Bump tar and supabase in /apps/web

[dependabot]

Removes tar. It's no longer used after updating ancestor dependency supabase. These dependencies need to be updated together.

Removes tar

Updates supabase from 1.226.4 to 2.107.0

Release notes

Sourced from supabase's releases.

v2.107.0

Supabase CLI v2.107.0 — 2026-06-17

Maintenance release with network reliability improvements, storage fixes, and continued TypeScript migration. Adds support for high-availability projects and enables pg-delta by default for new projects.

Highlights

• High-availability projects — Create HA projects through the CLI for redundancy and better uptime. (#5566)
• pg-delta enabled by default — New projects now use pg-delta as the schema diff engine for db diff and db pull by default. (#5511)
• IPv6 network reliability — db dump and db pull auto-retry via IPv4 pooler on IPv6-only networks. (#5493)

Bug fixes

• Symlinked files now upload properly during storage bucket seeding. (#5499)
• Blank passwords in project prompts now work. (#5569)
• Function import map paths now accept null values. (#5577)
• Custom domain API responses now handle all variants. (#5552)
• SSO provider responses with sparse fields are now accepted. (#5594)
• Local storage now works without requiring an access token. (#5595)
• Schema inspection patterns properly escape backslashes. (#5568)
• Local typegen and service operations no longer require authentication. (#5553)

TypeScript port progress

• Now served by the TypeScript shell: db lint, db advisors, inspect db, inspect report, test db, test new. Behavior matches the Go CLI. (#5579, #5565, #5554, #5522)

---

Plus 15 internal improvements and dependency updates.

Full changelog: supabase/cli@v2.106.0...v2.107.0

v2.107.0-beta.25

2.107.0-beta.25 (2026-06-17)

Features

• cli: port supabase db lint and db advisors to native TypeScript (#5579) (cc50dce)

v2.107.0-beta.24

2.107.0-beta.24 (2026-06-17)

Bug Fixes

• cli-go: allow local storage without access token (#5595) (55cfc3f)

v2.107.0-beta.23

2.107.0-beta.23 (2026-06-17)

Bug Fixes

... (truncated)

Changelog

Sourced from supabase's changelog.

Release Process

This document is the operational playbook for releasing the Supabase CLI TypeScript build. It covers three environments ("rings"):

1. Ring 1 — Local Verdaccio. Fastest feedback loop. Build and install the CLI from a local npm registry on your own machine. No network side-effects; no repo pushes.
2. Ring 2 — User-owned PoC repos. End-to-end validation through the exact same Homebrew / Scoop / GitHub-Release code paths production uses, but pointed at a reviewer's own GitHub account and a non-supabase artifact name. This is how ADR 0011 gates 2 and 3 are validated without risking the real production channels.
3. Ring 3 — Production. The real supabase npm package + supabase/homebrew-tap + supabase/scoop-bucket + GitHub Releases on supabase/cli. Driven by GitHub Actions (release.yml, which dispatches three channels — alpha, beta, stable — into the shared release-shared.yml).

flowchart LR
    local["Ring 1: Local Verdaccio<br/>pnpm cli-release<br/>--next or --legacy"]
    poc["Ring 2: User-owned PoC repos<br/>avallete/supabase-cli-release-poc<br/>avallete/homebrew-supabase-shim-poc<br/>avallete/scoop-bucket<br/>--name supabase-shim-poc"]
    prod["Ring 3: Production<br/>supabase/cli<br/>supabase/homebrew-tap<br/>supabase/scoop-bucket<br/>(default name: supabase)"]
local --&gt; poc --&gt; prod

Loading

Move outward one ring at a time. Only promote to production after Ring 2 has exercised the full channel end-to-end on a fresh machine.

See ADR 0011 for the decision record behind this process (why Bun SFE, why npm optionalDependencies, why nfpm, why no hosted apt/rpm repo, why unsigned).

---

Ring 1 — Local Verdaccio

Use this loop while iterating on build scripts, the Node shim, or anything that changes what gets packed into supabase or @supabase/cli-<platform>. It installs the CLI into a local npm registry and lets you npx --registry http://localhost:4873 supabase as if you'd installed from npm.

Start the registry in one terminal:

pnpm local-registry

Publish the CLI into it from another terminal (current platform only, faster than a cross-platform build):

# TS-native shell only ("next"):
pnpm cli-release --next
Legacy shell (TS shim + Go sidecar — requires Go on PATH and pnpm repos:install):
pnpm cli-release --legacy

Test it:

npx --registry http://localhost:4873 supabase@<printed-version> --version

[tools/release/local-release.ts](https://github.com/supabase/cli/blob/develop/tools/release/local-release.ts) does the heavy lifting: it builds the platform SFE (+ Go binary for --legacy) and the umbrella supabase package, materialises them in a tmp dir (so no workspace package.json is modified), and publishes both to Verdaccio. The cleanup is automatic even on failure.

... (truncated)

Commits

• cc50dce feat(cli): port supabase db lint and db advisors to native TypeScript (#5579)
• 892c463 fix(deps): bump the npm-major group with 8 updates (#5591)
• b29eecc fix(deps): bump the npm-major group with 6 updates (#5583)
• 2815a69 fix(cli): accept nullable function import map paths (#5577)
• 8b0896f feat(cli): port supabase inspect report to native TypeScript (#5565)
• 118bd27 fix(cli): handle blank project password prompt (#5569)
• d6648d7 fix(cli): escape backslashes in inspect schema patterns (#5568)
• ff83937 fix(deps): bump the npm-major group with 6 updates (#5573)
• 20c4c86 fix(deps): bump the npm-major group with 7 updates (#5572)
• ccd052e feat(cli): support high availability project creation (#5566)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for supabase since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 51d1bcde62

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Restore the omitted picomatch lock entry

In the GitHub workflows I checked, apps/web installs dependencies with npm ci (.github/workflows/pr.yml:29 and .github/workflows/cd.yml:37). With this lockfile, nvm use 20 && npm ci in apps/web fails before the build with Missing: picomatch@ from lock file, because this update removes the node_modules/svelte-check/node_modules/picomatch peer placeholder while svelte-check's nested fdir still declares picomatch as an optional peer. Regenerating the lockfile so that placeholder remains will keep CI/deploy installs working.

Useful? React with 👍 / 👎.