RepoJournal
Supabase

@supabase

The open-source Firebase alternative powering thousands of startups

Pick a date

The Wire · Showcase

REALTIME TIGHTENS SECURITY WITH LEAST-PRIVILEGE USER, CLI FIXES CONFIG PUSH REGRESSION

By RepoJournal · Filed · About Supabase

Supabase Realtime v2.109.0 ships a major security hardening feature that lets the service run as a constrained database role instead of superuser, while the CLI ports critical Go behavior that was lost in the TypeScript rewrite.

The Realtime release introduces a least-privilege database user [6], letting Realtime connect as a controlled role post-migration instead of requiring full superuser access throughout runtime. That same release bumps the replication connection timeout from 30 seconds to 4 minutes [5], giving busy databases breathing room to establish replication slots without choking. Over in the CLI, v2.106.0's native TypeScript port broke `config push` by rejecting `[remotes.*]` blocks that target your project [7]. The fix restores Go's merge behavior, letting remote configs layer over the base without aborting. The team also shipped live e2e testing for the CLI [8], eliminating the replay-server bottleneck for real-world command validation. Across the dashboard, function search got its own dedicated content filter [1] so you're not wading through every SQL keyword match, and MFA-enforced org invites now show clear setup prompts instead of cryptic errors [2].

Action items

References

  1. [1] feat: allow to filter function by code (#46743) supabase/supabase
  2. [2] Improve UI for org invites if MFA is enforced (#47067) supabase/supabase
  3. [3] fix(storage): keep sortBy defaults when list() is given a partial sortBy ↗ supabase/supabase-js
  4. [4] fix(functions): honor a caller's Content-Type override regardless of casing ↗ supabase/supabase-js
  5. [5] fix: replication connection increase timeout ↗ supabase/realtime
  6. [6] feat: introduce least-privilege realtime user ↗ supabase/realtime
  7. [7] fix(cli): merge matching [remotes.*] block on config push (#5618) supabase/cli
  8. [8] test(cli-e2e): add live e2e suite covering the CLI command matrix ↗ supabase/cli

FAQ

What changed in Supabase on June 19, 2026?
Supabase Realtime v2.109.0 ships a major security hardening feature that lets the service run as a constrained database role instead of superuser, while the CLI ports critical Go behavior that was lost in the TypeScript rewrite.
What should Supabase teams do about it?
Pull Realtime v2.109.0 and test the least-privilege user setup in staging before prod • Upgrade supabase-js to pick up storage sortBy and functions Content-Type fixes [ref:7][ref:8] • Update CLI if you use config push with remote blocks
Which Supabase repositories shipped on June 19, 2026?
supabase/supabase, supabase/supabase-js, supabase/realtime, supabase/cli

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.