Supabase

Public schema tables no longer auto-expose to the Data API — explicit Postgres grants are now required, becoming the default for new projects on May 30.¹

A new cross-runtime server SDK handles auth without the boilerplate. @supabase/server provides stateless auth, RLS-scoped clients, and CORS handling on Edge Functions, Vercel, Deno, Bun, and Cloudflare Workers from a single package.²

Auth gained support for any OAuth2 or OIDC identity provider. GitHub Enterprise, regional IdPs, and any standards-compliant provider now connect directly, with PKCE on by default.³ Rate limits reload live without a server restart.

The platform is now ISO/IEC 27001:2022 certified. The certificate covers the full information security management system.⁴ Storage also shipped a rewrite that cuts object listing time by up to 14.8x on large datasets, replacing the prefixes table and its triggers with a skip-scan algorithm, and closed a path traversal vulnerability.⁵

Database branching no longer requires a GitHub connection. Branches can be created directly from the dashboard on all plans; GitHub integration also opened up to the free tier.⁶

The Supabase CLI gained new commands and flags across recent releases. Backup list and restore ported to native TypeScript, SSL enforcement migrated off the Go binary, and a --no-apply flag landed on the declarative schema sync command.⁷ JS SDK v2.106.2 fixed signup response handling and added a React Native export condition for Hermes-safe module resolution.⁸