SUPABASE TIGHTENS SQL INJECTION DEFENSE WHILE STUDIO FIXES BREAK THE RENDER LOOP
By RepoJournal · Filed May 20, 2026 · About Supabase
A critical sanitization hardening in pg-format closes a control-phrase injection vector that could slip SQL commands through keyword validation, while the Studio team ships four fixes that restore table editing reliability and fix infinite render loops.
The pg-meta team patched a dangerous regex gap in pg-format's `keyword()` helper [1]. The original validation `/^[A-Za-z][A-Za-z0-9_]*$/` accepted space-separated phrases, meaning DROP TABLE and DELETE FROM would pass through as valid keywords. This hardening pass tightens that regex to reject anything that looks like a control phrase. Ship this before your next build.

On the Studio side, the team crushed four UI bugs that have been eating support tickets. The table editor was nuking unsaved columns on every refetch because a `useEffect` was re-initializing from server data without checking whether the user had already typed something [2]. The new-project form was caught in a maximum-update-depth infinite loop because `form.formState` was in a dependency array, creating a new Proxy reference on every render [3]. The instance diagram was laying out read replicas with a hardcoded fake height instead of measuring actual node dimensions [4]. All three are merged and ready.

On the CLI front, the team migrated CI pipelines to Blacksmith runners for faster builds [5] and fixed a cross-platform release workflow bug where Windows PowerShell was eating variable expansions [6]. The hidden flags system was refactored from a global registry to per-command scoping to prevent collisions [7].
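To make the keyword-validation point concrete, here is an added example in JavaScript; it is not pg-format's code and not the fix from PR [1]. It treats a keyword as safe only if it is a single identifier-shaped token (no whitespace, quotes, semicolons or comment markers) and additionally appears on an explicit allowlist, so a statement verb like DROP is refused even as a single well-formed token. The `ALLOWED_KEYWORDS` and `CONTROL_VERBS` sets and the `buildOrderBy` helper are constructed for this illustration.

```javascript
// Added example, not pg-format's own implementation. Shows an allowlist-based
// keyword formatter that never lets a control phrase reach a generated SQL string.

// One identifier-shaped token: letter first, then letters/digits/underscore.
// Whitespace, ';', '--', quotes and parentheses all fail this test.
const KEYWORD_TOKEN = /^[A-Za-z][A-Za-z0-9_]*$/;

// Constructed allowlist: the only bare keywords this query builder ever splices in.
const ALLOWED_KEYWORDS = new Set([
  'ASC', 'DESC', 'NULLS', 'FIRST', 'LAST', 'AND', 'OR', 'NOT',
]);

// Constructed denylist of statement-level verbs, checked before the allowlist so
// the intent is explicit even if someone later widens ALLOWED_KEYWORDS.
const CONTROL_VERBS = new Set([
  'DROP', 'DELETE', 'TRUNCATE', 'ALTER', 'CREATE', 'GRANT', 'REVOKE',
  'INSERT', 'UPDATE', 'EXECUTE', 'COPY',
]);

function isSafeKeyword(value) {
  if (typeof value !== 'string') return false;
  if (!KEYWORD_TOKEN.test(value)) return false;   // rejects "DROP TABLE", "desc; --"
  const upper = value.toUpperCase();
  if (CONTROL_VERBS.has(upper)) return false;      // rejects bare "DROP"
  return ALLOWED_KEYWORDS.has(upper);              // accepts only known keywords
}

// Fail closed: callers get an exception, never a partially sanitized string.
function formatKeyword(value) {
  if (!isSafeKeyword(value)) {
    throw new TypeError(`refusing to format unsafe keyword: ${JSON.stringify(value)}`);
  }
  return value.toUpperCase();
}

// Identifiers are not keywords: quote them and double any embedded double quote.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  if (name.includes('\0')) throw new TypeError('identifier contains NUL');
  return '"' + name.replace(/"/g, '""') + '"';
}

// Hypothetical builder: identifiers go through quoteIdent, the sort direction
// through formatKeyword, so user input can never become a statement.
function buildOrderBy(table, column, direction) {
  return `SELECT * FROM ${quoteIdent(table)} ORDER BY ${quoteIdent(column)} ${formatKeyword(direction)}`;
}

// Runs a constructed set of inputs through the check and reports each verdict.
function demo() {
  const verdicts = {};
  for (const input of ['DESC', 'nulls', 'DROP', 'DROP TABLE', 'DELETE FROM', 'desc; --']) {
    verdicts[input] = isSafeKeyword(input);
  }
  return verdicts;
}

console.log(demo());
console.log(buildOrderBy('users', 'created_at', 'asc'));
```

The design choice worth copying is the combination: the regex blocks multi-token phrases, and the allowlist blocks anything the builder has no business emitting, so a future regex relaxation cannot silently reopen the hole.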
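The table-editor bug above is a state-reconciliation problem, and the logic is easy to show without React. The following is an added example, not Studio's code or the change in PR [2]: a plain function that merges freshly fetched column definitions into the editor's local list while keeping unsaved drafts, beside the reset-from-server behaviour that loses them. The column shape (`id`, `name`, `isUnsaved`) and the sample data are constructed for this illustration.

```javascript
// Added example, not Studio's implementation. Reconciles server column
// definitions with local editor state without discarding unsaved work.

// The "before" behaviour: every refetch replaces local state wholesale, so a
// column the user has typed but not saved is silently dropped.
function resetFromServer(previousColumns, serverColumns) {
  return serverColumns.slice();
}

// The "after" behaviour: keep local order, refresh persisted columns from the
// server, keep drafts untouched, drop columns deleted on the server and append
// columns that appeared since the last fetch.
function mergeColumns(localColumns, serverColumns) {
  const pendingFromServer = new Map(serverColumns.map((c) => [c.id, c]));
  const merged = [];
  for (const local of localColumns) {
    if (local.isUnsaved) {
      merged.push(local);                       // unsaved draft: never overwritten
      continue;
    }
    const fresh = pendingFromServer.get(local.id);
    if (fresh) {
      merged.push(fresh);                       // persisted: take the server's copy
      pendingFromServer.delete(local.id);
    }
    // no server copy: the column was deleted remotely, so it is dropped
  }
  for (const fresh of pendingFromServer.values()) merged.push(fresh);
  return merged;
}

// What the effect should do on each refetch: only reset wholesale when there is
// nothing local worth preserving.
function initColumnsFromServer(previousColumns, serverColumns) {
  const hasDraft = previousColumns.some((c) => c.isUnsaved);
  return hasDraft ? mergeColumns(previousColumns, serverColumns) : serverColumns.slice();
}

// Constructed sample: one saved column, one unsaved draft, one column deleted remotely.
const localColumns = [
  { id: 1, name: 'id', isUnsaved: false },
  { id: null, name: 'nickname', isUnsaved: true },
  { id: 3, name: 'legacy_flag', isUnsaved: false },
];
const serverColumns = [
  { id: 1, name: 'id', isUnsaved: false },
  { id: 2, name: 'email', isUnsaved: false },
];

console.log(resetFromServer(localColumns, serverColumns).map((c) => c.name));
console.log(initColumnsFromServer(localColumns, serverColumns).map((c) => c.name));
```

Keying the merge on a stable server id is what makes the draft survive: a draft has no id yet, so nothing from the server can be mistaken for it.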
Action items
- Merge pg-format sanitization hardening before next deployment supabase/supabase [immediate]
- Test table editor and new-project form thoroughly on your next staging deploy supabase/supabase [plan]
- Monitor CLI release workflows for faster build times with Blacksmith runners supabase/cli [monitor]
- Review fork PR CI gating changes in ETL for security approval flow supabase/etl [plan]
References
- [1] fix(pg-meta): tighten pg-format keyword() against control-phrase injection (#46076) supabase/supabase
- [2] fix(studio): preserve unsaved columns in table editor across refetches (#46073) supabase/supabase
- [3] fix(studio): prevent infinite render loop in new-project form (#46131) supabase/supabase
- [4] fix(studio): use measured node heights for instance diagram layout (#46075) supabase/supabase
- [5] ci: migrate CI and release workflows to Blacksmith runners (#5300) supabase/cli
- [6] fix(cli): fix smoke test shell and npm tag quoting in release workflow (#5294) supabase/cli
- [7] fix(cli): scope hidden flags per-command instead of globally supabase/cli
FAQ
- What changed in Supabase on May 20, 2026?
- A critical sanitization hardening in pg-format closes a control-phrase injection vector that could slip SQL commands through keyword validation, while the Studio team ships four fixes that restore table editing reliability and fix infinite render loops.
- What should Supabase teams do about it?
- Merge pg-format sanitization hardening before next deployment • Test table editor and new-project form thoroughly on your next staging deploy • Monitor CLI release workflows for faster build times with Blacksmith runners
- Which Supabase repositories shipped on May 20, 2026?
- supabase/supabase, supabase/cli