You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
v2.109.0 (also confirmed absent in v2.109.1 and main)
Operating system
macOS
Installation method
brew
Command
supabase db advisors --local --type security
Actual output
Connecting to local database...
No issues found
Expected behavior
db advisors --local should report rls_disabled_in_public for an RLS-disabled,API-reachable public table, matching the hosted Security Advisor so it can be trusted as a pre-deploy CI gate. Right now it gives a false all-clear for the entire class of API-exposure lints.
Steps to reproduce
supabase init && supabase start
In the local DB, create an exposed, RLS-off table:
createtablepublic.leaky (id int);
grantselectonpublic.leaky to anon, authenticated;
Run the security advisors locally and list the lint names:
=> rls_disabled_in_public is absent (only rls_enabled_no_policy appears).
Prove the cause is the unset GUC:
alter role postgres setpgrst.db_schemas='public'; -- then reconnect
Re-run step 3 => rls_disabled_in_public (ERROR) now appears.
Crash report ID
No response
Docker and service versions
Additional context
Actual behavior
The only security lint ever returned locally is rls_enabled_no_policy. rls_disabled_in_public - and every other API-exposure lint (auth_users_exposed, security_definer_view, materialized_view_in_api, foreign_table_in_api, sensitive_columns_exposed, the pgmq queue lint) - is never emitted, even for a public table that clearly qualifies (RLS disabled AND granted to anon/authenticated).
No error is printed; the findings are silently absent.
rls_disabled_in_public was correctly detected only on Supabase cloud, not in my CI steps before.
Root cause (traced to source):
The --local path runs an embedded splinter snapshot via a direct connection as postgres: apps/cli-go/internal/db/advisors/advisors.go (//go:embed templates/lints.sql).
In that snapshot, rls_disabled_in_public (and ~6 other API-exposure lints) gate on:
The advisors setup SQL does not set pgrst.db_schemas, and a directly-connected postgres session has it unset → string_to_array(NULL,',') → empty array → nspname = any('{}') is false for every table. So the lints silently match nothing.
Affected area
Local development
Supabase CLI version
v2.109.0 (also confirmed absent in v2.109.1 and main)
Operating system
macOS
Installation method
brew
Command
Actual output
Connecting to local database... No issues foundExpected behavior
db advisors --localshould reportrls_disabled_in_publicfor an RLS-disabled,API-reachable public table, matching the hosted Security Advisor so it can be trusted as a pre-deploy CI gate. Right now it gives a false all-clear for the entire class of API-exposure lints.Steps to reproduce
supabase init && supabase startrls_disabled_in_publicis absent (onlyrls_enabled_no_policyappears).rls_disabled_in_public(ERROR) now appears.Crash report ID
No response
Docker and service versions
Additional context
Actual behavior
The only security lint ever returned locally is
rls_enabled_no_policy.rls_disabled_in_public- and every other API-exposure lint (auth_users_exposed, security_definer_view, materialized_view_in_api, foreign_table_in_api, sensitive_columns_exposed, the pgmq queue lint) - is never emitted, even for a public table that clearly qualifies (RLS disabled AND granted to anon/authenticated).No error is printed; the findings are silently absent.
rls_disabled_in_publicwas correctly detected only on Supabase cloud, not in my CI steps before.Root cause (traced to source):
--localpath runs an embedded splinter snapshot via a direct connection aspostgres:apps/cli-go/internal/db/advisors/advisors.go(//go:embed templates/lints.sql).rls_disabled_in_public(and ~6 other API-exposure lints) gate on:pgrst.db_schemas, and a directly-connectedpostgressession has it unset →string_to_array(NULL,',')→ empty array →nspname = any('{}')is false for every table. So the lints silently match nothing.supabase db remote commitfails with errorError: ERROR: prepared statement "lrupsc_1_0" already exists (SQLSTATE 42P05)#168 (2026-06-17) withcoalesce(current_setting('pgrst.db_schemas','t'), 'public'):fix: default API-exposure lints to public schema when pgrst.db_schemas is unset splinter#168
But the CLI's vendored snapshot has not been updated - the
coalescefallback isabsent in v2.109.0, v2.109.1, and main (grep of the embedded lints.sql).
Suggested fix (either):
supabase db remote commitfails with errorError: ERROR: prepared statement "lrupsc_1_0" already exists (SQLSTATE 42P05)#168, orpgrst.db_schemasfrom the project's[api].schemasbefore running the lints.Note:
db advisorsis currently undocumented in the CLI reference(https://supabase.com/docs/reference/cli/supabase-db-advisors has no content), and
#3839 requested this capability - so this may just be an unfinished edge.