RepoJournal
Supabase

@supabase

The open-source Firebase alternative powering thousands of startups


SUPABASE HARDENS ANALYTICS SQL AGAINST INJECTION ATTACKS

By RepoJournal · Filed · About Supabase

A three-part security refactor shipped overnight to prevent SQL injection in BigQuery and ClickHouse analytics queries, closing a compile-time safety gap across the entire logs pipeline.

Supabase landed the final piece of its safe-analytics-sql series, with all three PRs now merged [1] [2] [3]. The work introduces a compile-time safety model for analytics queries that previously had no protection against untrusted input from URL parameters and other sources. ServiceFlow.sql.ts was branded with SafeLogSqlFragment [3], completing the wire-boundary wrapper that now shields all five unified-logs query hooks [2] from direct interpolation risks.

On the UI side, the team finished migrating the deprecated `Modal` components out of Organization settings [4], swapping them for `Dialog` across the subscription downgrade flow, OAuth app management, and member-limit alerts. A smaller type-safety win landed in core: removing `any` type annotations so the ratchet rules pass [5].

Over in realtime, supabase-js was bumped to v2.106.2 [6], restoring the signup user response and adding Hermes-safe React Native exports. The dashboard also got an IPv6 DNS connection fix for tenant migrations [7] and a separate fix for a timing issue on connection disconnect [8]; the realtime service is now at v2.98.3 [9].
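The branded-fragment pattern behind that series, as an added illustration that is not Supabase's own code: the names SafeLogSqlFragment and executeAnalyticsSql are taken from the PR titles, while the `sql` tag, the `lit()` escape helper and `buildLogsQuery()` are hypothetical helpers assumed for this example.

```typescript
// Added example, not Supabase's code: sql, lit and buildLogsQuery are hypothetical helpers.
declare const safeSql: unique symbol;

// A string only `sql` and `lit` can mint; a raw URL parameter does not satisfy this type.
type SafeLogSqlFragment = string & { readonly [safeSql]: true };
function brand(text: string): SafeLogSqlFragment {
  return text as SafeLogSqlFragment;
}

// Only other fragments or finite numbers may be interpolated into a query.
type Interpolable = SafeLogSqlFragment | number;

// Tagged template: literal chunks are developer-authored, so trusted; values are
// constrained by the type system (fragments) or checked at runtime (numbers).
function sql(strings: TemplateStringsArray, ...values: Interpolable[]): SafeLogSqlFragment {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    if (typeof v === "number") {
      if (!Number.isFinite(v)) throw new Error("non-finite number in SQL");
      out += String(v);
    } else {
      out += v;
    }
    out += strings[i + 1];
  }
  return brand(out);
}

// Escape hatch for untrusted text: a single-quoted literal with ' and \ backslash-escaped,
// the syntax both BigQuery and ClickHouse accept. Prefer query parameters where the client supports them.
function lit(value: string): SafeLogSqlFragment {
  return brand(`'${value.replace(/[\\']/g, (c) => "\\" + c)}'`);
}

// Wire boundary: the backend call accepts nothing but a branded fragment.
function executeAnalyticsSql(fragment: SafeLogSqlFragment): string {
  return fragment; // stand-in for sending the query to BigQuery/ClickHouse
}

// Hypothetical hook body: projectRef arrives from a URL parameter.
function buildLogsQuery(projectRef: string, limit: number): SafeLogSqlFragment {
  return sql`select timestamp, event_message from edge_logs where project = ${lit(projectRef)} limit ${limit}`;
}

// Rejected at compile time, which is the point of the brand:
// executeAnalyticsSql(`select * from edge_logs where project = '${projectRef}'`);
```

The commented-out call at the end fails type-checking because a plain template string is not a SafeLogSqlFragment, which is how the brand moves the injection check from review time to compile time.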

References

  [1] feat: add safe SQL execution for analytics queries (BigQuery/ClickHouse) (#46287) · supabase/supabase
  [2] feat(logs): route unified-logs hooks through executeAnalyticsSql (#46333) · supabase/supabase
  [3] feat(logs): brand ServiceFlow.sql.ts with SafeLogSqlFragment (#46336) · supabase/supabase
  [4] chore: migrate Organization settings `Modal` to `Dialog` (#46332) · supabase/supabase
  [5] chore: remove any type to let ratchet rules pass (#46349) · supabase/supabase
  [6] chore: update @supabase/supabase-js to v2.106.2 · supabase/realtime
  [7] fix(dashboard): tenant db connect dns ipv6 (#1910) · supabase/realtime
  [8] fix: timing issue on connection disconnect (#1908) · supabase/realtime
  [9] v2.98.3 · supabase/realtime

FAQ

What changed in Supabase on May 26, 2026?
A three-part security refactor shipped overnight to prevent SQL injection in BigQuery and ClickHouse analytics queries, closing a compile-time safety gap across the entire logs pipeline.
What should Supabase teams do about it?
  • Review the safe-analytics-sql refactor series if you maintain analytics queries or custom logging
  • Update supabase-js to v2.106.2 if you're on React Native with Hermes
  • Bump realtime to v2.98.3 for IPv6 DNS and disconnect fixes in self-hosted deployments
Which Supabase repositories shipped on May 26, 2026?
supabase/supabase, supabase/realtime

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.