fix(core): Guard nullish response in supabase PostgREST handler #20033

Merged
Lms24 merged 3 commits into develop from fix/supabase-nullish-response
Mar 30, 2026

@antonis antonis commented Mar 30, 2026

Closes #20032

Context:

In the supabaseIntegration's PostgREST instrumentation, the .then() success handler accesses res.error without checking if res is nullish first. This causes crashes in environments like React Native where the response can be undefined.
A related error recently trended on the React Native SDK (see Linear comment)

Summary:

  • Added a null guard on res before accessing res.error in instrumentPostgRESTFilterBuilder, changing if (res.error) to if (res && res.error) — matching the existing pattern used in instrumentAuthOperation
  • The existing setHttpStatus block already had a proper guard (if (res && typeof res === 'object' && 'status' in res)), so only the error-handling path was affected
  • Span .end() and breadcrumb creation continue to work correctly regardless of whether res is nullish
  • Added a new test file for the supabase integration covering the nullish response scenario and existing utility functions

Before submitting a pull request, please take a look at our
Contributing guidelines and verify:

  • If you've added code that should be tested, please add tests.
  • Ensure your code lints and the test suite passes (yarn lint) & (yarn test).
  • Link an issue if there is one related to your pull request. If no issue is linked, one will be auto-generated and linked.

The `.then()` success handler in `instrumentPostgRESTFilterBuilder` accessed
`res.error` without a null guard, causing a crash when `res` is undefined
(observed in React Native). This adds a guard matching the pattern already
used in `instrumentAuthOperation`.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
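
The crash this PR fixes, reproduced as an added example (not code from the PR or from the Sentry SDK): a `.then()` success handler in its unguarded and guarded forms, run against a constructed error response and a constructed `undefined` response. `makeTelemetry`, `makeSuccessHandler`, `runQuery` and the breadcrumb shape are hypothetical stand-ins.

```javascript
// Added illustration with hypothetical names; not code from the PR or the SDK.

// Stand-in for the span and breadcrumb state the instrumentation maintains.
function makeTelemetry() {
  return { spanStatus: 'unset', spanEnded: false, httpStatus: null, captured: [], breadcrumbs: [] };
}

// Builds the .then() success handler; `guarded` selects the fixed form.
function makeSuccessHandler(t, guarded) {
  return function onSuccess(res) {
    // Status block: already safe for a nullish response (guard quoted in the PR).
    if (res && typeof res === 'object' && 'status' in res) {
      t.httpStatus = res.status;
    }
    // Error path: `res.error` throws a TypeError when res is undefined.
    const error = guarded ? res?.error : res.error;
    if (error) {
      t.captured.push(error.message);
      t.spanStatus = 'error';
    }
    t.breadcrumbs.push({ category: 'db.query', ok: !error }); // constructed shape
    t.spanEnded = true;
    return res; // hand the caller's value back unchanged
  };
}

// Runs one response through the instrumented chain and reports what the
// application observes alongside what telemetry recorded.
async function runQuery(response, guarded) {
  const t = makeTelemetry();
  try {
    const value = await Promise.resolve(response).then(makeSuccessHandler(t, guarded));
    return { outcome: 'resolved', value, ...t };
  } catch (err) {
    return { outcome: 'rejected', errorName: err.name, ...t };
  }
}

// Constructed inputs: a PostgREST-style error body and a nullish response.
const samples = [{ status: 400, error: { message: 'constructed error' } }, undefined];
(async () => {
  for (const res of samples) {
    for (const guarded of [false, true]) {
      const r = await runQuery(res, guarded);
      console.log(guarded ? 'guarded  ' : 'unguarded', r.outcome, r.spanEnded, r.breadcrumbs.length);
    }
  }
})();
```

With the unguarded handler and an `undefined` response, the application sees a `TypeError` rejection in place of its resolved value and the span is never ended; the guarded handler passes the value through and still ends the span and records the breadcrumb.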

github-actions bot commented Mar 30, 2026

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

Deps

  • Bump babel-loader from 10.0.0 to 10.1.1 by dependabot in #19997
  • Bump handlebars from 4.7.7 to 4.7.9 by dependabot in #20008

Nuxt

  • Add middleware instrumentation compatibility for Nuxt 5 by s1gr1d in #19968
  • Support parametrized SSR routes in Nuxt 5 by s1gr1d in #19977

Other

  • (browser) Replace element timing spans with metrics by logaretm in #19869
  • (bun) Add bunRuntimeMetricsIntegration by chargome in #19979
  • (core) Support embedding APIs in google-genai by nicohrubec in #19797
  • (node) Add nodeRuntimeMetricsIntegration by chargome in #19923

Bug Fixes 🐛

  • (core) Guard nullish response in supabase PostgREST handler by antonis in #20033
  • (e2e) Pin @opentelemetry/api to 1.9.0 in ts3.8 test app by logaretm in #19992
  • (node) Ensure startNewTrace propagates traceId in OTel environments by logaretm in #19963
  • (nuxt) Use virtual module for Nuxt pages data (SSR route parametrization) by s1gr1d in #20020
  • (opentelemetry) Convert seconds timestamps in span.end() to milliseconds by logaretm in #19958

Documentation 📚

  • (release) Update publishing-a-release.md by nicohrubec in #19982

Internal Changes 🔧

Core

  • Introduce instrumented method registry for AI integrations by nicohrubec in #19981
  • Consolidate getOperationName into one shared utility by nicohrubec in #19971

Deps

  • Bump amqplib from 0.10.7 to 0.10.9 by dependabot in #20000
  • Bump actions/upload-artifact from 6 to 7 by dependabot in #19569
  • Bump srvx from 0.11.12 to 0.11.13 by dependabot in #20001
  • Bump @apollo/server from 5.4.0 to 5.5.0 by dependabot in #20007

Deps Dev

  • Remove esbuild override in astro-5-cf-workers E2E test by isaacs in #20024
  • Bump node-forge from 1.3.2 to 1.4.0 by dependabot in #20012
  • Bump yaml from 2.8.2 to 2.8.3 by dependabot in #19985

Other

  • (deno) Expand Deno E2E test coverage by chargome in #19957
  • (e2e) Add e2e tests for nodeRuntimeMetricsIntegration by chargome in #19989

🤖 This preview updates automatically when you update the PR.

github-actions bot commented Mar 30, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 25.69 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.17 kB | - | - |
| @sentry/browser (incl. Tracing) | 42.17 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 46.79 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 80.98 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.6 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.7 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 97.97 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.48 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.35 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.4 kB | - | - |
| @sentry/browser (incl. Metrics) | 26.96 kB | - | - |
| @sentry/browser (incl. Logs) | 27.1 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.78 kB | - | - |
| @sentry/react | 27.45 kB | - | - |
| @sentry/react (incl. Tracing) | 44.52 kB | - | - |
| @sentry/vue | 30.13 kB | - | - |
| @sentry/vue (incl. Tracing) | 44.08 kB | - | - |
| @sentry/svelte | 25.7 kB | - | - |
| CDN Bundle | 28.39 kB | - | - |
| CDN Bundle (incl. Tracing) | 43.2 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 29.76 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.25 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.56 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 80.08 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81.16 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.62 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.67 kB | - | - |
| CDN Bundle - uncompressed | 82.93 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 128.07 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 87.07 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 131.48 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 210.06 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.95 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 248.34 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.86 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 261.25 kB | - | - |
| @sentry/nextjs (client) | 46.93 kB | - | - |
| @sentry/sveltekit (client) | 42.67 kB | - | - |
| @sentry/node-core | 56.51 kB | +0.02% | +11 B 🔺 |
| @sentry/node | 173.6 kB | +0.01% | +12 B 🔺 |
| @sentry/node - without tracing | 96.54 kB | +0.01% | +5 B 🔺 |
| @sentry/aws-serverless | 113.54 kB | +0.01% | +9 B 🔺 |

github-actions bot commented Mar 30, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
| --- | --- | --- | --- | --- |
| GET Baseline | 9,253 | - | 8,837 | +5% |
| GET With Sentry | 1,700 | 18% | 1,654 | +3% |
| GET With Sentry (error only) | 5,888 | 64% | 6,073 | -3% |
| POST Baseline | 1,190 | - | 1,202 | -1% |
| POST With Sentry | 588 | 49% | 591 | -1% |
| POST With Sentry (error only) | 1,056 | 89% | 1,051 | +0% |
| MYSQL Baseline | 3,269 | - | 3,229 | +1% |
| MYSQL With Sentry | 449 | 14% | 487 | -8% |
| MYSQL With Sentry (error only) | 2,640 | 81% | 2,640 | - |

antonis and others added 2 commits March 30, 2026 09:33
Address lint failures: use `res?.error` instead of `res && res.error`,
and remove unused imports in the test file.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@antonis antonis marked this pull request as ready for review March 30, 2026 08:03
@antonis antonis requested review from Lms24 and alwx March 30, 2026 08:47

@Lms24 Lms24 left a comment

Good catch, thanks! Wasn't aware that a response from Supabase could be nullish but didn't think of the custom fetch implementation. Makes sense to guard for this!

@Lms24 Lms24 merged commit 119c06f into develop Mar 30, 2026
239 checks passed
@Lms24 Lms24 deleted the fix/supabase-nullish-response branch March 30, 2026 10:30
JPeer264 pushed a commit that referenced this pull request Mar 30, 2026
Closes #20032

### Context:
In the `supabaseIntegration`'s PostgREST instrumentation, the `.then()`
success handler accesses `res.error` without checking if `res` is
nullish first. This causes crashes in environments like React Native
where the response can be `undefined`.
A related error recently trended on the React Native SDK (see Linear
comment)

### Summary:
- Added a null guard on `res` before accessing `res.error` in
`instrumentPostgRESTFilterBuilder`, changing `if (res.error)` to `if
(res && res.error)` — matching the existing pattern used in
`instrumentAuthOperation`
- The existing `setHttpStatus` block already had a proper guard (`if
(res && typeof res === 'object' && 'status' in res)`), so only the
error-handling path was affected
- Span `.end()` and breadcrumb creation continue to work correctly
regardless of whether `res` is nullish
- Added a new test file for the supabase integration covering the
nullish response scenario and existing utility functions

Before submitting a pull request, please take a look at our

[Contributing](https://github.com/getsentry/sentry-javascript/blob/master/CONTRIBUTING.md)
guidelines and verify:

- [x] If you've added code that should be tested, please add tests.
- [x] Ensure your code lints and the test suite passes (`yarn lint`) &
(`yarn test`).
- [x] Link an issue if there is one related to your pull request. If no
issue is linked, one will be auto-generated and linked.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

Development

Successfully merging this pull request may close these issues.

Bug: supabaseIntegration crashes when PostgREST response is nullish
