REALTIME TIGHTENS SECURITY WITH LEAST-PRIVILEGE USER, CLI FIXES CONFIG PUSH REGRESSION
By RepoJournal · Filed · About Supabase
Supabase Realtime v2.109.0 ships a major security hardening feature that lets the service run as a constrained database role instead of superuser, while the CLI ports critical Go behavior that was lost in the TypeScript rewrite.
The Realtime release introduces a least-privilege database user [6], letting Realtime connect as a controlled role post-migration instead of requiring full superuser access throughout runtime. That same release bumps the replication connection timeout from 30 seconds to 4 minutes [5], giving busy databases breathing room to establish replication slots without choking.
Over in the CLI, v2.106.0's native TypeScript port broke `config push` by rejecting `[remotes.*]` blocks that target your project [7]. The fix restores Go's merge behavior, letting remote configs layer over the base without aborting. The team also shipped live e2e testing for the CLI [8], eliminating the replay-server bottleneck for real-world command validation.
Across the dashboard, function search got its own dedicated content filter [1] so you're not wading through every SQL keyword match, and MFA-enforced org invites now show clear setup prompts instead of cryptic errors [2].
Action items
- Pull Realtime v2.109.0 and test the least-privilege user setup in staging before prod (supabase/realtime) [plan]
- Upgrade supabase-js to pick up storage sortBy and functions Content-Type fixes [3][4] (supabase/supabase-js) [plan]
- Update CLI if you use config push with remote blocks (supabase/cli) [immediate]
- Review dashboard MFA invite flow in staging if your org enforces MFA (supabase/supabase) [monitor]
References
- [1] feat: allow to filter function by code (#46743) supabase/supabase
- [2] Improve UI for org invites if MFA is enforced (#47067) supabase/supabase
- [3] fix(storage): keep sortBy defaults when list() is given a partial sortBy supabase/supabase-js
- [4] fix(functions): honor a caller's Content-Type override regardless of casing supabase/supabase-js
- [5] fix: replication connection increase timeout supabase/realtime
- [6] feat: introduce least-privilege realtime user supabase/realtime
- [7] fix(cli): merge matching [remotes.*] block on config push (#5618) supabase/cli
- [8] test(cli-e2e): add live e2e suite covering the CLI command matrix supabase/cli
FAQ
- What changed in Supabase on June 19, 2026?
  - Supabase Realtime v2.109.0 ships a major security hardening feature that lets the service run as a constrained database role instead of superuser, while the CLI ports critical Go behavior that was lost in the TypeScript rewrite.
- What should Supabase teams do about it?
  - Pull Realtime v2.109.0 and test the least-privilege user setup in staging before prod; upgrade supabase-js to pick up storage sortBy and functions Content-Type fixes [3][4]; update CLI if you use config push with remote blocks.
- Which Supabase repositories shipped on June 19, 2026?
  - supabase/supabase, supabase/supabase-js, supabase/realtime, supabase/cli