From b82b3f1f39ad56b5e5dcd558b4be73814d85fbdf Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 3 Apr 2026 21:47:37 +0300 Subject: [PATCH 01/11] enable safeupdate for anon, authenticator and authenticator roles by default, loadable by postgres --- .../20260403172611_safeupdate-data-api-enable.sql | 15 +++++++++++++++ nix/ext/pg-safeupdate.nix | 12 ++++++------ nix/tests/expected/pg-safeupdate.out | 2 +- nix/tests/expected/roles.out | 12 ++++++------ nix/tests/sql/pg-safeupdate.sql | 2 +- 5 files changed, 29 insertions(+), 14 deletions(-) create mode 100644 migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql new file mode 100644 index 0000000000..ea7192ae7b --- /dev/null +++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql @@ -0,0 +1,15 @@ +-- migrate:up +ALTER ROLE anon SET local_preload_libraries = '$libdir/plugins/safeupdate'; +ALTER ROLE authenticator SET local_preload_libraries = '$libdir/plugins/safeupdate'; +ALTER ROLE authenticated SET local_preload_libraries = '$libdir/plugins/safeupdate'; +ALTER ROLE authenticator RESET session_preload_libraries; +ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate'; + +ALTER ROLE anon SET safeupdate.enabled = 1; +ALTER ROLE authenticator SET safeupdate.enabled = 1; +ALTER ROLE authenticated SET safeupdate.enabled = 1; +ALTER ROLE postgres SET safeupdate.enabled = 0; + + +-- migrate:down + diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix index 97921c9c6c..814ec58234 100644 --- a/nix/ext/pg-safeupdate.nix +++ b/nix/ext/pg-safeupdate.nix @@ -28,9 +28,9 @@ let runHook preInstall mkdir -p $out/share/postgresql/extension - + mkdir -p $out/lib/plugins # Install versioned library - install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix} + install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix} runHook postInstall ''; @@ -64,15 +64,15 @@ pkgs.buildEnv { paths = packages; nativeBuildInputs = [ makeWrapper ]; pathsToLink = [ - "/lib" + "/lib/plugins" "/share/postgresql/extension" ]; postBuild = '' - ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix} + ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/plugins/${pname}${postgresql.dlSuffix} # checks (set -x - test "$(ls -A $out/lib/${pname}*${postgresql.dlSuffix} | wc -l)" = "${ + test "$(ls -A $out/lib/plugins/${pname}*${postgresql.dlSuffix} | wc -l)" = "${ toString (numberOfVersionsBuilt + 1) }" ) @@ -83,7 +83,7 @@ pkgs.buildEnv { numberOfVersions = numberOfVersionsBuilt; inherit pname latestOnly; defaultSettings = { - shared_preload_libraries = [ "safeupdate" ]; + local_preload_libraries = [ "safeupdate" ]; }; pgRegressTestName = "pg-safeupdate"; version = diff --git a/nix/tests/expected/pg-safeupdate.out b/nix/tests/expected/pg-safeupdate.out index f9100116ac..21948552e4 100644 --- a/nix/tests/expected/pg-safeupdate.out +++ b/nix/tests/expected/pg-safeupdate.out @@ -1,4 +1,4 @@ -load 'safeupdate'; +load '$libdir/plugins/safeupdate'; set safeupdate.enabled=1; create schema v; create table v.foo( diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index a457f40297..fc06a2f9c3 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -60,11 +60,11 @@ select from pg_roles r where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections') order by rolname; - rolname | rolconfig -----------------------------+--------------------------------------------------------------------------------- - anon | {statement_timeout=3s} - authenticated | {statement_timeout=8s} - authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s} + rolname | rolconfig +----------------------------+------------------------------------------------------------------------------------------------------------------------------- + anon | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + authenticated | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + authenticator | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} dashboard_user | pg_checkpoint | pg_database_owner | @@ -83,7 +83,7 @@ order by rolname; pgsodium_keyiduser | pgsodium_keymaker | pgtle_admin | - postgres | {"search_path=\"\\$user\", public, extensions"} + postgres | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0} service_role | supabase_admin | {"search_path=\"$user\", public, auth, extensions",log_statement=none} supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none} diff --git a/nix/tests/sql/pg-safeupdate.sql b/nix/tests/sql/pg-safeupdate.sql index 790ec79fa1..fe25137a13 100644 --- a/nix/tests/sql/pg-safeupdate.sql +++ b/nix/tests/sql/pg-safeupdate.sql @@ -1,4 +1,4 @@ -load 'safeupdate'; +load '$libdir/plugins/safeupdate'; set safeupdate.enabled=1; From 85247b50f0a5c8b84e637a9400ba0efe95824a58 Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 3 Apr 2026 23:32:36 +0300 Subject: [PATCH 02/11] fix: update oriole tests for roles --- nix/tests/expected/z_multigres-orioledb-17_roles.out | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/nix/tests/expected/z_multigres-orioledb-17_roles.out b/nix/tests/expected/z_multigres-orioledb-17_roles.out index a307b2014b..43713224a8 100644 --- a/nix/tests/expected/z_multigres-orioledb-17_roles.out +++ b/nix/tests/expected/z_multigres-orioledb-17_roles.out @@ -57,11 +57,11 @@ select from pg_roles r where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections') order by rolname; - rolname | rolconfig -----------------------------+--------------------------------------------------------------------------------- - anon | {statement_timeout=3s} - authenticated | {statement_timeout=8s} - authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s} + rolname | rolconfig +----------------------------+------------------------------------------------------------------------------------------------------------------------------- + anon | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + authenticated | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + authenticator | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} dashboard_user | pg_checkpoint | pg_database_owner | @@ -77,7 +77,7 @@ order by rolname; pg_write_server_files | pgbouncer | pgtle_admin | - postgres | {"search_path=\"\\$user\", public, extensions"} + postgres | {"search_path=\"\\$user\", public, extensions","local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=0} service_role | supabase_admin | {"search_path=\"\\$user\", public, auth, extensions",log_statement=none} supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none} From 8ea8b793b492262d9c4f50967177e09c1eaf616e Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Tue, 14 Apr 2026 16:43:14 +0300 Subject: [PATCH 03/11] modify session_preload_libraries for anon, authenticator and authenticated --- .../20260403172611_safeupdate-data-api-enable.sql | 7 +++---- nix/tests/expected/roles.out | 10 +++++----- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql index ea7192ae7b..48f631d89f 100644 --- a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql +++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql @@ -1,8 +1,7 @@ -- migrate:up -ALTER ROLE anon SET local_preload_libraries = '$libdir/plugins/safeupdate'; -ALTER ROLE authenticator SET local_preload_libraries = '$libdir/plugins/safeupdate'; -ALTER ROLE authenticated SET local_preload_libraries = '$libdir/plugins/safeupdate'; -ALTER ROLE authenticator RESET session_preload_libraries; +ALTER ROLE anon SET session_preload_libraries = '$libdir/plugins/safeupdate'; +ALTER ROLE authenticator SET session_preload_libraries = 'supautils, $libdir/plugins/safeupdate'; +ALTER ROLE authenticated SET session_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE anon SET safeupdate.enabled = 1; diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index fc06a2f9c3..8aa7116890 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -60,11 +60,11 @@ select from pg_roles r where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections') order by rolname; - rolname | rolconfig -----------------------------+------------------------------------------------------------------------------------------------------------------------------- - anon | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} - authenticated | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} - authenticator | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + rolname | rolconfig +----------------------------+----------------------------------------------------------------------------------------------------------------------------------- + anon | {statement_timeout=3s,"session_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + authenticated | {statement_timeout=8s,"session_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + authenticator | {"session_preload_libraries=\"supautils, $libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s,safeupdate.enabled=1} dashboard_user | pg_checkpoint | pg_database_owner | From 4f0a4ee578d0b385c6c4be8842e705c5ef239f59 Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Tue, 14 Apr 2026 19:25:22 +0300 Subject: [PATCH 04/11] remove session preload libraries from anon and authenticated --- .../migrations/20260403172611_safeupdate-data-api-enable.sql | 2 -- nix/tests/expected/roles.out | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql index 48f631d89f..7886926896 100644 --- a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql +++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql @@ -1,7 +1,5 @@ -- migrate:up -ALTER ROLE anon SET session_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE authenticator SET session_preload_libraries = 'supautils, $libdir/plugins/safeupdate'; -ALTER ROLE authenticated SET session_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE anon SET safeupdate.enabled = 1; diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index 8aa7116890..bf8d4bb958 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -62,8 +62,8 @@ where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_ order by rolname; rolname | rolconfig ----------------------------+----------------------------------------------------------------------------------------------------------------------------------- - anon | {statement_timeout=3s,"session_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} - authenticated | {statement_timeout=8s,"session_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + anon | {statement_timeout=3s,safeupdate.enabled=1} + authenticated | {statement_timeout=8s,safeupdate.enabled=1} authenticator | {"session_preload_libraries=\"supautils, $libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s,safeupdate.enabled=1} dashboard_user | pg_checkpoint | From 04f4c152973665d83ddac3521f0062135a656810 Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Wed, 15 Apr 2026 08:47:34 +0300 Subject: [PATCH 05/11] restrict migration changes to postgres role --- .../20260403172611_safeupdate-data-api-enable.sql | 3 --- nix/tests/expected/roles.out | 10 +++++----- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql index 7886926896..43912a4032 100644 --- a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql +++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql @@ -2,9 +2,6 @@ ALTER ROLE authenticator SET session_preload_libraries = 'supautils, $libdir/plugins/safeupdate'; ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate'; -ALTER ROLE anon SET safeupdate.enabled = 1; -ALTER ROLE authenticator SET safeupdate.enabled = 1; -ALTER ROLE authenticated SET safeupdate.enabled = 1; ALTER ROLE postgres SET safeupdate.enabled = 0; diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index bf8d4bb958..f742b4a7b7 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -60,11 +60,11 @@ select from pg_roles r where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections') order by rolname; - rolname | rolconfig -----------------------------+----------------------------------------------------------------------------------------------------------------------------------- - anon | {statement_timeout=3s,safeupdate.enabled=1} - authenticated | {statement_timeout=8s,safeupdate.enabled=1} - authenticator | {"session_preload_libraries=\"supautils, $libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s,safeupdate.enabled=1} + rolname | rolconfig +----------------------------+------------------------------------------------------------------------------------------------------------------------------- + anon | {statement_timeout=3s} + authenticated | {statement_timeout=8s} + authenticator | {"session_preload_libraries=\"supautils, $libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} dashboard_user | pg_checkpoint | pg_database_owner | From f678eab4b12a1d1b33281c29ce775e8fcf3c712a Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Wed, 15 Apr 2026 09:27:38 +0300 Subject: [PATCH 06/11] fix: oriole test --- nix/tests/expected/z_multigres-orioledb-17_roles.out | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nix/tests/expected/z_multigres-orioledb-17_roles.out b/nix/tests/expected/z_multigres-orioledb-17_roles.out index 43713224a8..97ee46ce7d 100644 --- a/nix/tests/expected/z_multigres-orioledb-17_roles.out +++ b/nix/tests/expected/z_multigres-orioledb-17_roles.out @@ -59,9 +59,9 @@ where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_ order by rolname; rolname | rolconfig ----------------------------+------------------------------------------------------------------------------------------------------------------------------- - anon | {statement_timeout=3s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} - authenticated | {statement_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} - authenticator | {statement_timeout=8s,lock_timeout=8s,"local_preload_libraries=\"$libdir/plugins/safeupdate\"",safeupdate.enabled=1} + anon | {statement_timeout=3s} + authenticated | {statement_timeout=8s} + authenticator | {"session_preload_libraries=\"supautils, $libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} dashboard_user | pg_checkpoint | pg_database_owner | From 5dd89a71d3c242a4a31646f7cda6b8a1f71fc638 Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Wed, 15 Apr 2026 12:35:20 +0300 Subject: [PATCH 07/11] fix: remove supautils from migration --- .../db/migrations/20260403172611_safeupdate-data-api-enable.sql | 2 +- nix/tests/expected/roles.out | 2 +- nix/tests/expected/z_multigres-orioledb-17_roles.out | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql index 43912a4032..91186e148b 100644 --- a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql +++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql @@ -1,5 +1,5 @@ -- migrate:up -ALTER ROLE authenticator SET session_preload_libraries = 'supautils, $libdir/plugins/safeupdate'; +ALTER ROLE authenticator SET session_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE postgres SET safeupdate.enabled = 0; diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index f742b4a7b7..c4c3941529 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -64,7 +64,7 @@ order by rolname; ----------------------------+------------------------------------------------------------------------------------------------------------------------------- anon | {statement_timeout=3s} authenticated | {statement_timeout=8s} - authenticator | {"session_preload_libraries=\"supautils, $libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} + authenticator | {"session_preload_libraries=\"$libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} dashboard_user | pg_checkpoint | pg_database_owner | diff --git a/nix/tests/expected/z_multigres-orioledb-17_roles.out b/nix/tests/expected/z_multigres-orioledb-17_roles.out index 97ee46ce7d..e9b664cf91 100644 --- a/nix/tests/expected/z_multigres-orioledb-17_roles.out +++ b/nix/tests/expected/z_multigres-orioledb-17_roles.out @@ -61,7 +61,7 @@ order by rolname; ----------------------------+------------------------------------------------------------------------------------------------------------------------------- anon | {statement_timeout=3s} authenticated | {statement_timeout=8s} - authenticator | {"session_preload_libraries=\"supautils, $libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} + authenticator | {"session_preload_libraries=\"$libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} dashboard_user | pg_checkpoint | pg_database_owner | From 4fd6386a64ce2b779c71909d550994cfa402f3eb Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 17 Apr 2026 09:32:02 +0300 Subject: [PATCH 08/11] symlink safeupdate to original path so as not to break any Data API usage --- .../db/migrations/20260403172611_safeupdate-data-api-enable.sql | 1 - nix/ext/pg-safeupdate.nix | 2 ++ nix/tests/expected/roles.out | 2 +- nix/tests/expected/z_multigres-orioledb-17_roles.out | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql index 91186e148b..b5320f56d7 100644 --- a/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql +++ b/migrations/db/migrations/20260403172611_safeupdate-data-api-enable.sql @@ -1,5 +1,4 @@ -- migrate:up -ALTER ROLE authenticator SET session_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE postgres SET local_preload_libraries = '$libdir/plugins/safeupdate'; ALTER ROLE postgres SET safeupdate.enabled = 0; diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix index a600bb470b..df86f164cb 100644 --- a/nix/ext/pg-safeupdate.nix +++ b/nix/ext/pg-safeupdate.nix @@ -32,6 +32,7 @@ let mkdir -p $out/lib/plugins # Install versioned library install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix} + ln -sfn plugins/${pname}-${version}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix} runHook postInstall ''; @@ -87,6 +88,7 @@ pkgs.buildEnv { numberOfVersions = numberOfVersionsBuilt; inherit pname latestOnly; defaultSettings = { + shared_preload_libraries = ["safeupdate"]; local_preload_libraries = [ "safeupdate" ]; }; pgRegressTestName = "pg-safeupdate"; diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index c4c3941529..b0b81aba90 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out @@ -64,7 +64,7 @@ order by rolname; ----------------------------+------------------------------------------------------------------------------------------------------------------------------- anon | {statement_timeout=3s} authenticated | {statement_timeout=8s} - authenticator | {"session_preload_libraries=\"$libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} + authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s} dashboard_user | pg_checkpoint | pg_database_owner | diff --git a/nix/tests/expected/z_multigres-orioledb-17_roles.out b/nix/tests/expected/z_multigres-orioledb-17_roles.out index e9b664cf91..61bc84f72e 100644 --- a/nix/tests/expected/z_multigres-orioledb-17_roles.out +++ b/nix/tests/expected/z_multigres-orioledb-17_roles.out @@ -61,7 +61,7 @@ order by rolname; ----------------------------+------------------------------------------------------------------------------------------------------------------------------- anon | {statement_timeout=3s} authenticated | {statement_timeout=8s} - authenticator | {"session_preload_libraries=\"$libdir/plugins/safeupdate\"",statement_timeout=8s,lock_timeout=8s} + authenticator | {session_preload_libraries=safeupdate,statement_timeout=8s,lock_timeout=8s} dashboard_user | pg_checkpoint | pg_database_owner | From 80e2da698ee3d62b9ab949356f41564498cc9087 Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 17 Apr 2026 11:42:03 +0300 Subject: [PATCH 09/11] fix formatting --- nix/ext/pg-safeupdate.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix index df86f164cb..4c62aaaeed 100644 --- a/nix/ext/pg-safeupdate.nix +++ b/nix/ext/pg-safeupdate.nix @@ -88,7 +88,7 @@ pkgs.buildEnv { numberOfVersions = numberOfVersionsBuilt; inherit pname latestOnly; defaultSettings = { - shared_preload_libraries = ["safeupdate"]; + shared_preload_libraries = [ "safeupdate" ]; local_preload_libraries = [ "safeupdate" ]; }; pgRegressTestName = "pg-safeupdate"; From e730a8a4d3b956c544a972ea4e8ea47b05c10c0a Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 17 Apr 2026 12:57:19 +0300 Subject: [PATCH 10/11] symlink should be postbuild --- nix/ext/pg-safeupdate.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix index 4c62aaaeed..ed1327884e 100644 --- a/nix/ext/pg-safeupdate.nix +++ b/nix/ext/pg-safeupdate.nix @@ -32,7 +32,6 @@ let mkdir -p $out/lib/plugins # Install versioned library install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix} - ln -sfn plugins/${pname}-${version}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix} runHook postInstall ''; @@ -71,6 +70,7 @@ pkgs.buildEnv { ]; postBuild = '' ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/plugins/${pname}${postgresql.dlSuffix} + ln -sfn plugins/${pname}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix} # checks (set -x From b7c6774a2ab4957da9e0ccd834291ea406243f9d Mon Sep 17 00:00:00 2001 From: Chris Gwilliams <517923+encima@users.noreply.github.com> Date: Fri, 17 Apr 2026 20:33:18 +0300 Subject: [PATCH 11/11] Update nix/ext/pg-safeupdate.nix Co-authored-by: Steve Chavez --- nix/ext/pg-safeupdate.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/ext/pg-safeupdate.nix b/nix/ext/pg-safeupdate.nix index ed1327884e..b74a3f0c45 100644 --- a/nix/ext/pg-safeupdate.nix +++ b/nix/ext/pg-safeupdate.nix @@ -31,6 +31,7 @@ let mkdir -p $out/share/postgresql/extension mkdir -p $out/lib/plugins # Install versioned library + # we use the plugins path because loading libraries with `local_preload_libraries` is restricted to this path only, see https://postgresqlco.nf/doc/en/param/local_preload_libraries/ install -Dm755 ${pname}${postgresql.dlSuffix} $out/lib/plugins/${pname}-${version}${postgresql.dlSuffix} runHook postInstall