igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add db-dump and db-migrate scripts to strip \restrict lines

Browse Source 
PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump
output (CVE-2025-8714 security fix), causing schema.sql to appear
changed on every dump even when the schema hasn't changed.

These wrapper scripts run dbmate and strip the \restrict lines from
the output to keep schema.sql stable.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
igm
2026-01-12 12:33:20 +08:00
parent 44a480179b
commit 848d9e9af1
5 changed files with 42 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
CLAUDE.md
View File

@@ -1,5 +1,13 @@
# Claude Code Notes # Claude Code Notes
## Database Scripts
Use the wrapper scripts instead of running dbmate directly:
- `./scripts/db-dump` - Dump schema without random `\restrict` tokens
- `./scripts/db-migrate` - Run migrations and dump clean schema
PostgreSQL 17.6+ adds random `\restrict`/`\unrestrict` lines to pg_dump output (CVE-2025-8714 fix), causing schema.sql to show as changed on every dump. These scripts strip those lines.
## Development Server ## Development Server
Before starting the dev server, check if it's already running: Before starting the dev server, check if it's already running:

2
README.md
View File

@@ -111,6 +111,8 @@ bun run dev
| `bun run lint:fix` | Fix linting issues | | `bun run lint:fix` | Fix linting issues |
| `bun run test` | Run tests | | `bun run test` | Run tests |
| `bun run db:codegen` | Generate database types | | `bun run db:codegen` | Generate database types |
| `./scripts/db-dump` | Dump database schema (strips `\restrict` lines) |
| `./scripts/db-migrate` | Run migrations (strips `\restrict` lines) |
## CLI ## CLI

2
db/schema.sql
View File

@@ -1,4 +1,3 @@
\restrict F9AizESreuRieL4inRcHWWg3hyNET0FgnBDFBBBU3cZGPEpHjb591l8S2iglpap
-- Dumped from database version 17.7 -- Dumped from database version 17.7
-- Dumped by pg_dump version 17.7 -- Dumped by pg_dump version 17.7
@@ -1084,7 +1083,6 @@ ALTER TABLE ONLY public.user_devices
-- PostgreSQL database dump complete -- PostgreSQL database dump complete
-- --
\unrestrict F9AizESreuRieL4inRcHWWg3hyNET0FgnBDFBBBU3cZGPEpHjb591l8S2iglpap
-- --

16
scripts/db-dump Executable file
View File

@@ -0,0 +1,16 @@
#!/usr/bin/env bash
# Wrapper for dbmate dump that strips PostgreSQL's \restrict lines.
# PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump output
# (CVE-2025-8714 security fix), causing schema.sql to change on every dump.
set -euo pipefail
SCHEMA_FILE="${DBMATE_SCHEMA_FILE:-./db/schema.sql}"
dbmate dump "$@"
# Strip \restrict and \unrestrict lines (they start with backslash)
if [[ -f "$SCHEMA_FILE" ]]; then
grep -v '^\\' "$SCHEMA_FILE" > "${SCHEMA_FILE}.tmp"
mv "${SCHEMA_FILE}.tmp" "$SCHEMA_FILE"
fi

16
scripts/db-migrate Executable file
View File

@@ -0,0 +1,16 @@
#!/usr/bin/env bash
# Wrapper for dbmate migrate that strips PostgreSQL's \restrict lines.
# PostgreSQL 17.6+ adds random \restrict/\unrestrict tokens to pg_dump output
# (CVE-2025-8714 security fix), causing schema.sql to change on every dump.
set -euo pipefail
SCHEMA_FILE="${DBMATE_SCHEMA_FILE:-./db/schema.sql}"
dbmate migrate "$@"
# Strip \restrict and \unrestrict lines (they start with backslash)
if [[ -f "$SCHEMA_FILE" ]]; then
grep -v '^\\' "$SCHEMA_FILE" > "${SCHEMA_FILE}.tmp"
mv "${SCHEMA_FILE}.tmp" "$SCHEMA_FILE"
fi