Credential access
Reads Supabase tokens, database passwords, env files, and project config.
agent safety
Agent safety answer
supabase CLI manages hosted projects, databases, functions, and local dev state.
Remote mutation
Can deploy functions, run migrations, and change project state.
Publish/artifact risk
Publishes functions, migrations, and generated API artifacts.
Recommended control
Gate deploy, db push, secrets, link, and token commands.
Agent-use guidance
Allow local status and generation; require approval for remote database or function changes.
安装
使用 Automic Vault 安装
Automic Vault
sudo av install brew:supabasemacOS
Homebrewverified · 100%
brew install supabaselocal Homebrew formula metadata
Windows
Scoopverified · 92%
scoop install main/supabaseScoop official bucket manifest trees · bucket/supabase.json · source: api.github.com
软件包管理器来源
平台说明
- 没有特定于此软件包的平台说明。
概览
软件包摘要
Postgres development platform
主页
命令和别名
- supabase
受保护工具覆盖
Trivially Accessible Supabase Tokens
Supabase CLI stores access tokens in the macOS Keychain through go-keyring, which creates items through `/usr/bin/security`. Those items allow `/usr/bin/security` to read the token non-interactively. Our isotope builds a signed Supabase CLI and replaces the Go credential backend on macOS so new Keychain items trust the Supabase executable instead of the security tool.
Risk classifier
green risk · low confidence · appliance
Why
- narrow executable package without higher-risk signals
Signals
- metadata:no-higher-risk-signals
Install behavior
- No Homebrew post-install hook is recorded in formula metadata.
- Homebrew bottle metadata is available for 6 platform targets.
- Installs with 1 runtime dependencies.
本地 README 摘录
Automic Vault Fork Notes
This repository is the Automic Vault fork of Supabase CLI.
Automic Vault is a macOS-first secret and execution control system that keeps sensitive credentials behind explicit human approval in the Automic Vault GUI app instead of exposing them directly to terminal tools.
This fork currently adds the following behavior on top of upstream supabase/cli:
- An
protected tool:supabasepackage recipe that builds and signs both the
Bun/TypeScript supabase launcher and the Go supabase-go helper.
- Direct macOS Keychain access from the signed
supabase-gobinary instead
of github.com/zalando/go-keyring shelling out to /usr/bin/security, so Keychain trust is attached to the Supabase executable.
- A macOS-only
automicvaultGo build tag for the secure credential backend,
while default upstream builds continue to use go-keyring.
- A hazard detector for insecure Supabase CLI installs, including the
plaintext fallback token at ~/.supabase/access-token and Keychain ACLs that allow /usr/bin/security to read Supabase secrets.
- A hidden
supabase-go av-migratecommand used by the Automic Vault protected tool
migration hook to rewrite insecure Keychain items and move fallback access tokens into the signed Supabase credential backend.
- Test seams that keep the credential tests deterministic without touching the
user's real Keychain.
来源: local coverage notes
覆盖来源
来源摘录
Caveats
- Existing insecure Supabase CLI Keychain items and plaintext fallback access tokens are migrated when the isotope migration runs.
- This currently replaces the Homebrew core supabase formula.
可执行文件
已安装的可执行文件
| 命令 | 类型 | 暴露范围 | 备注 |
|---|---|---|---|
supabase | cli | global executable |
新鲜度
版本和新鲜度
这些信号区分页生成时间、软件包管理器活动和上游发布比较。只有存在证据 URL 和可比较版本时,才会提示版本落后。
页面生成时间2026-06-10
管理器版本2.105.0
管理器更新时间2026-06-05
本地数据ok
上游not checked
检测到的最新版本not detected
https://supabase.com/docs/reference/cli/about
- infoRelease/tag comparison is only available for GitHub repositories.https://supabase.com/docs/reference/cli/aboutnone confidence
安装元数据
软件包元数据
| Package key | brew:supabase |
|---|---|
| Version | 2.105.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/supabase |
| Homepage | https://supabase.com/docs/reference/cli/about |
| Repository | https://github.com/supabase/cli |
| Upstream docs | https://supabase.com/docs/guides/local-development/cli/getting-started |
| License | MIT |
| Source archive | https://registry.npmjs.org/supabase/-/supabase-2.105.0.tgz |
| Last updated | 2026-06-05T17:13:10Z |
| Pulse | updated |
| Dependencies | node |
| Bottle | available (arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
Source database details
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | supabase |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Other package-manager records
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
Scoop95%
main/supabase
scoop install main/supabase- normalized package name match
- Matched by: Supabase
来源线索
由仓库数据生成
此页面由 av-web 从 scripts/generate-pkg-sqlite.py 生成的私有软件包 SQLite 工件提供。
使用的来源
- Geiger risk classifier
- Nucleus package database
- av.db category and tag curation
- cross-ecosystem install command graph
- curated agent safety answer
- external package-manager database matches
- local coverage README
- package relationship graph
- package version freshness
- package-page enrichment
- secret-handling manifest