FLUTTER SIGNS OUT SMARTER, CLI TESTS GO LIVE, STUDIO WARNINGS CATCH CREDENTIAL LEAKS
By RepoJournal · About Supabase
Supabase Flutter now tells you why users signed out, the CLI can test against real infrastructure in CI, and Studio warns far more prominently when Vercel env sync pushes production credentials into preview deployments.

The Flutter SDK shipped typed sign-out reasons [1] [2], so your app knows whether a user explicitly logged out, hit a session expiration, or lost a corrupted session. That's the signal listeners have been asking for to rebuild auth flows correctly. Meanwhile, the CLI got a live test harness [3] [4] that spins up real Supabase infrastructure in CI and exercises the built binary against it, catching integration gaps that unit tests miss.

On the Studio side, the Vercel env-sync warning [5] is now impossible to miss. Users kept syncing their production credentials into preview deployments without realizing it, and the new alert makes that risk hard to overlook.

Flutter also fixed the long-standing Sentry spam where recovering a session with a dead refresh token would surface as an uncaught error [6], and updated `httpSend` to match supabase-js with per-event broadcast URLs and binary support [7]. The Flutter repository also now has a security policy [10].

On the CLI, the `serve` command had a regression where the Edge Runtime bootstrap script was embedding the full bundled template into the Docker entrypoint, causing spawn failures on long paths. That's fixed [8]. The `db diff` command was failing on empty glob matches in `schema_paths`. That's fixed too [9].
Action items
- Update the Flutter SDK and implement a signOutReason listener for auth recovery flows (supabase/supabase-flutter) [plan]
- Review Vercel env-sync settings in Studio to confirm preview toggles are off if you use previews (supabase/supabase) [immediate]
- Upgrade the CLI if you use `functions serve` or `db diff` with schema globs (supabase/cli) [plan]
References
- [1] feat(gotrue): surface the sign-out reason on the signedOut event, supabase/supabase-flutter
- [2] feat(gotrue): surface the sign-out reason on the signedOut event (#1453), supabase/supabase-flutter
- [3] test(cli): supabox-backed live test suite + cli-e2e-ci dispatch (#5699), supabase/cli
- [4] test(cli): supabox-backed live test suite + cli-e2e-ci dispatch, supabase/cli
- [5] [FE-3682] feat(studio): warn on Vercel preview/dev env var sync, supabase/supabase
- [6] fix(gotrue): avoid duplicate auth error on recoverSession with invalid refresh token, supabase/supabase-flutter
- [7] feat(realtime): update httpSend to per-event broadcast URL with binary support, supabase/supabase-flutter
- [8] fix(cli): shorten serve argv, supabase/cli
- [9] fix(cli): skip empty schema_paths globs in db diff, supabase/cli
- [10] docs: add SECURITY.md (#1473), supabase/supabase-flutter
FAQ
- What changed in Supabase on June 27, 2026?
- Supabase Flutter now tells you why users signed out, the CLI can test against real infrastructure in CI, and Studio is screaming louder about Vercel preview leaks that push production credentials.
- What should Supabase teams do about it?
- Update Flutter SDK and implement signOutReason listener for auth recovery flows • Review Vercel env-sync settings in Studio to confirm preview toggles are off if you use previews • Upgrade CLI if you use `functions serve` or `db diff` with schema globs
- Which Supabase repositories shipped on June 27, 2026?
- supabase/supabase-flutter, supabase/cli, supabase/supabase