING_UP" if the
service status is UNHEALTHY + the project's status is COMING_UP or
UNKNOWN. The overall status label should also show "Coming up" if the
project's status is COMING_UP or UNKNOWN as well
## Context
Renaming folders on the Storage Explorer has a tendency to be flaky as
we're using the `POST /objects/move` storage API to move files to the
renamed folder which handles one file per request.
For a big folder (e.g 100+ files), users will easily hit rate limits and
run into 429s with the API, in which the current behaviour just shows
toast errors as the error handler, leaving an odd state upon running
through every file in the folder where some files are in the old folder,
and others in the new one
## Changes involved
Main solution is to implement an automatic retry logic for
`renameFolder`, but changes involved are:
- Remove batching logic for renaming folders (Which fires `n` requests
per batch)
- The batch logic was negligible anyways since our batch size was only 2
😅
- Instead we now handle moving of files sequentially
- If a file runs into an error during the `POST` request, retry the
request after `n` seconds
- If the error was a 429, retry after 60 seconds, otherwise just 5
seconds
- Will attempt the request for a total of 3 times
- Toast progress description will also be updated to show the message
(timer will also count down to keep the UI interactive and not look
stuck)
<img width="362" height="98" alt="image"
src="https://github.com/user-attachments/assets/52ba685a-2f35-42f1-8fcf-98351184fd56"
/>
- After the whole process is completed, if any file ran into an error,
toast description will add a CTA to retry the rename
## Demo
https://github.com/user-attachments/assets/d65b3c22-f9f8-4984-9521-6fc83a69f82e
## To test
Have a folder in your project's storage bucket with 100+ files (can
stress test with nested folders)
- [ ] Verify that you can rename the folder, and the dashboard
automatically handles errors
## Context
Adjust advisor panel to not show "Project required" UI for the "All"
panel since messages do not require to be in a specific project
<img width="434" height="251" alt="image"
src="https://github.com/user-attachments/assets/8a999ca7-1a81-4c63-a6f7-c73cbdd676e3"
/>
Also adjusts the red dot for advisor center button to show if there's
critical notifications
## What kind of change does this PR introduce?
- Feature
- Resolves DEPR-355
## What is the current behavior?
Only one email address can be invited to an organization at a time.
## What is the new behavior?
- Multiple email addresses can be invited (at a single scope) to an
organization at one time
- List of email addresses detected via comma-separation
- Pluralization on fields and labels
- Table and copywriting cleanup
| Before | After |
| --- | --- |
| <img width="808" height="691" alt="Supabase"
src="https://github.com/user-attachments/assets/f6450c26-968c-4ee8-bb7c-d6f6a3af1209"
/> | <img width="808" height="691" alt="8298"
src="https://github.com/user-attachments/assets/2d7e3869-b9d4-4a4f-89aa-ae55d67e794b"
/> |
| <img width="1024" height="560" alt="Supabase"
src="https://github.com/user-attachments/assets/9a255167-fcd3-4294-ba3a-9160bd500cff"
/> | <img width="1024" height="560" alt="Supabase"
src="https://github.com/user-attachments/assets/daba5bb8-eb12-43dc-86de-217e9baf0b72"
/> |
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added support for inviting multiple team members simultaneously via
comma-separated emails.
* **Improvements**
* Enhanced member management interface with clearer status indicators
(You, Invited, SSO, MFA enabled/disabled).
* Improved feedback messages for invitation outcomes and member status
changes.
* Updated member table layout with summary footer displaying member
count.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
I modified previous webinars to include the following:
- A YouTube embed of the recording
- New "Watch the Recording" CTA buttons
- New slug for the go page `/vibe-coding-done-right-webinar`
---------
Co-authored-by: Alan Daniel <stylesshjs@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- Reverts the middleware changes to `apps/studio` and `apps/docs` from
#43153 that caused full page reloads on every client-side navigation in
Studio
- Root cause: broadening the `middleware` matchers to match all routes
and returning `NextResponse.next()` unconditionally interferes with
client-side navigation in the multi-zone production setup (`www` proxies
`/dashboard/*` → Studio, `/docs/*` → Docs)
- Cookie stamping is unnecessary in Studio and Docs because `apps/www`
sits in front of both apps in production and already handles
first-referrer cookie attribution for all incoming traffic
- The `apps/www` middleware, packages/common cookie utilities, and
telemetry changes from #43153 are left intact
Test plan
- Verify client-side navigation works without full page reloads in
Studio (production or preview deploy)
- Verify first-referrer cookie is still stamped via `www` middleware on
initial visit
## What kind of change does this PR introduce?
Changes the base font weight for strong tags within the
tailwind/typography configuration.
## What is the current behavior?
I noticed that texts within our strong tags had an irregular stroke, and
problems on rendering. The main problem is we are using the default 600
weight value coming from the config of tailwind, while our Circular
custom font supports 400 and 600.
_See the first text in the list from the screen just, like "Multi
Protocol"._
<img width="717" height="555" alt="Screenshot 2026-02-25 at 16 10 29"
src="https://github.com/user-attachments/assets/1063f049-ba9d-45a4-9946-ec4a0e380c48"
/>
## What is the new behavior?
Strong tags now render with 500 font weight to prevent bad text
rendering.
<img width="674" height="505" alt="Screenshot 2026-02-25 at 16 12 56"
src="https://github.com/user-attachments/assets/383e895d-e2b7-4d92-9357-403396ca2722"
/>
Summary
- Fixes full page reloads on every client-side navigation in Studio
caused by the first-referrer cookie middleware (#43153)
- In the multi-zone production setup (www proxies /dashboard/* →
Studio), returning `NextResponse.next()` unconditionally processes every
response through Next.js's middleware pipeline, interfering with
client-side navigation
- Now only returns NextResponse.next() when a cookie actually needs to
be stamped; returns undefined otherwise so Next.js handles the request
untouched
- Also fixes valid API routes (e.g. /api/ai/sql/generate-v4) falling
through to cookie-stamping code instead of passing through cleanly
The Y axis domain/range was being calculated incorrectly.
Testing this is a bit painful. You need to:
- using tweak-extension or similar overwrite the API response for the
IOPS chart and add a really big value
- reload the page
- the Y axis should adapt to that really big value even if it goes over
the disk max iops
See screenshots below
## before
- big data point wouldn't change the chart range
- Y Axis max is 6k even tho we have a data point over 20k
<img width="1204" height="714" alt="CleanShot 2026-02-25 at 18 47 14@2x"
src="https://github.com/user-attachments/assets/881aff6e-22a2-408d-b2c4-5a27f3fda386"
/>
## after
- the Y axis shows the correct range
<img width="932" height="786" alt="CleanShot 2026-02-25 at 18 47 57@2x"
src="https://github.com/user-attachments/assets/6247c66e-4b3e-49e9-9f6b-086086913fab"
/>
## Summary
Re-lands the first-referrer cookie feature from #42768 (reverted in
#43129) with middleware matcher fixes that prevent Studio traffic
interference.
**Tracks:** [GROWTH-651](https://linear.app/supabase/issue/GROWTH-651)
## What changed
New shared module in `packages/common/first-referrer-cookie.ts` that
handles stamping and parsing a first-referrer cookie (referrer, UTMs,
click IDs, landing URL). Each app's middleware calls
`stampFirstReferrerCookie` on the edge response — www and docs are the
primary entry points, Studio is a fallback for direct visits with UTMs.
On the telemetry side, `handlePageTelemetry` now takes an options object
instead of positional args, reads the cookie on initial pageview, and
overrides the referrer if the cookie captured an external source but the
current referrer is internal (i.e., the user navigated cross-app). Also
sends `first_referrer_cookie_present`/`consumed` properties so we can
observe the handoff in PostHog.
The docs middleware matcher was broadened from `/reference/:path*` to
all docs pages so we stamp cookies site-wide, not just on reference
paths.
## Root cause of original revert
Two layers:
1. **Matcher gap**: www middleware ran on `/dashboard/*` traffic in prod
due to Vercel Multi-Zone architecture (www is the gateway for
`supabase.com`, proxying `/dashboard` → Studio, `/docs` → Docs).
Middleware runs *before* rewrites, so www middleware executed on all
proxied traffic.
2. **`_next/data` interception**: The matcher didn't exclude
`_next/data` paths. Client-side navigation in Next.js fetches JSON via
`/_next/data/...` — middleware intercepted these, returned
`NextResponse.next()` with cookie mutations (which processes through the
middleware response pipeline), and this interfered with the JSON
responses, causing full page reloads in the SQL editor.
## How this PR fixes it
| Fix | Detail |
|---|---|
| Exclude `_next/data` | All three matchers (`www`, `docs`, `studio`)
exclude `_next/data` via negative lookahead |
| Exclude `dashboard` + `docs` from www | www middleware no longer runs
on proxied app traffic |
| `/api/` path guard in Studio | Broadened matcher requires explicit
path check for API route filtering |
| `NextResponse.next()` semantics | Cookie stamping only happens on
matched paths; unmatched paths never enter middleware |
### `NextResponse.next()` vs `undefined` nuance
Returning an explicit `NextResponse.next()` with cookie mutations
processes through Next.js's middleware response pipeline (headers are
merged, cookies are set). Returning `undefined` (i.e. the request never
matches the matcher) lets Next.js handle the request completely
untouched. The matcher exclusions ensure `_next/data` and proxied app
paths never enter middleware at all.
## Testing
- ✅ 22 unit tests for shared cookie utilities (all pass)
- ✅ Studio prod build succeeds, middleware recognized as `ƒ Proxy
(Middleware)`
- ✅ Playwright validation: client-side navigation works across 3 page
transitions, `_next/data` requests return 200 OK without middleware
interception, no full-page reloads
- ❌ www/docs SSG builds require platform backend services (expected —
same as master)
Feature enhancement — smarter incident banner targeting logic
## What is the current behavior?
Displaying the incident banner requires toggling a flag or environment
variable. Banners are shown to all users regardless of whether their
projects are in affected regions or whether the incident affects project
creation.
## What is the new behavior?
Banner visibility is now driven by `show_banner` metadata from the
StatusPage API — no manual flag or env var toggle needed. Per-user
targeting is then applied:
- Users with projects only see the banner when they have a database in
an affected region
- Users without projects only see the banner when the incident affects
project creation
Incident responses are enriched with cache data (`affected_regions`,
`affects_project_creation`) fetched from a Supabase table. Visibility
logic is extracted into a dedicated hook and pure utility function,
backed by unit tests.
## Additional context
Resolves FE-2562
The SDK now handles orphaned lock recovery via steal internally
(supabase-js#2106). Keep the BroadcastChannel observability wrapper for
Sentry signals. The steal-based orphaned lock recovery in
`debuggableNavigatorLock` (packages/common/gotrue.ts) (introduced in
https://github.com/supabase/supabase/pull/39868) is now redundant,
supabase-js#2106 handles this natively in the SDK.
Removes the `navigator.locks.request({ steal: true })` block while
keeping the BroadcastChannel wrapper that sends lock-holder stack traces
to Sentry.
Related: supabase/supabase-js#2106, supabase/supabase-js#2125
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES/NO
## What kind of change does this PR introduce?
Bug fix, feature, docs update, ...
## What is the current behavior?
Please link any relevant issues here.
## What is the new behavior?
Feel free to include screenshots if it includes visual changes.
## Additional context
Add any other context or screenshots.
Co-authored-by: Jordi Enric <37541088+jordienr@users.noreply.github.com>
## Context
In the new project home page, we have a stat for "Last migration" which
we're showing _when_ the last migration was applied. However:
- The timestamp for the migration is derived from the "version" column
of the migration (in the `supabase_migrations` table) which afaik is
derived from the migration's file name
- It'll be alright if the migration was generated via the CLI, but we
can't really enforce the name of the migration file if say they were
generated via AI, so this is technically a point of flakiness
- Reckon that it's more value to show _what_ was the last migration
rather than _when_ so opting to change the value here to show the name
of the last migration instead
### Before
<img width="620" height="311" alt="image"
src="https://github.com/user-attachments/assets/6876acb6-91d2-4ae3-8ce8-98375658c12c"
/>
### After
<img width="582" height="322" alt="image"
src="https://github.com/user-attachments/assets/a40f6635-2068-4edb-a91a-ccf03d8e4d3c"
/>
