The Wire · Showcase
SUPABASE-JS HITS 2.110.1 AS SELF-HOSTED TIGHTENS SECURITY
By RepoJournal · Filed · About Supabase
The JavaScript SDK stack shipped a patch release while self-hosted Supabase closes critical OAuth and REST API exposure gaps that platform deployments have had for months.
Supabase-js, auth-js, realtime-js, and postgres-js all rolled to v2.110.1 [1], fixing deferred notification handling in the auth layer. The release is a routine patch but lands alongside two critical self-hosted hardening efforts: API_EXTERNAL_URL now defaults to include /auth/v1 [2], fixing out-of-box OAuth failures, and /rest/v1/ root access is now restricted to privileged keys [3], closing a gap where anon credentials could enumerate your entire OpenAPI spec. Self-hosted operators running exposed instances should treat both patches as priority. On the docs side, @supabase/server v1 reference docs went live [4], and framework quick starts got cleaned up for clarity [5]. The ETL pipeline is shipping hardening too: source migrations can now be gated behind a flag [6], letting you skip superuser-required event trigger creation, while text parsing and BigQuery encoding got tuned for CPU-heavy workloads [7]. Deferred streaming write durability landed in the ETL layer [8], giving you more granular control over replication durability semantics.
Action items
- → Update @supabase/*-js to 2.110.1 in your next dependency refresh supabase/supabase [plan]
- → Self-hosted: deploy both auth URL and REST API security patches immediately if running exposed instances supabase/supabase [immediate]
- → ETL operators: review run_source_migrations flag if you're hitting superuser permission walls supabase/etl [plan]
References
- [1] feat: update @supabase/*-js libraries to v2.110.1 (#47687) supabase/supabase
- [2] fix(self-hosted): change default api external url to contain /auth/v1 ↗ supabase/supabase
- [3] feat(self-hosted): restrict rest root anon ↗ supabase/supabase
- [4] docs: wire @supabase/server v1 into the reference pipeline (#47570) supabase/supabase
- [5] fix: Rephrasing and improved output for framework quick starts instructions ↗ supabase/supabase
- [6] feat(config): gate source migrations behind run_source_migrations flag ↗ supabase/etl
- [7] ref(perf): Improve text parsing, BigQuery encoding and logs ↗ supabase/etl
- [8] feat(etl): support deferred streaming write durability ↗ supabase/etl
FAQ
- What changed in Supabase on July 8, 2026?
- The JavaScript SDK stack shipped a patch release while self-hosted Supabase closes critical OAuth and REST API exposure gaps that platform deployments have had for months.
- What should Supabase teams do about it?
- Update @supabase/*-js to 2.110.1 in your next dependency refresh • Self-hosted: deploy both auth URL and REST API security patches immediately if running exposed instances • ETL operators: review run_source_migrations flag if you're hitting superuser permission walls
- Which Supabase repositories shipped on July 8, 2026?
- supabase/supabase, supabase/etl