RepoJournal
Supabase

@supabase

The open-source Firebase alternative powering thousands of startups

Pick a date

The Wire · Showcase

SUPABASE-JS HITS 2.110.1 AS SELF-HOSTED TIGHTENS SECURITY

By RepoJournal · Filed · About Supabase

The JavaScript SDK stack shipped a patch release while self-hosted Supabase closes critical OAuth and REST API exposure gaps that platform deployments have had for months.

Supabase-js, auth-js, realtime-js, and postgres-js all rolled to v2.110.1 [1], fixing deferred notification handling in the auth layer. The release is a routine patch but lands alongside two critical self-hosted hardening efforts: API_EXTERNAL_URL now defaults to include /auth/v1 [2], fixing out-of-box OAuth failures, and /rest/v1/ root access is now restricted to privileged keys [3], closing a gap where anon credentials could enumerate your entire OpenAPI spec. Self-hosted operators running exposed instances should treat both patches as priority. On the docs side, @supabase/server v1 reference docs went live [4], and framework quick starts got cleaned up for clarity [5]. The ETL pipeline is shipping hardening too: source migrations can now be gated behind a flag [6], letting you skip superuser-required event trigger creation, while text parsing and BigQuery encoding got tuned for CPU-heavy workloads [7]. Deferred streaming write durability landed in the ETL layer [8], giving you more granular control over replication durability semantics.

Action items

References

  1. [1] feat: update @supabase/*-js libraries to v2.110.1 (#47687) supabase/supabase
  2. [2] fix(self-hosted): change default api external url to contain /auth/v1 ↗ supabase/supabase
  3. [3] feat(self-hosted): restrict rest root anon ↗ supabase/supabase
  4. [4] docs: wire @supabase/server v1 into the reference pipeline (#47570) supabase/supabase
  5. [5] fix: Rephrasing and improved output for framework quick starts instructions ↗ supabase/supabase
  6. [6] feat(config): gate source migrations behind run_source_migrations flag ↗ supabase/etl
  7. [7] ref(perf): Improve text parsing, BigQuery encoding and logs ↗ supabase/etl
  8. [8] feat(etl): support deferred streaming write durability ↗ supabase/etl

FAQ

What changed in Supabase on July 8, 2026?
The JavaScript SDK stack shipped a patch release while self-hosted Supabase closes critical OAuth and REST API exposure gaps that platform deployments have had for months.
What should Supabase teams do about it?
Update @supabase/*-js to 2.110.1 in your next dependency refresh • Self-hosted: deploy both auth URL and REST API security patches immediately if running exposed instances • ETL operators: review run_source_migrations flag if you're hitting superuser permission walls
Which Supabase repositories shipped on July 8, 2026?
supabase/supabase, supabase/etl

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.