
SUPABASE PATCHES CRITICAL VITEST RCE, SHIPS SCHEMA DEFAULT EXPRESSIONS

By RepoJournal

A critical arbitrary file read vulnerability in Vitest's UI server forced an emergency bump across the server stack, while ETL gains deterministic column defaults and safer SQL identifier handling.

The Vitest RCE [1] is the headline: CVE-2026-47429 allows remote code execution through the test UI server. Supabase locked it down by bumping vitest to ^4.1.0; that release's new `allowWrite` and `allowExec` defaults were already correct for the codebase. A second vulnerability, a missing binary integrity check in esbuild [2], required a surgical override via pnpm.overrides, since esbuild is only a transitive dependency through vite. Both fixes ship in server-v1.2.0-rc.73 [3]. On the ETL front, schema evolution now carries forward column default expressions [4], closing a critical gap in deterministic migrations. Table sync gains test coverage for the critical post-copy-to-streaming handoff [5], with failpoints around state boundaries to catch race conditions. SQL identifier quoting in xtask now uses `pg_escape` [6], eliminating a class of injection bugs in seed and formatting operations. CLI lands eight dependency updates, including anthropic-ai SDK bumps [7], rolling into v2.107.0-beta.22 [8], while Docker images for realtime and storage-api tick up to latest [9].

Action items

  • Upgrade supabase/server to v1.2.0-rc.73 immediately; it patches the critical Vitest RCE
  • Review ETL column default handling in schema migrations before the next production sync
  • Update CLI to v2.107.0-beta.22 for dependency security fixes

References

  [1] chore(deps): bump vitest to ^4.1.0 (CVE-2026-47429) (supabase/server)
  [2] chore(deps): override esbuild ^0.28.1 (Dependabot GHSA missing binary integrity check) (supabase/server)
  [3] server-v1.2.0-rc.73 (supabase/server)
  [4] feat(ddl): Add support for default expressions (supabase/etl)
  [5] test: table sync streaming handoff (supabase/etl)
  [6] fix(xtask): better quote identifiers (supabase/etl)
  [7] fix(deps): bump the npm-major group with 8 updates (supabase/cli)
  [8] v2.107.0-beta.22 (supabase/cli)
  [9] fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 2 updates (supabase/cli)

FAQ

What changed in Supabase on June 17, 2026?
A critical arbitrary file read vulnerability in Vitest's UI server forced an emergency bump across the server stack, while ETL gains deterministic column defaults and safer SQL identifier handling.
What should Supabase teams do about it?
  • Upgrade supabase/server to v1.2.0-rc.73 immediately; it patches the critical Vitest RCE
  • Review ETL column default handling in schema migrations before the next production sync
  • Update CLI to v2.107.0-beta.22 for dependency security fixes
Which Supabase repositories shipped on June 17, 2026?
supabase/server, supabase/etl, supabase/cli
