• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

supabase / cli / 29132273044
65%

Build:
DEFAULT BRANCH: develop
Ran 11 Jul 2026 12:18AM UTC
Jobs 1
Files 229
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

11 Jul 2026 12:10AM UTC coverage: 65.08%. Remained the same
29132273044

push

github

web-flow
fix(deps): bump github.com/stripe/pg-schema-diff from 1.0.5 to 1.0.7 in /apps/cli-go in the go-minor group across 1 directory (#5858)

Bumps the go-minor group with 1 update in the /apps/cli-go directory:
[github.com/stripe/pg-schema-diff](https://github.com/stripe/pg-schema-diff).

Updates `github.com/stripe/pg-schema-diff` from 1.0.5 to 1.0.7
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/stripe/pg-schema-diff/releases">github.com/stripe/pg-schema-diff's
releases</a>.</em></p>
<blockquote>
<h2>v1.0.7</h2>
<h2>Security fixes</h2>
<p>Fixes two additional SQL injection sinks identified via the same root
cause as v1.0.6 (enum labels, <a
href="https://redirect.github.com/stripe/pg-schema-diff/issues/295">#295</a>).
Schema-derived values were re-emitted into generated DDL without proper
escaping.</p>
<h3>Policy role names (<code>policy_sql_generator.go</code>)</h3>
<p><code>AppliesTo</code> role names (sourced from
<code>pg_roles.rolname</code>) were interpolated raw into <code>CREATE
POLICY ... TO</code> and <code>ALTER POLICY ... TO</code> statements. A
user with <code>CREATEROLE</code> privilege could plant a role whose
name contains an embedded double-quote to inject arbitrary SQL during
plan execution.</p>
<p><strong>Fix</strong>: Added <code>escapeRoleNames()</code> helper
that applies <code>EscapeIdentifier</code> to each role name, preserving
<code>PUBLIC</code> as an unquoted SQL keyword.</p>
<h3>Function/procedure names (<code>schema.go</code>
<code>buildProcName</code>)</h3>
<p>The function used hand-rolled quoting
(<code>fmt.Sprintf(&quot;\&quot;%s\&quot;(%s)&quot;, name, ...)</code>)
that did not double embedded double-quotes. A user with <code>CREATE
FUNCTION</code> privilege could create a function with
<code>&quot;</code> in its name to inject SQL when <code>DROP
FUNCTION</code>/<code>DROP PROCEDURE</code> statements are
generated.</p>
<p><strong>Fix</strong>: Replaced the hand-rolled quoting wit... (continued)

11145 of 17125 relevant lines covered (65.08%)

10.49 hits per line

Coverage Regressions

Lines Coverage ∆ File
2
82.41
0.0% internal/storage/rm/rm.go
Jobs
ID Job ID Ran Files Coverage
1 29132273044.1 11 Jul 2026 12:18AM UTC 229
65.08
GitHub Action Run
Source Files on build 29132273044
  • Tree
  • List 229
  • Changed 1
  • Source Changed 0
  • Coverage Changed 1
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #29132273044
  • bba5486d on github
  • Prev Build on gh-readonly-queue/develop/pr-5856-7c047c59ac1e8e42b14b996b2a54d4f9ca1557d4 (#29099643096)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc