create-nextblock 0.10.3 → 0.10.5

package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-nextblock",
3
- "version": "0.10.3",
3
+ "version": "0.10.5",
4
4
  "description": "",
5
5
  "main": "index.js",
6
6
  "bin": {
@@ -8144,6 +8144,42 @@ VALUES ('security_settings', '{"trusted_device_days": 30, "enforce_staff_2fa": t
8144
8144
  ON CONFLICT (key) DO NOTHING;
8145
8145
 
8146
8146
 
8147
+ -- >>> FROM: 00000000000035_reassert_advisor_fixes.sql <<<
8148
+ -- 00000000000035_reassert_advisor_fixes.sql
8149
+ -- Re-assert two Supabase Advisor (database linter) fixes that were first applied in
8150
+ -- migration 00000000000028 but can be lost when a database is restored/reset to a
8151
+ -- pre-028 state while its migration history still records 028 as applied (so the forward
8152
+ -- tooling never re-runs it). These two advisors reappeared, so we re-apply the fixes in a
8153
+ -- forward-only, idempotent way. No application behaviour changes.
8154
+ --
8155
+ -- 1. 0011 function_search_path_mutable
8156
+ -- public.handle_ucp_cart_sessions_update() needs a pinned search_path.
8157
+ -- 2. 0029 authenticated_security_definer_function_executable
8158
+ -- public.duplicate_block_definition(uuid) must run as SECURITY INVOKER (it already
8159
+ -- keeps its own ADMIN/WRITER role check and is gated by custom_block_definitions RLS).
8160
+
8161
+ -- 1. Pin the search_path. Re-create the function with SET search_path baked into its
8162
+ -- definition (not just an ALTER) so a future CREATE OR REPLACE can't silently drop it.
8163
+ -- The body only calls now() (pg_catalog, always implicitly searched), so an empty
8164
+ -- search_path is safe. CREATE OR REPLACE keeps the function OID, so the existing
8165
+ -- trg_handle_ucp_cart_sessions_update trigger and the service_role grant are preserved.
8166
+ CREATE OR REPLACE FUNCTION public.handle_ucp_cart_sessions_update()
8167
+ RETURNS trigger
8168
+ LANGUAGE plpgsql
8169
+ SET search_path = ''
8170
+ AS $$
8171
+ BEGIN
8172
+ NEW.updated_at = now();
8173
+ RETURN NEW;
8174
+ END;
8175
+ $$;
8176
+
8177
+ -- 2. Ensure the duplicate helper runs with the caller's privileges. The function body
8178
+ -- (unchanged) still raises 42501 for non-ADMIN/WRITER callers, and its SELECT/INSERT
8179
+ -- are gated by custom_block_definitions RLS, so it does not need definer privileges.
8180
+ ALTER FUNCTION public.duplicate_block_definition(uuid) SECURITY INVOKER;
8181
+
8182
+
8147
8183
  -- Step D: Anchor preserved profiles
8148
8184
  INSERT INTO public.profiles (id, updated_at, full_name, avatar_url, website, role)
8149
8185
  SELECT preserved_user.id, NULL, NULL, NULL, NULL, 'ADMIN'
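Review bot: Fix 2 (`ALTER FUNCTION public.duplicate_block_definition(uuid) SECURITY INVOKER;`) relies on an ALTER alone, which is exactly the pattern the comment above fix 1 warns against: any later `CREATE OR REPLACE FUNCTION` of that function in this concatenated migration file that re-states `SECURITY DEFINER` silently reverts the fix, with no signal until the next advisor scan. If the function's definition is visible elsewhere in this file, the durable fix is to re-create it with the security mode in its definition, as done for the trigger function; otherwise add a comment beside the ALTER such as `-- NOTE: ALTER only; any later CREATE OR REPLACE of this function must keep SECURITY INVOKER`. Separately, `CREATE OR REPLACE` in fix 1 resets every attribute it does not specify (security mode, volatility, other SET clauses) to its default, so the header claim "No application behaviour changes" holds only if the prior definition of `handle_ucp_cart_sessions_update()` carried none of them; worth stating in the comment. The statement that `duplicate_block_definition` keeps its own ADMIN/WRITER check cannot be confirmed from this hunk, since its body is not shown.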
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@nextblock-cms/template",
3
- "version": "0.10.3",
3
+ "version": "0.10.5",
4
4
  "private": true,
5
5
  "scripts": {
6
6
  "dev": "next dev",