
fix(supabase): Consider sendDefaultPii for supabase integration #20490

Open
mydea wants to merge 2 commits into develop from fn/better-pii-supabase

Conversation

@mydea
Member

@mydea mydea commented Apr 24, 2026

We did not consider sendDefaultPii for the supabase integration. However:

The Supabase integration captures the full request body of POST/PATCH/PUT/DELETE operations (database mutations) and attaches it as the 'db.body' span attribute (line 387). This body contains the actual data being inserted or updated in Supabase tables, which commonly includes PII such as user emails, names, addresses, and other sensitive fields. Unlike other integrations (e.g., the MCP server integration which checks sendDefaultPii), the Supabase integration performs no sendDefaultPii check and applies no filtering or redaction to the captured body. Additionally, query filter values from URL search parameters are captured at lines 351-355, which can also contain PII used in WHERE clauses.

This PR fixes this.

@mydea mydea self-assigned this Apr 24, 2026
@github-actions
Contributor

github-actions Bot commented Apr 24, 2026

size-limit report 📦

Path Size % Change Change
@sentry/browser 25.96 kB - -
@sentry/browser - with treeshaking flags 24.44 kB - -
@sentry/browser (incl. Tracing) 43.89 kB - -
@sentry/browser (incl. Tracing + Span Streaming) 45.53 kB - -
@sentry/browser (incl. Tracing, Profiling) 48.84 kB - -
@sentry/browser (incl. Tracing, Replay) 83.09 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 72.59 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 87.77 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 100.03 kB - -
@sentry/browser (incl. Feedback) 42.78 kB - -
@sentry/browser (incl. sendFeedback) 30.64 kB - -
@sentry/browser (incl. FeedbackAsync) 35.64 kB - -
@sentry/browser (incl. Metrics) 27.25 kB - -
@sentry/browser (incl. Logs) 27.38 kB - -
@sentry/browser (incl. Metrics & Logs) 28.07 kB - -
@sentry/react 27.72 kB - -
@sentry/react (incl. Tracing) 46.13 kB - -
@sentry/vue 30.81 kB - -
@sentry/vue (incl. Tracing) 45.71 kB - -
@sentry/svelte 25.98 kB - -
CDN Bundle 28.66 kB - -
CDN Bundle (incl. Tracing) 46.12 kB - -
CDN Bundle (incl. Logs, Metrics) 30.03 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) 47.17 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) 68.99 kB - -
CDN Bundle (incl. Tracing, Replay) 83.19 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 84.22 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) 88.67 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 89.75 kB - -
CDN Bundle - uncompressed 83.91 kB - -
CDN Bundle (incl. Tracing) - uncompressed 137.82 kB - -
CDN Bundle (incl. Logs, Metrics) - uncompressed 88.06 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 141.23 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 211.63 kB - -
CDN Bundle (incl. Tracing, Replay) - uncompressed 255.26 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 258.66 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 268.17 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 271.56 kB - -
@sentry/nextjs (client) 48.66 kB - -
@sentry/sveltekit (client) 44.33 kB - -
@sentry/node-core 58.52 kB +0.02% +10 B 🔺
@sentry/node 175.85 kB +0.01% +14 B 🔺
@sentry/node - without tracing 98.32 kB +0.02% +12 B 🔺
@sentry/aws-serverless 115.52 kB -0.01% -2 B 🔽

Member

@JPeer264 JPeer264 left a comment


I haven't worked with supabase yet, but it would be interesting to know if the query really contains sensitive data; usually it is stripped away.

Also, FWIW, the db.query and db.body are not in our conventions: https://getsentry.github.io/sentry-conventions/attributes/db/#db-query-text

@mydea
Member Author

mydea commented Apr 24, 2026

> I haven't worked with supabase yet, but it would be interesting to know if the query really contains sensitive data; usually it is stripped away.

As far as I can see (I also have no prior experience with the supabase integration), we monkey patch this ourselves and thus get all the content directly, so I assume there would be no sanitization from Supabase's side here?

> Also, FWIW, the db.query and db.body are not in our conventions: https://getsentry.github.io/sentry-conventions/attributes/db/#db-query-text

Good point, we should look at possibly adjusting this in a follow-up!


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 32f9b58.

const description = `${operation === 'select' ? '' : `${operation}${body ? '(...) ' : ''}`}${queryItems.join(
' ',
)} from(${table})`;
const mutationPart = operation === 'select' ? '' : `${operation}${Object.keys(body).length ? '(...) ' : ''}`;

Body check change breaks array insert descriptions

Medium Severity

The condition for showing (...) in the span description changed from body ? to Object.keys(body).length ?, but the local body variable (line 358) is always Object.create(null) — always truthy but potentially empty. For array body inserts (e.g., .insert([{title: 'Test'}])), isPlainObject returns false for arrays, so body stays empty and Object.keys(body).length is 0. This removes the (...) marker from the description, breaking the existing browser integration test that expects 'insert(...) filter(columns, ) from(todos)'.

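The two points above, the PR's gating of the captured body and filter values on `sendDefaultPii` and Bugbot's `(...)` marker issue for array bodies, as one added example. This is not the Sentry SDK's own code; `buildSupabaseSpanData`, `SpanInput` and the `filter(column, value)` description format are assumptions chosen for illustration.

```typescript
// Added example, not the Sentry SDK's own code. Names (buildSupabaseSpanData,
// SpanInput, Operation) and the description format are hypothetical.
type Operation = 'select' | 'insert' | 'update' | 'upsert' | 'delete';

interface SpanInput {
  operation: Operation;
  table: string;
  // Raw request body as the app passed it: a plain object, an array of rows, or undefined.
  body?: unknown;
  // Filters parsed from the request URL search params, e.g. { email: 'eq.alice@example.com' }.
  filters: Record<string, string>;
  sendDefaultPii: boolean;
}

interface SpanData {
  description: string;
  attributes: Record<string, string>;
}

// True when the body carries data, whether it is a single row or an array of rows.
// Checking Object.keys() alone misses array inserts, which is the bug Bugbot describes.
function hasBody(body: unknown): boolean {
  if (Array.isArray(body)) return body.length > 0;
  if (body !== null && typeof body === 'object') return Object.keys(body as object).length > 0;
  return false;
}

function buildSupabaseSpanData(input: SpanInput): SpanData {
  const { operation, table, body, filters, sendDefaultPii } = input;
  const attributes: Record<string, string> = { 'db.operation': operation, 'db.table': table };

  // Filter values come from the WHERE clause and may contain PII: keep the column
  // names for the description, but only include the values when sendDefaultPii is on.
  const filterItems = Object.entries(filters).map(
    ([column, value]) => `filter(${column}, ${sendDefaultPii ? value : '[Filtered]'})`,
  );
  if (sendDefaultPii && Object.keys(filters).length > 0) {
    attributes['db.query'] = Object.entries(filters).map(([c, v]) => `${c}=${v}`).join('&');
  }

  // The body of a mutation is the data being written; attach it only with sendDefaultPii.
  const parts: string[] = [];
  if (operation !== 'select') {
    parts.push(`${operation}${hasBody(body) ? '(...)' : ''}`);
    if (hasBody(body) && sendDefaultPii) attributes['db.body'] = JSON.stringify(body);
  }
  parts.push(...filterItems, `from(${table})`);
  return { description: parts.join(' '), attributes };
}
```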

@JPeer264
Member

I just checked it and it is PII:

(no pii)

```js
await supabase.from('todos').insert({
  task: 'PLAINTEXT-MARKER-abc123-secret',
  email: 'alice.secret@example.com',
  name: 'Alice Private',
})
```

Produces: https://sentry-sdks.sentry.io/explore/traces/trace/0fe31d6488d01268fd56d6f4577f7845/?node=span-1e3ecc6bd26bc043&project=4510555608449024&source=traces&statsPeriod=1h&targetId=0ed06734b3444fe7&timestamp=1777031451


(pii)

This one is quite interesting, as on the attributes it is "[Filtered]" but on the top it shows the query in plain text.

```js
await supabase
  .from('todos')
  .select('*')
  .eq('email', 'alice.secret@example.com')
```

Produces: https://sentry-sdks.sentry.io/explore/traces/trace/0fe31d6488d01268fd56d6f4577f7845/?node=span-72b3ea27d93fc700&project=4510555608449024&source=traces&statsPeriod=1h&targetId=0ed06734b3444fe7&timestamp=1777031451
