Skip to content

Future React/Supabase patterns #114

Open
Open
Future React/Supabase patterns#114
@noelsaw1

Description

@noelsaw1
noelsaw1
opened on Feb 10, 2026

`rules:

  • id: supabase-n-plus-one-query
    message: >
    Performance Alert: Potential "N+1" query detected.
    You are executing a Supabase query inside a loop (map/forEach).
    Instead of looping to fetch related data, use Supabase "embedding"
    to fetch children in the parent query (e.g., .select('*, posts(*)')).
    severity: WARNING
    languages: [ts, tsx, js, jsx]
    patterns:

    • pattern-inside: |
      $ARR.map(async ($ITEM) => { ... })
    • pattern: |
      await $CLIENT.from(...)

  • id: supabase-service-role-leak
    message: >
    CRITICAL SECURITY: Service Role key usage detected in client-side code.
    Service Role keys bypass Row Level Security (RLS).
    Only use anon keys in React/Vite components.
    Move this logic to a Supabase Edge Function or backend server.
    severity: ERROR
    languages: [ts, tsx, js, jsx]
    patterns:

    • pattern-either:
      • pattern: |
        createClient(..., process.env.$KEY)
      • pattern: |
        createClient(..., import.meta.env.$KEY)
    • metavariable-regex:
      metavariable: "$KEY"
      regex: ".(SERVICE_ROLE|SECRET)."

  • id: supabase-unbounded-select
    message: >
    Performance Warning: Unbounded .select('*') detected.
    Fetching all columns without a .limit(), .range(), or .single()
    can cause performance issues on large tables.
    Consider specifying columns or adding a limiter.
    severity: INFO
    languages: [ts, tsx, js, jsx]
    patterns:

    • pattern: |
      $CLIENT.from(...).select('*')
    • pattern-not-inside: |
      $CLIENT.from(...).select('*').limit(...)
    • pattern-not-inside: |
      $CLIENT.from(...).select('*').range(...)
    • pattern-not-inside: |
      $CLIENT.from(...).select('*').single(...)
    • pattern-not-inside: |
      $CLIENT.from(...).select('*').maybeSingle(...)

  • id: react-dangerously-set-inner-html
    message: >
    Security Risk: Usage of dangerouslySetInnerHTML.
    This exposes the application to Cross-Site Scripting (XSS) attacks.
    Ensure the content is sanitized (e.g., using DOMPurify) before rendering.
    severity: WARNING
    languages: [ts, tsx, js, jsx]
    pattern: |
    <... dangerouslySetInnerHTML={...} ...>

  • id: hardcoded-jwt-token
    message: >
    Security Risk: Hardcoded JWT or API Key detected.
    Do not commit secrets to the repo. Use environment variables.
    severity: ERROR
    languages: [ts, tsx, js, jsx]
    patterns:

    • pattern-regex: "eyJ[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+\.[a-zA-Z0-9-_]+"`

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions