Tags: supabase/ssr
chore(main): release 0.10.2 (#198)

🤖 I have created a release *beep* *boop*

---

## [0.10.2](v0.10.1...v0.10.2) (2026-04-09)

### Bug Fixes

* **ci:** remove packageManager field ([#197](#197)) ([6bf0226](6bf0226))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>

chore(main): release 0.10.1 (#195)

🤖 I have created a release *beep* *boop*

---

## [0.10.1](v0.10.0...v0.10.1) (2026-04-08)

### Bug Fixes

* **auth:** respect user-provided auth options in createBrowserClient ([#167](#167)) ([5f04837](5f04837))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>

chore(main): release 0.10.0 (#180)

🤖 I have created a release *beep* *boop*

---

## [0.10.0](v0.9.0...v0.10.0) (2026-03-30)

### Features

* pass cache headers to setAll to prevent CDN caching of auth responses ([#176](#176)) ([14962d2](14962d2))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>

build(deps-dev): bump picomatch from 2.3.1 to 2.3.2 in the npm_and_yarn group across 1 directory (#185)

Bumps the npm_and_yarn group with 1 update in the / directory: [picomatch](https://github.com/micromatch/picomatch).

Updates `picomatch` from 2.3.1 to 2.3.2

<details>
<summary>Release notes</summary>

*Sourced from [picomatch's releases](https://github.com/micromatch/picomatch/releases).*

> ## 2.3.2
>
> This is a security release fixing several security relevant issues.
>
> ## What's Changed
>
> - fix: exception when glob pattern contains constructor by [`@Jason3S`](https://github.com/Jason3S) in [micromatch/picomatch#144](https://redirect.github.com/micromatch/picomatch/pull/144)
> - Fix for [CVE-2026-33671](https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj)
> - Fix for [CVE-2026-33672](https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p)
>
> **Full Changelog**: https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2

</details>

<details>
<summary>Changelog</summary>

*Sourced from [picomatch's changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md).*

> # Release history
>
> **All notable changes to this project will be documented in this file.**
>
> The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
>
> - Changelogs are for humans, not machines.
> - There should be an entry for every single version.
> - The same types of changes should be grouped.
> - Versions and sections should be linkable.
> - The latest version comes first.
> - The release date of each versions is displayed.
> - Mention whether you follow Semantic Versioning.
>
> Changelog entries are classified using the following labels *(from [keep-a-changelog](http://keepachangelog.com/))*:
>
> - `Added` for new features.
> - `Changed` for changes in existing functionality.
> - `Deprecated` for soon-to-be removed features.
> - `Removed` for now removed features.
> - `Fixed` for any bug fixes.
> - `Security` in case of vulnerabilities.
>
> ## 4.0.0 (2024-02-07)
>
> ### Fixes
>
> - Fix bad text values in parse [#126](https://redirect.github.com/micromatch/picomatch/issues/126), thanks to [`@connor4312`](https://github.com/connor4312)
>
> ### Changed
>
> - Remove process global to work outside of node [#129](https://redirect.github.com/micromatch/picomatch/issues/129), thanks to [`@styfle`](https://github.com/styfle)
> - Add sideEffects to package.json [#128](https://redirect.github.com/micromatch/picomatch/issues/128), thanks to [`@frandiox`](https://github.com/frandiox)
> - Removed `os`, make compatible browser environment. See [#124](https://redirect.github.com/micromatch/picomatch/issues/124), thanks to [`@gwsbhqt`](https://github.com/gwsbhqt)
>
> ## 3.0.1
>
> ### Fixes

... (truncated)

</details>

<details>
<summary>Commits</summary>

- [`81cba8d`](https://github.com/micromatch/picomatch/commit/81cba8d4b767cab3cb29d26eb4f691eed75b73b2) Publish 2.3.2
- [`fc1f6b6`](https://github.com/micromatch/picomatch/commit/fc1f6b69006e9435caf8fb40d8aff378bc0b7bce) Merge commit from fork
- [`eec17ae`](https://github.com/micromatch/picomatch/commit/eec17aee5428a7249e9ca5adbb8a0d28fa29619b) Merge commit from fork
- [`78f8ca4`](https://github.com/micromatch/picomatch/commit/78f8ca4362d9e66cadea97b93e292f10096452ed) Merge pull request [#156](https://redirect.github.com/micromatch/picomatch/issues/156) from micromatch/backport-144
- [`3f4f10e`](https://github.com/micromatch/picomatch/commit/3f4f10eaa65bf3a52e8f2999674cd27e11fa3c9b) Merge pull request [#144](https://redirect.github.com/micromatch/picomatch/issues/144) from Jason3S/jdent-object-properties
- See full diff in [compare view](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/supabase/ssr/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

ci: include changelogs in supabase js update pr (#186)

Include release notes in the automated PR that updates supabase-js across the repo.

- Looks at what version is installed
- It includes all changelogs between installed version and to-be-installed version

chore: update @supabase/supabase-js to v2.100.1 (#184)

This PR updates `@supabase/supabase-js` to v2.100.1.

**Source**: supabase-js-stable-release

This PR was created automatically.

Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>

chore: update @supabase/supabase-js to v2.100.0 (#183)

This PR updates `@supabase/supabase-js` to v2.100.0.

**Source**: supabase-js-stable-release

This PR was created automatically.

Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>

build(deps-dev): bump flatted from 3.3.1 to 3.4.2 in the npm_and_yarn group across 1 directory (#182)

Bumps the npm_and_yarn group with 1 update in the / directory: [flatted](https://github.com/WebReflection/flatted).

Updates `flatted` from 3.3.1 to 3.4.2

<details>
<summary>Commits</summary>

- [`3bf0909`](https://github.com/WebReflection/flatted/commit/3bf09091c3562e17a0647bc06710dd6097079cf7) 3.4.2
- [`885ddcc`](https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802) fix CWE-1321
- [`0bdba70`](https://github.com/WebReflection/flatted/commit/0bdba705d130f00892b1b8fcc80cf4cdea0631e3) added flatted-view to the benchmark
- [`2a02dce`](https://github.com/WebReflection/flatted/commit/2a02dce7c641dec31194c67663f9b0b12e62da20) 3.4.1
- [`fba4e8f`](https://github.com/WebReflection/flatted/commit/fba4e8f2e113665da275b19cd0f695f3d98e9416) Merge pull request [#89](https://redirect.github.com/WebReflection/flatted/issues/89) from WebReflection/python-fix
- [`5fe8648`](https://github.com/WebReflection/flatted/commit/5fe86485e6df7f7f34a07a2a85498bd3e17384e7) added "when in Rome" also a test for PHP
- [`53517ad`](https://github.com/WebReflection/flatted/commit/53517adbefe724fe472b2f9ebcdb01910d0ae3f0) some minor improvement
- [`b3e2a0c`](https://github.com/WebReflection/flatted/commit/b3e2a0c387bf446435fec45ad7f05299f012346f) Fixing recursion issue in Python too
- [`c4b46db`](https://github.com/WebReflection/flatted/commit/c4b46dbcbf782326e54ea1b65d3ebb1dc7a23fad) Add SECURITY.md for security policy and reporting
- [`f86d071`](https://github.com/WebReflection/flatted/commit/f86d071e0f70de5a7d8200198824a3f07fc9c988) Create dependabot.yml for version updates
- Additional commits viewable in [compare view](https://github.com/WebReflection/flatted/compare/v3.3.1...v3.4.2)

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

feat: pass cache headers to setAll to prevent CDN caching of auth responses (#176)

### What

`SetAllCookies` now receives a required second argument `headers: Record<string, string>` alongside the cookies array. When `applyServerStorage` calls `setAll` after a token refresh or any auth state change, it passes the following headers:

```ts
{
  'Cache-Control': 'private, no-cache, no-store, must-revalidate, max-age=0',
  'Expires': '0',
  'Pragma': 'no-cache',
}
```

Users must apply these headers to their HTTP response in their `setAll` implementation:

```ts
// Next.js middleware
cookies: {
  setAll(cookiesToSet, headers) {
    cookiesToSet.forEach(({ name, value, options }) =>
      response.cookies.set(name, value, options)
    )
    Object.entries(headers).forEach(([key, value]) =>
      response.headers.set(key, value)
    )
  }
}
```

```ts
// Nuxt server middleware
cookies: {
  setAll(cookiesToSet, headers) {
    cookiesToSet.forEach(({ name, value, options }) =>
      setCookie(event, name, value, options)
    )
    Object.entries(headers).forEach(([key, value]) =>
      setHeader(event, key, value)
    )
  }
}
```

### Why

See: supabase/supabase-js#1682

When `@supabase/ssr` refreshes a session server-side, the new JWT is written to the response via `Set-Cookie`. If a CDN (CloudFront, Vercel Edge, Cloudflare, etc.) caches that response and serves it to a different user, that user's browser stores the cached token and is signed in as the wrong person. This has been confirmed in production by multiple users.

The library knows exactly when this happens, which is inside `applyServerStorage`, triggered by the `TOKEN_REFRESHED` event, but previously gave the user no way to know they needed to set cache headers. The fix surfaces that information directly in the `setAll` callback.

### Breaking change

`SetAllCookies` now has a required second argument. Existing `setAll` implementations that do not declare the second parameter will **not** receive a TypeScript error (TypeScript allows functions with fewer parameters to satisfy a type expecting more), but they will silently miss applying the headers. All official quickstart examples and docs will be updated to include the headers.

### What was considered and ruled out

- **`serverRefresh: false` option**: Rejected. The server must be able to refresh an expired token before rendering auth-gated pages — skipping server-side refresh entirely breaks the core SSR auth flow.
- **Docs-only fix**: Insufficient. Users who copy an outdated quickstart or don't read the changelog stay insecure without knowing it.
- **Optional `headers?` argument**: Also insufficient for the same reason — optional typing gives users an escape hatch and TypeScript won't warn them.
- **Setting headers on the fetch request**: auth-js previously added `cache: no-store` to outgoing fetch requests (PR #847) and had to revert it (PR #886) because it broke Cloudflare's fetch handling. That was a different mechanism (Next.js Data Cache on outgoing requests). Our change operates at the HTTP response level via the user's `setAll` callback and does not touch fetch options.

### Files changed

- `src/types.ts` — `SetAllCookies` type updated with required `headers` second argument and JSDoc
- `src/cookies.ts` — `applyServerStorage` passes cache headers; browser-only `setAll` call sites pass `{}`
- `src/cookies.spec.ts` — existing tests updated; new assertion verifies `applyServerStorage` passes the correct headers

Related: supabase/supabase-js#1682
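
The silent failure described in the commit message above (a one-parameter `setAll` still type-checks but never applies the cache headers) can be caught in a unit test. This is an added example, not code from supabase/ssr: `FakeResponse`, `auditResponse`, `auditSetAll`, `legacy`, `updated` and the cookie name and value are hypothetical, and only the header values are taken from the commit message.

```typescript
// Added example with hypothetical names; not part of @supabase/ssr.
type CookieToSet = { name: string; value: string; options: Record<string, unknown> }
type SetAll = (cookies: CookieToSet[], headers: Record<string, string>) => void

// Header values as quoted in the commit message.
const AUTH_CACHE_HEADERS: Record<string, string> = {
  'Cache-Control': 'private, no-cache, no-store, must-revalidate, max-age=0',
  Expires: '0',
  Pragma: 'no-cache',
}

// Minimal stand-in for a framework response object (assumption for the test).
class FakeResponse {
  cookies: Record<string, string> = {}
  headers: Record<string, string> = {}
  setCookie(name: string, value: string): void {
    this.cookies[name] = value
  }
  setHeader(name: string, value: string): void {
    this.headers[name.toLowerCase()] = value // header names are case-insensitive
  }
}

// A response that sets cookies may be stored by a shared cache unless
// Cache-Control carries `private` or `no-store`.
function auditResponse(res: FakeResponse): string[] {
  if (Object.keys(res.cookies).length === 0) return []
  const raw = res.headers['cache-control'] || ''
  const directives = raw.split(',').map((d) => d.trim().toLowerCase())
  if (directives.indexOf('private') >= 0 || directives.indexOf('no-store') >= 0) return []
  return ['Set-Cookie present but Cache-Control lacks private/no-store']
}

// Call setAll the way the commit describes (cookies plus cache headers after a
// token refresh) and report what ended up on the response.
function auditSetAll(makeSetAll: (res: FakeResponse) => SetAll): string[] {
  const res = new FakeResponse()
  const setAll = makeSetAll(res)
  const findings: string[] = []
  // Heuristic: Function.length counts declared parameters only
  // (rest and default parameters are not counted).
  if (setAll.length < 2) findings.push('setAll declares no headers parameter')
  // Constructed cookie, not a real token.
  setAll([{ name: 'sb-example-auth-token', value: 'constructed-jwt', options: {} }], AUTH_CACHE_HEADERS)
  return findings.concat(auditResponse(res))
}

// Pre-0.10.0 style callback: satisfies the SetAll type, but drops the headers.
const legacy = (res: FakeResponse): SetAll => (cookiesToSet) => {
  cookiesToSet.forEach(({ name, value }) => res.setCookie(name, value))
}

// Updated callback: applies the cookies and the cache headers.
const updated = (res: FakeResponse): SetAll => (cookiesToSet, headers) => {
  cookiesToSet.forEach(({ name, value }) => res.setCookie(name, value))
  Object.keys(headers).forEach((key) => res.setHeader(key, headers[key]))
}
```

`auditSetAll(legacy)` reports both findings and `auditSetAll(updated)` reports none; the same `auditResponse` check can be pointed at real responses in an integration test by copying their `Set-Cookie` and `Cache-Control` values into a `FakeResponse`.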