Skip to content

fix(postgrest): enforce type safety for table and view names in from() method#2058

Merged
mandarini merged 2 commits intosupabase:masterfrom
7ttp:fix/postgrest-from-type-safety
Feb 11, 2026
Merged

fix(postgrest): enforce type safety for table and view names in from() method#2058
mandarini merged 2 commits intosupabase:masterfrom
7ttp:fix/postgrest-from-type-safety

Conversation

@7ttp
Copy link
Contributor

@7ttp 7ttp commented Jan 26, 2026
edited by coderabbitai bot
Loading

Problem

The from() method's implementation signature accepted any string,
defeating TypeScript's type safety and allowing typos or invalid table/view names to pass compile time checks.

Solution

Constrained the implementation signature parameter type to
(string & keyof Schema['Tables']) | (string & keyof Schema['Views']),
ensuring only valid schema-defined table and view names are accepted

Related

Summary by CodeRabbit

  • Breaking Changes

    • Type-level validation for query targets is stricter: references must match valid tables or views from your schema.

  • Improvements

    • Invalid table/view references are detected at development time rather than runtime, improving reliability and developer experience.

@7ttp 7ttp requested review from a team as code owners January 26, 2026 10:52
@coderabbitai
Copy link

coderabbitai bot commented Jan 26, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The PostgrestClient.from method signature was updated to accept only valid table or view keys from the Schema, replacing the previous open string parameter with a union type that enforces type-level validation while preserving existing runtime behavior.

Changes

Cohort / File(s) Summary
Core API
packages/core/postgrest-js/src/PostgrestClient.ts		 Tightened from(relation) parameter type to (string & keyof Schema['Tables']) | (string & keyof Schema['Views']), narrowing allowed relation names at the type level while keeping runtime validation and URL construction unchanged.
Type Tests
packages/core/postgrest-js/test/index.test-d.ts		 Expanded type-safety tests to assert view names are validated like table names (adds negative case for nonexistent_view), reflecting the stricter from signature.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hopping through types with stricter grace,
No more tables hiding in dark space,
Schema whispers which names are real,
Compile-time catches reveal the deal!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely describes the primary change: enforcing type safety for table and view names in the from() method.
Linked Issues check ✅ Passed The PR fully implements the requirement from issue #1654 by replacing the permissive signature with a union type that only accepts schema-defined table and view names.
Out of Scope Changes check ✅ Passed All changes are directly related to enforcing type safety for the from() method as required by the linked issue; no unrelated modifications detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Important

Action Needed: IP Allowlist Update

If your organization protects your Git platform with IP whitelisting, please add the new CodeRabbit IP address to your allowlist:

  • 136.113.208.247/32 (new)
  • 34.170.211.100/32
  • 35.222.179.152/32

Failure to add the new IP will result in interrupted reviews.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

steve-chavez
steve-chavez reviewed Jan 26, 2026
View reviewed changes
@7ttp
Copy link
Contributor Author

7ttp commented Feb 3, 2026

The type tests were already there,
just added a line for invalid view names to match the existing table validation 😁💚

avallete
avallete approved these changes Feb 3, 2026
View reviewed changes
Copy link
Member

@avallete avallete left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One question but LGTM

avallete
avallete reviewed Feb 3, 2026
View reviewed changes
Copy link
Member

@avallete avallete left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flagging here that I wonder if that will break for clients that don't use Database introspected types. It might require a BC release.

@7ttp
Copy link
Contributor Author

7ttp commented Feb 3, 2026

Flagging here that I wonder if that will break for clients that don't use Database introspected types. It might require a BC release.

For users with generated Database types, this adds compile time safety.
For users without types, Database defaults to any, and since keyof any resolves to string | number | symbol,
any string still works fine.
So it's backward compatible ig for untyped users while adding safety for typed users

thanks for the review @steve-chavez & @avallete 😁💚

@7ttp
Copy link
Contributor Author

7ttp commented Feb 11, 2026

@mandarini

@mandarini mandarini merged commit b8c75b0 into supabase:master Feb 11, 2026
21 of 22 checks passed
@7ttp 7ttp deleted the fix/postgrest-from-type-safety branch February 11, 2026 12:47
GuzekAlan added a commit to software-mansion-labs/supabase-js that referenced this pull request Feb 19, 2026
@GuzekAlan @7ttp
@mandarini @dependabot @supabase-releaser
chore(realtime): merge master (#50)
3c4518c 
* fix(postgrest): enforce type safety for table and view names in from() method (supabase#2058)

* docs(auth): clarify updateUserById does not trigger client listeners (supabase#2114)

* fix(auth): resolve Firefox content script Promise.then() security errors in locks (supabase#2112)

* build(deps): bump qs from 6.14.1 to 6.14.2 in the npm_and_yarn group across 1 directory (supabase#2118)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(release): version 2.96.0 changelogs (supabase#2121)

Co-authored-by: supabase-releaser[bot] <supabase-releaser[bot]@users.noreply.github.com>

* docs(supabase): document UNUSED_EXTERNAL_IMPORT build warning as false positive (supabase#2122)

* feat(auth): add skipAutoInitialize option to prevent constructor auto-init (supabase#2123)

* chore(release): version 2.97.0 changelogs (supabase#2124)

Co-authored-by: supabase-releaser[bot] <supabase-releaser[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Vaibhav <[email protected]>
Co-authored-by: Katerina Skroumpelou <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
Co-authored-by: supabase-releaser[bot] <supabase-releaser[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@avallete avallete avallete approved these changes

@steve-chavez steve-chavez steve-chavez approved these changes

@mandarini mandarini mandarini approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Remove signature to allow any table name for from

4 participants

@7ttp @steve-chavez @mandarini @avallete