Skip to content

chore: production deploy#5874

Open
supabase-cli-releaser[bot] wants to merge 48 commits into
mainfrom
develop
Open

chore: production deploy#5874
supabase-cli-releaser[bot] wants to merge 48 commits into
mainfrom
develop

Conversation

@supabase-cli-releaser

Copy link
Copy Markdown
Contributor

Coly010 and others added 30 commits July 7, 2026 10:13
… parity) (#5794)

## Current Behavior

Go's overwrite-confirmation prompt for `gen signing-key` reads piped
stdin even in non-TTY mode (`internal/utils/console.go`'s
`PromptYesNo`/`ReadLine`, racing a 100ms timeout) and honors an explicit
y/n answer. The TS port's `signing-key.handler.ts` had its own local
`confirmOverwrite` that returned `true` unconditionally in non-TTY mode
without reading stdin at all, so `echo n | supabase gen signing-key`
silently overwrote the existing key file instead of canceling — a
data-loss risk for scripted/CI usage.

## Expected Behavior

- Deletes the local `confirmOverwrite` and switches the call site to the
shared `legacyPromptYesNo` helper (already used by `seed buckets`,
`config push`, `logout`, `storage rm`, `db pull`), which already
correctly implements Go's non-TTY read-with-timeout-and-parse behavior.
- Swaps `LegacyYesFlag` for `legacyResolveYes` (matching those same five
callers), so `gen signing-key` now also honors `SUPABASE_YES` and an
explicit `--yes=false`, matching Go's `viper.GetBool("YES")`.
- Fails the overwrite closed (rather than silently defaulting to yes)
when a real interactive TTY requests a non-text `--output-format` — this
command has no structured json/stream-json payload (SIDE_EFFECTS.md),
and the shared helper's own default-on-non-text short-circuit would
otherwise silently overwrite irrecoverable key material with no prompt
at all. A non-TTY caller (piped or not) is unaffected by this guard.

Fixes CLI-1865
…5813)

## What kind of change does this PR introduce?

Docs fix — Legacy port SIDE_EFFECTS.md / AGENTS.md accuracy (F3-F10, F12
from the parity audit).

## What is the current behavior?

11 `SIDE_EFFECTS.md` files and `AGENTS.md` contained factual errors
where the code was already correct but the documentation was wrong —
wrong file paths, a fabricated stdout message, an inverted claim about
whether a command writes the linked-project cache, a missing
json/stream-json output envelope, a fictitious subprocess name, a
backwards project-ref claim, and a fabricated telemetry-identity call.
Each claim was independently re-verified against `apps/cli-go/` (and,
for the `completion` exit-code claim, against the actual compiled Go
binary and the actual TS CLI) before editing.

## What is the new behavior?

- **F3**: `db/branch/{create,delete,list,switch}` — corrected the
current-branch file path to `supabase/.branches/_current_branch`,
matching `internal/utils/misc.go:99`.
- **F4**: `db/remote/commit` — removed the false claim it prints
`Finished supabase db pull.` (that belongs only to `db pull`).
- **F5**: `db/lint` — corrected: it DOES write the linked-project cache
on `--linked`, matching Go's `ensureProjectGroupsCached`.
- **F6**: `db/schema/declarative/generate` — corrected: it has a real
json/stream-json success envelope.
- **F7**: `db/schema/declarative/sync` — replaced a fictitious
`migration up --local` subprocess with the real `db reset --local`
recovery-path subprocess.
- **F8**: `completion` — the doc's exit-code claim was backwards. Go
exits `0` on both bare `completion` and an unrecognized shell subcommand
(verified against the compiled binary); the legacy TS shell currently
exits `1` for both — a genuine, systemic exit-code bug in the shared CLI
harness, not `completion`-specific (it reproduces on any
bare/unrecognized group-command invocation, e.g. `branches`). Rather
than fixing the code here or describing the bug as intended, the doc now
states Go's true behavior and flags the current TS divergence, filed
separately as CLI-1906.
- **F9**: `config/push` + `AGENTS.md` — corrected the
linked-project-cache path (was a fabricated `~/.supabase/<hash>/...`,
real path is `<workdir>/supabase/.temp/linked-project.json`) and fixed
an adjacent conflation where the project-ref-fallback file was wrongly
attributed to the same cache file, when it's actually a separate file
(`<workdir>/supabase/.temp/project-ref`).
- **F10**: `branches/update` — corrected: the upgrade-suggest call uses
the branch's own resolved ref, not the parent `--project-ref`.
- **F12**: `AGENTS.md` telemetry table — removed a fabricated
`analytics.identify(gotrueId)` claim from the `login` row; Go's
`StitchLogin` only aliases.

A second, wider pre-existing doc bug was found during F9's verification
(the same fabricated linked-project-cache path is copy-pasted across 29
other `SIDE_EFFECTS.md` files not touched here) — filed separately as
CLI-1907 rather than expanding this diff.

Docs-only change; no `.ts`/`.go` files touched. `pnpm check:all` passes.
…r references (#5811)

## What kind of change does this PR introduce?

Docs fix — Legacy port SIDE_EFFECTS.md accuracy.

## What is the current behavior?

Two systemic env-var documentation errors across
`src/legacy/**/SIDE_EFFECTS.md`, found in the parity audit:

- **~36 files** document `SUPABASE_API_URL` as a real override for the
Management API base URL. No such env var exists in Go:
`SetEnvPrefix("SUPABASE")` + `AutomaticEnv()` never binds `API_URL`,
there's no `os.Getenv("SUPABASE_API_URL")` anywhere, and the
`Profile.api_url` field loads on a separate, unbound `viper.New()`
instance (`internal/utils/profile.go:99`). The real override is
`SUPABASE_PROFILE` (built-in name or a path to a YAML profile file).
- **~18 files** document bare `PROJECT_ID` as if it were itself a
settable env var. It's Go's internal viper key name — the real,
user-facing env var is `SUPABASE_PROJECT_ID`
(`viper.GetString("PROJECT_ID")` under the global
`SetEnvPrefix("SUPABASE")` singleton,
`internal/utils/flags/project_ref.go:62`).

Both claims were independently verified against the real Go source and,
for the viper-specific mechanics, a compiled test program against the
exact pinned `github.com/spf13/viper v1.21.0`.

## What is the new behavior?

- Removed the fabricated `SUPABASE_API_URL` rows; where a file didn't
already document `SUPABASE_PROFILE`, added a real row for it (including
the persisted `~/.supabase/profile` fallback step in the resolution
chain, matching `legacy-cli-config.layer.ts`).
- Corrected every bare `PROJECT_ID` mention (Environment Variables
tables, Files Read "When" columns, and prose) to `SUPABASE_PROJECT_ID`,
converging on the dominant convention already used correctly across ~15
sibling files.
- Left `db/advisors/SIDE_EFFECTS.md` untouched — it already correctly
documents that `SUPABASE_API_URL` is not honored.
- Filed follow-ups for two related-but-out-of-scope findings surfaced
during review: CLI-1904 (global choice-flag telemetry gap, unrelated)
and CLI-1905 (bare `DB_PASSWORD` has the same bug class as this PR's F2,
in a set of files this PR doesn't touch).

Docs-only change; no `.ts` files touched. `pnpm check:all` passes.
…5715)

Ports the `db push`, `db reset`, and `db start` commands of the legacy
CLI shell from Go-binary proxies to native TypeScript (CLI-1325), and
introduces a hidden Go seam for the container-bootstrap primitives that
aren't ported.

## What changed

**`db push`** — fully native: pending-migration reconciliation,
seed-file ops with `seed_files` hash tracking, `[db.vault]` upsert,
`--include-roles`/`--include-seed`/`--dry-run`, against local / linked /
`--db-url`.

**`db reset`** — native on both legs:
- Remote (`--linked` / remote `--db-url`): drop user schemas → vault
upsert → migrate + seed, `--version`/`--last`, and the Go-parity
`--sql-paths` seed override (merged from develop, mutually exclusive
with `--no-seed`).
- Local (`--local` / local `--db-url`): running check, `Resetting local
database…`, container recreate + migrate + seed via the seam,
storage-gated bucket seeding (reuses the ported `seed buckets` core),
and the `Finished … on branch <branch>.` line.
- Only the niche `--experimental` remote schema-files path still
delegates to the Go binary.

**`db start`** — native: config validation, the
`AssertSupabaseDbIsRunning` check (prints Go's "already running" line),
else container bootstrap via the seam. No status table and no
`cli_stack_started` — those belong to the top-level `supabase start`,
not `db start`.

**Hidden Go seam (`db __db-bootstrap`)** — mirrors the existing `db
__shadow` seam. Exposes the un-ported container primitives
(`StartDatabase` + `DockerRemoveAll` cleanup, the PG14/PG15 reset
recreate, the storage health gate) behind `--mode
{start|recreate|await-storage}`. The TS side orchestrates everything
else (messages, version resolution, bucket seeding, the git-branch line,
telemetry, `--output-format` shaping); the seam runs with telemetry
disabled and stderr inherited, like `__shadow`.

**Config loading (review follow-ups)** — `db push` / `db reset` / `db
start` load `config.toml` through the legacy Go-parity reader
(`legacyCheckDbToml`, Go's `flags.LoadConfig` → `config.Load` +
`Validate`) rather than `@supabase/config`, so their config semantics
match the Go CLI exactly:
- Go-style env-reference booleans (e.g. `[db.seed] enabled =
"env(SEED_ENABLED)"`) load like Go (env-expand → `strconv.ParseBool`)
instead of failing with a parse error.
- a matched `[remotes.<ref>]` block's `db.migrations.enabled` /
`db.seed.enabled` beats the `SUPABASE_DB_*_ENABLED` env var (Go's
`v.Set` override tier sits above AutomaticEnv), closing the last
remote-vs-env precedence gap.
- `encrypted:` `[db.vault]` secrets are decrypted at config-load time
with the shell **and** project-`.env` `DOTENV_PRIVATE_KEY*` keys and
fail fast (before any connect / schema drop) on an undecryptable value,
matching Go's `DecryptSecretHookFunc`.
- seed `sql_paths` (config and `--sql-paths`) resolve once to Go's
config-load form; `db start` validates config before the already-running
check.

Malformed config now surfaces the reader's Go message (`failed to load
config`), consistent with `db diff` / `dump` / `pull` / `migration`.

## Why

`db start` / `db reset --local` need container lifecycle
(create/recreate, image pull, health checks, init schema, service
restarts) that is impractical to reimplement in TS. The seam keeps that
lifecycle in Go while moving orchestration, output parity, telemetry,
and `--output-format` handling to native TS — matching the approach
already used for `db diff` / `db pull`.

## Reviewer notes

- The seam is the only `db reset`/`db start` boundary the in-process
integration suites mock; it's covered end-to-end by the cli-e2e live
suite (`db-reset-start.live.e2e.test.ts`, run via `pnpm --filter
@supabase/cli-e2e test:e2e:live`), which exercises the local leg against
a real Docker socket and the remote `db reset` leg against the staging
session pooler. Both `describe`s skip the `ts-next` target (the next
shell has no `db` group).
- `db reset --local` recreate forwards `--no-seed` / `--sql-paths` to
the seam, which applies them via the same `applyDbResetSeedFlags` helper
`db reset` uses, so seed handling stays identical across local and
remote.
- The bundled `supabase-go` binary must be rebuilt (`pnpm
build:go-sidecar` copies it into `dist/`) since the seam adds the `db
__db-bootstrap` command.
- `docs/go-cli-porting-status.md` flips `db push` / `db reset` / `db
start` to `ported`; each command's `SIDE_EFFECTS.md` documents the
files, subprocesses, DB mutations, env vars, and exit codes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude <noreply@anthropic.com>
…rity) (#5797)

## What kind of change does this PR introduce?

Bug fix (Go parity).

## What is the current behavior?

`supabase functions deploy --jobs` diverges from the Go CLI in two
related ways:

1. The `--jobs` guard only errored when local bundling
(Docker/legacy-bundle) was active, so `--use-docker=false --jobs 2` (no
`--use-api`) silently passed in TS while Go rejects it. The error text
also differed from Go's wording.
2. `useLocalBundler` decided Docker-vs-API routing based on whether
`--use-api` was *typed* on the command line (`explicitUseApi`), not its
*resolved* value — so `--use-api=false` alone silently forced the API
bundler instead of falling through to Docker, contrary to Go's `if
useApi { useDocker = false }` (which only fires when the resolved value
is true).

Go's only guard (`apps/cli-go/cmd/functions.go:79-82`) is:
```go
if useApi {
    useDocker = false
} else if maxJobs > 1 {
    return errors.New("--jobs must be used together with --use-api")
}
```

## What is the new behavior?

- `--jobs > 1` is now rejected whenever `--use-api`'s resolved value is
`false`, regardless of `--use-docker`/`--legacy-bundle`, with the exact
Go error text: `--jobs must be used together with --use-api`.
- Bundler routing (`useLocalBundler`) now keys off the same resolved
`flags.useApi` value, so `--use-api=false` alone falls through to
Docker/legacy-bundle instead of silently switching to the API path.
- Both fixes land in the shared `deployFunctions()` used by both the
`legacy` and `next` shells, with regression coverage added in both.

Fixes CLI-1861.
…mFlag parity) (#5810)

## What kind of change does this PR introduce?

Bug fix (Go CLI parity).

## What is the current behavior?

Go's telemetry (`cmd/root_analytics.go:110-116`, `isEnumFlag`)
unconditionally treats any enum/choice flag as telemetry-safe — the
value is sent verbatim to PostHog, no per-flag opt-in required. The TS
legacy port's `withLegacyCommandInstrumentation` only exempted booleans
and explicit `safeFlags` entries, so every `Flag.choice` value was
silently redacted to `<redacted>` unless someone remembered to hand-list
it — which had already happened inconsistently across the 14 commands
using `Flag.choice`. `gen signing-key`'s `algorithm` and `gen types`'s
`lang`/`swift-access-control` had no exemption at all; several other
commands had partial coverage via ad-hoc `safeFlags`.

## What is the new behavior?

- `withLegacyCommandInstrumentation` now accepts a `config` option (the
command's own flag config record, the same object passed to
`Command.make`). Any flag built with
`Flag.choice`/`Flag.choiceWithValue` is auto-detected and treated as
telemetry-safe, covering every current and future enum flag on that
command without hand-maintaining a `safeFlags` list.
- The detection unwraps `Map`/`Transform`/`Optional`/`Variadic` wrapper
params down to the underlying `Single` the same way `--help` rendering
does internally, reimplemented using only type-visible public `effect`
API (the library's own internal helpers for this exact purpose exist in
the compiled JS but are absent from the published `.d.ts`, so calling
them directly isn't possible without an `as` cast).
- Wired `config` into all 14 commands with choice flags. Removed 3
files' now-redundant hand-listed `safeFlags` entries where every listed
name was already choice-typed.
- Filed CLI-1904 to track a related, pre-existing, out-of-scope gap:
global/root flags (`--output`, `--dns-resolver`, `--agent`) aren't wired
into any command's `config`, so they're not covered by this fix even
though Go's equivalents are also `EnumFlag`.

Fixes CLI-1866
This PR was automatically created to sync the generated `@supabase/api`
package with the latest Management API OpenAPI document.

Changes were detected in the upstream OpenAPI document exposed by
`https://api.supabase.com/api/v1-json`.

Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>
…ploy/download (#5804)

## What kind of change does this PR introduce?

Bug fix (Go-parity divergence).

## What is the current behavior?

Go's cobra emits a fixed template for `MarkFlagsMutuallyExclusive`
violations (`flag_groups.go:204`): the full group in registration order,
plus the subset of flags actually set, sorted alphabetically. `functions
deploy`/`functions download` emitted a custom TS string instead ("flags
--use-api, --use-docker are mutually exclusive"), diverging on wording
and dash usage. `download`'s check also branched on flag *truthiness*
rather than whether the flag was explicitly *changed* on the command
line, so `--use-api --use-docker=false` was silently allowed even though
cobra's real `pflag.Changed` semantics reject it.

## What is the new behavior?

Both commands now emit cobra's exact error text (verified byte-for-byte
against the real compiled Go binary), and `download`'s mutex check now
detects "explicitly changed" the same way `deploy`'s already did,
closing the `--use-docker=false` gap.

While fixing this, found the same cobra-template string duplicated in
two other places during a review pass — `db dump` (own inline copy of
the message format) and `gen types` (its own private
`hasExplicitLongFlag` plus a *second* copy of the message template that
had a real, independently-verified bug: it joined the violating-flag set
in check order instead of sorting it, so `gen types --local --linked`
printed `[local linked]` while the actual Go binary prints `[linked
local]`). Hoisted the two generic helpers to
`shared/cli/cobra-flag-groups.ts` and pointed all three call sites at
them, fixing the `gen types` sort-order bug as a direct consequence.

Filed two follow-ups discovered during review: CLI-1902 (`sso update`'s
`--domains`/`--add-domains`/`--remove-domains` mutex has the same class
of bug, different flag family, out of scope here) and CLI-1903 (`next/`
inherits the same byte-exact cobra text via the shared validator, even
though it isn't bound by the Go-parity contract — worth a friendlier
message there, but that's additive UX work, not a parity fix).

Reviewed via a 4-way parallel pass (architect/engineer/security/DX), all
approved. Architect's finding (the two generic helpers were hoisted into
a functions-specific file despite having zero functions-domain logic,
evidenced by the two duplicate implementations above) is what prompted
the `shared/cli/` relocation and dedup in this PR.
…t ref (#5802)

## What kind of change does this PR introduce?

Bug fix (Go-parity divergence).

## What is the current behavior?

On a malformed linked project ref, Go's `services` command validates the
ref (`flags.LoadProjectRef`) but only warns to stderr on failure and
still proceeds to call the remote tenant lookup with the bad ref
(`cmd/services.go`, `internal/services/services.go:61-62`). The
TypeScript port silently skipped the remote lookup on a malformed ref
with no warning at all, and `services/SIDE_EFFECTS.md` mis-attributed
that silent skip to Go.

Fixes CLI-1872.

## What is the new behavior?

TS now prints the same warning Go would print (`Invalid project ref
format. Must be like \`abcdefghijklmnopqrst\`.`, reusing the constant
already exported from `legacy-project-ref.service.ts`), matching Go's
stderr ordering. Unlike Go, TS deliberately does **not** then proceed
with the malformed ref — the ref gets embedded unescaped into the tenant
gateway hostname in `fetchLinkedServiceVersions`, so proceeding would
let a malformed/tampered ref redirect the service-role key to an
attacker-controlled host. This is an intentional, documented TS-only
divergence (SSRF hardening), not a parity bug — see the updated
`SIDE_EFFECTS.md` and the new "Behavioral divergences" section in
`docs/go-cli-porting-status.md`.

Reviewed via a 4-way parallel pass (architect/engineer/security/DX);
security and engineer approved outright, architect approved after
closing a branch-coverage gap on the exact code this PR restructured,
and DX surfaced that the identical Go idiom (`flags.LoadProjectRef`'s
warn-and-continue) is also unhandled in `projects list` and a few
`resolveOptional` callers — filed as CLI-1900 for its own dedicated
audit, since each caller needs independent verification against its Go
counterpart rather than a blanket fix.
…#5793)

## Current Behavior

Go defaults `--use-docker` to `true` on `functions download`
(`cmd/functions.go:181`); the TS port omitted the default, so it
resolved to `false`. This flipped the default download path (native HTTP
vs. Docker-proxied) whenever no flags were passed, and once fixed
naively, the mutex check between
`--use-api`/`--use-docker`/`--legacy-bundle` (truthiness-based) would
start misfiring on the new default-true value, and `--use-api` alone
would keep routing to Docker instead of overriding it the way Go's `if
useApi { useDocker = false }` does.

## Expected Behavior

- `useDocker` now defaults to `true` via `Flag.withDefault(true)`,
matching Go.
- The mutex check (`validateDownloadFlags`) now scans raw argv for
explicit flag presence (`hasExplicitLongFlag`, hoisted out of
`deploy.ts` into the shared `functions.shared.ts` family root, since
it's now used by two commands) instead of checking parsed boolean
truthiness — mirroring Go's `pflag.Changed`-based
`MarkFlagsMutuallyExclusive`.
- `downloadFunctions` gates the Docker/legacy-bundle proxy branch on
`!flags.useApi`, mirroring Go's value-based `if useApi { useDocker =
false }` override (`cmd/functions.go:51-53`) — not presence, so
`--use-api=false` still proxies to Docker like an unpassed `--use-api`
would.
- The Go-proxy arg builder (`makeGoProxyDownloadArgs`) now forwards at
most one of `--use-docker`/`--legacy-bundle` — previously it could
forward both once `useDocker` defaults true, which the Go binary's own
mutex check would then reject.
- Slug validation now runs unconditionally, before the proxy-dispatch
branch, so a malformed/traversal-shaped function name is rejected before
ever reaching the Go proxy's argv.
- The delegated Go call now runs with `SUPABASE_TELEMETRY_DISABLED=1`
(mirrors `db pull`/`db diff`'s delegated-call pattern), and in
`--output-format json|stream-json` its stdout is captured/discarded via
`execCapture` instead of inherited, with `downloadFunctions` emitting
the `Output` envelope itself — the Docker/legacy-bundle proxy branch is
now safe as the default path for both telemetry accuracy and
machine-output correctness (CLI-1546), not just opt-in flags.
- `rawArgs` is threaded through `DownloadFunctionsDependencies` from the
`Stdio.Stdio` service in both the legacy and next shell handlers (the
shared `downloadFunctions` helper is used by both); `next`'s own
`--use-docker` default is intentionally left unchanged — this is a
legacy/Go-parity-only fix.

## Known follow-ups (not fixed here)

- Go's own server-side unbundle extractor (`saveFile` in
`apps/cli-go/internal/functions/download/download.go`) lacks the
path-containment checks the native TS downloader already has —
pre-existing Go CLI behavior, now reachable by default rather than via
opt-in flags. Tracked as CLI-1891.
- `hasExplicitLongFlag` detects flag token presence, not resolved value,
so `--use-docker=false` isn't treated as disabling Docker in the mutex
check. Pre-existing pattern shared with `deploy.ts`.

Closes CLI-1862
… (Go parity) (#5809)

## What kind of change does this PR introduce?

Bug fix (Go CLI parity).

## What is the current behavior?

Go marks `--project-ref` telemetry-safe on all four `functions` leaf
commands (`cmd/functions.go:151,153,165,178`) — `list`, `delete`,
`deploy`, `download` — so the flag value is recorded verbatim in the
`cli_command_executed` PostHog event instead of being redacted.

The TS legacy port only did this for `list` and `deploy`. `functions
delete` and `functions download` were both redacting `--project-ref`,
diverging from Go and from their own sibling commands.

## What is the new behavior?

- Added `safeFlags` for `--project-ref` to `functions delete` and
`functions download`, matching `list`/`deploy` and Go.
- Hoisted the `["project-ref"]` safe-flags list into a shared
`FUNCTIONS_PROJECT_REF_SAFE_FLAGS` constant in
`shared/functions/functions.shared.ts`, now referenced by all four
commands instead of being duplicated inline.
- Exported each command's composed handler
(`legacyFunctionsDeleteHandler`, `legacyFunctionsDownloadHandler`) so
integration tests can drive the exact effect `Command.withHandler` wires
up, rather than re-testing the generic instrumentation wrapper in
isolation.
- Corrected stale/missing rows in `delete`/`download`'s
`SIDE_EFFECTS.md` (missing `Files Written`/`Files Read`/`Environment
Variables` rows, a stale `SUPABASE_API_URL` claim, and a new `Telemetry
Events Fired` section), reconciled against `list`'s already-accurate
doc.

Fixes CLI-1864
…5796)

## Current Behavior

Go's `secrets set` (`internal/secrets/set/set.go:20-24`) swallows a
malformed `supabase/config.toml` parse error to the debug logger and
proceeds with empty `EdgeRuntime.Secrets` — env-file and positional-arg
secrets still apply. `secrets set` has no
`--linked`/`--local`/`--db-url` flag, so the root PreRun never loads the
config first either; this is the only load. The TS port instead let the
parse error propagate as a fatal `LegacySecretsConfigParseError`,
aborting the whole command even when the user only wanted to set a
secret via CLI arg or env-file.

## Expected Behavior

- Catches `ProjectConfigParseError`, logs it to the debug logger, and
continues with no config-declared secrets, matching Go.
- The logged message is truncated before any blank-line-separated source
snippet: `smol-toml`'s `TomlError` (and some schema-decode errors) embed
a codeblock of the surrounding file lines in their message, which for
this file's `[edge_runtime.secrets]` section can include literal secret
values. Go's equivalent log line (`DecodeError.Error()`) is a short,
content-free message — its verbose `.String()` with the snippet is never
called by `set.go`. Truncating avoids echoing a user's own secret value
into `--debug` output next to an unrelated syntax error.
- Deletes the now-unused `LegacySecretsConfigParseError` (no remaining
references).
- Threads `LegacyDebugLogger` into the shared
`legacyManagementApiRuntimeLayer` (used by many legacy commands) since
the layer was already building the same instance internally for
`cliConfig`/`httpClient`/`credentials` but never exposed it at the top
level — the file's own doc comment describes this as the sanctioned way
to add a new commonly-needed top-level service.

Fixes CLI-1867
…oggle consent (#5798)

## What kind of change does this PR introduce?

Bug fix (Go parity).

## What is the current behavior?

Go's `cli_command_executed` telemetry event is gated on a consent
snapshot read once at process start (`PersistentPreRunE`,
`apps/cli-go/cmd/root.go:131-138`), before a command's own handler runs,
and fired after the handler completes (`:171-181`) based on that
snapshot — not on any value the handler itself just wrote. This applies
uniformly to every command, including `telemetry enable`/`disable`
themselves.

The TS legacy port instead unconditionally suppressed this event for
both `telemetry enable` and `telemetry disable` via `analytics: false`,
so neither command ever fired it, regardless of prior telemetry state.

## What is the new behavior?

`analytics: false` is removed from both commands. The existing
`legacyAnalyticsLayer`/`telemetryRuntimeLayer` machinery already reads
consent from disk once, at Effect layer-construction time — before
either handler mutates `telemetry.json` — so this reproduces Go's
snapshot semantics without any new bespoke logic:

- Running `disable` while telemetry is enabled fires the event one last
time (using the pre-toggle, still-enabled snapshot); running it while
already disabled stays silent.
- Running `enable` while telemetry is already enabled (a
redundant/idempotent invocation) fires the event; the common case
(enabling from disabled) stays silent.

This is intentionally broader than the original report's "disable only"
framing — tracing Go's actual gate (`internal/telemetry/service.go`'s
`canSend()`) showed it's symmetric and state-based, not command-based,
so scoping the fix to `disable` alone would have left a real (if narrow)
parity gap for the redundant-`enable` case.

Also documents a previously-unmentioned side effect: when the event
fires, the command now waits (bounded, ~5s) for a PostHog flush attempt
before exiting, since the analytics client's shutdown is a finalizer
around the whole command run.

Closes CLI-1868
…#5821)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[google.golang.org/grpc](https://github.com/grpc/grpc-go).
Bumps the go-minor group with 1 update in the /apps/cli-go/pkg
directory: [google.golang.org/grpc](https://github.com/grpc/grpc-go).

Updates `google.golang.org/grpc` from 1.81.1 to 1.82.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's
releases</a>.</em></p>
<blockquote>
<h2>Release 1.82.0</h2>
<h1>Behavior Changes</h1>
<ul>
<li>server: Remove support for
<code>GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING</code>
environment varibale. Strict incoming RPC path validation (which has
been the default since <code>v1.79.3</code>) can no longer be disabled.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9112">#9112</a>)</li>
<li>transport: Add environment variable to change the default max header
list size from <code>16MB</code> to <code>8KB</code>. This may be
enabled by setting
<code>GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true</code>.
This will be enabled by default in a subsequent release. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9019">#9019</a>)</li>
<li>balancer: Load Balancing policy registry is now case-sensitive. Set
<code>GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false</code>
(and file an issue) to revert to case-insensitive behavior. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9017">#9017</a>)</li>
</ul>
<h1>New Features</h1>
<ul>
<li>experimental/stats: Expose a new API,
<code>NewContextWithLabelCallback</code>, to register a callback that is
invoked when telemetry labels are added. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8877">#8877</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/seth-epps"><code>@​seth-epps</code></a></li>
</ul>
</li>
<li>client: Return a portion of the response body in the error message,
when the client receives an unexpected non-gRPC HTTP response, to make
debugging easier. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/chengxilo"><code>@​chengxilo</code></a></li>
</ul>
</li>
<li>server: Add environment variable
<code>GRPC_GO_SERVER_GOROUTINE_LABELS</code> that controls setting
<code>runtime/pprof.Labels</code> on goroutines spawned by the server.
Set <code>GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true</code> to add
the <code>grpc.method</code> label on goroutines spawned to handle
incoming requests. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/dfinkel"><code>@​dfinkel</code></a></li>
</ul>
</li>
</ul>
<h1>Bug Fixes</h1>
<ul>
<li>xds/server: Fix a memory leak of HTTP filter instances occurring
when route configurations are updated in-place during a Route Discovery
Service (RDS) update. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9138">#9138</a>)</li>
<li>grpc: In the deprecated <code>gzip</code> Compressor (used via the
deprecated <code>WithCompressor</code> dial option), enforce the
<code>MaxRecvMsgSize</code> limit on the decompressed message buffer,
preventing excessive memory allocation from highly compressed payloads.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9114">#9114</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/evilgensec"><code>@​evilgensec</code></a></li>
</ul>
</li>
<li>stats/opentelemetry: Record retry attempts,
<code>grpc.previous-rpc-attempts</code>, at the call level and not the
attempt level. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8923">#8923</a>)</li>
<li>encoding: Ensure <code>Close()</code> is always called on readers
returned from <code>Compressor.Decompress</code> if possible. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9135">#9135</a>)</li>
<li>channelz: Fix the <code>LastMessageSentTimestamp</code> and
<code>LastMessageReceivedTimestamp</code> fields in
<code>SocketMetrics</code> to ensure they contain correct timestamp
values. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9109">#9109</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc-go/commit/bd239854f0ab7f1ee63457d47f7c1d2675e1f736"><code>bd23985</code></a>
Change version to 1.82.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9170">#9170</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/0f3086db7a755b6af83a90809471dd7f645b345a"><code>0f3086d</code></a>
Fix minor issues not covered by PR <a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9147">#9147</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/fef07fbb2b94b668e8daca1f6b70433dcd36c1c8"><code>fef07fb</code></a>
internal: Split v3procservicepb import into pb and grpc for extproc (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9163">#9163</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/91dd64f4b83cb5134e279d1126ebb1ccf47d4d31"><code>91dd64f</code></a>
transport: surface subsequent data when receiving non-gRPC header (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/adc97de9521a9f377dab5e911039842dc4de23e5"><code>adc97de</code></a>
test/kokoro: add config for regional-td test (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9158">#9158</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/57c9ff14e05b535ee6995ba49bc882b287a175de"><code>57c9ff1</code></a>
xds: ensure full-string matching for RBAC Filter rules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9148">#9148</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/b58f32d9ff07c612d64e677bd826bcbec88af9bd"><code>b58f32d</code></a>
server: Set a pprof label on new stream goroutines (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/6c98be31ce0aec1592b783b0edb16916eb5acd89"><code>6c98be3</code></a>
refactor(transport): extract shared stream state handling logic in
`loopyWrit...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/bcaa6f4df4546c86e12ef3e95852c7baf7a08d67"><code>bcaa6f4</code></a>
rls: only reset backoff on recovery from TRANSIENT_FAILURE (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/429e6e06363a01f0dd9f9b6b9cf0c0e6617cda12"><code>429e6e0</code></a>
balancer: expose endpoint weight and hostname as experimental APIs (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9074">#9074</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `google.golang.org/grpc` from 1.81.1 to 1.82.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's
releases</a>.</em></p>
<blockquote>
<h2>Release 1.82.0</h2>
<h1>Behavior Changes</h1>
<ul>
<li>server: Remove support for
<code>GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING</code>
environment varibale. Strict incoming RPC path validation (which has
been the default since <code>v1.79.3</code>) can no longer be disabled.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9112">#9112</a>)</li>
<li>transport: Add environment variable to change the default max header
list size from <code>16MB</code> to <code>8KB</code>. This may be
enabled by setting
<code>GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true</code>.
This will be enabled by default in a subsequent release. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9019">#9019</a>)</li>
<li>balancer: Load Balancing policy registry is now case-sensitive. Set
<code>GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false</code>
(and file an issue) to revert to case-insensitive behavior. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9017">#9017</a>)</li>
</ul>
<h1>New Features</h1>
<ul>
<li>experimental/stats: Expose a new API,
<code>NewContextWithLabelCallback</code>, to register a callback that is
invoked when telemetry labels are added. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8877">#8877</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/seth-epps"><code>@​seth-epps</code></a></li>
</ul>
</li>
<li>client: Return a portion of the response body in the error message,
when the client receives an unexpected non-gRPC HTTP response, to make
debugging easier. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/chengxilo"><code>@​chengxilo</code></a></li>
</ul>
</li>
<li>server: Add environment variable
<code>GRPC_GO_SERVER_GOROUTINE_LABELS</code> that controls setting
<code>runtime/pprof.Labels</code> on goroutines spawned by the server.
Set <code>GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true</code> to add
the <code>grpc.method</code> label on goroutines spawned to handle
incoming requests. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/dfinkel"><code>@​dfinkel</code></a></li>
</ul>
</li>
</ul>
<h1>Bug Fixes</h1>
<ul>
<li>xds/server: Fix a memory leak of HTTP filter instances occurring
when route configurations are updated in-place during a Route Discovery
Service (RDS) update. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9138">#9138</a>)</li>
<li>grpc: In the deprecated <code>gzip</code> Compressor (used via the
deprecated <code>WithCompressor</code> dial option), enforce the
<code>MaxRecvMsgSize</code> limit on the decompressed message buffer,
preventing excessive memory allocation from highly compressed payloads.
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9114">#9114</a>)
<ul>
<li>Special Thanks: <a
href="https://github.com/evilgensec"><code>@​evilgensec</code></a></li>
</ul>
</li>
<li>stats/opentelemetry: Record retry attempts,
<code>grpc.previous-rpc-attempts</code>, at the call level and not the
attempt level. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8923">#8923</a>)</li>
<li>encoding: Ensure <code>Close()</code> is always called on readers
returned from <code>Compressor.Decompress</code> if possible. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9135">#9135</a>)</li>
<li>channelz: Fix the <code>LastMessageSentTimestamp</code> and
<code>LastMessageReceivedTimestamp</code> fields in
<code>SocketMetrics</code> to ensure they contain correct timestamp
values. (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9109">#9109</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/grpc/grpc-go/commit/bd239854f0ab7f1ee63457d47f7c1d2675e1f736"><code>bd23985</code></a>
Change version to 1.82.0 (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9170">#9170</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/0f3086db7a755b6af83a90809471dd7f645b345a"><code>0f3086d</code></a>
Fix minor issues not covered by PR <a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>
(<a
href="https://redirect.github.com/grpc/grpc-go/issues/9147">#9147</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/fef07fbb2b94b668e8daca1f6b70433dcd36c1c8"><code>fef07fb</code></a>
internal: Split v3procservicepb import into pb and grpc for extproc (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9163">#9163</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/91dd64f4b83cb5134e279d1126ebb1ccf47d4d31"><code>91dd64f</code></a>
transport: surface subsequent data when receiving non-gRPC header (<a
href="https://redirect.github.com/grpc/grpc-go/issues/8929">#8929</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/adc97de9521a9f377dab5e911039842dc4de23e5"><code>adc97de</code></a>
test/kokoro: add config for regional-td test (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9158">#9158</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/57c9ff14e05b535ee6995ba49bc882b287a175de"><code>57c9ff1</code></a>
xds: ensure full-string matching for RBAC Filter rules (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9148">#9148</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/b58f32d9ff07c612d64e677bd826bcbec88af9bd"><code>b58f32d</code></a>
server: Set a pprof label on new stream goroutines (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9082">#9082</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/6c98be31ce0aec1592b783b0edb16916eb5acd89"><code>6c98be3</code></a>
refactor(transport): extract shared stream state handling logic in
`loopyWrit...</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/bcaa6f4df4546c86e12ef3e95852c7baf7a08d67"><code>bcaa6f4</code></a>
rls: only reset backoff on recovery from TRANSIENT_FAILURE (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9137">#9137</a>)</li>
<li><a
href="https://github.com/grpc/grpc-go/commit/429e6e06363a01f0dd9f9b6b9cf0c0e6617cda12"><code>429e6e0</code></a>
balancer: expose endpoint weight and hostname as experimental APIs (<a
href="https://redirect.github.com/grpc/grpc-go/issues/9074">#9074</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions-major group with 2 updates:
[docker/build-push-action](https://github.com/docker/build-push-action)
and
[docker/setup-qemu-action](https://github.com/docker/setup-qemu-action).

Updates `docker/build-push-action` from 7.2.0 to 7.3.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/build-push-action/releases">docker/build-push-action's
releases</a>.</em></p>
<blockquote>
<h2>v7.3.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1567">docker/build-push-action#1567</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1545">docker/build-push-action#1545</a>
<a
href="https://redirect.github.com/docker/build-push-action/pull/1572">docker/build-push-action#1572</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1568">docker/build-push-action#1568</a></li>
<li>Bump js-yaml from 4.1.1 to 4.3.0 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1566">docker/build-push-action#1566</a></li>
<li>Bump tmp from 0.2.5 to 0.2.7 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1547">docker/build-push-action#1547</a></li>
<li>Bump undici from 6.24.1 to 6.27.0 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1564">docker/build-push-action#1564</a></li>
<li>Bump vite from 7.3.2 to 7.3.6 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1563">docker/build-push-action#1563</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v7.2.0...v7.3.0">https://github.com/docker/build-push-action/compare/v7.2.0...v7.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/build-push-action/commit/53b7df96c91f9c12dcc8a07bcb9ccacbed38856a"><code>53b7df9</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1572">#1572</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/154298c1ca89be1c0e019084f0611ddca621aafc"><code>154298c</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/cb1238b9c9eb453d106b4e4142a5bd9cde710040"><code>cb1238b</code></a>
chore(deps): Bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/24f845d5cbe75d2d350a984fd0e18cb7a3f29c1c"><code>24f845d</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1566">#1566</a>
from docker/dependabot/npm_and_yarn/js-yaml-4.2.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/9c6973007b52c322651c38915d5e8824cea95c50"><code>9c69730</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/bc3a3a5f72a6dca16c2c2468d1dfc55ee66d2193"><code>bc3a3a5</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1574">#1574</a>
from docker/dependabot/github_actions/aws-actions/co...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/a82c504a2387bb8bedc50072f9c554ae2a7dab5d"><code>a82c504</code></a>
chore(deps): Bump js-yaml from 4.1.1 to 4.3.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/0285a75190c039d6dac52b7711abcef3f5d8f6f6"><code>0285a75</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1573">#1573</a>
from docker/dependabot/github_actions/actions/cache-...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/c6ad2a3f9644680619de938b97c8a10a87b2a88d"><code>c6ad2a3</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1575">#1575</a>
from docker/dependabot/github_actions/actions/checko...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/d37484fb9737c5442a257e2f0ae5a8d756ed7d92"><code>d37484f</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1564">#1564</a>
from docker/dependabot/npm_and_yarn/undici-6.27.0</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/build-push-action/compare/f9f3042f7e2789586610d6e8b85c8f03e5195baf...53b7df96c91f9c12dcc8a07bcb9ccacbed38856a">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-qemu-action` from 4.1.0 to 4.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-qemu-action/releases">docker/setup-qemu-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.2.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/311">docker/setup-qemu-action#311</a></li>
<li>Bump <code>@​actions/core</code> from 3.0.0 to 3.0.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/295">docker/setup-qemu-action#295</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.91.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/315">docker/setup-qemu-action#315</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/312">docker/setup-qemu-action#312</a></li>
<li>Bump js-yaml from 4.1.1 to 4.2.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/310">docker/setup-qemu-action#310</a></li>
<li>Bump tmp from 0.2.6 to 0.2.7 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/304">docker/setup-qemu-action#304</a></li>
<li>Bump undici from 6.26.0 to 6.27.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/308">docker/setup-qemu-action#308</a></li>
<li>Bump vite from 7.3.2 to 7.3.6 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/307">docker/setup-qemu-action#307</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-qemu-action/compare/v4.1.0...v4.2.0">https://github.com/docker/setup-qemu-action/compare/v4.1.0...v4.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/96fe6ef7f33517b61c61be40b68a1882f3264fb8"><code>96fe6ef</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/315">#315</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/31f08d3fc9186dbe4b4550696f2e32e9aa7f9465"><code>31f08d3</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/4e7017a474d2cf3912bb0437f7fafec6d5fb6c52"><code>4e7017a</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/0eca235293ca1939b58c082f69bdc981ccce8c94"><code>0eca235</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/314">#314</a>
from crazy-max/fix-yarn-preapprove-actions-toolkit</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ea66a4130b037e7961e14a0e5b155836e797cced"><code>ea66a41</code></a>
chore: allow actions-toolkit to bypass yarn age gate</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/451542b03ae7946b7082a398b11c8c315a0e4e80"><code>451542b</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/308">#308</a>
from docker/dependabot/npm_and_yarn/undici-6.27.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/532ae0057542ec2102e2d19e9feccf85f1f69013"><code>532ae00</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/b6f5af659afad3f9931b782668dee4595ae7e841"><code>b6f5af6</code></a>
build(deps): bump undici from 6.26.0 to 6.27.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/cf96b86294b57480ac6d330bd177fca87eac95bc"><code>cf96b86</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/304">#304</a>
from docker/dependabot/npm_and_yarn/tmp-0.2.7</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/f0ba643f78dc96bc931fb83e5dadc39628e10047"><code>f0ba643</code></a>
[dependabot skip] chore: update generated content</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-qemu-action/compare/06116385d9baf250c9f4dcb4858b16962ea869c3...96fe6ef7f33517b61c61be40b68a1882f3264fb8">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 6 updates:

| Package | From | To |
| --- | --- | --- |
|
[@supabase/supabase-js](https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js)
| `2.108.2` | `2.110.0` |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.196` | `0.3.197` |
|
[@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript)
| `0.107.0` | `0.109.0` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.38.8` | `5.39.1` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260629.1` | `7.0.0-dev.20260630.1` |
| [oxlint-tsgolint](https://github.com/oxc-project/tsgolint) | `0.23.0`
| `0.24.0` |

Updates `@supabase/supabase-js` from 2.108.2 to 2.110.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/supabase/supabase-js/releases">@​supabase/supabase-js's
releases</a>.</em></p>
<blockquote>
<h2>v2.110.0</h2>
<h2>2.110.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>repo:</strong> drop Node.js 20 support (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
<h2>v2.110.0-canary.0</h2>
<h2>2.110.0-canary.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>repo:</strong> drop Node.js 20 support (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
<h2>v2.109.0</h2>
<h2>2.109.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>auth:</strong> add custom_claims_allowlist to custom
providers admin API (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2473">#2473</a>)</li>
<li><strong>realtime:</strong> add postgres_changes filter builder, new
operators and select (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2463">#2463</a>)</li>
<li><strong>storage:</strong> expose purgeCache for buckets and single
objects (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2429">#2429</a>)</li>
</ul>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>functions:</strong> honor a caller's Content-Type override
regardless of casing (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2455">#2455</a>)</li>
<li><strong>realtime:</strong> pin <code>@​supabase/phoenix</code> and
browser test CDN deps (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2457">#2457</a>)</li>
<li><strong>realtime:</strong> add replication connection system message
option (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2470">#2470</a>)</li>
<li><strong>storage:</strong> keep sortBy defaults when list() is given
a partial sortBy (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2454">#2454</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Anubhav Anand <a
href="https://github.com/i-anubhav-anand"><code>@​i-anubhav-anand</code></a></li>
<li>Cemal Kılıç <a
href="https://github.com/cemalkilic"><code>@​cemalkilic</code></a></li>
<li>Claude Opus 4.8 (1M context)</li>
<li>Filipe Cabaço <a
href="https://github.com/filipecabaco"><code>@​filipecabaco</code></a></li>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
<li>Lenny</li>
<li>Rodrigo Mansueli <a
href="https://github.com/mansueli"><code>@​mansueli</code></a></li>
</ul>
<h2>v2.108.3-canary.2</h2>
<h2>2.108.3-canary.2 (2026-06-19)</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/supabase/supabase-js/blob/master/packages/core/supabase-js/CHANGELOG.md">@​supabase/supabase-js's
changelog</a>.</em></p>
<blockquote>
<h2>2.110.0 (2026-06-30)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>repo:</strong> drop Node.js 20 support (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2482">#2482</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
<h2>2.109.0 (2026-06-30)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>realtime:</strong> pin <code>@​supabase/phoenix</code> and
browser test CDN deps (<a
href="https://redirect.github.com/supabase/supabase-js/pull/2457">#2457</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Katerina Skroumpelou <a
href="https://github.com/mandarini"><code>@​mandarini</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/supabase/supabase-js/commit/c3d5e6d2949b0248de8ba97991e4484f0b57c83f"><code>c3d5e6d</code></a>
feat(repo): drop Node.js 20 support (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2482">#2482</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/b2e02b997aaf81b4c09dcc67966629296b96f681"><code>b2e02b9</code></a>
chore(release): version 2.109.0 changelogs (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2481">#2481</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/dd2d4c270f0d6b84e61f3fa80330c42966783f87"><code>dd2d4c2</code></a>
fix(realtime): pin <code>@​supabase/phoenix</code> and browser test CDN
deps (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2457">#2457</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/a25062e9285fa8e3bd702c59ddda0d87ad1fcc27"><code>a25062e</code></a>
chore(release): version 2.108.2 changelogs (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2449">#2449</a>)</li>
<li><a
href="https://github.com/supabase/supabase-js/commit/b3e5f2d7a312eff971dfd9c7226c9c4edbc0de0f"><code>b3e5f2d</code></a>
chore(ci): unpin realtime version (<a
href="https://github.com/supabase/supabase-js/tree/HEAD/packages/core/supabase-js/issues/2432">#2432</a>)</li>
<li>See full diff in <a
href="https://github.com/supabase/supabase-js/commits/v2.110.0/packages/core/supabase-js">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.196 to 0.3.197
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.197</h2>
<h2>What's changed</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.197</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.197
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.197
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.197
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.197
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.197</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.197</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/ccd90af1279349d9d1cf641eec8a43664c94ebdf"><code>ccd90af</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.196...v0.3.197">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/sdk` from 0.107.0 to 0.109.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@​anthropic-ai/sdk's
releases</a>.</em></p>
<blockquote>
<h2>sdk: v0.109.0</h2>
<h2>0.109.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.108.0...sdk-v0.109.0">sdk-v0.108.0...sdk-v0.109.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for Managed Agents event delta
streaming, agent overrides, reverse pagination, vault credential
injection scoping, and agent and deployment webhook events (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7f3211b4886053d25e98b91edc90fedc199ef186">7f3211b</a>)</li>
</ul>
<h2>sdk: v0.108.0</h2>
<h2>0.108.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.108.0">sdk-v0.107.0...sdk-v0.108.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for claude-sonnet-5 (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4588db01eccd7529a5d2e99b8e5da3af1acdbbc8">4588db0</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>agent-toolset:</strong> allow absolute paths that resolve
inside workdir (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/e951fb2ed70f8d6cd0113ae1642a795404e1cc9a">e951fb2</a>)</li>
</ul>
<h3>Chores</h3>
<ul>
<li>format README.md (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/98dcff71b632a92e0e1dff19ca4a95439a5fe447">98dcff7</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.109.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.108.0...sdk-v0.109.0">sdk-v0.108.0...sdk-v0.109.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for Managed Agents event delta
streaming, agent overrides, reverse pagination, vault credential
injection scoping, and agent and deployment webhook events (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/7f3211b4886053d25e98b91edc90fedc199ef186">7f3211b</a>)</li>
</ul>
<h2>0.108.0 (2026-06-30)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.108.0">sdk-v0.107.0...sdk-v0.108.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add support for claude-sonnet-5 (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4588db01eccd7529a5d2e99b8e5da3af1acdbbc8">4588db0</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>agent-toolset:</strong> allow absolute paths that resolve
inside workdir (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/e951fb2ed70f8d6cd0113ae1642a795404e1cc9a">e951fb2</a>)</li>
</ul>
<h3>Chores</h3>
<ul>
<li>format README.md (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>)
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/98dcff71b632a92e0e1dff19ca4a95439a5fe447">98dcff7</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cb829c764293963665481f0b2a60f2e0923270ac"><code>cb829c7</code></a>
chore: release main</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fd0341dfe7a77f28678c9e474485bc7331e426d4"><code>fd0341d</code></a>
feat(api): add support for Managed Agents event delta streaming, agent
overri...</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/90f767ae9078ac808c758670aac408267fa2c49f"><code>90f767a</code></a>
codegen metadata</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/ed986cd68c9ca8674ac2548be479a1d4c6a282b6"><code>ed986cd</code></a>
chore: release main</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/d3ffad4927b0da3baffde66b1372f8f0b4a7c434"><code>d3ffad4</code></a>
chore: format README.md (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/176">#176</a>)</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/6b46ad31ff2682376f6e9f4c732ed35d3c45693b"><code>6b46ad3</code></a>
feat(api): add support for claude-sonnet-5</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/8200ffac10fab553883efae64cf24a514add2b04"><code>8200ffa</code></a>
feat(vertex): bump google-auth-library to ^10.2.0 (SDK-91) (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/30">#30</a>)</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/fa06d36ccb07b32a7098b71d40713add611548cc"><code>fa06d36</code></a>
feat(bedrock): pass client logger to AWS credential provider chain
(SDK-90) (...</li>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/0fff7faad710ffaf2ceeb7f7f05139bbec72e6cc"><code>0fff7fa</code></a>
fix(agent-toolset): allow absolute paths that resolve inside workdir (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/112">#112</a>)</li>
<li>See full diff in <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.107.0...sdk-v0.109.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.38.8 to 5.39.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.39.1</h2>
<h2>5.39.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4029">#4029</a>
<a
href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Call <code>before_send</code> for identify, group identify, and alias
events.
(2026-06-30)</p>
</li>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4027">#4027</a>
<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Safely serialize event batches with circular property references instead
of crashing during flush.
(2026-06-30)</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>]:</p>
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.2</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.39.0</h2>
<h2>5.39.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4006">#4006</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>
Thanks <a
href="https://github.com/apps/github-actions"><code>@​github-actions</code></a>!
- Add <code>groupIdentifyImmediate()</code> to await the network request
when identifying a group, mirroring
<code>captureImmediate</code>/<code>identifyImmediate</code>/<code>aliasImmediate</code>.
Useful in edge/serverless environments where the background queue may
not flush. The Convex integration now uses it directly instead of
routing <code>$groupidentify</code> through
<code>captureImmediate</code>.
(2026-06-30)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.0</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.39.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4029">#4029</a>
<a
href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Call <code>before_send</code> for identify, group identify, and alias
events.
(2026-06-30)</p>
</li>
<li>
<p><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4027">#4027</a>
<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Safely serialize event batches with circular property references instead
of crashing during flush.
(2026-06-30)</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>]:</p>
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.2</li>
</ul>
</li>
</ul>
<h2>5.39.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4006">#4006</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>
Thanks <a
href="https://github.com/apps/github-actions"><code>@​github-actions</code></a>!
- Add <code>groupIdentifyImmediate()</code> to await the network request
when identifying a group, mirroring
<code>captureImmediate</code>/<code>identifyImmediate</code>/<code>aliasImmediate</code>.
Useful in edge/serverless environments where the background queue may
not flush. The Convex integration now uses it directly instead of
routing <code>$groupidentify</code> through
<code>captureImmediate</code>.
(2026-06-30)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.0</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/a5181ba36f64cf69108be2f0fbf1e68dbeb4e827"><code>a5181ba</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/b36b1cc2bf771bc944a304c9523d0991a31a5fbd"><code>b36b1cc</code></a>
fix(node): run before_send for all captured events (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4029">#4029</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/ab118d278856e5f995229ab476987fcac936a25a"><code>ab118d2</code></a>
fix(node): handle circular event properties during flush (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4027">#4027</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/0c95bce7a2b01707691783a41730ec89699cb429"><code>0c95bce</code></a>
fix: satisfy SDK compliance harness 0.8.0 (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/3998">#3998</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/254c5b15597ea06c7cd9967708b11b49707267ae"><code>254c5b1</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/0063128fc443158e44c9b6bab623420fc04d8c4c"><code>0063128</code></a>
feat: Add groupIdentifyImmediate() method to Node.js SDK (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4006">#4006</a>)</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.1/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260629.1 to
7.0.0-dev.20260630.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `oxlint-tsgolint` from 0.23.0 to 0.24.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/oxc-project/tsgolint/releases">oxlint-tsgolint's
releases</a>.</em></p>
<blockquote>
<h2>v0.24.0</h2>
<h2>What's Changed</h2>
<ul>
<li>ci: run windows e2e pnpm commands outside workspace by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/969">oxc-project/tsgolint#969</a></li>
<li>test(no-deprecated): add test for only <code>allow</code> by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/970">oxc-project/tsgolint#970</a></li>
<li>fix(no-deprecated): report contextual object literal properties by
<a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/944">oxc-project/tsgolint#944</a></li>
<li>Update README with PRs note on new rules by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/972">oxc-project/tsgolint#972</a></li>
<li>fix(strict-boolean-expressions): guard invalid predicate indexes by
<a href="https://github.com/camchenry"><code>@​camchenry</code></a> in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/971">oxc-project/tsgolint#971</a></li>
<li>fix(no-deprecated): fix crash when getting prop name for non-literal
by <a href="https://github.com/camchenry"><code>@​camchenry</code></a>
in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/973">oxc-project/tsgolint#973</a></li>
<li>test(no-deprecated): add non-literal computed key regression by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/974">oxc-project/tsgolint#974</a></li>
<li>test(no-floating-promises): sync tests with typescript-eslint by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/975">oxc-project/tsgolint#975</a></li>
<li>fix(no-floating-promises): handle spread arguments before rejection
handlers by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/976">oxc-project/tsgolint#976</a></li>
<li>chore(deps): update crate-ci/typos action to v1.46.2 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/979">oxc-project/tsgolint#979</a></li>
<li>refactor: remove unneeded <code>nil</code> checks in
<code>strict-boolean-expressions</code> by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/980">oxc-project/tsgolint#980</a></li>
<li>perf(no-unsafe-assignment): add fast-path for sender type by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/981">oxc-project/tsgolint#981</a></li>
<li>feat: add per-rule debug timings by <a
href="https://github.com/camchenry"><code>@​camchenry</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/960">oxc-project/tsgolint#960</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/982">oxc-project/tsgolint#982</a></li>
<li>chore(deps): update dprint plugins by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/984">oxc-project/tsgolint#984</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/985">oxc-project/tsgolint#985</a></li>
<li>chore(deps): update gomod by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/986">oxc-project/tsgolint#986</a></li>
<li>chore(deps): update crate-ci/typos action to v1.46.3 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/988">oxc-project/tsgolint#988</a></li>
<li>test(no-deprecated): cover call and jsx deprecated properties by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/989">oxc-project/tsgolint#989</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/991">oxc-project/tsgolint#991</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/993">oxc-project/tsgolint#993</a></li>
<li>chore(deps): update crate-ci/typos action to v1.47.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/995">oxc-project/tsgolint#995</a></li>
<li>chore(deps): update module github.com/dlclark/regexp2/v2 to v2.1.1
by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/994">oxc-project/tsgolint#994</a></li>
<li>fix(prefer-optional-chain): suggest unsafe nullish rewrite by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/996">oxc-project/tsgolint#996</a></li>
<li>chore(deps): update pnpm to v11.4.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/997">oxc-project/tsgolint#997</a></li>
<li>refactor: cache suppress program diagnostics env by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/999">oxc-project/tsgolint#999</a></li>
<li>refactor: use <code>sync.OnceValue</code> for logLevel by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1000">oxc-project/tsgolint#1000</a></li>
<li>test(no-unnecessary-type-assertion): sync tests with
typescript-eslint by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/998">oxc-project/tsgolint#998</a></li>
<li>fix(no-unnecessary-type-assertion): enable skipped upstream cases by
<a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1001">oxc-project/tsgolint#1001</a></li>
<li>fix(justfile): use --ignore-workspace for e2e pnpm commands by <a
href="https://github.com/swandir"><code>@​swandir</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/983">oxc-project/tsgolint#983</a></li>
<li>test(no-unnecessary-type-arguments): sync tests with
typescript-eslint by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1003">oxc-project/tsgolint#1003</a></li>
<li>test(no-unnecessary-type-assertion): cover nullable literal
assertion by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1002">oxc-project/tsgolint#1002</a></li>
<li>fix(no-unnecessary-type-arguments): preserve constructor inference
by <a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1004">oxc-project/tsgolint#1004</a></li>
<li>refactor: remove <code>OXLINT_TSGOLINT_TIMINGS</code> env var by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1005">oxc-project/tsgolint#1005</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1007">oxc-project/tsgolint#1007</a></li>
<li>fix(prefer-optional-chain): optional chain type assertion handling
by <a href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1009">oxc-project/tsgolint#1009</a></li>
<li>chore(deps): update typos to v1.47.1 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1010">oxc-project/tsgolint#1010</a></li>
<li>chore(deps): update typos to v1.47.2 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1012">oxc-project/tsgolint#1012</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1013">oxc-project/tsgolint#1013</a></li>
<li>chore(deps): update gomod by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1014">oxc-project/tsgolint#1014</a></li>
<li>chore(deps): update github actions to v2.81.5 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1015">oxc-project/tsgolint#1015</a></li>
<li>chore: update typescript-go submodule by <a
href="https://github.com/camc314"><code>@​camc314</code></a> in <a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1016">oxc-project/tsgolint#1016</a></li>
<li>chore(deps): update github actions by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1017">oxc-project/tsgolint#1017</a></li>
<li>chore(deps): update gomod to v0.46.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1018">oxc-project/tsgolint#1018</a></li>
<li>chore(deps): update gomod to v2.2.2 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1021">oxc-project/tsgolint#1021</a></li>
<li>chore(deps): update github actions to v2.82.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1023">oxc-project/tsgolint#1023</a></li>
<li>chore(deps): update dprint plugins to v0.22.0 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1022">oxc-project/tsgolint#1022</a></li>
<li>chore(deps): update github actions to v7 by <a
href="https://github.com/renovate"><code>@​renovate</code></a>[bot] in
<a
href="https://redirect.github.com/oxc-project/tsgolint/pull/1024">oxc-project/tsgolint#1024</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/5a37e8902f65440900be1436b814919fcdb4e3d4"><code>5a37e89</code></a>
fix(dot-notation): determine the relevant accessor (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1028">#1028</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/67a281f613312a30665e7d39dfb47f5c15b0ca60"><code>67a281f</code></a>
perf(consistent-return): defer per-function type resolution (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1031">#1031</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/a5e2ff0be1102d9082e13ec35f1f0e4ca7fa65ad"><code>a5e2ff0</code></a>
perf(no-unnecessary-qualifier): skip symbol resolution outside
namespaces. (#...</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/a8fc6685df0a817e7c5045a4e3e141d342839959"><code>a8fc668</code></a>
perf(no-confusing-void-expression): check ancestor position before type
query...</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/03158cc4c0a0ef2c8bdccab71e6d2723fcc1c4f2"><code>03158cc</code></a>
perf(no-unnecessary-type-conversion): hoist constant builtin-name slices
(<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1040">#1040</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/d9e645c266b6c4b4671b0a3dc5d3935dbda3a5ef"><code>d9e645c</code></a>
perf(prefer-optional-chain): lazily allocate chain-processor caches (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1041">#1041</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/63f578abe093d7a7e8cb523a1e5e96aacf06b220"><code>63f578a</code></a>
refactor(no-unnecessary-condition): remove dead
containsUnguardedElementAcces...</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/f174876a906e0350aff2b75d5607775529c9f845"><code>f174876</code></a>
chore(deps): update gomod (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1035">#1035</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/47de9cfea53da0ae274bc78d47388e3bdd5b7341"><code>47de9cf</code></a>
chore(deps): update github actions (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1036">#1036</a>)</li>
<li><a
href="https://github.com/oxc-project/tsgolint/commit/e209b5b27f5fd22810735bfbfdb0785cbc5d4215"><code>e209b5b</code></a>
chore(deps): update actions/cache action to v6 (<a
href="https://redirect.github.com/oxc-project/tsgolint/issues/1037">#1037</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/oxc-project/tsgolint/compare/v0.23.0...v0.24.0">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…cli-go/pkg (#5825)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.50.0 to 0.52.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/a1c0d9929856c8aba2b31f079340f00578eda803"><code>a1c0d99</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/3c7c86938f4541c333d506f719388d9c42d4763d"><code>3c7c869</code></a>
ssh: fix deadlock on unexpected channel responses</li>
<li><a
href="https://github.com/golang/crypto/commit/533fb3f7e4a5ae23f69d1837cd851d35ff5b76ce"><code>533fb3f</code></a>
ssh: fix source-address critical option bypass</li>
<li><a
href="https://github.com/golang/crypto/commit/abbc44d451a6f9236a2bbd26cbcd4d0fec473da3"><code>abbc44d</code></a>
ssh: fix incorrect operator order</li>
<li><a
href="https://github.com/golang/crypto/commit/e052873987615dc96fe67607a9a6adb76311344f"><code>e052873</code></a>
ssh: fix infinite loop on large channel writes due to integer
overflow</li>
<li><a
href="https://github.com/golang/crypto/commit/b61cf853a89d82cad68da5e12a6beca2116f8456"><code>b61cf85</code></a>
ssh: enforce user presence verification for security keys</li>
<li><a
href="https://github.com/golang/crypto/commit/9c2cd33e8d96a96133fd6ff732510ebba539c2bd"><code>9c2cd33</code></a>
ssh: enforce strict limits on DSA key parameters</li>
<li><a
href="https://github.com/golang/crypto/commit/890731877d85f71cfdc9554e7a27fec4684fc4c4"><code>8907318</code></a>
ssh: reject RSA keys with excessively large moduli</li>
<li><a
href="https://github.com/golang/crypto/commit/ffd87b4878fa98ca2908ec534e1a410bf095a35e"><code>ffd87b4</code></a>
ssh: fix panic when authority callbacks are nil</li>
<li><a
href="https://github.com/golang/crypto/commit/4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946"><code>4e7a738</code></a>
ssh: fix deadlock on unexpected global responses</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.50.0...v0.52.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.50.0&new-version=0.52.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/supabase/cli/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## TL;DR

adds Colima rootless docker socket fallback to vector start

## Ref

- closes #5073
…emplates with 3 updates (#5822)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3
updates: supabase/studio, supabase/realtime and supabase/storage-api.

Updates `supabase/studio` from 2026.07.06-sha-66cf431 to
2026.07.07-sha-a6a04f2

Updates `supabase/realtime` from v2.112.6 to v2.112.9

Updates `supabase/storage-api` from v1.62.5 to v1.63.1


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
)

## What kind of change does this PR introduce?

Bug fix (Go parity).

## What is the current behavior?

Go's `--size` flag on `projects create`
(`apps/cli-go/cmd/projects.go:34-55`) is a single shared 18-value
`EnumFlag` reused by `branches create`
(`apps/cli-go/cmd/branches.go:212`), and does not include `"nano"` (or
`"pico"`). The TS legacy port's `INSTANCE_SIZES`
(`projects/create/create.command.ts`) and `BRANCH_SIZES`
(`branches/create/create.command.ts`) both included `"nano"` as a valid
`Flag.choice` value, so `--size nano` silently succeeded in TS while Go
rejects it.

Verified directly against the real, compiled Go binary (`apps/cli-go`)
rather than just reading source — `projects create --size nano`
genuinely errors with `invalid argument "nano" for "--size" flag: must
be one of [...]`, confirming this is current, shipped Go behavior and
not a stale enum.

Note: the live Management API contract
(`packages/api/src/generated/contracts.ts`) does list `"nano"`/`"pico"`
as accepted `desired_instance_size` values, and `next/`'s
independently-authored `branches create` already exposes both. Neither
the Go CLI nor this legacy port surfaces them as CLI options, though —
that's a separate product question (filed as CLI-1897) about whether
these tiers should eventually be CLI-selectable, not a reason to keep an
option the legacy shell's own Go-parity contract says should be
rejected.

## What is the new behavior?

`--size nano` is now rejected identically on both `projects create` and
`branches create`, matching Go's 18-value enum exactly.

Fixes CLI-1869. See also CLI-1897 (product decision on nano/pico) and
CLI-1898 (unrelated pre-existing bug in `effect`'s `Flag.choice`
error-message formatting, found during this PR's review).
…#5800)

## What kind of change does this PR introduce?

Docs update (Go parity disclosure) + telemetry-list correctness fix.

## What is the current behavior?

`--high-availability` on `projects create` has no Go CLI equivalent —
Go's `cmd/projects.go` never registers such a flag, and its `RunE`
closure never sets `HighAvailability` on the create request body even
though the underlying Management API field exists. Unlike `--reveal` on
`projects api-keys` (which explicitly documents itself as a TS-only
addition, in a code comment, `SIDE_EFFECTS.md`, and
`docs/go-cli-porting-status.md`'s "Flag divergences" list),
`--high-availability` was undisclosed everywhere.

It was also listed in `safeFlags: ["org-id", "high-availability"]`,
implying Go-parity telemetry-safety that doesn't exist (Go's
`markFlagTelemetrySafe` only covers `org-id`). Since it's a boolean
flag, this had no actual runtime effect — boolean flag values are always
logged verbatim by the instrumentation regardless of `safeFlags`
membership — but the array wrongly implied otherwise.

The linked ticket (CLI-1870) offered two valid resolutions: remove the
flag for strict parity, or disclose it as TS-only. This PR disclosure,
since `--high-availability` is a real, working, user-facing capability
that Go's CLI simply never got around to exposing (not a Go bug being
ported forward) — removing it would regress anyone currently relying on
it.

## What is the new behavior?

`--high-availability` is now disclosed as TS-only in a code comment,
`SIDE_EFFECTS.md`, and `docs/go-cli-porting-status.md`'s "Flag
divergences" list, matching the `--reveal` precedent exactly. Removed
from `safeFlags` (now just `["org-id"]`) to match Go's actual
telemetry-safe set.

Fixes CLI-1870.
…chema declarative (#5828)

## What changed

`db schema declarative generate`/`sync` ran their mutual-exclusivity
flag check (`db-url`/`linked`/`local`, `apply`/`no-apply`) BEFORE the
pg-delta/`--experimental` gate (`legacyRequirePgDelta`). Go's cobra runs
`PersistentPreRunE` (the gate) before `ValidateFlagGroups` (mutex check)
— confirmed against `apps/cli-go/cmd/db_schema_declarative.go` and the
actual `cobra@v1.10.2` source — so invoking either command with
conflicting flags and no `--experimental` surfaced the wrong error in
the TS shell vs Go.

Same bug class already fixed for `storage ls/cp/mv/rm` in CLI-1855
(#5768); this mirrors that precedent as closely as the code structure
allows. Declarative's gate needs a config read (`legacyReadDbToml`) that
storage's didn't, so the check lives inline in each handler's body
rather than at the `.command.ts` level — moving the config read ahead of
the mutex check as part of the same reorder is also more correct (Go's
`PersistentPreRunE` loads config unconditionally before validating flag
groups too).

Swaps the order in both handlers, fixes misleading ordering comments
(and two stale Go line-number citations found nearby), documents the
precedence in both commands' `SIDE_EFFECTS.md`, and adds regression
coverage for the "mutex conflict without `--experimental`" case in both
`generate` and `sync`.

Fixes CLI-1876
)

## What changed

Invoking a legacy-shell group command that has subcommands but is itself
not runnable — e.g. `supabase branches`, `supabase completion` — with no
subcommand and no `--help` exited **1** in the TS legacy shell. Go's
cobra CLI exits **0** for the identical invocation: a non-`Runnable()`
command with no `RunE` internally returns `flag.ErrHelp`, which cobra's
`ExecuteC()` maps to "print help, return nil error". Only explicit
`--help` got exit 0 before this fix; the bare/missing-subcommand form
did not, even though the printed help text was identical in both cases.

`CliError.ShowHelp` (in `effect/unstable/cli`) already declares the
correct exit code via Effect's own `Runtime.errorExitCode` marker (`0`
for a clean `ShowHelp` with no errors, `1` otherwise) —
`apps/cli/src/shared/cli/run.ts` now delegates to
`Runtime.getErrorExitCode(Cause.squash(cause))` instead of hand-rolling
`ShowHelp` classification, which is simpler and tracks the library's own
source of truth for any future `CliError` additions.

Also added an integration test driving the real `legacyBranchesCommand`
through `Command.runWith` (confirming the actual `ShowHelp` cause
shape), and an e2e test asserting the real compiled-binary exit code,
since this bug is specifically about the real OS process exit code.

## Known related (not fixed here)

A typo'd subcommand under a group (e.g. `supabase branches bogus`) still
exits 1 where Go cobra exits 0 for a non-root command — this is
pre-existing on `develop`, not a regression from this change, and out of
scope for this fix. Filed as a follow-up.

Fixes CLI-1906
#5765)

## Summary

Ports `supabase stop` and `supabase status` from Go-proxy stubs to
native TypeScript in the legacy CLI shell (CLI-1324).

- Both commands now talk directly to Docker/Podman via subprocess,
replicating Go's label-filtering and container-naming scheme
byte-for-byte. Legacy `start` is still Go-proxied, so this intentionally
does **not** route through `@supabase/stack/effect`'s daemon-based
orchestration model — that substrate manages a different set of
containers than the ones Go's binary actually creates, and using it
would silently no-op against a real running stack.
- New shared infrastructure (`legacy-docker-lifecycle`, `legacy-go-jwt`,
`legacy-local-config-values`, `legacy-api-url`) is reused by both
commands, matching Go's local-dev defaults exactly — including a
Go-byte-exact JWT signer, since `@supabase/stack`'s own JWT generator
uses a different issuer/claim order than what Go prints for local dev
keys.
- Adds `*.live.test.ts` as a documented test category (`AGENTS.md`)
alongside unit/integration/e2e: black-box subprocess tests run by the
`cli-e2e-ci` harness against a real platform. `stop`/`status` don't call
the Management API, so their live tests spin up a real local Docker
stack instead and verify against it directly (e.g. confirming Docker
itself has no containers left after `stop`, not just trusting the CLI's
exit code).

## Notable review findings fixed along the way

- Table/status output was colorizing based on `stderr`'s TTY status
while writing to `stdout` — piping stdout while stderr stayed a TTY
(`supabase status | less`) would have corrupted output with ANSI escapes
(the same bug class CLI-1546 fixed once before).
- `--override-name` was leaking into pretty-mode output; Go's
`PrettyPrint` rebuilds a fresh, un-overridden view and ignores it there.
- `--backup`/`--no-backup`: Go's `--backup` flag is dead code (declared,
never bound to a variable in `cmd/stop.go`) — the port now matches that
exactly instead of an intended-but-never-true semantic.
- Docker/Podman-both-missing errors now name the actual root cause
instead of a generic "failed to ..." string.

## Post-review hardening: scoping and consolidation

Two structural fixes on top of the port, addressing drift introduced
while iterating on review feedback:

- **`next/` no longer inherits Go-parity config semantics.** The four
viper-compat behaviors added during review (unconditional `[remotes.*]`
project-id checks, the deprecated-provider WARN, the widened `env()`
reference pattern, and comma-split coercion into array-typed fields) are
now gated behind an opt-in `goViperCompat` flag on
`LoadProjectConfigOptions` — default off restores the pre-review
behavior for `next/`, `packages/stack`, and other non-parity consumers,
following the same opt-in pattern as `tomlOnly`/`skipEnvLocal`. Only
legacy-shell callers opt in. Regression tests pin the default-off
behavior, including the `next start` config-load path that would
otherwise have started hard-failing on a malformed
`[remotes.*].project_id`.
- **Go's `Config.Validate` now has exactly one TS home.**
`legacy/shared/legacy-config-validate.ts` replaces the validation
orchestration previously duplicated between
`legacy-db-config.toml-read.ts` (db/migration family) and
`legacy-local-config-values.ts` (status/stop); both callers build a
normalized `LegacyConfigValidationInput` from their own pipelines and
call the shared validator, and a cross-caller parity test feeds
identical broken configs through both real pipelines asserting identical
error strings. Consolidating surfaced and fixed three real divergences
between the two copies: `db.major_version = 0` now emits Go's `Missing
required field in config: db.major_version` (the db loader previously
emitted a non-Go message), and the captcha provider-enum and email
`content`-vs-`content_path` checks are now present in both paths.

CLOSES CLI-1324
Bumps the npm-major group with 6 updates:

| Package | From | To |
| --- | --- | --- |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.197` | `0.3.198` |
|
[@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript)
| `0.109.0` | `0.109.1` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.39.1` | `5.39.2` |
| [next](https://github.com/vercel/next.js) | `16.2.9` | `16.2.10` |
|
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
| `26.0.1` | `26.1.0` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260630.1` | `7.0.0-dev.20260701.1` |

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.197 to 0.3.198
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.198</h2>
<h2>What's changed</h2>
<ul>
<li>Added a runtime warning when <code>canUseTool</code> is configured
alongside <code>allowedTools</code> or <code>bypassPermissions</code>,
which shadow the callback</li>
<li>Added per-server <code>request_timeout_ms</code> option to
<code>mcp_set_servers</code> control request</li>
<li>Fixed <code>SDKUserMessage.isSynthetic</code> not being mapped to
<code>isMeta</code> on ingestion, which could cause synthetic messages
to be treated as real user messages</li>
<li>Fixed workflow progress events silently dropping earliest agents
from the list while the phase counter remained correct</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.198
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.198
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.198
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.198
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.198</h2>
<ul>
<li>Added a runtime warning when <code>canUseTool</code> is configured
alongside <code>allowedTools</code> or <code>bypassPermissions</code>,
which shadow the callback</li>
<li>Added per-server <code>request_timeout_ms</code> option to
<code>mcp_set_servers</code> control request</li>
<li>Fixed <code>SDKUserMessage.isSynthetic</code> not being mapped to
<code>isMeta</code> on ingestion, which could cause synthetic messages
to be treated as real user messages</li>
<li>Fixed workflow progress events silently dropping earliest agents
from the list while the phase counter remained correct</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/23c685c51e5bf95ebf0aa3bd0e319a82d0cc39f9"><code>23c685c</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.197...v0.3.198">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/sdk` from 0.109.0 to 0.109.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@​anthropic-ai/sdk's
releases</a>.</em></p>
<blockquote>
<h2>sdk: v0.109.1</h2>
<h2>0.109.1 (2026-07-01)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">sdk-v0.109.0...sdk-v0.109.1</a></p>
<h3>Chores</h3>
<ul>
<li><strong>api:</strong> remove some nonfunctional types from the SDKs
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc4dd4e257cc3354f14e263b0d2441ddae71759e">cc4dd4e</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.109.1 (2026-07-01)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">sdk-v0.109.0...sdk-v0.109.1</a></p>
<h3>Chores</h3>
<ul>
<li><strong>api:</strong> remove some nonfunctional types from the SDKs
(<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/cc4dd4e257cc3354f14e263b0d2441ddae71759e">cc4dd4e</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/96d1a991b64b1692b70d16435babe9c5d702ad8d"><code>96d1a99</code></a>
chore: release main (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/1106">#1106</a>)</li>
<li>See full diff in <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.0...sdk-v0.109.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.39.1 to 5.39.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.39.2</h2>
<h2>5.39.2</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4028">#4028</a>
<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Make Node <code>flush()</code> wait for pending asynchronous SDK work
before draining the event queue, so events produced by helpers like
<code>captureException()</code> are not missed. Pending work rejections
no longer prevent queued events from flushing.
(2026-07-01)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.39.2</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4028">#4028</a>
<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Make Node <code>flush()</code> wait for pending asynchronous SDK work
before draining the event queue, so events produced by helpers like
<code>captureException()</code> are not missed. Pending work rejections
no longer prevent queued events from flushing.
(2026-07-01)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/d1e6df86ddbdbc3a9a542995986080e7e7c2cd4e"><code>d1e6df8</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/a664b815dd074c8eed87830904fa182306d07e6b"><code>a664b81</code></a>
fix: make flush wait for pending async work (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4028">#4028</a>)</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.2/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `next` from 16.2.9 to 16.2.10
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v16.2.10</h2>
<p>Contains no changes except publishing <code>@next/swc-wasm-web</code>
which was accidentally not published since 16.2.4.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vercel/next.js/commit/9dadfd693c5d26bb3c85d1c17802f49dde244b3e"><code>9dadfd6</code></a>
v16.2.10</li>
<li><a
href="https://github.com/vercel/next.js/commit/534d9c144ca342ff9ee5569241a814539d6eadb9"><code>534d9c1</code></a>
[16.2.x] Release pipeline updates (<a
href="https://redirect.github.com/vercel/next.js/issues/95160">#95160</a>)</li>
<li><a
href="https://github.com/vercel/next.js/commit/98941fc427213b0b2770ac40e24a1855ea0ae349"><code>98941fc</code></a>
backport: docs fixes 16.2.x (<a
href="https://redirect.github.com/vercel/next.js/issues/94935">#94935</a>)</li>
<li><a
href="https://github.com/vercel/next.js/commit/6e1a94de7c4e68892de4b1e28262be5970358458"><code>6e1a94d</code></a>
[16.2.x][ci]: fix release script to not strip newlines (<a
href="https://redirect.github.com/vercel/next.js/issues/94640">#94640</a>)</li>
<li>See full diff in <a
href="https://github.com/vercel/next.js/compare/v16.2.9...v16.2.10">compare
view</a></li>
</ul>
</details>
<br />

Updates `@types/node` from 26.0.1 to 26.1.0
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260630.1 to
7.0.0-dev.20260701.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions-major group with 4 updates:
[github/codeql-action/init](https://github.com/github/codeql-action),
[github/codeql-action/analyze](https://github.com/github/codeql-action),
[docker/login-action](https://github.com/docker/login-action) and
[docker/setup-buildx-action](https://github.com/docker/setup-buildx-action).

Updates `github/codeql-action/init` from 4.36.2 to 4.36.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action/init's
releases</a>.</em></p>
<blockquote>
<h2>v4.36.3</h2>
<p>No user facing changes.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/init's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.37.0 - 08 Jul 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
<h2>4.36.3 - 01 Jul 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.2 - 04 Jun 2026</h2>
<ul>
<li>Cache CodeQL CLI version information across Actions steps. <a
href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li>
<li>Reduce requests while waiting for analysis processing by using
exponential backoff when polling SARIF processing status. <a
href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li>
</ul>
<h2>4.36.1 - 02 Jun 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.0 - 22 May 2026</h2>
<ul>
<li><em>Breaking change</em>: Bump the minimum required CodeQL bundle
version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a"><code>54f647b</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3984">#3984</a>
from github/update-v4.36.3-1f34ec164</li>
<li><a
href="https://github.com/github/codeql-action/commit/e78819e05527766c3c5919e3177647e280c6cb83"><code>e78819e</code></a>
Trigger checks</li>
<li><a
href="https://github.com/github/codeql-action/commit/2c9d3d63eb4941734e2d29468953529a56f5ff1c"><code>2c9d3d6</code></a>
Update changelog for v4.36.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/1f34ec16430d82636d18716acc7aaa6d843b35a9"><code>1f34ec1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3983">#3983</a>
from github/mbg/repo-props/ff-for-config-file-prop</li>
<li><a
href="https://github.com/github/codeql-action/commit/d5f0145480025b49d8b08c3f6b36e6ad41a68c90"><code>d5f0145</code></a>
Log when repository property has a value but is ignored</li>
<li><a
href="https://github.com/github/codeql-action/commit/f27f56386a3c745af8d7bbfb806098c714a5e32a"><code>f27f563</code></a>
Add test for when the FF is off</li>
<li><a
href="https://github.com/github/codeql-action/commit/0025d0f2b5676fde748a0be9725dcce18dd9f986"><code>0025d0f</code></a>
Use FF</li>
<li><a
href="https://github.com/github/codeql-action/commit/f7fa18f05d107ff6735857c3510fbff190c9a1eb"><code>f7fa18f</code></a>
Add FF for config file repo property</li>
<li><a
href="https://github.com/github/codeql-action/commit/628fc3f124e68b0151f0d2a5d81e864ee1e42335"><code>628fc3f</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3979">#3979</a>
from github/henrymercer/overlay-db-cleanup-size-tele...</li>
<li><a
href="https://github.com/github/codeql-action/commit/9cfb67bab9b32441237f92d4ba29a7f3ccff259f"><code>9cfb67b</code></a>
Add clarifying comments</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...54f647b7e1bb85c95cddabcd46b0c578ec92bc1a">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action/analyze` from 4.36.2 to 4.36.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action/analyze's
releases</a>.</em></p>
<blockquote>
<h2>v4.36.3</h2>
<p>No user facing changes.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action/analyze's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>4.37.0 - 08 Jul 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.26.0">2.26.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3995">#3995</a></li>
<li>In addition to the existing input format, the
<code>config-file</code> input for the <code>codeql-action/init</code>
step will soon support a new <code>[owner/]repo[@ref][:path]</code>
format. All components except the repository name are optional. If
omitted, <code>owner</code> defaults to the same owner as the repository
the analysis is running for, <code>ref</code> to <code>main</code>, and
<code>path</code> to <code>.github/codeql-action.yaml</code>. Support
for this format ships in this version of the CodeQL Action, but will
only be enabled over the coming weeks. <a
href="https://redirect.github.com/github/codeql-action/pull/3973">#3973</a></li>
</ul>
<h2>4.36.3 - 01 Jul 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.2 - 04 Jun 2026</h2>
<ul>
<li>Cache CodeQL CLI version information across Actions steps. <a
href="https://redirect.github.com/github/codeql-action/pull/3943">#3943</a></li>
<li>Reduce requests while waiting for analysis processing by using
exponential backoff when polling SARIF processing status. <a
href="https://redirect.github.com/github/codeql-action/pull/3937">#3937</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.6">2.25.6</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3948">#3948</a></li>
</ul>
<h2>4.36.1 - 02 Jun 2026</h2>
<p>No user facing changes.</p>
<h2>4.36.0 - 22 May 2026</h2>
<ul>
<li><em>Breaking change</em>: Bump the minimum required CodeQL bundle
version to 2.19.4. <a
href="https://redirect.github.com/github/codeql-action/pull/3894">#3894</a></li>
<li>Add support for SHA-256 Git object IDs. <a
href="https://redirect.github.com/github/codeql-action/pull/3893">#3893</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.5">2.25.5</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3926">#3926</a></li>
</ul>
<h2>4.35.5 - 15 May 2026</h2>
<ul>
<li>We have improved how the JavaScript bundles for the CodeQL Action
are generated to avoid duplication across bundles and reduce the size of
the repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3899">#3899</a></li>
<li>For performance and accuracy reasons, <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> will now only be enabled on a pull request when
diff-informed analysis is also enabled for that run. If diff-informed
analysis is unavailable (for example, because the PR diff ranges could
not be computed), the action will fall back to a full analysis. <a
href="https://redirect.github.com/github/codeql-action/pull/3791">#3791</a></li>
<li>If multiple inputs are provided for the GitHub-internal
<code>analysis-kinds</code> input, only <code>code-scanning</code> will
be enabled. The <code>analysis-kinds</code> input is experimental, for
GitHub-internal use only, and may change without notice at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3892">#3892</a></li>
<li>Added an experimental change which, when running a Code Scanning
analysis for a PR with <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> enabled, prefers CodeQL CLI versions that have
a cached overlay-base database for the configured languages. This speeds
up analysis for a repository when there is not yet a cached overlay-base
database for the latest CLI version. We expect to roll this change out
to everyone in May. <a
href="https://redirect.github.com/github/codeql-action/pull/3880">#3880</a></li>
</ul>
<h2>4.35.4 - 07 May 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4">2.25.4</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3881">#3881</a></li>
</ul>
<h2>4.35.3 - 01 May 2026</h2>
<ul>
<li><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.19.3 and earlier. These versions of
CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise
Server 3.15, and will be unsupported by the next minor release of the
CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3837">#3837</a></li>
<li>Configurations for private registries that use Cloudsmith or GCP
OIDC are now accepted. <a
href="https://redirect.github.com/github/codeql-action/pull/3850">#3850</a></li>
<li>Best-effort connection tests for private registries now use
<code>GET</code> requests instead of <code>HEAD</code> for better
compatibility with various registry implementations. For NuGet feeds,
the test is now always performed against the service index. <a
href="https://redirect.github.com/github/codeql-action/pull/3853">#3853</a></li>
<li>Fixed a bug where two diagnostics produced within the same
millisecond could overwrite each other on disk, causing one of them to
be lost. <a
href="https://redirect.github.com/github/codeql-action/pull/3852">#3852</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/54f647b7e1bb85c95cddabcd46b0c578ec92bc1a"><code>54f647b</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3984">#3984</a>
from github/update-v4.36.3-1f34ec164</li>
<li><a
href="https://github.com/github/codeql-action/commit/e78819e05527766c3c5919e3177647e280c6cb83"><code>e78819e</code></a>
Trigger checks</li>
<li><a
href="https://github.com/github/codeql-action/commit/2c9d3d63eb4941734e2d29468953529a56f5ff1c"><code>2c9d3d6</code></a>
Update changelog for v4.36.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/1f34ec16430d82636d18716acc7aaa6d843b35a9"><code>1f34ec1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3983">#3983</a>
from github/mbg/repo-props/ff-for-config-file-prop</li>
<li><a
href="https://github.com/github/codeql-action/commit/d5f0145480025b49d8b08c3f6b36e6ad41a68c90"><code>d5f0145</code></a>
Log when repository property has a value but is ignored</li>
<li><a
href="https://github.com/github/codeql-action/commit/f27f56386a3c745af8d7bbfb806098c714a5e32a"><code>f27f563</code></a>
Add test for when the FF is off</li>
<li><a
href="https://github.com/github/codeql-action/commit/0025d0f2b5676fde748a0be9725dcce18dd9f986"><code>0025d0f</code></a>
Use FF</li>
<li><a
href="https://github.com/github/codeql-action/commit/f7fa18f05d107ff6735857c3510fbff190c9a1eb"><code>f7fa18f</code></a>
Add FF for config file repo property</li>
<li><a
href="https://github.com/github/codeql-action/commit/628fc3f124e68b0151f0d2a5d81e864ee1e42335"><code>628fc3f</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3979">#3979</a>
from github/henrymercer/overlay-db-cleanup-size-tele...</li>
<li><a
href="https://github.com/github/codeql-action/commit/9cfb67bab9b32441237f92d4ba29a7f3ccff259f"><code>9cfb67b</code></a>
Add clarifying comments</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...54f647b7e1bb85c95cddabcd46b0c578ec92bc1a">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/login-action` from 4.2.0 to 4.3.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/login-action/releases">docker/login-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.3.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/login-action/pull/1022">docker/login-action#1022</a></li>
<li>Bump <code>@​aws-sdk/client-ecr</code> and
<code>@​aws-sdk/client-ecr-public</code> to 3.1076.0 <a
href="https://redirect.github.com/docker/login-action/pull/999">docker/login-action#999</a>
<a
href="https://redirect.github.com/docker/login-action/pull/1030">docker/login-action#1030</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/login-action/pull/1004">docker/login-action#1004</a>
<a
href="https://redirect.github.com/docker/login-action/pull/1027">docker/login-action#1027</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/login-action/pull/1023">docker/login-action#1023</a></li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 in <a
href="https://redirect.github.com/docker/login-action/pull/1029">docker/login-action#1029</a></li>
<li>Bump http-proxy-agent and https-proxy-agent to 9.1.0 in <a
href="https://redirect.github.com/docker/login-action/pull/1017">docker/login-action#1017</a></li>
<li>Bump js-yaml from 4.1.1 to 5.2.0 in <a
href="https://redirect.github.com/docker/login-action/pull/1028">docker/login-action#1028</a></li>
<li>Bump sigstore from 4.1.0 to 4.1.1 in <a
href="https://redirect.github.com/docker/login-action/pull/1031">docker/login-action#1031</a></li>
<li>Bump tmp from 0.2.5 to 0.2.7 in <a
href="https://redirect.github.com/docker/login-action/pull/1002">docker/login-action#1002</a></li>
<li>Bump undici from 6.24.1 to 6.27.0 in <a
href="https://redirect.github.com/docker/login-action/pull/1020">docker/login-action#1020</a></li>
<li>Bump vite from 7.3.3 to 7.3.6 in <a
href="https://redirect.github.com/docker/login-action/pull/1019">docker/login-action#1019</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/login-action/compare/v4.2.0...v4.3.0">https://github.com/docker/login-action/compare/v4.2.0...v4.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/login-action/commit/c99871dec2022cc055c062a10cc1a1310835ceb4"><code>c99871d</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1030">#1030</a>
from docker/dependabot/npm_and_yarn/aws-sdk-dependen...</li>
<li><a
href="https://github.com/docker/login-action/commit/b43355553d3ea8fb194053c74a883544c9fc25b1"><code>b433555</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/login-action/commit/678a46a45e920924c7b07d6209b4d02a3031d403"><code>678a46a</code></a>
build(deps): bump the aws-sdk-dependencies group across 1 directory with
2 up...</li>
<li><a
href="https://github.com/docker/login-action/commit/f9a0aea0f208193fd8b1c2cffdf4be3b345d3e8a"><code>f9a0aea</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1031">#1031</a>
from docker/dependabot/npm_and_yarn/sigstore-4.1.1</li>
<li><a
href="https://github.com/docker/login-action/commit/cc1e4cb459afd4c2ed14dd1998c217908162b52b"><code>cc1e4cb</code></a>
build(deps): bump sigstore from 4.1.0 to 4.1.1</li>
<li><a
href="https://github.com/docker/login-action/commit/02e17303690804fb3ed891da7cd98e78c249fc3e"><code>02e1730</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1029">#1029</a>
from docker/dependabot/npm_and_yarn/sigstore/verify-...</li>
<li><a
href="https://github.com/docker/login-action/commit/b5485183742f9c17a05828cc9a655d45bcf24b31"><code>b548518</code></a>
build(deps): bump <code>@​sigstore/verify</code> from 3.1.0 to
3.1.1</li>
<li><a
href="https://github.com/docker/login-action/commit/a244be39449bb9d5bcc834770924d8c3f72806ab"><code>a244be3</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1027">#1027</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="https://github.com/docker/login-action/commit/ee0d698156bca198952822c0f8ef652bc58ab218"><code>ee0d698</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/login-action/commit/127dc2c62e49cc3f37601f40b7bbf4fe7051fac4"><code>127dc2c</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/login-action/compare/650006c6eb7dba73a995cc03b0b2d7f5ca915bee...c99871dec2022cc055c062a10cc1a1310835ceb4">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.2.0</h2>
<ul>
<li>Preserve names in esbuild bundle by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/572">docker/setup-buildx-action#572</a></li>
<li>Bump <code>@​actions/core</code> from 3.0.0 to 3.0.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/551">docker/setup-buildx-action#551</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.90.0 to 0.92.0 in
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/557">docker/setup-buildx-action#557</a>
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/580">docker/setup-buildx-action#580</a></li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/573">docker/setup-buildx-action#573</a></li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/576">docker/setup-buildx-action#576</a></li>
<li>Bump js-yaml from 4.1.1 to 5.2.0 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/562">docker/setup-buildx-action#562</a></li>
<li>Bump sigstore from 4.1.0 to 4.1.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/577">docker/setup-buildx-action#577</a></li>
<li>Bump tmp from 0.2.5 to 0.2.7 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/556">docker/setup-buildx-action#556</a></li>
<li>Bump undici from 6.25.0 to 6.27.0 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/570">docker/setup-buildx-action#570</a></li>
<li>Bump vite from 7.3.2 to 7.3.6 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/569">docker/setup-buildx-action#569</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-buildx-action/compare/v4.1.0...v4.2.0">https://github.com/docker/setup-buildx-action/compare/v4.1.0...v4.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/bb05f3f5519dd87d3ba754cc423b652a5edd6d2c"><code>bb05f3f</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/580">#580</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/321c814cb51fbe4af8eca00249525cc0973ea66f"><code>321c814</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/b9a36ef79ba42cfc611885a1e8c388fbf8b8cb3f"><code>b9a36ef</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.91.0 to
0.92.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/ebeab241289497cd564ac98b3cfc9e64607bb276"><code>ebeab24</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/570">#570</a>
from docker/dependabot/npm_and_yarn/undici-6.27.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/5c7b8ae78cec97a3215d4d86679b1d072eaa80cb"><code>5c7b8ae</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/037e618cd98e95e81525b15ff0e9c96f507e6a0e"><code>037e618</code></a>
build(deps): bump undici from 6.25.0 to 6.27.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/66080e5802281ec2e72b7f3108915643e702db85"><code>66080e5</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/577">#577</a>
from docker/dependabot/npm_and_yarn/sigstore-4.1.1</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/409aef0aa3f48f0a742e7dec4e0e04ab19afe93c"><code>409aef0</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/562">#562</a>
from docker/dependabot/npm_and_yarn/js-yaml-4.2.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/49c6e42949280fa0d70fb327633591be54efbfb6"><code>49c6e42</code></a>
build(deps): bump sigstore from 4.1.0 to 4.1.1</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/2211273e8121ecf9ecb7d6c7c0fcd55526d530c7"><code>2211273</code></a>
[dependabot skip] chore: update generated content</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-buildx-action/compare/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5...bb05f3f5519dd87d3ba754cc423b652a5edd6d2c">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Julien Goux <hi@jgoux.dev>
…ps/cli-go/pkg/config/templates in the docker-minor group (#5834)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1
update: supabase/storage-api.

Updates `supabase/storage-api` from v1.63.1 to v1.64.1


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=supabase/storage-api&package-manager=docker&previous-version=v1.63.1&new-version=v1.64.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…/primitive errors (#5831)

## What changed

Any `Flag.choice(...)`/`Flag.choiceWithValue(...)`-backed flag (`--size`
on
`projects create`/`branches create`, `--dns-resolver`,
`--output-format`,
`--output`/`-o`, `--agent`) showed a doubled "Expected: Expected ..."
prefix
when given an invalid value, e.g.:

```
Invalid value for flag --size: "nano". Expected: Expected "micro" | "small" | ... , got "nano"
```

Root cause: several `Primitive`s under `effect@4.0.0-beta.93`'s
`effect/unstable/cli` (`choice` — used by
`Flag.choice`/`Flag.choiceWithValue`
— plus the schema-backed `integer`, `float`, `boolean`, and `date`) fail
with
a raw message that already starts with the word "Expected" (e.g.
`` `Expected ${validChoices}, got ${value}` `` for `choice`, or
`Expected a valid date, got Invalid Date` for `date`), and
`CliError.InvalidValue`'s own `message` getter (`CliError.ts:359-364`)
independently prepends its own `"Expected: "` label on top of that —
producing the doubling for any flag or argument backed by one of these
primitives. This is a bug in the vendored `effect` beta package itself,
not
in this repo's code.

Workaround (until upstream `effect` is fixed) added to the shared CLI
error-formatting layer (`subcommand-flag-suggestions.ts`), which already
carries similar per-tag rewrites for
`UnrecognizedOption`/`UnknownSubcommand`:
collapse the literal `"Expected: Expected "` substring down to a single
`"Expected "` whenever it appears in an `InvalidValue` error's rendered
message. Collapsing the exact doubled substring (rather than rebuilding
the
surrounding "Invalid value for ..." template ourselves) keeps the fix
tied
to the precise defect, covers every affected primitive uniformly, and
lets
every other part of the message keep tracking upstream's own wording if
it
changes.

Verified against `go-parity-auditor`: Go's real CLI shows a completely
different message for the same scenario (`Error: invalid argument
"bogus"
for "--size" flag: must be one of [ large | medium | ... ]`, from
`apps/cli-go/internal/utils/enum.go` wrapped by cobra/pflag). Full
byte-parity with Go's wording is out of scope here — this ticket is
specifically about the doubled-prefix defect in the TS/Effect-native
message, not a "TS wording differs from Go" report; rewriting every
`Flag.choice` flag's phrasing to match Go's template would be a
separate,
larger change.

## Known related (not fixed here)

The underlying `Primitive.choice` failure text also appends a redundant
`, got "X"` suffix, so the invalid value still appears twice in the
final
message (once right after the flag name, once after "got"). That's a
pre-existing wart in the same vendored `effect` failure string, not
something this fix introduces, and collapsing it would mean
post-processing
`effect`'s `expected` string further — bigger than this "doubled prefix"
ticket calls for. Left as-is.

Fixes CLI-1898
…5830)

## What changed

Go's `changedFlags(cmd)` (`apps/cli-go/cmd/root_analytics.go:52-76`)
walks `cmd.Parent()` at every ancestor collecting `PersistentFlags()`
(global/root flags: `--debug`, `--yes`, `--experimental`,
`--create-ticket`, `--output`, `--dns-resolver`, `--agent`, `--profile`,
`--workdir`, `--network-id`) in addition to a command's own flags, then
reports booleans and enum-typed flags verbatim in `cli_command_executed`
telemetry.

The TS port's `withLegacyCommandInstrumentation` had no way to resolve
*any* global/persistent flag's value — only the invoking command's own
locally-declared `flags` option was ever consulted. So a changed global
flag always fell back to the literal string `"<redacted>"`, even a
boolean like `--debug`, diverging from Go's `flags: {debug: true}`.

This adds `legacyGlobalFlagValues` (`shared/legacy/global-flags.ts`) to
resolve every global flag's live value via `Effect.serviceOption` (a
no-op outside the real CLI tree, so it adds no `R` requirement and no
per-command wiring), and threads it into `buildFlagsMap` as a fallback
used only when a changed CLI flag name isn't already declared in the
invoking command's own `flags` record — mirroring Go's ancestor-walk
precedence (a command's own flag always wins on a name collision, e.g.
`db diff`'s local `--output` file-path flag shadowing the global
`--output` enum, exactly as it does in Go's cobra tree).

`safeFlags`/`config`-based safety classification is now restricted to
values that actually came from the handler's own `flags` record, so a
future per-command safe/choice annotation can never be misapplied to an
unrelated global flag's value purely by CLI-name collision (raised in
review).

Scope is deliberately narrow: this fixes the 4 boolean globals
(`--debug`, `--yes`, `--experimental`, `--create-ticket`) immediately.
The 3 global choice flags (`--output`, `--dns-resolver`, `--agent`)
remain redacted — that gap is the already-tracked CLI-1904, not this
ticket.

Fixes CLI-1896.

## Why

Found during CLI-1868's review (architect-reviewer finding) as a
systemic gap affecting all ~73 `withLegacyCommandInstrumentation({ flags
})` call sites — it was previously unreachable for `telemetry
enable`/`disable` specifically (hardcoded to `analytics: false`), but
CLI-1868 made it reachable there, surfacing the gap.

## Reviewer-relevant context

- One judgement call deliberately left open: global choice flags
(`--output`/`--dns-resolver`/`--agent`) still redact. This is
intentional — CLI-1904 already tracks teaching the safety pipeline about
global `EnumFlag`s, and folding it into this change would blur two
independent tickets.
- Heads-up for whoever owns the CLI PostHog dashboards: `flags.debug`
(and `yes`/`experimental`/`create-ticket`) will now emit real booleans
going forward instead of the literal string `"<redacted>"` for these
four flags specifically. Any saved insight/funnel doing exact-string
matching on `"<redacted>"` for these keys will stop matching after this
ships.
#5832)

## What kind of change does this PR introduce?

Bug fix (Go-parity divergence).

## What is the current behavior?

`sso update`'s `--domains`/`--add-domains`/`--remove-domains` mutex
checks emitted custom, hand-written messages (`"only one of --domains or
--add-domains may be set"`) instead of cobra's real
`validateExclusiveFlagGroups` template (`flag_groups.go:204`), and gated
"is this flag set" on the *parsed value's* `.length > 0` rather than
cobra's actual `pflag.Changed` semantics — so `--domains=` (explicit but
empty) was silently treated as unset, the same "changed vs truthy" class
of bug CLI-1860 fixed for `functions download`'s `--use-docker`.

Fixes
[CLI-1902](https://linear.app/supabase/issue/CLI-1902/sso-update-use-cobras-mutual-exclusivity-error-template-for-domains).

## What is the new behavior?

Reuses the `hasExplicitLongFlag`/`cobraMutuallyExclusiveErrorMessage`
helpers already hoisted to `shared/cli/cobra-flag-groups.ts` (#5804) so
`sso update` emits cobra's byte-exact error text for
`--domains`/`--add-domains`/`--remove-domains`, keyed off raw argv
rather than the parsed flag value.

While reviewing, three independent reviewer passes
(architect/engineer/DX) converged on two more in-scope gaps in the same
handler that were cheap to close alongside the ticket's stated fix:

- `--metadata-file`/`--metadata-url` had the identical divergence (Go
also registers this pair with `MarkFlagsMutuallyExclusive`,
`cmd/sso.go:178`) — folded into the same cobra-parity check rather than
leaving one mutex group byte-exact and the other hand-written in the
same command.
- The mutex checks ran *after* the provider-ID UUID validation, but
cobra runs `ValidateFlagGroups` before `RunE` (`command.go:1010,1014`)
while Go's UUID check lives inside `RunE` (`cmd/sso.go:90-91`) — so a
flag-group violation must win over an invalid provider ID when both
apply. Reordered to match.

Added regression tests for the exact cobra error text (both `--domains`
groups and the metadata group), the changed-vs-truthy gap, the
two-groups-not-a-3-way-group behavior, the group-check ordering when all
three domain flags collide, and the mutex-before-UUID precedence — plus
a flag-parser unit test proving `--domains=` really resolves to `[]`.

`update.handler.ts`'s pre-existing branch-coverage gaps (GET/PUT
network-failure paths, `--skip-url-validation`, no-access-token,
malformed GET body) are unrelated to this change and were left alone;
independently verified via `git stash` that none of them were introduced
by this diff.
Coly010 and others added 18 commits July 9, 2026 10:03
…und (#5837)

## What changed

Files
[Effect-TS/effect#6312](Effect-TS/effect#6312)
for the doubled `"Expected: Expected ..."` prefix bug in
`effect@4.0.0-beta.93`'s CLI primitive parsers
(`Primitive.choice`/schema-backed `integer`/`float`/`boolean`/`date`),
per [review feedback on
#5831](#5831 (review)),
and adds a `TODO` in `invalid-value-message.ts` linking to it, so the
workaround is easy to find and remove once upstream fixes the underlying
bug.
…reate (#5840)

## What changed

`supabase db reset --local` now runs full Go-parity config validation
(`legacyCheckDbToml`, matching Go's `flags.LoadConfig`) at the top of
its local branch, before `AssertSupabaseDbIsRunning`/the destructive
container recreate — the same pre-destructive-work gate `db start` and
`db push` already have. A broken `supabase/config.toml` (unterminated
TOML, an undecryptable `encrypted:` vault secret, an unparseable
`env(VAR)` boolean, an explicit empty `project_id`) now aborts before
the local database is ever recreated, instead of only surfacing later
(or never) during bucket seeding.

A genuinely **missing** `config.toml` is still tolerated, unchanged:
Go's `Config.Load` defaults `project_id` to the current directory's
basename when no config file exists, so `Validate` never rejects it —
this is exactly the mechanism the `cli-e2e` parity suite relies on when
it runs `db push --local` / `db reset --local` from a project with no
`config.toml`. Only a config file that is *present but broken* is now
caught earlier.

`db reset --local`'s post-recreate bucket-seeding step catches a
`LegacySeedConfigLoadError` from its own config reload and
warns-and-continues rather than failing the command. An earlier version
of this PR removed that fallback (reasoning: Go loads `config.toml`
exactly once into memory, so it can never reach "recreate succeeded,
then a later reload of the same file fails"). A Codex review on this PR
caught that this doesn't transfer to the TS port: the new pre-recreate
gate resolves `env(VAR)` via the Go-parity nested-env reader (sees
`supabase/.env.development`, the project root, etc.), but the
post-recreate reload goes through `@supabase/config`'s narrower loader
(`supabase/.env`/`.env.local` only) — so a genuinely Go-valid config can
pass the gate and the real recreate, then hard-fail only at the later,
narrower reload, after the local database has already been dropped and
rebuilt. The fallback is restored, with a comment naming the actual
env-file-set gap instead of generic "loader strictness."

## Why

Linear
[CLI-1877](https://linear.app/supabase/issue/CLI-1877/reject-directlocal-db-push-db-reset-without-project-config-go):
a Codex P1 finding on #5715 flagged that the native `db reset`/`db
push`/`db start` port tolerates a missing project config more broadly
than Go, and that `db reset --local`'s config validation happened too
late relative to the destructive recreate.

Investigation (via `go-parity-auditor`, cross-checked against the
compiled Go binary) found the issue's literal premise — "reject
direct/local db push + db reset without project config" — does **not**
match current Go behavior: Go tolerates a missing config file by
defaulting `project_id` to the cwd basename, and the TS port already
matches that. Implementing a hard reject-on-missing-config would have
been a *new* divergence from Go and would have broken the
currently-green `cli-e2e` parity tests (exactly the regression risk the
issue's own "deferred from #5715" note called out). `db start`'s and `db
push`'s validation-ordering guarantees were also found to already be
correct and already covered by existing tests. The one real, narrow gap
was `db reset --local`'s ordering guarantee being implicit — buried
inside a config resolver whose test double bypasses it entirely — rather
than explicit and independently testable. This PR closes that gap.

## Test plan

- Added regression tests in `reset.integration.test.ts` for a local
reset: malformed config.toml, an unparseable boolean, an undecryptable
vault secret, and an explicit empty `project_id`, all asserting the
destructive recreate never runs; a test pinning that a broken config
wins over the "not running" error; and a test confirming a genuinely
missing config.toml is still tolerated.
- `pnpm check:all` and the full `apps/cli` unit + integration suite
(4758 tests) pass.
- Ran the 4-agent `review-changes` procedure
(architect/engineer/security/DX) against the diff and worked every
finding; see "Judgement calls" below for what a `review-adjudicator`
settled and what remains a documented, deliberate trade-off.

## Judgement calls / open notes

- The `review-changes` engineer pass flagged that rewriting a
pre-existing test orphaned the bucket-seed warn-and-skip branch,
regressing coverage. A `review-adjudicator` pass at the time concluded
there was no Go-parity reason to keep that fallback and recommended
deleting it (done in the second commit) — a subsequent Codex review on
the open PR found a concrete Go-valid config shape (an `env(VAR)` value
sourced from `supabase/.env.development`) that the deletion broke, so
the fallback was restored with an accurate comment (see "What changed"
above).
- The new pre-recreate gate is currently unreachable in production (the
resolver's own internal read already validates first and would already
reject a broken config identically) — it exists for defense-in-depth and
so the "validate before destroy" guarantee is enforced directly by the
handler and stays covered by a test even if the resolver is ever mocked
or refactored to stop validating. Both the architect and DX review
passes flagged this as worth calling out explicitly rather than as a
blocking issue.
- Not addressed here (flagged by review but out of scope):
`LegacyDbConfigResolver.resolve` could return the validated config it
already reads, so callers stop re-parsing `config.toml` up to 2-3 times
on the local reset path. This is a pre-existing, codebase-wide pattern
(`db push` does the same double-read), not something introduced by this
PR, and is better done as its own resolver-contract refactor.

Fixes CLI-1877.
…5841)

## What kind of change does this PR introduce?

Bug fix — legacy-shell child exit-code and delegated-path semantics.

## What is the current behavior?

Fixes
[CLI-1879](https://linear.app/supabase/issue/CLI-1879/legacy-shell-child-exit-code-delegated-path-semantics-finalizers-json).

Three related gaps around Go-delegated subprocess paths in the legacy
shell:

1. `LegacyGoProxy.exec`/`execCapture`
(`shared/legacy/go-proxy.layer.ts`) called `ProcessControl.exit()`
directly on a non-zero child exit or "binary not found". That's a real
`process.exit()` — it skips every `Effect.ensuring` finalizer between
the call site and `runCli` (telemetry flush, command instrumentation),
and loses the child's exact exit code (collapsing everything to whatever
`process.exit()` was called with, with no chance for `runCli`'s own
exit-code logic to run).
2. Because `execCapture`'s non-zero-exit branch hard-exited the process,
it never reached `withJsonErrorHandling`, so a `--output-format
json`/`stream-json` `db reset --experimental` failure emitted no
structured error envelope at all — the process just died mid-flight.
3. `db reset --experimental --linked` (no resolved version)
unconditionally resolved the linked DB connection — including
minting/verifying a temporary Postgres login role over the Management
API — before checking whether the remaining flow delegates to the Go
child. On that branch the resolved connection was never used: the
delegated Go child re-runs its own `ParseDatabaseConfig` (and mints its
own temp role) once it starts, so the TS-side mint was pure duplicate
privileged work.

(A fourth item from the same issue — forwarding `--linked=false`'s
target selector verbatim to the delegated child — was already correctly
implemented and already covered by a passing test; no code change was
needed there.)

## What is the new behavior?

- New `LegacyGoChildExitError`
(`shared/legacy/legacy-go-child-exit.error.ts`) carries a spawned
child's exact exit code via Effect's `Runtime.errorExitCode` marker.
`LegacyGoProxy.exec`/`execCapture` and the hidden `db __db-bootstrap`
seam now fail with this typed error instead of calling
`ProcessControl.exit()`, so the failure flows through the normal Effect
channel: finalizers run first, then `runCli`/`withJsonErrorHandling`
exit with the child's real code — in every output format, including a
Ctrl-C mid-recreate (e.g. exit `130`) instead of a generic `1`.
- `runCli`'s `handledProgram` special-cases `LegacyGoChildExitError` (by
concrete type) to skip its own generic `output.fail` stderr line, since
the child already printed its own detailed failure to the inherited
stderr and Go itself never prints a second line on top of that. This is
deliberately **not** keyed on Effect's shared `Runtime.errorReported`
marker — `CliError.ShowHelp` also sets that marker, and gating on it
would have silently suppressed the Go-parity `Error: required flag(s)
"..." not set` message for every missing-required-flag error. (Caught by
architect review before merge; regression test added.)
- `withJsonErrorHandling` now reads `Runtime.getErrorExitCode` instead
of hardcoding `1` when setting the process exit code, so the exact code
propagates under `json`/`stream-json` too, not just text mode.
- `db reset --experimental --linked` now checks whether it's about to
delegate to the Go child *before* calling
`LegacyDbConfigResolver.resolve()`, skipping the redundant temp-role
mint on that path. The linked-project-cache finalizer is unaffected (it
already reads a separately pre-loaded ref, exactly so this case still
works).
- Updated `SIDE_EFFECTS.md`'s exit-code tables for `db reset`/`db start`
to reflect the child's exact code, and touched-up a couple of stale doc
comments describing the old `process.exit()`-based behavior.

### Deliberately left open (judgement calls, not blockers)

- The JSON error envelope for a delegated linked+experimental
connection/mint failure is now a generic `"supabase-go exited with code
N (see stderr for details)"` rather than the specific TS error the old
(duplicate-minting) code path used to surface. This is an accepted
tradeoff: the real detail is on the inherited stderr, and Go itself has
no JSON error-envelope concept to hold this to a parity standard
against.
- The bootstrap seam's JSON error `code` field changes from
`LegacyDbBootstrapError` to `LegacyGoChildExitError` for a non-zero
child exit specifically. Nothing in this codebase treats that field as a
stable public contract (most `Legacy*Error` tags already leak their raw
class name into it), so this wasn't treated as a compatibility break.
- The sibling `db __shadow` seam (`legacy-pgdelta.seam.layer.ts`)
intentionally keeps its own generic domain error rather than adopting
`LegacyGoChildExitError` — its failure is a TS-authored summary over
noisy docker/pgdelta stderr (not a passthrough of a real user-facing Go
child), and Go itself collapses shadow-DB failures to a generic exit
`1`. Left a comment in place explaining the divergence so a future
reader doesn't "fix" it into inconsistency.

## Test plan

New/updated coverage in `go-proxy.layer.unit.test.ts`,
`run.unit.test.ts`, `json-error-handling.unit.test.ts`,
`reset.integration.test.ts`, and `start.integration.test.ts` — exact
exit-code propagation, finalizers running after a non-zero exit, the
JSON error envelope, the skipped pre-delegation resolve (and that the
sibling `--db-url` delegate path still resolves), and a regression guard
for the `ShowHelp`/`MissingOption` suppression bug caught during review.
…abled remote precedence (CLI-1878) (#5839)

## What

Closes the remaining gaps in
[CLI-1878](https://linear.app/supabase/issue/CLI-1878/legacy-shell-full-viper-env-override-semantics-project-env-remote):
full viper env-override semantics (project `.env`, remote precedence,
malformed bools) in the TS legacy shell.

A `go-parity-auditor` pass determined most of the issue's original
claims had already been fixed by an earlier PR (#5715) —
project-`.env`-aware `SUPABASE_YES`/`SUPABASE_EXPERIMENTAL` resolvers,
remote-config precedence, malformed-bool-fails-the-load,
explicit-flag-beats-env, and case-agnostic `env(...)` resolution all
already exist for `db push`/`db reset`/`db pull`/`config
push`/`migration down`/`repair`/declarative-schema. This PR closes the
**5 concrete gaps** that pass left open:

1. **`gen signing-key`** — the overwrite-confirmation prompt only
consulted the shell env for `SUPABASE_YES`. Go's `flags.LoadConfig`
loads the project `.env` before the prompt (`signingkeys.go:99,130`).
2. **`storage rm`** — same gap for the delete-confirmation prompt (both
the `--local` and default `--linked` branches of Go's
`ParseDatabaseConfig` load the project `.env` first).
3. **`migration fetch`** — same gap for the migrations-dir overwrite
prompt (defaults to `--linked`, same `ParseDatabaseConfig` path).
4. **standalone `seed buckets`** — its fallback `yes` resolution (used
when `db reset` doesn't pass a pre-resolved value) had the same gap. `db
reset`'s own passthrough was already correct.
5. **`[remotes.*].auth.enabled` remote precedence** — this key was
missing from `LEGACY_ENV_OVERRIDABLE_KEYS`, so a linked remote's
`auth.enabled` TOML value could lose to a `SUPABASE_AUTH_ENABLED` env
var instead of winning, unlike every other allowlisted key (Go's
`mergeRemoteConfig` applies the whole matched block above
`AutomaticEnv`).

Each of the 4 handler fixes follows the existing `legacyLoadProjectEnv`
+ `legacyResolveYesWithProjectEnv` pattern already used by `db
push`/`config push`/`migration down`/`repair`.

### Fixed along the way

- `migration fetch`'s new project-`.env` load initially ran *before* the
`[db-url linked local]` flag-conflict check — an ordering regression
relative to Go and sibling `migration down`/`repair` (caught by
`architect-reviewer`). Reordered so the flag check runs first; added a
regression test that fails without the fix.

## Behavior changes to be aware of

- `gen signing-key`, `storage rm`, `migration fetch`, and `seed buckets`
now honor `SUPABASE_YES` set only in
`supabase/.env`/`.env.local`/`.env.<env>[.local]` (previously they only
saw the shell env). This is a pure Go-parity fix, but on an earlier
build of this TS legacy shell it was inert — a stale `SUPABASE_YES=true`
left in a project's `.env` will now silently auto-confirm these
destructive prompts.
- A linked project's `[remotes.<name>].auth.enabled` TOML value now
correctly beats a `SUPABASE_AUTH_ENABLED` env var (previously the
reverse). If anything relied on the env var overriding a remote block's
explicit `auth.enabled`, that no longer happens.

## Test plan

- `bun run test:core` — all unit + integration tests green (300 tests
across the touched files, full suite unaffected).
- `bun run check:all` — types/lint/fmt/knip clean.
- New regression tests (integration, per this workspace's testing
pyramid):
- `signing-key.integration.test.ts` — project-`.env` `SUPABASE_YES`
auto-confirms the overwrite even with a piped `n` (defensively clears
any leaked shell `SUPABASE_YES` first).
  - `rm.integration.test.ts` — same, for the delete confirmation.
- `buckets.integration.test.ts` — same, for the standalone `seed
buckets` overwrite prompt.
- `fetch.integration.test.ts` — same, for the migrations-dir overwrite
prompt; plus a new test locking in the flag-conflict-before-env-read
ordering fix (verified it fails without the reorder).
- `legacy-db-config.toml-read.unit.test.ts` — 2 new unit tests for
`auth.enabled`: a matched remote block beats the env var, and a control
case where the env var still wins when the block omits the key.
- Relocated one pre-existing test's fixture
(`fetch.integration.test.ts`, "reports a write failure"): the
file-collision now lives at `<workdir>/supabase/migrations` instead of
`<workdir>/supabase` itself, since the latter would break the new
project-`.env` read before ever reaching the `mkdir` under test.
Verified this preserves the original test's coverage.

## Judgement calls deliberately left open

- **`[y/N] y` echo doesn't say *why* it auto-confirmed.**
`supabase-dx-reviewer` flagged that the prompt echo is byte-identical
whether the answer came from `--yes`, the shell env, or a forgotten
project `.env` value — but explicitly recommended *not* annotating it,
since that would diverge from Go's byte-identical `console.PromptYesNo`
output (this is a strict 1:1 port). Not changed here; a source
annotation would need to land in the Go CLI first if ever desired.
- **DB-bootstrap seam explicit `--experimental=false` forwarding.**
`go-parity-auditor` flagged (but could not fully confirm, since it
didn't trace the hidden `db __db-bootstrap` subprocess) that
`legacy-db-bootstrap.seam.layer.ts` forwards `--experimental` to the Go
child only when true, never an explicit false — for `db reset
--experimental=false` with `SUPABASE_EXPERIMENTAL=true` inherited by the
child, the child might re-resolve `true` independently. Flagged as a
caveat, not a confirmed gap; out of scope here.
- **`storage.enabled`/`realtime.enabled` don't read any `SUPABASE_*` env
override at all** in `legacy-db-config.toml-read.ts`, unlike
`auth.enabled`. This is a latent divergence noted by `go-parity-auditor`
but is outside CLI-1878's 5 named items; left as a separate follow-up.

🤖 Generated with the `issue-autopilot` skill.
Implement an automated contribution gate that enforces the Supabase CLI
contribution workflow for external pull requests. The gate requires PRs
from external contributors to link to an open GitHub issue carrying the
`open-for-contribution` label, while exempting maintainers and bots.

## Changes

- **Contribution gate script** (`contribution-gate.ts`): Pure decision
logic and GitHub I/O for evaluating PRs against the gate policy.
Supports two modes:
- Single-PR mode: reacts to individual PRs on `pull_request_target`
events
- All-PRs sweep mode: evaluates every open PR on-demand via
`workflow_dispatch`
  
- **Gate tests** (`contribution-gate.test.ts`): Comprehensive unit tests
for the decision logic and orchestration, with injected I/O for
network-free testing

- **Workflow** (`contribution-gate.yml`): GitHub Actions workflow that
runs the gate reactively on PR open/reopen/edit and supports manual
sweeps with dry-run capability

- **Documentation**:
- `MAINTAINERS.md`: Internal guide for maintainers on applying the
`open-for-contribution` label and running manual sweeps
- Updated `CONTRIBUTING.md`: Contributor-facing workflow requiring
issues to be opened first and labeled before PR submission
- Updated issue templates and PR template: Guidance on the new workflow
  - Updated issue config: Link to contribution workflow

## Implementation details

- Non-conforming PRs are auto-closed with explanatory comments directing
contributors to the workflow
- Cross-repository closing keywords are rejected as a security measure
(contributors cannot control external repos)
- Repository name matching is case-insensitive
- Internal authors (OWNER, MEMBER, COLLABORATOR) and bots are exempt
from the gate
- The workflow checks out the base branch, ensuring only trusted code
executes

https://claude.ai/code/session_01YY1sNQLXPxaeN6JX1NFSWj

---------

Co-authored-by: Claude <noreply@anthropic.com>
…ing (#5842)

## What kind of change does this PR introduce?

Bug fix (Go-parity gap).

## What is the current behavior?

`config push`'s secret-hashing logic
(`config-sync/config-sync.secret.ts`) treats dotenvx `encrypted:` secret
values (e.g. `[auth.captcha] secret = "encrypted:..."`) as unresolved:
it hashes them to `""`, which silently gates them out of both the diff
and the update-request body. The remote secret is left untouched with no
error and no feedback — the user has no idea their encrypted secret was
never pushed.

Go decrypts every `config.Secret` field during `config.Load` (before any
network call) and pushes the plaintext, or aborts the whole command with
`failed to parse config: <cause>` if it can't decrypt.

Fixes
[CLI-1881](https://linear.app/supabase/issue/CLI-1881/config-push-decrypt-dotenvx-encrypted-secrets-instead-of-skipping).

## What is the new behavior?

- `config-sync.secret.ts` (`secretHash`/`secretPlaintext`) now decrypts
an `encrypted:` value with the existing `legacy-vault-decrypt.ts`
decryptor (already used by `db push`/`db reset`/`migration up|down`)
before hashing it for the diff or sending it as plaintext in the auth
update body — the ciphertext itself is never pushed.
- `push.handler.ts` now runs a document-wide "assert every
`config.Secret` is decryptable" pre-check immediately after loading
`config.toml`, before the cost-matrix call or any other network request
— mirroring Go's `config.Load` timing, where the decrypt hook runs over
the *whole* document (not just `auth.*`) regardless of which fields the
current command actually reads. An undecryptable secret anywhere (even
one `config push` never itself pushes, e.g. `studio.openai_api_key`)
aborts with Go's exact `failed to parse config: <cause>` message and
zero network calls.
- Reused/exported `legacyAssertDecryptableSecrets` from
`legacy-db-config.toml-read.ts` (previously private, used only by the
db-config family) rather than duplicating the scan logic — its return
type was generalized from a db-config-specific error class to a plain
message string so each caller can wrap it in its own domain error.
- Removed the now-stale "not implemented" note from `config push`'s
`SIDE_EFFECTS.md` and documented the new `DOTENV_PRIVATE_KEY`(`_*`) env
vars + the new abort exit condition.

## Test plan

- New unit tests in `config-sync.secret.unit.test.ts` covering
decrypt-before-hash, multi-key fallback, and the two failure messages
(reusing the Go test vector from `apps/cli-go/pkg/config/secret_test.go`
/ `legacy-vault-decrypt.unit.test.ts`).
- Three new `push.integration.test.ts` cases:
- an `encrypted:` captcha secret decrypts and the **plaintext** (not
ciphertext) reaches the `updateAuthServiceConfig` PATCH body;
- an undecryptable `encrypted:` secret aborts with `failed to parse
config: missing private key` and **zero** network calls, even with
`auth.enabled = false` (proving the check isn't auth-gated);
- an undecryptable `studio.openai_api_key` (a field `config push` never
reads or pushes) also aborts before any network call, proving the
pre-check is genuinely document-wide.
- Full `apps/cli` `types:check`, `lint:check`, `fmt:check`, and the
touched `unit`/`integration` Vitest projects (`config-sync.secret`,
`auth.sync`, `legacy-vault-decrypt`, `legacy-db-config.toml-read`,
`push.integration`) all pass.

Parity confirmed against `apps/cli-go/pkg/config/secret.go` +
`internal/config/push/push.go` via `go-parity-auditor` before
implementation (abort timing before any network call, error-message
format, `DOTENV_PRIVATE_KEY` env-loading order, and that Go always
pushes decrypted plaintext, never ciphertext).

Reviewed by `architect-reviewer`, `engineer-reviewer`,
`security-reviewer`, and `supabase-dx-reviewer` (all APPROVE/SHIP IT) —
every actionable finding from that pass is folded into this PR already
(removed a dead defensive branch that broke 100%-branch-coverage,
hardened a hex-decode error message so it can't echo malformed key
fragments, clarified a shared helper's doc comment, added the
`studio.openai_api_key` test, and tidied `SIDE_EFFECTS.md` wording).

## Judgement calls left open (deliberately, not blocking)

- **Non-matching `[remotes.*]` blocks aren't covered by the
document-wide pre-check.** `@supabase/config`'s `loadProjectConfig`
strips the `remotes` key from its returned document once a block matches
the target ref, so an undecryptable secret hiding in a *different,
unused* remote block escapes the check (Go's decode hook would still
abort on it, since it decodes the whole file). Narrow edge case — only
matters with multiple remotes where the unused one has a broken secret —
and safe-direction (we succeed where Go would abort; we never push
ciphertext). Documented in `SIDE_EFFECTS.md`'s KNOWN GAPS and in the
shared helper's doc comment.
- **A secret reached via `env(VAR)` indirection where the referenced var
only resolves through the wider env-file set
`legacy-db-config.toml-read.ts`/Go's `loadNestedEnv` reads (not
`@supabase/config`'s narrower `supabase/.env`/`.env.local`)** is a
pre-existing, CLI-1489-adjacent asymmetry between the two env-resolution
paths — out of scope here; the code takes the parity-correct (wider)
source for the pre-check, consistent with the shared helper's other
caller.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
The contribution gate identified internal maintainers solely from the
PR's `author_association`, which GitHub only reports as `MEMBER` when a
user's organization membership is public. A private org member (e.g. a
`supabase/cli` team member who keeps membership private) is reported as
`CONTRIBUTOR`/`NONE`, so the gate wrongly closed their PRs as
"no-linked-issue" (see #5847).

Resolve maintainer status from the author's effective repository
permission (`admin`/`write`), which reflects team/org-granted access
that `author_association` does not surface, falling back to it only when
the cheap signals (bot, public internal association) are inconclusive.
The permission endpoint needs just `Metadata: read`, already covered by
the workflow's `contents: read`.


Claude-Session: https://claude.ai/code/session_01D41gYiFBSU7adE4ppnUUKg

---------

Co-authored-by: Claude <noreply@anthropic.com>
…n /apps/cli-go in the go-minor group across 1 directory (#5849)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[github.com/posthog/posthog-go](https://github.com/posthog/posthog-go).

Updates `github.com/posthog/posthog-go` from 1.17.2 to 1.17.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/posthog/posthog-go/releases">github.com/posthog/posthog-go's
releases</a>.</em></p>
<blockquote>
<h2>1.17.4</h2>
<h2>Unreleased</h2>
<h2>1.17.3</h2>
<h2>Unreleased</h2>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md">github.com/posthog/posthog-go's
changelog</a>.</em></p>
<blockquote>
<h2>1.17.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>25e43f8: Stop duplicating <code>distinct_id</code> inside
<code>/flags</code> person properties.</li>
</ul>
<h2>1.17.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>dafed74: Retry remote feature flag requests after transient 502 and
504 responses.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-go/commit/93b96811028c9203b26a2708d6998c7700083771"><code>93b9681</code></a>
chore: release v1.17.4 [version bump] [skip ci]</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/25e43f8ecdc251dd07d2279408febd4dcdf838ec"><code>25e43f8</code></a>
fix: stop duplicating distinct_id in flags person properties (<a
href="https://redirect.github.com/posthog/posthog-go/issues/250">#250</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/01e60bf351811cc17b55983319d9c5f1be980691"><code>01e60bf</code></a>
chore: release v1.17.3 [version bump] [skip ci]</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/dafed74b9e5ae43d6d5f47933870663cadf23218"><code>dafed74</code></a>
fix: Retry flags requests on 502 and 504 (<a
href="https://redirect.github.com/posthog/posthog-go/issues/251">#251</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/ed70fae25d9395d370ad17b79e81b81a63458096"><code>ed70fae</code></a>
fix: make TCP drop recovery test deterministic (<a
href="https://redirect.github.com/posthog/posthog-go/issues/248">#248</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/2b6e1878570f91ba7a155720923bbf3b98cc9216"><code>2b6e187</code></a>
ci: update SDK harness to 0.9.0 (<a
href="https://redirect.github.com/posthog/posthog-go/issues/247">#247</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/856a0d4668cce148d56b197cd08e3cd0d3ab50b8"><code>856a0d4</code></a>
fix: satisfy SDK compliance harness 0.8.0 (<a
href="https://redirect.github.com/posthog/posthog-go/issues/245">#245</a>)</li>
<li>See full diff in <a
href="https://github.com/posthog/posthog-go/compare/v1.17.2...v1.17.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/posthog/posthog-go&package-manager=go_modules&previous-version=1.17.2&new-version=1.17.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [undici](https://github.com/nodejs/undici) | `8.5.0` | `8.6.0` |
|
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript)
| `0.3.198` | `0.3.199` |
|
[@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript)
| `0.109.1` | `0.110.0` |
|
[posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node)
| `5.39.2` | `5.39.4` |
|
[@typescript/native-preview](https://github.com/microsoft/typescript-go)
| `7.0.0-dev.20260701.1` | `7.0.0-dev.20260702.3` |
| [knip](https://github.com/webpro-nl/knip/tree/HEAD/packages/knip) |
`6.23.0` | `6.24.0` |
| [tldts](https://github.com/remusao/tldts) | `6.1.86` | `7.4.6` |

Updates `undici` from 8.5.0 to 8.6.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v8.6.0</h2>
<h2>What's Changed</h2>
<ul>
<li>build(deps-dev): bump proxy from 4.0.0 to 4.1.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5433">nodejs/undici#5433</a></li>
<li>update accept-encoding header in fetch by <a
href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5439">nodejs/undici#5439</a></li>
<li>fix: drop response chunks after the response stream is destroyed (<a
href="https://redirect.github.com/nodejs/undici/issues/5356">#5356</a>)
by <a href="https://github.com/cesarvspr"><code>@​cesarvspr</code></a>
in <a
href="https://redirect.github.com/nodejs/undici/pull/5357">nodejs/undici#5357</a></li>
<li>fix: handle incomplete multi-byte UTF-8 sequences in setEncoding()
by <a href="https://github.com/joecwu"><code>@​joecwu</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5003">nodejs/undici#5003</a></li>
<li>fix(retry): keep flow-control wired to the active connection across
resumes by <a
href="https://github.com/bogomya"><code>@​bogomya</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5405">nodejs/undici#5405</a></li>
<li>test: cover connect lookup option by <a
href="https://github.com/vibhor-aggr"><code>@​vibhor-aggr</code></a> in
<a
href="https://redirect.github.com/nodejs/undici/pull/5411">nodejs/undici#5411</a></li>
<li>test: fail on unexpected reconnect disconnect by <a
href="https://github.com/vibhor-aggr"><code>@​vibhor-aggr</code></a> in
<a
href="https://redirect.github.com/nodejs/undici/pull/5412">nodejs/undici#5412</a></li>
<li>build(deps-dev): bump esbuild from 0.28.0 to 0.28.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5419">nodejs/undici#5419</a></li>
<li>fix(proxy): fail the request when the CONNECT tunnel drops instead
of looping by <a
href="https://github.com/cesarvspr"><code>@​cesarvspr</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5441">nodejs/undici#5441</a></li>
<li>feat(docs): migrate to doc-kit by <a
href="https://github.com/avivkeller"><code>@​avivkeller</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5438">nodejs/undici#5438</a></li>
<li>build(deps-dev): bump undici from 6.25.0 to 6.27.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5445">nodejs/undici#5445</a></li>
<li>fetch: fix issue 4058 by <a
href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5456">nodejs/undici#5456</a></li>
<li>docs: add Interceptors API reference page by <a
href="https://github.com/enjoykumawat"><code>@​enjoykumawat</code></a>
in <a
href="https://redirect.github.com/nodejs/undici/pull/5446">nodejs/undici#5446</a></li>
<li>Document H1 keep-alive trust tradeoff by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5457">nodejs/undici#5457</a></li>
<li>fix(h2): deliver an early final response to an Expect: 100-continue
request by <a href="https://github.com/jeswr"><code>@​jeswr</code></a>
in <a
href="https://redirect.github.com/nodejs/undici/pull/5470">nodejs/undici#5470</a></li>
<li>fix(types): correct deleteCookie attributes by <a
href="https://github.com/Ram-blip"><code>@​Ram-blip</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5461">nodejs/undici#5461</a></li>
<li>fix(h1): complete paused parser on socket end instead of crashing by
<a href="https://github.com/ronag"><code>@​ronag</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5474">nodejs/undici#5474</a></li>
<li>build(deps): bump github/codeql-action/init from 4.36.1 to 4.36.2 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5476">nodejs/undici#5476</a></li>
<li>build(deps): bump github/codeql-action/upload-sarif from 4.36.1 to
4.36.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5481">nodejs/undici#5481</a></li>
<li>build(deps): bump fastify/github-action-merge-dependabot from 3.12.0
to 3.15.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5480">nodejs/undici#5480</a></li>
<li>build(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5478">nodejs/undici#5478</a></li>
<li>build(deps): bump actions/checkout from 6.0.3 to 7.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5482">nodejs/undici#5482</a></li>
<li>build(deps): bump github/codeql-action from 4.36.1 to 4.36.2 by <a
href="https://github.com/trivikr"><code>@​trivikr</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5484">nodejs/undici#5484</a></li>
<li>build(deps): bump github/codeql-action/analyze from 4.36.1 to 4.36.2
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/nodejs/undici/pull/5477">nodejs/undici#5477</a></li>
<li>feat: support HTTP QUERY method (RFC 10008) by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5459">nodejs/undici#5459</a></li>
<li>fix: requeue h2 requests after goaway by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/nodejs/undici/pull/5473">nodejs/undici#5473</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/joecwu"><code>@​joecwu</code></a> made
their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5003">nodejs/undici#5003</a></li>
<li><a href="https://github.com/bogomya"><code>@​bogomya</code></a> made
their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5405">nodejs/undici#5405</a></li>
<li><a
href="https://github.com/enjoykumawat"><code>@​enjoykumawat</code></a>
made their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5446">nodejs/undici#5446</a></li>
<li><a href="https://github.com/jeswr"><code>@​jeswr</code></a> made
their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5470">nodejs/undici#5470</a></li>
<li><a href="https://github.com/Ram-blip"><code>@​Ram-blip</code></a>
made their first contribution in <a
href="https://redirect.github.com/nodejs/undici/pull/5461">nodejs/undici#5461</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v8.5.0...v8.6.0">https://github.com/nodejs/undici/compare/v8.5.0...v8.6.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/6f86196a0d4bbc8034c4e150a0aec4f6b2bf8742"><code>6f86196</code></a>
Bumped v8.6.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5491">#5491</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/61ddd8e1180cb0274207a35f15045da3691433be"><code>61ddd8e</code></a>
fix: requeue h2 requests after goaway (<a
href="https://redirect.github.com/nodejs/undici/issues/5473">#5473</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/c5085ef04534cd25e6e2601d0efc3c74ac62e82c"><code>c5085ef</code></a>
feat: support HTTP QUERY method (RFC 10008) (<a
href="https://redirect.github.com/nodejs/undici/issues/5459">#5459</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/c144fd60584b700dcbdd9e312bba4e40d4bab3a2"><code>c144fd6</code></a>
build(deps): bump github/codeql-action/analyze from 4.36.1 to 4.36.2 (<a
href="https://redirect.github.com/nodejs/undici/issues/5477">#5477</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/782ad387c8e82d66b52599b08dae49dff9b3b037"><code>782ad38</code></a>
build(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (<a
href="https://redirect.github.com/nodejs/undici/issues/5484">#5484</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/c4e045a3dc5acfabd619d93d8af658fc600aef1e"><code>c4e045a</code></a>
build(deps): bump actions/checkout from 6.0.3 to 7.0.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5482">#5482</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/de960dbbdd5ec8e84184419f0eb8402c52113ee8"><code>de960db</code></a>
build(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5478">#5478</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/1132de86409e2f7d44c9faf4d82d7714fcc55204"><code>1132de8</code></a>
build(deps): bump fastify/github-action-merge-dependabot (<a
href="https://redirect.github.com/nodejs/undici/issues/5480">#5480</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/3acb7ba08ea89e76f02426c1f9308c4e945032d2"><code>3acb7ba</code></a>
build(deps): bump github/codeql-action/upload-sarif (<a
href="https://redirect.github.com/nodejs/undici/issues/5481">#5481</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/88c4254079a0b82a579b55230416b1ca213bde19"><code>88c4254</code></a>
build(deps): bump github/codeql-action/init from 4.36.1 to 4.36.2 (<a
href="https://redirect.github.com/nodejs/undici/issues/5476">#5476</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/nodejs/undici/compare/v8.5.0...v8.6.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.198 to 0.3.199
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.199</h2>
<h2>What's changed</h2>
<ul>
<li>Added <code>requestId</code> to <code>canUseTool</code> callback
options for correlating out-of-band permission responses, and support
for returning <code>null</code> to suppress the SDK's automatic control
response</li>
<li>Added <code>blocked</code> field to <code>workflow_agent</code>
progress events indicating when an agent was blocked by the auto-mode
safety classifier</li>
<li>Added <code>mode:&quot;mask&quot;</code> and per-credential
<code>injectHosts</code> to <code>sandbox.credentials</code> settings
types for injecting masked credentials into sandboxed commands</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.199
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.199
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.199
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.199
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.199</h2>
<ul>
<li>Added <code>requestId</code> to <code>canUseTool</code> callback
options for correlating out-of-band permission responses, and support
for returning <code>null</code> to suppress the SDK's automatic control
response</li>
<li>Added <code>blocked</code> field to <code>workflow_agent</code>
progress events indicating when an agent was blocked by the auto-mode
safety classifier</li>
<li>Added <code>mode:&quot;mask&quot;</code> and per-credential
<code>injectHosts</code> to <code>sandbox.credentials</code> settings
types for injecting masked credentials into sandboxed commands</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/a0c02d6d999582c360b11116c429d58dc6f17270"><code>a0c02d6</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.198...v0.3.199">compare
view</a></li>
</ul>
</details>
<br />

Updates `@anthropic-ai/sdk` from 0.109.1 to 0.110.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/releases">@​anthropic-ai/sdk's
releases</a>.</em></p>
<blockquote>
<h2>sdk: v0.110.0</h2>
<h2>0.110.0 (2026-07-02)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.1...sdk-v0.110.0">sdk-v0.109.1...sdk-v0.110.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add agent-memory-2026-07-22 beta header (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/a470e10aaad12078e3e5f2bb9adf6c2652ea9ca0">a470e10</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.110.0 (2026-07-02)</h2>
<p>Full Changelog: <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.1...sdk-v0.110.0">sdk-v0.109.1...sdk-v0.110.0</a></p>
<h3>Features</h3>
<ul>
<li><strong>api:</strong> add agent-memory-2026-07-22 beta header (<a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/a470e10aaad12078e3e5f2bb9adf6c2652ea9ca0">a470e10</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/anthropic-sdk-typescript/commit/4f2eb8071993780d79610b9eda26db96f7653843"><code>4f2eb80</code></a>
chore: release main (<a
href="https://redirect.github.com/anthropics/anthropic-sdk-typescript/issues/1107">#1107</a>)</li>
<li>See full diff in <a
href="https://github.com/anthropics/anthropic-sdk-typescript/compare/sdk-v0.109.1...sdk-v0.110.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `posthog-node` from 5.39.2 to 5.39.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/releases">posthog-node's
releases</a>.</em></p>
<blockquote>
<h2>posthog-node@5.39.4</h2>
<h2>5.39.4</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4047">#4047</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0c11747de9ca10a48f840fff1814c33c71742736"><code>0c11747</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Stop duplicating <code>distinct_id</code> inside <code>/flags</code>
person properties.
(2026-07-02)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/5e7e132757682e4f91d40601506b635f346c7b67"><code>5e7e132</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.5</li>
</ul>
</li>
</ul>
<h2>posthog-node@5.39.3</h2>
<h2>5.39.3</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4055">#4055</a>
<a
href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Retry <code>/flags</code> requests that receive HTTP 502 or 504
responses across SDKs that use the shared core flags client.
(2026-07-02)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.4</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's
changelog</a>.</em></p>
<blockquote>
<h2>5.39.4</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4047">#4047</a>
<a
href="https://github.com/PostHog/posthog-js/commit/0c11747de9ca10a48f840fff1814c33c71742736"><code>0c11747</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Stop duplicating <code>distinct_id</code> inside <code>/flags</code>
person properties.
(2026-07-02)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/5e7e132757682e4f91d40601506b635f346c7b67"><code>5e7e132</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.5</li>
</ul>
</li>
</ul>
<h2>5.39.3</h2>
<h3>Patch Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/PostHog/posthog-js/pull/4055">#4055</a>
<a
href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a>
Thanks <a
href="https://github.com/marandaneto"><code>@​marandaneto</code></a>! -
Retry <code>/flags</code> requests that receive HTTP 502 or 504
responses across SDKs that use the shared core flags client.
(2026-07-02)</li>
<li>Updated dependencies [<a
href="https://github.com/PostHog/posthog-js/commit/64e04ba043b25d1f88435c5885132000d3117bb0"><code>64e04ba</code></a>]:
<ul>
<li><code>@​posthog/core</code><a
href="https://github.com/1"><code>@​1</code></a>.39.4</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-js/commit/0ba87cb40e3f70428cbb8718dc4c012cfa4c5f30"><code>0ba87cb</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/0c11747de9ca10a48f840fff1814c33c71742736"><code>0c11747</code></a>
fix: stop duplicating distinct_id in flags person properties (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4047">#4047</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/4eb8b2189098ee1f09eaf66e2d0fa21bcafbe54b"><code>4eb8b21</code></a>
chore: update versions and lockfile [version bump]</li>
<li><a
href="https://github.com/PostHog/posthog-js/commit/dd90e558b5fe6ec370b8dbd04da8faedba293421"><code>dd90e55</code></a>
test(node): make local polling tests deterministic (<a
href="https://github.com/PostHog/posthog-js/tree/HEAD/packages/node/issues/4043">#4043</a>)</li>
<li>See full diff in <a
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.39.4/packages/node">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260701.1 to
7.0.0-dev.20260702.3
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `knip` from 6.23.0 to 6.24.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/webpro-nl/knip/releases">knip's
releases</a>.</em></p>
<blockquote>
<h2>Release 6.24.0</h2>
<ul>
<li>chore: update year in license (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1833">#1833</a>)
(32bc844dfd3895884b11fea5ef94bf3fa1974946) - thanks <a
href="https://github.com/trueberryless"><code>@​trueberryless</code></a>!</li>
<li>ci: pin github actions (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1835">#1835</a>)
(82a8d0913105a637e9eeccfe3b785be90c873e2a) - thanks <a
href="https://github.com/trueberryless"><code>@​trueberryless</code></a>!</li>
<li>Assume Node 24+/Bun and remove compilation step
(d9ef038429bec06c37fdb520e5c7353c8cae6ce7)</li>
<li>Don't report working-directory scripts as unlisted binaries (resolve
<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1834">#1834</a>)
(aea7923438f0a8f459458578526f358b02497f77)</li>
<li>Add <code>pnpm run lint</code> to CI workflow
(ec9aa1cabb58c97b8ecc4815e6cdd6421fe2a89e)</li>
<li>feat: add settings for Zed editor to use oxlint and oxfmt (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1836">#1836</a>)
(111f2e0a17999e3ffdf4c097cd42ba08acd48508) - thanks <a
href="https://github.com/trueberryless"><code>@​trueberryless</code></a>!</li>
<li>fix: remove format_on_save: true settings from Zed settings to
respect user settings (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1838">#1838</a>)
(dc2a64043035d426eb99a9d1e0eb873d02a09e7d) - thanks <a
href="https://github.com/trueberryless"><code>@​trueberryless</code></a>!</li>
<li>feat: add Renovate for GitHub actions only (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1839">#1839</a>)
(ffce88c86f95822ee2a7cf8407e987a3ec79b097) - thanks <a
href="https://github.com/trueberryless"><code>@​trueberryless</code></a>!</li>
<li>Ignore import() in JSDoc examples (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1844">#1844</a>)
(6f090f90f04e8202700ed68977faa1dc626ff235) - thanks <a
href="https://github.com/cyphercodes"><code>@​cyphercodes</code></a>!</li>
<li>Don't report types used only in module augmentations as unused
(resolve <a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1843">#1843</a>)
(7901abd3c4b496f212445bff9768efc9548ded61)</li>
<li>Restore CI intent (0d739beab2e224385f449d62d6cc7d904107946e)</li>
<li>feat: add less, stylus compilers and astro, svelte, vue import
resolution (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1845">#1845</a>)
(5525759f33a5664e4882aebe239e9c17eeb29f92) - thanks <a
href="https://github.com/trueberryless"><code>@​trueberryless</code></a>!</li>
<li>Don't report built-in compiler dependencies as unused
(3c9d4adf369f0064399d9da7b4f11f0467180bf5)</li>
<li>feat: add scss handling to stencil plugin (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1846">#1846</a>)
(acba6b85ab05f70385228872fafea2b08290d0f6) - thanks <a
href="https://github.com/johnjenkins"><code>@​johnjenkins</code></a>!</li>
<li>fix(reporters): always print the issue-type title for a single group
(<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1848">#1848</a>)
(cf997b2408cc0814c2d310d1e8c8680340153fa1) - thanks <a
href="https://github.com/morgan-coded"><code>@​morgan-coded</code></a>!</li>
<li>Export Issue, IssueRecords and IssueType types (resolve <a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1840">#1840</a>)
(260f19230f42c9dceaac97d55bf34d17902c5b38)</li>
<li>Squeeze every bit of perf out around compilers
(bb0eeb6e33d050dab736134b5b692a3d6413f358)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/webpro-nl/knip/commit/2979803b8c929dcd6254e1cea174101fb16820e4"><code>2979803</code></a>
Release knip@6.24.0</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/bb0eeb6e33d050dab736134b5b692a3d6413f358"><code>bb0eeb6</code></a>
Squeeze every bit of perf out around compilers</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/260f19230f42c9dceaac97d55bf34d17902c5b38"><code>260f192</code></a>
Export Issue, IssueRecords and IssueType types (resolve <a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1840">#1840</a>)</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/cf997b2408cc0814c2d310d1e8c8680340153fa1"><code>cf997b2</code></a>
fix(reporters): always print the issue-type title for a single group (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1848">#1848</a>)</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/acba6b85ab05f70385228872fafea2b08290d0f6"><code>acba6b8</code></a>
feat: add scss handling to stencil plugin (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1846">#1846</a>)</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/3c9d4adf369f0064399d9da7b4f11f0467180bf5"><code>3c9d4ad</code></a>
Don't report built-in compiler dependencies as unused</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/5525759f33a5664e4882aebe239e9c17eeb29f92"><code>5525759</code></a>
feat: add less, stylus compilers and astro, svelte, vue import
resolution (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1">#1</a>...</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/7901abd3c4b496f212445bff9768efc9548ded61"><code>7901abd</code></a>
Don't report types used only in module augmentations as unused (resolve
<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1843">#1843</a>)</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/6f090f90f04e8202700ed68977faa1dc626ff235"><code>6f090f9</code></a>
Ignore import() in JSDoc examples (<a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1844">#1844</a>)</li>
<li><a
href="https://github.com/webpro-nl/knip/commit/aea7923438f0a8f459458578526f358b02497f77"><code>aea7923</code></a>
Don't report working-directory scripts as unlisted binaries (resolve <a
href="https://github.com/webpro-nl/knip/tree/HEAD/packages/knip/issues/1834">#1834</a>)</li>
<li>See full diff in <a
href="https://github.com/webpro-nl/knip/commits/knip@6.24.0/packages/knip">compare
view</a></li>
</ul>
</details>
<br />

Updates `tldts` from 6.1.86 to 7.4.6
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/remusao/tldts/releases">tldts's
releases</a>.</em></p>
<blockquote>
<h2>v7.4.6</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2626">#2626</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>:nut_and_bolt: Dependencies</h4>
<ul>
<li>Bump sigstore from 4.1.0 to 4.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2629">#2629</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​babel/core</code> from 7.24.7 to 7.29.7 <a
href="https://redirect.github.com/remusao/tldts/pull/2618">#2618</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump form-data from 4.0.5 to 4.0.6 <a
href="https://redirect.github.com/remusao/tldts/pull/2611">#2611</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup from 4.61.1 to 4.62.2 <a
href="https://redirect.github.com/remusao/tldts/pull/2612">#2612</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 <a
href="https://redirect.github.com/remusao/tldts/pull/2619">#2619</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump typescript-eslint from 8.60.1 to 8.62.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2624">#2624</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2625">#2625</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2628">#2628</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li><code>tldts-core</code>, <code>tldts-experimental</code>,
<code>tldts-icann</code>, <code>tldts-tests</code>,
<code>tldts-utils</code>, <code>tldts</code>
<ul>
<li>Bump <code>@​types/node</code> from 25.9.1 to 26.1.0 <a
href="https://redirect.github.com/remusao/tldts/pull/2627">#2627</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 2</h4>
<ul>
<li><a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a></li>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<h2>v7.4.5</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2617">#2617</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<h2>v7.4.4</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2614">#2614</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<h2>v7.4.3</h2>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2605">#2605</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/remusao/tldts/blob/master/CHANGELOG.md">tldts's
changelog</a>.</em></p>
<blockquote>
<h1>v7.4.6 (Thu Jul 02 2026)</h1>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2626">#2626</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>:nut_and_bolt: Dependencies</h4>
<ul>
<li>Bump sigstore from 4.1.0 to 4.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2629">#2629</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​babel/core</code> from 7.24.7 to 7.29.7 <a
href="https://redirect.github.com/remusao/tldts/pull/2618">#2618</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump form-data from 4.0.5 to 4.0.6 <a
href="https://redirect.github.com/remusao/tldts/pull/2611">#2611</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup from 4.61.1 to 4.62.2 <a
href="https://redirect.github.com/remusao/tldts/pull/2612">#2612</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 <a
href="https://redirect.github.com/remusao/tldts/pull/2619">#2619</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump typescript-eslint from 8.60.1 to 8.62.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2624">#2624</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2625">#2625</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li>Bump <code>@​sigstore/verify</code> from 3.1.0 to 3.1.1 <a
href="https://redirect.github.com/remusao/tldts/pull/2628">#2628</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
<li><code>tldts-core</code>, <code>tldts-experimental</code>,
<code>tldts-icann</code>, <code>tldts-tests</code>,
<code>tldts-utils</code>, <code>tldts</code>
<ul>
<li>Bump <code>@​types/node</code> from 25.9.1 to 26.1.0 <a
href="https://redirect.github.com/remusao/tldts/pull/2627">#2627</a> (<a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 2</h4>
<ul>
<li><a
href="https://github.com/dependabot%5Bbot%5D"><code>@​dependabot[bot]</code></a></li>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<hr />
<h1>v7.4.5 (Sun Jun 28 2026)</h1>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2617">#2617</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<hr />
<h1>v7.4.4 (Tue Jun 23 2026)</h1>
<h4>:scroll: Update Public Suffix List</h4>
<ul>
<li><code>tldts-experimental</code>, <code>tldts</code>
<ul>
<li>Update upstream public suffix list <a
href="https://redirect.github.com/remusao/tldts/pull/2614">#2614</a> (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
</li>
</ul>
<h4>Authors: 1</h4>
<ul>
<li>Rémi (<a
href="https://github.com/remusao"><code>@​remusao</code></a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/remusao/tldts/commit/92ee2b31e72433487577a6c027ad7ec69aa8c8fe"><code>92ee2b3</code></a>
Bump version to: v7.4.6 [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/cd23a4106ee0ed11cecf7ec7ed9bc308743d99ca"><code>cd23a41</code></a>
Update CHANGELOG.md [skip ci]</li>
<li><a
href="https://github.com/remusao/tldts/commit/11b91adfef769de8dbd8c87b1ed0809e0371e9a2"><code>11b91ad</code></a>
Update upstream public suffix list (<a
href="https://redirect.github.com/remusao/tldts/issues/2626">#2626</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/3136742bd2a089b2c9592cbbcc3de6c229bba5a9"><code>3136742</code></a>
Bump sigstore from 4.1.0 to 4.1.1 (<a
href="https://redirect.github.com/remusao/tldts/issues/2629">#2629</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/258820f15ee126878921c2359921d27efef4ca31"><code>258820f</code></a>
Bump <code>@​babel/core</code> from 7.24.7 to 7.29.7 (<a
href="https://redirect.github.com/remusao/tldts/issues/2618">#2618</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/e32bbb0fbece80aab696ce8abc89a22d5d4f6ee3"><code>e32bbb0</code></a>
Bump form-data from 4.0.5 to 4.0.6 (<a
href="https://redirect.github.com/remusao/tldts/issues/2611">#2611</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/8b65da192769c0f1abc96ffe7d8b0a872fce80a8"><code>8b65da1</code></a>
Bump rollup from 4.61.1 to 4.62.2 (<a
href="https://redirect.github.com/remusao/tldts/issues/2612">#2612</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/496e7f4cc06e5a85ad71dd040963a243b61962f5"><code>496e7f4</code></a>
Bump rollup-plugin-sourcemaps2 from 0.5.7 to 0.5.8 (<a
href="https://redirect.github.com/remusao/tldts/issues/2619">#2619</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/0adcc645852f4ebacf3db76eaa62da4c79f4c9bf"><code>0adcc64</code></a>
Bump typescript-eslint from 8.60.1 to 8.62.1 (<a
href="https://redirect.github.com/remusao/tldts/issues/2624">#2624</a>)</li>
<li><a
href="https://github.com/remusao/tldts/commit/6401b1448e797716c13778679bc7d2eb022126a8"><code>6401b14</code></a>
Bump <code>@​sigstore/core</code> from 3.1.0 to 3.2.1 (<a
href="https://redirect.github.com/remusao/tldts/issues/2625">#2625</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/remusao/tldts/compare/v6.1.86...v7.4.6">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for tldts since your current version.</p>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…s-major group (#5852)

Bumps the actions-major group with 1 update:
[docker/login-action](https://github.com/docker/login-action).

Updates `docker/login-action` from 4.3.0 to 4.4.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/login-action/releases">docker/login-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.4.0</h2>
<ul>
<li>Skip empty <code>registry-auth</code> secret mask by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/login-action/pull/1035">docker/login-action#1035</a></li>
<li>Bump <code>@​aws-sdk/client-ecr</code> and
<code>@​aws-sdk/client-ecr-public</code> to 3.1077.0 <a
href="https://redirect.github.com/docker/login-action/pull/1034">docker/login-action#1034</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/login-action/compare/v4.3.0...v4.4.0">https://github.com/docker/login-action/compare/v4.3.0...v4.4.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/login-action/commit/af1e73f918a031802d376d3c8bbc3fe56130a9b0"><code>af1e73f</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1034">#1034</a>
from docker/dependabot/npm_and_yarn/aws-sdk-dependen...</li>
<li><a
href="https://github.com/docker/login-action/commit/da722bde43bacb027adfc67d42dbaa4c0f9e550b"><code>da722bd</code></a>
[dependabot skip] chore: update generated content</li>
<li><a
href="https://github.com/docker/login-action/commit/2916ad60bd5cb72f07aa54c69fdcc61749c09b7a"><code>2916ad6</code></a>
build(deps): bump the aws-sdk-dependencies group across 1 directory with
2 up...</li>
<li><a
href="https://github.com/docker/login-action/commit/ca0a662f786e4cfddce972005bd68f3dafc3a903"><code>ca0a662</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1035">#1035</a>
from crazy-max/fix-registry-auth-empty-mask</li>
<li><a
href="https://github.com/docker/login-action/commit/c455755a579833bf0d2e4e54e3beb413ef10cc80"><code>c455755</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/login-action/commit/48351901f89581a7c12870c787d3f06d1f498438"><code>4835190</code></a>
skip empty registry-auth secret mask</li>
<li><a
href="https://github.com/docker/login-action/commit/992421c6e6806a7f6df609d1bfff374f9eca3004"><code>992421c</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1033">#1033</a>
from docker/dependabot/github_actions/docker/bake-ac...</li>
<li><a
href="https://github.com/docker/login-action/commit/b249b43765525dd7951068267a34cf63f22ab4f0"><code>b249b43</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/1032">#1032</a>
from docker/dependabot/github_actions/docker/bake-ac...</li>
<li><a
href="https://github.com/docker/login-action/commit/1b67977736863551a88ff218642a2d7628b10520"><code>1b67977</code></a>
build(deps): bump docker/bake-action from 7.2.0 to 7.3.0</li>
<li><a
href="https://github.com/docker/login-action/commit/9d49d6a3234c78daa10c3c12183ef7b6caa8e69e"><code>9d49d6a</code></a>
build(deps): bump docker/bake-action/subaction/matrix</li>
<li>See full diff in <a
href="https://github.com/docker/login-action/compare/c99871dec2022cc055c062a10cc1a1310835ceb4...af1e73f918a031802d376d3c8bbc3fe56130a9b0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=docker/login-action&package-manager=github_actions&previous-version=4.3.0&new-version=4.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…emplates with 3 updates (#5851)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3
updates: supabase/realtime, supabase/storage-api and supabase/logflare.

Updates `supabase/realtime` from v2.112.9 to v2.112.10

Updates `supabase/storage-api` from v1.64.1 to v1.66.2

Updates `supabase/logflare` from 1.46.0 to 1.47.0


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…te error on parse failures (CLI-1901) (#5844)

## What kind of change does this PR introduce?

Bug fix (legacy shell shared CLI runtime).

## What is the current behavior?

Fixes
[CLI-1901](https://linear.app/supabase/issue/CLI-1901/legacy-cli-required-flagchoice-parse-errors-double-print-and-dump-help),
originally surfaced as a side-finding during #5803's review (CLI-1859,
`gen bearer-jwt --role required`).

Any legacy command whose flag parsing fails with a
`CliError.ShowHelp`-wrapped error carrying a non-empty `errors` array
(missing required flag, invalid `Flag.choice` value, unrecognized flag,
etc.) printed a broken, non-Go-parity error:

```
$ supabase sso add --project-ref <ref>
DESCRIPTION
  Add and configure a new connection to a SSO identity provider...
USAGE
  supabase sso add [flags]
FLAGS
  ...
[... 20-30 line help doc, printed to STDOUT ...]

ERROR
  Missing required flag: --type
Error: required flag(s) "type" not set
Try rerunning the command with --debug to troubleshoot the error.
```

Root cause: the vendored `effect@4.0.0-beta.93` CLI library's
`Command.runWith`
(`.repos/effect/packages/effect/src/unstable/cli/Command.ts`) always
dumps the full help doc via `Console.log` and, when `errors.length > 0`,
also `Console.error`s the same errors — before this repo's own Go-parity
renderer (`normalize-error.ts` + `run.ts`'s `handledProgram`) renders
its own line for the same failure. This breaks stdout-piping scripts
(e.g. `TOKEN=$(supabase gen bearer-jwt --role "$ROLE")` with an empty
`$ROLE`) and violates this repo's own Go-parity contract
(`apps/cli/CLAUDE.md`).

## What is the new behavior?

`run.ts` gains `withoutParseErrorHelpDump`, which wraps
`Command.runWith(rootCommand, ...)(args)` with a buffering
`Console.Console` and, once the run's outcome is known, disposes of the
buffered writes per `classifyParseErrorConsoleOutput` — a three-way
split that mirrors Go cobra's *actual* behavior (verified directly
against the built `apps/cli-go/supabase-go` binary, not just assumed):

- **`drop`** — a missing required flag (`MissingOption`). Go's
`PersistentPreRunE` sets `SilenceUsage = true` (`cmd/root.go:97`)
*before* `ValidateRequiredFlags` runs, so this is a single clean stderr
line, nothing on stdout.
- **`flush-help-doc-to-stderr`** — every other genuine parse/validation
failure (unrecognized flag, invalid `Flag.choice` value, missing
positional argument, unknown subcommand). These are raised during
`ParseFlags`/`ValidateArgs`, *before* `SilenceUsage` is set — Go still
shows a usage block for these, always on stderr, never stdout. The
library's help doc isn't byte-identical to cobra's shorter usage
template (see judgement calls below), but it's now on the right stream
with no duplicate.
- **`flush-unchanged`** — success, `--help`, `--version`,
`--completions`, and the bare-group-command help dump (`errors: []`,
exit 0) — all untouched.

In every genuine-failure case, the library's own duplicate
`Console.error` render is dropped; this repo's own `handledProgram` +
`normalizeCause` render the single Go-parity line instead.

`normalize-error.ts`'s `ShowHelp`-envelope unwrap was also extended:
since the library's duplicate render is now gone, a wrapped inner error
with no Go-parity-specific mapping (`UnrecognizedOption`,
`DuplicateOption`, `MissingArgument`, `UnknownSubcommand`, or a
non-doubled-prefix `InvalidValue`) now falls back to that inner error's
own `.message` instead of the useless generic "Help requested" envelope
text — otherwise removing the duplicate would have silently regressed
those tags from "informative, but printed twice" to "printed once,
uselessly."

Tests: pure-predicate unit tests for the three-way classifier
(`run.unit.test.ts`), integration tests exercising the real
buffering/flush wiring against `legacyBranchesCommand` and a synthetic
required-flag command via a `Console.Console` test double
(`run.integration.test.ts` — not `vi.spyOn`, which reliably breaks call
detection when spying `console.log` and `console.error` in the same test
under this repo's Bun+Vitest combination), and e2e tests proving the
real subprocess stdout/stderr streams against `branches --bogus-flag`
and `sso add` (missing/invalid `--type`, the issue's own named repro
target).

### Judgement calls left open

- **Wording, not structure**: some of this repo's existing error wording
still differs from Go's exact text for these paths (e.g. Go's bare
`required flag(s) "type" not set` vs this repo's `Error: required
flag(s) "type" not set` with an extra `Error: ` prefix; Go's `invalid
argument "bogus" for "-t, --type" flag: must be one of [ saml ]` vs this
repo's `Invalid value for flag --type: "bogus". Expected "saml", got
"bogus"`). Both pre-date this fix and are unrelated to the
stdout-pollution/duplicate-print bug it targets — flagged by review as a
possible follow-up, not fixed here to keep this PR's diff focused.
- **Usage-block content, not stream**: the help/usage text now correctly
lands on stderr (never stdout) for the `flush-help-doc-to-stderr` class,
but its *content* is this library's own (longer) help doc, not cobra's
shorter usage template. True byte-parity there would need a second,
purpose-built "usage-only" formatter — out of scope for this fix.
- **Pre-existing terminal-escape echo**: user-supplied argv tokens (e.g.
an unrecognized flag name) are echoed verbatim into error messages with
no control-character stripping. Unaffected in kind by this change (just
relocated/de-duplicated); flagged by security review as low-priority and
better suited to its own issue if the team wants to harden it.
- The issue's secondary, explicitly-optional finding
(`internal/command.ts:243` misreporting `Flag.optional` status in
`--output-format json` help docs) is a separate, unrelated code path in
the same vendored module — deliberately left unaddressed here to keep
this PR scoped to the double-print/stdout-dump bug.
…numFlag parity) (#5855)

## What changed

Go's `isEnumFlag` (`apps/cli-go/cmd/root_analytics.go:110-116`)
unconditionally reports the value of any `*utils.EnumFlag`-backed pflag
verbatim in `cli_command_executed` telemetry — no per-flag annotation
needed. `--output`, `--dns-resolver`, and `--agent` are all registered
as `*utils.EnumFlag` on `rootCmd.PersistentFlags()`
(`cmd/root.go:330,331,333`), so Go always sends their real value.

The TS port's `withLegacyCommandInstrumentation` already auto-detects
`Flag.choice` flags declared in a command's own `config` (CLI-1866), and
already resolves global/persistent flag values as a fallback when a
command doesn't declare that CLI name locally (CLI-1896). But CLI-1896
deliberately scoped out the 3 global *choice* flags — nothing taught the
global-fallback path that a resolved value might itself be a safe enum,
so `--output`/`--dns-resolver`/`--agent` always fell through to
`"<redacted>"`.

This adds `GLOBAL_CHOICE_FLAG_NAMES`
(`legacy-command-instrumentation.ts`), derived from
`LEGACY_GLOBAL_FLAGS` by reusing the existing `getChoiceFlagNames`
helper (so the choice-detection predicate has exactly one home), and
consults it only on the global-fallback path — i.e. only when the
invoking command's own `flags` record doesn't already declare that CLI
name. A command that registers its own differently-typed local flag
under the same CLI name (`db diff`'s local string `output:
Flag.string("output")`, `cmd/db.go:622`) still shadows the global and
stays redacted, matching Go's `isEnumFlag` type-asserting that command's
own non-enum flag object instead of root's persistent `EnumFlag`.
Verified this is the real wiring, not a hypothetical: `db diff` passes
`output` in its own `flags` record with no matching `config` entry, so
`isFromHandler` is structurally `true` for it and the new global set is
never consulted.

Also verified Go's separate `output_format` telemetry property
(`PropOutputFormat`) is independent of the generic `flags.output` entry
— both already fire in Go too, so no double-counting concern from
un-redacting `flags.output`.

Fixes CLI-1904.

## Why

Found during CLI-1866's review as a pre-existing gap in the same problem
class, tracked separately since it was out of scope for that PR's diff,
then explicitly deferred again by CLI-1896 ("the 3 global choice flags
... remain redacted — that gap is the already-tracked CLI-1904, not this
ticket").

## Reviewer-relevant context

- All 4 `review-changes` agents (architect, engineer, security, DX)
reviewed this diff and approved with no blocking findings. Two
converging nits were fixed in a follow-up commit: deduped the
choice-detection predicate (`GLOBAL_CHOICE_FLAG_NAMES` now derives from
`getChoiceFlagNames` instead of re-implementing it) and clarified the
two `AGENTS.md` telemetry bullets.
- One deliberately-deferred judgement call from engineer-reviewer: no
command's own `*.integration.test.ts` today exercises
`withLegacyCommandInstrumentation`'s PostHog-capture behavior for *any*
flag (that coverage is entirely the job of
`legacy-command-instrumentation.unit.test.ts`'s own scenario suite) —
this is a pre-existing, repo-wide pattern, not something this PR narrows
or regresses. Adding integration-tier telemetry assertions to `db
diff`/`db query` specifically would set a new cross-cutting test
precedent well beyond this fix's scope, so left as a possible future
hardening rather than folded in here.
… globbing (#5856)

## Current Behavior

`legacyMatchPattern` (the glob matcher backing `[db.seed].sql_paths` and
`db reset --version`) treated a leading `!` inside a `[...]` bracket
class the same as `^` — shell/fnmatch-style negation. Go's `path.Match`
(which `apps/cli-go`'s `fs.Glob`/`afero.Glob` actually use for this)
only negates on `^`; `!` is an ordinary literal class member. So a
pattern like `[!a].sql` matched `b.sql` in the TS port where the Go CLI
would not, meaning `db push --include-seed` / `db reset` could read,
hash, and execute seed SQL outside the set the user's Go-compatible
config intended.

Verified directly against the real Go stdlib source
(`$GOROOT/src/path/match.go`) available on this machine, and against
`apps/cli-go/pkg/config/config.go` (`fs.Glob`) and
`apps/cli-go/internal/migration/repair/repair.go` (`GetMigrationFile` /
`afero.Glob`) — both go through the same `path.Match` grammar.

## New Behavior

Rather than patching the bug in place, this fixes it by deleting the
duplicate: `apps/cli/src/legacy/shared/legacy-path-match.ts`
(`legacyPathMatch`) is already a byte-faithful, already-tested port of
Go's `path.Match` — introduced earlier for the sibling `db
new`/migration seed pipeline (`legacy-seed.ts`) — with correct `^`-only
negation, escapes, and malformed-pattern (`ErrBadPattern`) detection.
`legacyMatchPattern` and its `matchClass`/`match` helpers are removed,
and both call sites are rewired onto `legacyPathMatch`:

- `legacy-seed-ops.ts`'s own seed glob (`globOne`)
- `reset.handler.ts`'s `--version` migration-file glob
(behavior-identical here — `v` is validated as digits-only before the
glob ever runs, so no bracket syntax is reachable on this path)

A follow-up commit closes a related gap all four `review-changes`
reviewers independently flagged: `legacyGlobSeedFiles` was discarding
`legacyPathMatch`'s `badPattern` signal, so a malformed pattern (e.g. an
unterminated `[` class) fell through to the generic `no files matched
pattern` warning instead of Go's `failed to glob files: syntax error in
pattern` (`fs.Glob`'s up-front `Match(pattern, "")` validation). The
sibling pipeline (`legacy-seed.ts:resolveSeedFiles`) already did this
correctly — mirrored it here now that both pipelines share
`legacyPathMatch`.

**Behavior change worth calling out for release notes:** any existing
`[db.seed].sql_paths` config relying on `[!x]` as shell-style negation
will now select a different (Go-correct) set of seed files with no error
— e.g. `[!0-9]` now means "the literal characters `!`, `0`-`9`", not
"not a digit". Use `[^x]` for negation, matching Go/the real Go CLI.
This is a correctness fix (the legacy shell's contract is strict Go
parity), but it is a silent behavior change for anyone who had
unknowingly depended on the old, non-Go-compatible negation.

## Related Issue(s)

Fixes https://linear.app/supabase/issue/CLI-1880

## Notes for reviewers

`review-changes` (architect/engineer/security/DX, run against the first
commit) all returned APPROVE/SHIP IT. Judgement calls deliberately left
open rather than expanded into this PR:

- The two seed pipelines (`legacy-seed-ops.ts` and `legacy-seed.ts`)
still duplicate the outer `fs.Glob`-style directory-walk/dedup logic
(both now delegate the leaf matcher to `legacyPathMatch`, but the
surrounding glob-resolution code is still two separate ports). Flagged
by the architect reviewer as a good candidate for a follow-up
consolidation, out of scope for this fix.
- `sql_paths`' glob dialect (Go `path.Match` semantics, `^`-only
negation, no POSIX classes) isn't documented anywhere user-facing
(`packages/config/src/db.ts`). Flagged by the DX reviewer as worth a
docs follow-up, not blocking.
…in /apps/cli-go in the go-minor group across 1 directory (#5858)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[github.com/stripe/pg-schema-diff](https://github.com/stripe/pg-schema-diff).

Updates `github.com/stripe/pg-schema-diff` from 1.0.5 to 1.0.7
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/stripe/pg-schema-diff/releases">github.com/stripe/pg-schema-diff's
releases</a>.</em></p>
<blockquote>
<h2>v1.0.7</h2>
<h2>Security fixes</h2>
<p>Fixes two additional SQL injection sinks identified via the same root
cause as v1.0.6 (enum labels, <a
href="https://redirect.github.com/stripe/pg-schema-diff/issues/295">#295</a>).
Schema-derived values were re-emitted into generated DDL without proper
escaping.</p>
<h3>Policy role names (<code>policy_sql_generator.go</code>)</h3>
<p><code>AppliesTo</code> role names (sourced from
<code>pg_roles.rolname</code>) were interpolated raw into <code>CREATE
POLICY ... TO</code> and <code>ALTER POLICY ... TO</code> statements. A
user with <code>CREATEROLE</code> privilege could plant a role whose
name contains an embedded double-quote to inject arbitrary SQL during
plan execution.</p>
<p><strong>Fix</strong>: Added <code>escapeRoleNames()</code> helper
that applies <code>EscapeIdentifier</code> to each role name, preserving
<code>PUBLIC</code> as an unquoted SQL keyword.</p>
<h3>Function/procedure names (<code>schema.go</code>
<code>buildProcName</code>)</h3>
<p>The function used hand-rolled quoting
(<code>fmt.Sprintf(&quot;\&quot;%s\&quot;(%s)&quot;, name, ...)</code>)
that did not double embedded double-quotes. A user with <code>CREATE
FUNCTION</code> privilege could create a function with
<code>&quot;</code> in its name to inject SQL when <code>DROP
FUNCTION</code>/<code>DROP PROCEDURE</code> statements are
generated.</p>
<p><strong>Fix</strong>: Replaced the hand-rolled quoting with
<code>EscapeIdentifier(name)</code>.</p>
<h2>What's Changed</h2>
<ul>
<li>fix: escape policy role names and function/procedure names in
generated SQL (<a
href="https://redirect.github.com/stripe/pg-schema-diff/issues/296">#296</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/stripe/pg-schema-diff/compare/v1.0.6...v1.0.7">https://github.com/stripe/pg-schema-diff/compare/v1.0.6...v1.0.7</a></p>
<h2>v1.0.6</h2>
<h2>Security fix</h2>
<p>Escapes enum labels in generated SQL to prevent a second-order SQL
injection.</p>
<p>Enum labels were interpolated into generated DDL using raw
<code>fmt.Sprintf(&quot;'%s'&quot;, val)</code>. A label containing a
single quote could break out of the string literal and inject arbitrary
SQL, which then executes with the plan runner's (often superuser)
privileges when <code>pg-schema-diff</code> generates migration SQL —
enabling RCE via <code>COPY ... TO PROGRAM</code>.</p>
<p>All three enum sinks (<code>CREATE TYPE ... AS ENUM</code>,
<code>ALTER TYPE ... ADD VALUE</code>, and the <code>BEFORE</code>
ordering clause) now route through a new <code>EscapeLiteral</code>
helper that doubles single quotes and strips null bytes.</p>
<p>See <a
href="https://redirect.github.com/stripe/pg-schema-diff/issues/295">#295</a>
for details and test evidence.</p>
<p><strong>Recommendation:</strong> upgrade to <code>v1.0.6</code>,
especially if you run <code>pg-schema-diff</code> against databases
where lower-privileged users can create enum types.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/stripe/pg-schema-diff/commit/6208f8f3ceccae8ca634055dc47907a6a864cb76"><code>6208f8f</code></a>
fix: escape policy role names and function names in generated SQL (<a
href="https://redirect.github.com/stripe/pg-schema-diff/issues/296">#296</a>)</li>
<li><a
href="https://github.com/stripe/pg-schema-diff/commit/4ff84db14685190757157e2c08026aa4e3b7e859"><code>4ff84db</code></a>
fix: escape enum labels in generated SQL to prevent SQL injection (<a
href="https://redirect.github.com/stripe/pg-schema-diff/issues/295">#295</a>)</li>
<li>See full diff in <a
href="https://github.com/stripe/pg-schema-diff/compare/v1.0.5...v1.0.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/stripe/pg-schema-diff&package-manager=go_modules&previous-version=1.0.5&new-version=1.0.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 3 updates:
[@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript),
[@clack/prompts](https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts)
and
[@typescript/native-preview](https://github.com/microsoft/typescript-go).

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.199 to 0.3.201
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@​anthropic-ai/claude-agent-sdk's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.201</h2>
<h2>What's changed</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.201</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.201
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.201
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.201
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.201
</code></pre>
<h2>v0.3.200</h2>
<h2>What's changed</h2>
<ul>
<li>Added <code>'manual'</code> as an accepted alias for the
<code>'default'</code> permission mode in SDK inputs</li>
<li>Fixed <code>onSetPermissionMode</code> callback not firing for
SDK-hosted Remote Control sessions</li>
<li>Fixed <code>set_model</code> control request accepting unrecognized
model strings; invalid models are now rejected before latching</li>
</ul>
<h2>Update</h2>
<pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.200
# or
yarn add @anthropic-ai/claude-agent-sdk@0.3.200
# or
pnpm add @anthropic-ai/claude-agent-sdk@0.3.200
# or
bun add @anthropic-ai/claude-agent-sdk@0.3.200
</code></pre>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@​anthropic-ai/claude-agent-sdk's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.201</h2>
<ul>
<li>Updated to parity with Claude Code v2.1.201</li>
</ul>
<h2>0.3.200</h2>
<ul>
<li>Added <code>'manual'</code> as an accepted alias for the
<code>'default'</code> permission mode in SDK inputs</li>
<li>Fixed <code>onSetPermissionMode</code> callback not firing for
SDK-hosted Remote Control sessions</li>
<li>Fixed <code>set_model</code> control request accepting unrecognized
model strings; invalid models are now rejected before latching</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/6809c4ca30f74667391c1f30dc5023e518110326"><code>6809c4c</code></a>
chore: Update CHANGELOG.md</li>
<li><a
href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/8d7e23f1ff86a20eed96ba64e2ac1ed44b68af14"><code>8d7e23f</code></a>
chore: Update CHANGELOG.md</li>
<li>See full diff in <a
href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.199...v0.3.201">compare
view</a></li>
</ul>
</details>
<br />

Updates `@clack/prompts` from 1.6.0 to 1.7.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/bombshell-dev/clack/releases">@​clack/prompts's
releases</a>.</em></p>
<blockquote>
<h2><code>@​clack/prompts</code><a
href="https://github.com/1"><code>@​1</code></a>.7.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/bombshell-dev/clack/pull/574">#574</a>
<a
href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a>
Thanks <a
href="https://github.com/dreyfus92"><code>@​dreyfus92</code></a>! - Add
<code>showInstructions</code> option to <code>select</code>,
<code>multiselect</code>, and <code>groupMultiselect</code>. Keyboard
hints remain shown by default; pass <code>showInstructions: false</code>
to hide them.</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/bombshell-dev/clack/pull/582">#582</a>
<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>
Thanks <a href="https://github.com/43081j"><code>@​43081j</code></a>! -
Handle empty arrays in various prompts and utilities.</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>]:</p>
<ul>
<li><code>@​clack/core</code><a
href="https://github.com/1"><code>@​1</code></a>.4.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/bombshell-dev/clack/blob/main/packages/prompts/CHANGELOG.md">@​clack/prompts's
changelog</a>.</em></p>
<blockquote>
<h2>1.7.0</h2>
<h3>Minor Changes</h3>
<ul>
<li><a
href="https://redirect.github.com/bombshell-dev/clack/pull/574">#574</a>
<a
href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a>
Thanks <a
href="https://github.com/dreyfus92"><code>@​dreyfus92</code></a>! - Add
<code>showInstructions</code> option to <code>select</code>,
<code>multiselect</code>, and <code>groupMultiselect</code>. Keyboard
hints remain shown by default; pass <code>showInstructions: false</code>
to hide them.</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/bombshell-dev/clack/pull/582">#582</a>
<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>
Thanks <a href="https://github.com/43081j"><code>@​43081j</code></a>! -
Handle empty arrays in various prompts and utilities.</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>]:</p>
<ul>
<li><code>@​clack/core</code><a
href="https://github.com/1"><code>@​1</code></a>.4.3</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/bombshell-dev/clack/commit/dc5bce8aae84a57b5863124adfaa839c1db1fa23"><code>dc5bce8</code></a>
[ci] release (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/575">#575</a>)</li>
<li><a
href="https://github.com/bombshell-dev/clack/commit/4b249539e28eecc16c13b3a1bd0ba447e9f38d06"><code>4b24953</code></a>
chore: enable strict index checks (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/582">#582</a>)</li>
<li><a
href="https://github.com/bombshell-dev/clack/commit/8f1c380683cfb5fb7a094610342046ae1603e28e"><code>8f1c380</code></a>
feat(prompts): add showInstructions opt-out (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/574">#574</a>)</li>
<li><a
href="https://github.com/bombshell-dev/clack/commit/06c16c7b65b69dee44301e7e6c8f1110c6da4149"><code>06c16c7</code></a>
chore: update license copyright to Bombshell contributors (<a
href="https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts/issues/572">#572</a>)</li>
<li>See full diff in <a
href="https://github.com/bombshell-dev/clack/commits/@clack/prompts@1.7.0/packages/prompts">compare
view</a></li>
</ul>
</details>
<br />

Updates `@typescript/native-preview` from 7.0.0-dev.20260702.3 to
7.0.0-dev.20260703.1
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/microsoft/typescript-go/commits">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…n /apps/cli-go in the go-minor group across 1 directory (#5865)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[github.com/posthog/posthog-go](https://github.com/posthog/posthog-go).

Updates `github.com/posthog/posthog-go` from 1.17.4 to 1.17.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/posthog/posthog-go/releases">github.com/posthog/posthog-go's
releases</a>.</em></p>
<blockquote>
<h2>1.17.5</h2>
<h2>Unreleased</h2>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md">github.com/posthog/posthog-go's
changelog</a>.</em></p>
<blockquote>
<h2>1.17.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>fe66557: Change the default capture delivery budget from 10 attempts
to 4 (<code>DefaultMaxAttempts</code>) when
<code>Config.MaxRetries</code> is unset, aligning with the cross-SDK
Capture V1 parity standard (posthog-rs uses the same envelope). This
affects <strong>both</strong> the v0 (<code>/batch/</code>) and v1 send
paths, since they share the attempt budget. Callers that set
<code>MaxRetries</code> explicitly are unaffected.</li>
<li>3d8404a: Unify the capture retry backoff ceiling at 30s.
<code>DefaultBackoff</code>'s cap changes from 10s to 30s (default only
— override via <code>Config.RetryAfter</code>), and the Capture V1 send
now clamps a server <code>Retry-After</code> to the same 30s so a
hostile or buggy header cannot park a batch goroutine.
<code>Retry-After</code> still acts as a minimum; the configured backoff
is never truncated. This aligns the default retry behavior with
posthog-rs and posthog-python.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/PostHog/posthog-go/commit/d7f8a22426389425e7874d302cedfbe86731a179"><code>d7f8a22</code></a>
chore: release v1.17.5 [version bump] [skip ci]</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/fe66557ddc3141ada0c1d9538186037c641614d9"><code>fe66557</code></a>
feat(capture): default to 4 delivery attempts (down from 10) (<a
href="https://redirect.github.com/posthog/posthog-go/issues/256">#256</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/3d8404afd554d1557a57c45deba05501a8288d44"><code>3d8404a</code></a>
fix(capture): unify retry backoff ceiling at 30s (<a
href="https://redirect.github.com/posthog/posthog-go/issues/255">#255</a>)</li>
<li><a
href="https://github.com/PostHog/posthog-go/commit/6affc1549498bbd8f8ee3fe5beaaab6da5d13ca1"><code>6affc15</code></a>
ci: Standardize SDK release failure telemetry (<a
href="https://redirect.github.com/posthog/posthog-go/issues/252">#252</a>)</li>
<li>See full diff in <a
href="https://github.com/posthog/posthog-go/compare/v1.17.4...v1.17.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/posthog/posthog-go&package-manager=go_modules&previous-version=1.17.4&new-version=1.17.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….2.2 in the actions-major group (#5871)

Bumps the actions-major group with 1 update:
[aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials).

Updates `aws-actions/configure-aws-credentials` from 6.2.1 to 6.2.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aws-actions/configure-aws-credentials/releases">aws-actions/configure-aws-credentials's
releases</a>.</em></p>
<blockquote>
<h2>v6.2.2</h2>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a>
(2026-07-07)</h2>
<h3>Miscellaneous Chores</h3>
<ul>
<li>release 6.2.2 (<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md">aws-actions/configure-aws-credentials's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this file.
See <a
href="https://github.com/conventional-changelog/standard-version">standard-version</a>
for commit guidelines.</p>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.1...v6.2.2">6.2.2</a>
(2026-07-07)</h2>
<h3>Miscellaneous Chores</h3>
<ul>
<li>release 6.2.2 (<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2">d01d678</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.2.0...v6.2.1">6.2.1</a>
(2026-06-26)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>enforce allowed-account-ids on all auth paths (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1847">#1847</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/4d281fbc56a82e63c3fc14f2cc22361f34c97493">4d281fb</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.3...v6.2.0">6.2.0</a>
(2026-06-01)</h2>
<h3>Features</h3>
<ul>
<li>add additional session tags by default (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1775">#1775</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/e0ba7685077379a14a82d01fefd511490344ebfc">e0ba768</a>)</li>
<li>add more retry logic and better logging (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1764">#1764</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/540d0c13aedb8d55501d220bd2f0b3cdedfe84e8">540d0c1</a>)</li>
<li>add regex validation to role-session-name (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1765">#1765</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/e35449909c6ede5083a48ba4b8bbfaaa1cf09ba1">e354499</a>)</li>
<li>Allow custom session tags to be passed when assuming a role (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1759">#1759</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/61f50f630f383628add73c1eab3f1935ba07da2b">61f50f6</a>)</li>
<li>expose run id in STS client user-agent (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1774">#1774</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/29d1be30273e7ef371d59fccf6ec54572c64ec89">29d1be3</a>)</li>
<li>support custom STS endpoints (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1762">#1762</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/8d52d05d7a4521fa52b39de50cb6114b12e5c332">8d52d05</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>skip credential check on output-env-credentials: false (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1778">#1778</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/58e7c47adf77846879008deadfeeef8a6969fe6c">58e7c47</a>)</li>
<li>assumeRole failing from session tag size too large (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1808">#1808</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d6f5dc331b44474b19a52caaf85fa4d637b13c8e">d6f5dc3</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.2...v6.1.3">6.1.3</a>
(2026-05-28)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>fix: allow kubelet token symlink in <a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1805">#1805</a></li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.1...v6.1.2">6.1.2</a>
(2026-05-26)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>additional filesystem checks (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1799">#1799</a>)
(<a
href="https://github.com/aws-actions/configure-aws-credentials/commit/c39f282697aca8a78c522ecf1f7da9899a31432c">c39f282</a>)</li>
</ul>
<h2><a
href="https://github.com/aws-actions/configure-aws-credentials/compare/v6.1.0...v6.1.1">6.1.1</a>
(2026-05-05)</h2>
<h3>Miscellaneous Chores</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/517a711dbcd0e402f90c77e7e2f81e849156e31d"><code>517a711</code></a>
chore(main): release 6.2.2 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1876">#1876</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d01d678e65d6d2bd9d5ca7a95d6f07b00e25f2c2"><code>d01d678</code></a>
chore: release 6.2.2</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/8efa52b2848773c500aa10726e251480b1a9eef6"><code>8efa52b</code></a>
chore(deps-dev): bump vitest dependencies (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1874">#1874</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/8e1eed5c14c0831e3e8d3e79a355207770cfc534"><code>8e1eed5</code></a>
chore(deps-dev): bump <code>@​smithy/property-provider</code> from 4.4.4
to 4.4.6 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1869">#1869</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/112421a93aaa67421f2d14d7c469df0e5ca60e47"><code>112421a</code></a>
chore(deps-dev): bump <code>@​biomejs/biome</code> from 2.5.1 to 2.5.2
(<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1868">#1868</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/fbc01c6585c59a56334d4803ca1f3f249a5fba3f"><code>fbc01c6</code></a>
chore(deps-dev): bump <code>@​types/node</code> from 26.0.1 to 26.1.0
(<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1871">#1871</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/b12ca875eb3037b4cfbc4aa347bd62e1b475d439"><code>b12ca87</code></a>
chore(deps-dev): bump memfs from 4.57.8 to 4.58.0 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1873">#1873</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/d314f7f43d28771d47678a1ad87f05976e241846"><code>d314f7f</code></a>
chore: Update dist</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/a53b65b84a3cea262b96b50376e409283f6f818b"><code>a53b65b</code></a>
chore(deps): bump <code>@​aws-sdk/client-sts</code> from 3.1076.0 to
3.1080.0 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1867">#1867</a>)</li>
<li><a
href="https://github.com/aws-actions/configure-aws-credentials/commit/338d2c18392e9b3ace741e4547b315bda30f7b02"><code>338d2c1</code></a>
chore(deps-dev): bump sigstore from 4.1.0 to 4.1.1 (<a
href="https://redirect.github.com/aws-actions/configure-aws-credentials/issues/1864">#1864</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/aws-actions/configure-aws-credentials/compare/254c19bd240aabef8777f48595e9d2d7b972184b...517a711dbcd0e402f90c77e7e2f81e849156e31d">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aws-actions/configure-aws-credentials&package-manager=github_actions&previous-version=6.2.1&new-version=6.2.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@supabase-cli-releaser supabase-cli-releaser Bot requested a review from a team as a code owner July 14, 2026 03:09
@supabase-cli-releaser supabase-cli-releaser Bot added the do not merge Approve to apply; do not merge. label Jul 14, 2026
if (value.startsWith(ENCRYPTED_PREFIX)) return "";
const hmac = createHmac("sha256", projectId).update(value).digest("hex");
const plaintext = decryptIfNeeded(value, dotenvPrivateKeys);
const hmac = createHmac("sha256", projectId).update(plaintext).digest("hex");

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 249b9ec577

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +91 to +98
const args = [
"db",
"__db-bootstrap",
...modeArgs,
...networkArgs,
...profileArgs,
...experimentalArgs,
];

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Forward explicit workdir into the bootstrap child

When db start or local db reset is invoked with an explicit --workdir/SUPABASE_WORKDIR, this seam starts the hidden Go child with only cwd: cliConfig.workdir and does not pass that workdir as a flag/env. In the Go child, ChangeWorkDir falls back to getProjectRoot(CurrentDirAbs) whenever WORKDIR is unset (apps/cli-go/internal/utils/misc.go:239-242), so an explicit workdir that intentionally has no supabase/config.toml can be replaced by an ancestor project. The child can then load the ancestor config/project id and create/reset/cleanup the wrong local containers; pass the resolved workdir through to the child.

Useful? React with 👍 / 👎.

Comment on lines +178 to +181
const projectId = legacyResolveLocalProjectId(
Option.getOrUndefined(cliConfig.projectId),
Option.getOrUndefined(tomlProjectId),
cliConfig.workdir,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Include project dotenv when deriving the db container

When SUPABASE_PROJECT_ID is defined only in project dotenv files, Go sees it because config Load calls loadNestedEnv before AutomaticEnv/validation (apps/cli-go/pkg/config/config.go:786-790). This preflight lookup only uses the ambient cliConfig.projectId plus TOML/workdir, so it inspects supabase_db_<wrong id> and misses an already-running stack that was started with the dotenv project id; db start then enters the bootstrap path instead of returning "already running". Resolve the project env here before deriving the container id.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do not merge Approve to apply; do not merge.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants