supabase/supabase
Dependencies
Highlights of what the repo depends on. The exhaustive list is in pnpm-lock.yaml; this page calls out the parts a contributor should be aware of.
Pinned via pnpm catalog
pnpm-workspace.yaml declares a catalog block — every package that uses these versions imports them via "react": "catalog:" etc. Notable entries:
@sentry/nextjs ^10.26.0@supabase/ssr 0.10.2@supabase/auth-js 2.104.1@supabase/postgrest-js 2.104.1@supabase/realtime-js 2.104.1@supabase/supabase-js 2.104.1next 16.2.3react ^18.3.0,react-dom ^18.3.0tailwindcss ^3.4.19typescript ~6.0.0vite ^8.0.8vitest ^4.1.4radix-ui ^1.4.3recharts ^2.15.4valtio ^1.12.0zod 3.25.76lodash ^4.18.1,lodash-es ^4.18.1tsx 4.20.3
overrides
The workspace sets overrides to pin transitive dependencies that have had security advisories or compatibility issues:
tar ^7.5.11(multiple paths).serialize-javascript ^7.0.5.prismjs ^1.30.0.dompurify ^3.3.2.nodemailer ^7.0.11.esbuild ^0.25.2.webpack ^5.104.1.js-yaml ^4.1.1.form-data ^4.0.4.tmp ^0.2.4.unhead ^2.1.13.payload>undici ^7.18.2.
These are security pins; see the comments in pnpm-workspace.yaml for which advisories triggered each.
Patched dependencies
react-data-grid— patched viapatches/react-data-grid.patchfor the Studio table editor.
minimumReleaseAge
pnpm-workspace.yaml sets minimumReleaseAge: 4320 (~3 days in minutes) to avoid pulling in brand-new dependency versions automatically. The minimumReleaseAgeExclude list whitelists @ai-sdk/*, @supabase/*, and @supabase-labs/* so first-party releases are picked up immediately.
Studio-only headliners
@tanstack/react-queryv5 — data layer.@monaco-editor/react,monaco-editor— SQL and Edge Function editors.react-data-grid(patched) — table editor.@dnd-kit/*— drag-and-drop in the table editor and other surfaces.@xyflow/react,@dagrejs/dagre— graph visualizations (e.g. ExplainVisualizer).@graphiql/react,@graphiql/toolkit— GraphQL playground.@modelcontextprotocol/sdk,@supabase/mcp-server-supabase,@supabase/mcp-utils— MCP integration.ai,@ai-sdk/openai,@ai-sdk/amazon-bedrock,@ai-sdk/react,openai,@ai-sdk/mcp— AI SDK and providers.streamdown— streaming markdown rendering.tus-js-client— resumable uploads to Storage.recharts,react-simple-maps,d3-geo,react-grid-layout,framer-motion— viz / motion.libpg-query 17.6.0— wasm Postgres parser.cron-parser,cronstrue— cron handling fordatabase-cron-jobs.zxcvbn— password strength.
Docs / www headliners
next(catalog) — runtime.contentlayer2— content indexing indesign-system,ui-library,learn.cmdk— command menu.mdx-bundler, custom remark/rehype plugins underapps/docs/lib/mdx/.
Observability
@sentry/nextjs(catalog) — error tracking.@vercel/functions— Vercel server-utility helpers in Studio.
Testing
vitest,@vitest/coverage-v8,@vitest/ui(catalog).@testing-library/dom,@testing-library/react,@testing-library/user-event,@testing-library/jest-dom.msw— HTTP mocking.jsdom,jsdom-testing-mocks.playwright(ine2e/studio).
Build / dev
turbo 2.9.6— build orchestration.tsx(catalog) — TypeScript script runner.eslint ^9.0.0— linting.prettier ^3.8.0— formatting.rimraf ^6.0.0— clean targets.supabase ^2.76.10— Supabase CLI as a dev dependency for local-stack workflows.
Notable transitive concerns
node-ptyand@parcel/watcherare explicitly listed inonlyBuiltDependencies/ignoredBuiltDependenciesto control native-build behavior.libpg-queryships wasm; Studio'sevals:setupscript copies the wasm intoevals/for the Braintrust harness.
Updating dependencies
update-js-libs.ymlanddocs-js-libs-update.ymlare the scheduled workflows that bump dependencies.update-ssr.ymlkeeps@supabase/ssraligned with the rest of the@supabase/*family.
Engines
node >=22(perpackage.json).pnpm 10.24(packageManagerfield).
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.