Future React/Supabase patterns

`rules:
  - id: supabase-n-plus-one-query
    message: >
      Performance Alert: Potential "N+1" query detected. 
      You are executing a Supabase query inside a loop (map/forEach). 
      Instead of looping to fetch related data, use Supabase "embedding" 
      to fetch children in the parent query (e.g., `.select('*, posts(*)')`).
    severity: WARNING
    languages: [ts, tsx, js, jsx]
    patterns:
      - pattern-inside: |
          $ARR.map(async ($ITEM) => { ... })
      - pattern: |
          await $CLIENT.from(...)

  - id: supabase-service-role-leak
    message: >
      CRITICAL SECURITY: Service Role key usage detected in client-side code.
      Service Role keys bypass Row Level Security (RLS). 
      Only use `anon` keys in React/Vite components. 
      Move this logic to a Supabase Edge Function or backend server.
    severity: ERROR
    languages: [ts, tsx, js, jsx]
    patterns:
      - pattern-either:
          - pattern: |
              createClient(..., process.env.$KEY)
          - pattern: |
              createClient(..., import.meta.env.$KEY)
      - metavariable-regex:
          metavariable: "$KEY"
          regex: ".*(SERVICE_ROLE|SECRET).*"

  - id: supabase-unbounded-select
    message: >
      Performance Warning: Unbounded `.select('*')` detected.
      Fetching all columns without a `.limit()`, `.range()`, or `.single()` 
      can cause performance issues on large tables. 
      Consider specifying columns or adding a limiter.
    severity: INFO
    languages: [ts, tsx, js, jsx]
    patterns:
      - pattern: |
          $CLIENT.from(...).select('*')
      - pattern-not-inside: |
          $CLIENT.from(...).select('*').limit(...)
      - pattern-not-inside: |
          $CLIENT.from(...).select('*').range(...)
      - pattern-not-inside: |
          $CLIENT.from(...).select('*').single(...)
      - pattern-not-inside: |
          $CLIENT.from(...).select('*').maybeSingle(...)

  - id: react-dangerously-set-inner-html
    message: >
      Security Risk: Usage of `dangerouslySetInnerHTML`.
      This exposes the application to Cross-Site Scripting (XSS) attacks. 
      Ensure the content is sanitized (e.g., using DOMPurify) before rendering.
    severity: WARNING
    languages: [ts, tsx, js, jsx]
    pattern: |
      <... dangerouslySetInnerHTML={...} ...>

  - id: hardcoded-jwt-token
    message: >
      Security Risk: Hardcoded JWT or API Key detected.
      Do not commit secrets to the repo. Use environment variables.
    severity: ERROR
    languages: [ts, tsx, js, jsx]
    patterns:
      - pattern-regex: "eyJ[a-zA-Z0-9-_]+\\.[a-zA-Z0-9-_]+\\.[a-zA-Z0-9-_]+"`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Future React/Supabase patterns #114

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Future React/Supabase patterns #114

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions