chore: sync upstream/master + bump @supabase/pg to 8.21.1#34
Merged
Conversation
* cleanup: Remove duplicate test
* cleanup: Remove nonsense test
* cleanup: Simplify promise rejection test
* test: Fix and tighten assertion that would always pass because of the `SELECTR` typo.
* cleanup: Add missing `await`s when using `assert.rejects` in tests; remove unneeded function wrappers

* Revert unneeded pg-native→libpq dependency range adjustment
  This reverts part of commit 1025d12.
* dev: Upgrade libpq/nan in lockfile for Node 26 compatibility

…F2 (brianc#3669)

* fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2
  `pg`'s SCRAM-SHA-256 client passes the raw password into PBKDF2 with no normalization, while PostgreSQL's server (and libpq) apply SASLprep (B.1 mapping -> NFKC -> prohibition + bidi check) when computing the stored verifier. Passwords whose NFKC form differs from themselves (e.g. containing U+00A8 dieresis, U+2011 non-breaking hyphen, U+00BC vulgar one quarter, NBSP, soft hyphen) authenticate with psql/libpq but fail against pg with `28P01`.
  Wire `@mongodb-js/saslprep` (the maintained fork used by mongodb's official Node driver) into `continueSession` before `crypto.deriveKey`, with a try/catch fallback to the raw password on prohibited / bidi violations to match `libpq`'s `pg_saslprep` behavior.
  Also adds:
  - Unit tests covering the soft-hyphen B.1 mapping equivalence, the Roman-numeral-IX NFKC asymmetry, the prohibited-char fallback, and a deterministic snapshot for the original bug-report password.
  - A gated integration test block (SCRAM_TEST_PGUSER_UNICODE / SCRAM_TEST_PGPASSWORD_UNICODE) covering raw + NFKC-equivalent + wrong password.
  - A `scram_unicode_test` role (password `U&'IX-\2168'`) provisioned in CI plus matching env vars so the new integration tests run on every Node version.
  - A Cloudflare Workers regression guard that exercises `sasl.continueSession` to ensure `@mongodb-js/saslprep` resolves cleanly under workerd.
  - A `pg@8.21.0` CHANGELOG entry.
* fix: inline SASLprep, drop @mongodb-js/saslprep dependency
  Per review feedback on brianc#3669: ship the SASLprep step as a small in-tree function instead of pulling a runtime dep with an unpinned transitive. The function performs only the three byte-changing steps from RFC 4013 (Table C.1.2 -> SPACE, Table B.1 -> empty, NFKC) and skips the prohibition (RFC 4013 section 2.3) and bidi (RFC 3454 section 6) checks, since libpq is forgiving on those paths and Postgres's own SASLprep is similarly lenient.
  Removes the try/catch fallback (no code path throws). The deterministic snapshot tests stay byte-for-byte valid because none of them touch U+200B, the only edge case where the inline impl diverges from `@mongodb-js/saslprep`. RFC 3454 places U+200B in Table B.1 (mapped to nothing); the dep maps it to SPACE. PostgreSQL's saslprep.c follows the RFC, so the inline impl matches libpq more closely on that codepoint. The B.1 unit-test rename ("passes ASCII control characters through normalization unchanged") keeps the same snapshot bytes since BEL is unchanged by all three steps.
  Co-authored-by: charmander <charmander@noreply.github.com>
* Revert unrelated no-op changes to yarn.lock now that the associated dependency isn't being added.
* cleanup: Allow Prettier to format some lines
* cleanup: Remove changelog entry for unreleased pg version normally added as part of the release process
* refactor: Simplify comments in sasl.js and remove unused test cases
  Updated comments in sasl.js to clarify the password normalization process and removed redundant test cases from vitest-cf.test.ts, streamlining the codebase.
* Remove redundant NFKC-only SASLprep test
  Confirmed in pull request comments that the "macOS/iOS" thing was an AI inventing an unneeded justification, and NFKC is already covered by another test.
* fix: SASLprep zero-width space the same way PostgreSQL does
  As mentioned in the test comment, RFC 3454 defines appendix B for mapping tables and appendix C for prohibition tables. RFC 4013 SASLprep is probably misusing that list of non-ASCII spaces, and says nothing about the overlap. (At least it's obsoleted.)
* cleanup: Simplify regex character classes with ranges

---------
Co-authored-by: charmander <charmander@noreply.github.com>
Co-authored-by: Charmander <~@charmander.me>
soedirgo approved these changes on May 13, 2026
What

Pulls in 4 upstream commits since #31. Bumps `@supabase/pg` → 8.21.1 (patch — sole runtime change is the SASLprep security fix). `@supabase/pg-protocol` is unchanged (no source under `packages/pg-protocol/` since #31), stays at 1.13.1 and its deploy workflow won't trigger on this merge per its `paths` filter.

Why

- 0ac3edde fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2 (brianc/node-postgres#3669) — security/correctness fix in `packages/pg/lib/crypto/sasl.js`. Adds an inline `saslprep()` helper (RFC 3454 Tables C.1.2 + B.1 mapping followed by NFKC normalization) and calls it in `continueSession()` before `crypto.deriveKey`, so passwords whose NFKC form differs from the raw form authenticate correctly against PostgreSQL (which applies SASLprep server-side, matching `libpq`/`psql` behaviour). Without it, affected accounts get `28P01` from any consumer using `@supabase/pg` while `psql`/`libpq` accept the same credentials. This supersedes the manual port we'd staged in #32/#33 (both titled "fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2") — closing those in favour of pulling the upstream version verbatim.
- 63c921bb ci: Node 26 followup (brianc/node-postgres#3670) — touches only upstream's `ci.yml` (we don't run that workflow).
- be880d45 Assorted test fixes and cleanup (brianc/node-postgres#3672) — test-only reshuffles in `packages/pg/test/`.
- c73a6457 test: Ensure failure to throw at all doesn't pass (brianc/node-postgres#3671) — `sasl-scram-tests` harness fix that catches a previously silent assertion-skipping bug.

How (merge mechanics)

Same single conflict as #31: modify-vs-delete on `.github/workflows/ci.yml` (upstream modified, we deleted). Kept it deleted. Every patched file we own (`connection.js`, `parser.ts`, `native/client.js`, `native/query.js`, `defaults.js`, `client.js`, all `package.json`s, README) was untouched by upstream, so the merge auto-resolved with no manual intervention beyond removing `ci.yml`.

Also took upstream's `packages/pg-native/package.json` `libpq` pin loosening (`^1.11.0` → `^1.8.15`) — the constraint widening helps `libpq` native builds on older toolchains and is preserved by the auto-merge against our supabase URL changes.

Hygiene

Adds `*.tsbuildinfo` to `.gitignore` — TypeScript incremental build artifacts had been silently leaking into `git status` from local validation runs of `pg-protocol`. One-line gitignore addition; the two leaked files were unstaged and removed before commit.

Validation

`node --check` passes on `lib/crypto/sasl.js` and every modified test file. `npm publish --dry-run` for `@supabase/pg@8.21.1` produces the expected `supabase-pg-8.21.1.tgz` tarball. `pg` integration tests will run post-publish via `postgres-meta` CI, same pattern as #29 (chore: upgrade fork to upstream pg@8.20.0) / #31 (chore: sync upstream/master + bump @supabase/pg to 8.21.0, pg-protocol to 1.13.1).

After merge

Only `deploy-pg.yml` will trigger (`packages/pg/**` changed). `deploy-pg-protocol.yml` will skip per its `paths` filter (`packages/pg-protocol/**` unchanged). Expected outcome: `@supabase/pg@8.21.1` published to npm.