FLUTTER SIGNS OUT SMARTER, CLI TESTS GO LIVE, STUDIO WARNINGS CATCH CREDENTIAL LEAKS

By RepoJournal · Filed · About Supabase

Supabase Flutter now tells you why users signed out, the CLI can test against real infrastructure in CI, and Studio is screaming louder about Vercel preview leaks that push production credentials.

The Flutter SDK shipped typed sign-out reasons [1] [2], so your app knows whether a user explicitly logged out, hit a session expiration, or lost a corrupted session. That's the signal listeners have been asking for to rebuild auth flows correctly. Meanwhile, the CLI got a live test harness [3] [4] that spins up real Supabase infrastructure in CI and exercises the built binary against it, catching integration gaps that unit tests miss. On the Studio side, the Vercel env-sync warning [5] is now impossible to miss. Users kept syncing their production credentials into preview deployments without realizing it, and the new alert makes that risk visceral.

Flutter also fixed the long-standing Sentry spam where recovering a session with a dead refresh token would surface as an uncaught error [6], and updated `httpSend` to match supabase-js with per-event broadcast URLs and binary support [7].

On the CLI, the `serve` command had a regression where the Edge Runtime bootstrap script was embedding the full bundled template into the Docker entrypoint, causing spawn failures on long paths. That's fixed [8]. The `db diff` command was failing on empty glob matches in `schema_paths`. That's fixed too [9].

On the security side, the Flutter repository now has a security policy [10].

Action items

References

  [1] feat(gotrue): surface the sign-out reason on the signedOut event, supabase/supabase-flutter
  [2] feat(gotrue): surface the sign-out reason on the signedOut event (#1453), supabase/supabase-flutter
  [3] test(cli): supabox-backed live test suite + cli-e2e-ci dispatch (#5699), supabase/cli
  [4] test(cli): supabox-backed live test suite + cli-e2e-ci dispatch, supabase/cli
  [5] [FE-3682] feat(studio): warn on Vercel preview/dev env var sync, supabase/supabase
  [6] fix(gotrue): avoid duplicate auth error on recoverSession with invalid refresh token, supabase/supabase-flutter
  [7] feat(realtime): update httpSend to per-event broadcast URL with binary support, supabase/supabase-flutter
  [8] fix(cli): shorten serve argv, supabase/cli
  [9] fix(cli): skip empty schema_paths globs in db diff, supabase/cli
  [10] docs: add SECURITY.md (#1473), supabase/supabase-flutter

FAQ

What changed in Supabase on June 27, 2026?
Supabase Flutter now tells you why users signed out, the CLI can test against real infrastructure in CI, and Studio is screaming louder about Vercel preview leaks that push production credentials.
What should Supabase teams do about it?
  • Update Flutter SDK and implement signOutReason listener for auth recovery flows
  • Review Vercel env-sync settings in Studio to confirm preview toggles are off if you use previews
  • Upgrade CLI if you use `functions serve` or `db diff` with schema globs
Which Supabase repositories shipped on June 27, 2026?
supabase/supabase-flutter, supabase/cli, supabase/supabase
