RepoJournal
Supabase

@supabase

The open-source Firebase alternative powering thousands of startups


GRPC PATCHES AUTHORIZATION BYPASS AS SUPABASE MODERNIZES REALTIME STACK

By RepoJournal · Filed · About Supabase

A critical authorization bypass in gRPC 1.56 to 1.79.2 could let attackers bypass request validation, and Supabase is patching across benchmarks while shipping realtime improvements.

The grpc-go team fixed a server-side authorization bypass where malformed :path headers missing the leading slash could bypass authorization checks [1]. Supabase's benchmarks repo jumped from gRPC 1.56.3 to 1.79.3 to close this gap [1].

On the realtime front, the team is dropping its fork of gen_rpc now that all upstream PRs hit the original EMQX repository [2], reducing maintenance burden. Svelte got two separate bumps in benchmarks: a major jump from 4.2.19 to 5.51.5 [3] followed by patch updates to 5.55.7 addressing XSS on hydration [4]. The supabase-js client in realtime bumped to v2.108.2, fixing auth session refresh failures and clarifying httpSend() errors [5].

On the docs side, external replication (ETL) terminology is now standardized across the platform [6], Edge Functions got a new error codes reference guide [7], and High Availability projects on Multigres now show which features (Realtime, Replication, PITR) are unavailable [8].
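To confirm that a checkout actually carries the gRPC bump described above, the following added example (not code from RepoJournal, Supabase or grpc-go) reads a go.mod body and classifies the required `google.golang.org/grpc` version against the range this page states. The function names, result labels and sample go.mod are constructed for illustration; it assumes "1.56 to 1.79.2" means 1.56.0 through 1.79.2 inclusive.

```go
package main

import (
	"fmt"
	"strings"
)

const grpcModule = "google.golang.org/grpc"

// key packs major.minor.patch into one ordered integer (components below 2^20).
func key(p [3]int64) int64 { return p[0]<<40 | p[1]<<20 | p[2] }

// grpcVersion returns the required grpc-go version ("" if none); replace/exclude are not resolved.
func grpcVersion(gomod string) string {
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0])
		switch {
		case len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")"):
			inRequire = f[0] == "require" && len(f) == 2
		case len(f) == 3 && f[0] == "require" && f[1] == grpcModule,
			len(f) == 2 && inRequire && f[0] == grpcModule:
			return f[len(f)-1]
		}
	}
	return ""
}

// Classify applies the range stated on the page: affected from 1.56 through 1.79.2.
func Classify(gomod string) string {
	v := grpcVersion(gomod)
	var p [3]int64
	_, err := fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	switch {
	case v == "":
		return "not-required"
	case err != nil || fmt.Sprintf("v%d.%d.%d", p[0], p[1], p[2]) != v:
		return "manual-review" // pre-release, pseudo-version or malformed
	case key(p) >= key([3]int64{1, 79, 3}):
		return "patched"
	case key(p) >= key([3]int64{1, 56, 0}):
		return "affected"
	}
	return "below-stated-range"
}

func main() {
	// Constructed go.mod pinned to the version the page says the repo was on.
	fmt.Println(Classify("module example.test/bench\n\nrequire google.golang.org/grpc v1.56.3\n"))
}
```

Versions older than 1.56 are reported as below-stated-range rather than safe, because the page says nothing about them; a `replace` directive can also change what is actually built, so check it separately.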

Action items

References

  [1] build(deps): bump google.golang.org/grpc from 1.56.3 to 1.79.3 in the go_modules group across 1 directory (supabase/benchmarks)
  [2] fix: update gen_rpc to original fork (supabase/realtime)
  [3] build(deps-dev): bump svelte from 4.2.19 to 5.51.5 in /web in the npm_and_yarn group across 1 directory (supabase/benchmarks)
  [4] build(deps): bump the npm_and_yarn group across 1 directory with 6 updates (supabase/benchmarks)
  [5] chore: update @supabase/supabase-js to v2.108.2 (supabase/realtime)
  [6] Standardize external replication (ETL) docs (supabase/supabase)
  [7] docs(functions): add error codes page (supabase/supabase)
  [8] chore: Disable some of the Studio features on Multigres projects (supabase/supabase)

FAQ

What changed in Supabase on June 16, 2026?
A critical authorization bypass in gRPC 1.56 to 1.79.2 could let attackers bypass request validation, and Supabase is patching across benchmarks while shipping realtime improvements.
What should Supabase teams do about it?
  • Verify benchmarks repo runs gRPC 1.79.3 or later in your local environment
  • Review Multigres HA feature restrictions in Studio to prevent user confusion
  • Monitor realtime stability after gen_rpc fork consolidation in next release
Which Supabase repositories shipped on June 16, 2026?
supabase/benchmarks, supabase/realtime, supabase/supabase
