The Wire · Showcase
BIGQUERY VIEW LOGIC FIXED, NPM SECURITY GUIDE GOES LIVE, CLI GAINS TABLE EXPOSURE CONTROL
By RepoJournal · Filed · About Supabase
Supabase shipped fixes across three critical surfaces: ETL now properly recreates BigQuery views on schema changes, a comprehensive npm supply-chain hardening guide hits docs, and the CLI gains granular control over Data API table exposure.
The ETL team closed a BigQuery logic gap where views weren't being recreated after schema DDL, even when pointing to the same sequenced physical table [1]. This matters because downstream analytics pipelines depend on view consistency after schema evolution.
In parallel, the security desk published a comprehensive guide for hardening npm installs of @supabase/* packages, covering lockfile hygiene, minimum-release-age quarantine across all package managers, provenance verification, and lifecycle script controls [2]. This guide shipped to supabase.com/docs after being drafted in supabase-js, and the SDK repo now redirects to the canonical URL [3].
On the CLI front, a new `[api].auto_expose_new_tables` configuration option lets teams control whether newly-created tables, views, sequences, and functions in the public schema are automatically reachable through Data API roles [6]. This aligns with Cloud's new toggle for granular default privileges.
The studio team also wired keyboard shortcuts into the Integrations Marketplace [4], shipped the State of Startups 2026 results page with live survey data [5], and the CLI backfilled legacy telemetry payloads to match the Go CLI implementation [7]. Infrastructure-side, a flaky functions dev watcher test got stabilized with an in-memory fake watcher layer [8], and the Docker mirror image workflow was repaired to work without a checked-out apps/cli-go directory [9].
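As an added illustration of two of the controls named above for @supabase/* installs (lockfile hygiene and lifecycle script controls), the following script audits a lockfile for in-scope entries. It is not taken from the Supabase guide or any Supabase repository; `auditScope`, the issue labels, the sample lockfile and the assumption that `registry.npmjs.org` is the only expected tarball source are constructed for this example.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3) for @supabase/* entries.
// SAMPLE_LOCK is constructed for illustration; versions and hashes are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@supabase/supabase-js": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/@supabase/supabase-js/-/supabase-js-0.0.1.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/@supabase/auth-js": {
      version: "0.0.2",
      resolved: "https://mirror.example.test/auth-js-0.0.2.tgz",
      integrity: "sha1-CONSTRUCTED-PLACEHOLDER",
      hasInstallScript: true,
    },
    "node_modules/demo/node_modules/@supabase/realtime-js": {
      version: "0.0.3",
      resolved: "https://registry.npmjs.org/@supabase/realtime-js/-/realtime-js-0.0.3.tgz",
    },
    "node_modules/other-dep": { version: "9.9.9", hasInstallScript: true },
  },
};

// Hypothetical helper: returns one finding per in-scope package that has issues.
// Assumes the public registry host is the only expected tarball source.
function auditScope(lock, scope = "@supabase/", registryHost = "registry.npmjs.org") {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Nested installs look like node_modules/a/node_modules/@scope/name.
    const name = path.split("node_modules/").pop();
    if (!name.startsWith(scope)) continue;
    const issues = [];
    let url = null;
    try { url = new URL(meta.resolved); } catch { /* missing or not a URL */ }
    if (!url || url.protocol !== "https:" || url.host !== registryHost) {
      issues.push("resolved-outside-registry");
    }
    if (!/^sha512-/.test(meta.integrity || "")) issues.push("missing-or-weak-integrity");
    if (meta.hasInstallScript) issues.push("has-install-script");
    if (issues.length) findings.push({ name, version: meta.version, issues });
  }
  return findings;
}

for (const f of auditScope(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.issues.join(", ")}`);
}
```

In CI, a non-empty result can fail the build before `npm ci` runs, so a changed tarball source or a newly introduced install script in the scope is reviewed rather than installed.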
Action items
- Review the new npm security guide if you manage supply-chain risk for @supabase/* dependencies (supabase/supabase) [plan]
- Evaluate the auto_expose_new_tables config for local development and staging environments (supabase/cli) [plan]
- Update any external links pointing to the old npm security guide to supabase.com/docs/guides/security/npm-security (supabase/supabase-js) [monitor]
References
- [1] fix(bigquery): Recreate view on schema change in BigQuery supabase/etl
- [2] docs: add guide for securing npm installs against supply-chain attacks supabase/supabase
- [3] docs(repo): move npm security guide to supabase.com/docs supabase/supabase-js
- [4] feat(studio): keyboard shortcuts for integrations supabase/supabase
- [5] feat(www): wire up State of Startups 2026 results page supabase/supabase
- [6] feat(config,stack): add auto_expose_new_tables configuration option (#5239) supabase/cli
- [7] feat(cli): align legacy telemetry payload with Go CLI (#5359) supabase/cli
- [8] test(cli): stabilize functions dev watcher test (#5358) supabase/cli
- [9] fix(docker): repair mirror image workflow dispatch (#5363) supabase/cli
FAQ
- What changed in Supabase on May 27, 2026?
  - Supabase shipped fixes across three critical surfaces: ETL now properly recreates BigQuery views on schema changes, a comprehensive npm supply-chain hardening guide hits docs, and the CLI gains granular control over Data API table exposure.
- What should Supabase teams do about it?
  - Review the new npm security guide if you manage supply-chain risk for @supabase/* dependencies; evaluate the auto_expose_new_tables config for local development and staging environments; update any external links pointing to the old npm security guide to supabase.com/docs/guides/security/npm-security.
- Which Supabase repositories shipped on May 27, 2026?
  - supabase/etl, supabase/supabase, supabase/supabase-js, supabase/cli