RepoJournal
Supabase

@supabase

The open-source Firebase alternative powering thousands of startups

Pick a date

  1. Sat 2 may
  2. Mon 4 may
  3. Tue 5 may
  4. Wed 6 may
  5. Thu 7 may
  6. Fri 8 may
  7. Sat 9 may
  8. Mon 11 may
  9. Tue 12 may
  10. Wed 13 may
  11. Thu 14 may
  12. Fri 15 may
  13. Sat 16 may
  14. Sun 17 may
  15. Tue 19 may
  16. Wed 20 may
  17. Thu 21 may
  18. Sat 23 may
  19. Sun 24 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

SUPABASE-JS BREAKS IN SANDBOXED BROWSERS — PATCH NOW

By RepoJournal · Filed · About Supabase

createClient crashed in restricted-storage environments (sandboxed iframes, in-app webviews, privacy modes) due to unsafe sessionStorage access in the realtime layer [ref:8].

The supabase-js client was throwing synchronously with SecurityError when initialized in browsers that restrict storage access—Facebook Messenger, Instagram, Google Performance Max webviews, and sandboxed iframes without same-origin flags all hit this wall [1]. This is live: v2.105.4 ships the fix [2], and v3.0.0-next.27 guards the same vulnerability in the next-generation client [5]. Both releases also patch separate auth and postgrest issues: v2.105.4 hardens JSON parse error handling in getItemAsync and restores abort detection in fetch catches [2]. Storage layer shipped v1.58.11 with a critical range-read fix for file backend uploads [3]—the parser now handles optional range headers correctly and eliminates an off-by-one error in part copy operations [4]. Postgres images across versions (15.14.1, 17.6.0, and 17.6.0-orioledb) are staged and ready .

Action items

References

  1. [1] fix(realtime): guard sessionStorage access in restricted-storage browsers ↗ supabase/supabase-js
  2. [2] v2.105.4 ↗ supabase/supabase-js
  3. [3] v1.58.11 ↗ supabase/storage
  4. [4] fix: range reads for file backend ↗ supabase/storage
  5. [5] v3.0.0-next.27 ↗ supabase/supabase-js

FAQ

What changed in Supabase on May 9, 2026?
createClient crashed in restricted-storage environments (sandboxed iframes, in-app webviews, privacy modes) due to unsafe sessionStorage access in the realtime layer .
What should Supabase teams do about it?
Update supabase-js to v2.105.4 if you serve embedded webviews or restricted-storage environments • Upgrade storage to v1.58.11 if you're using file backend with multipart uploads • Test v3.0.0-next.27 in staging if you're on the next branch
Which Supabase repositories shipped on May 9, 2026?
supabase/supabase-js, supabase/storage

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.