Changelog

What's Changing?#

The week of June 1, 2026, the analytics (Logflare) and vector services will be removed from the default docker-compose.yml and moved into an opt-in overlay file: docker-compose.logs.yml (PR #45327).

The default docker compose up -d will start a leaner stack without log aggregation. To keep using Logs Explorer in Studio, you'll need to include the overlay:

The base docker-compose.yml will also set ENABLED_FEATURES_LOGS_ALL: false on Studio by default, so the Logs menu item won't appear in the UI unless you bring up the overlay.

Why?#

• Analytics (Logflare) is a heavy service in the default self-hosted Supabase stack. Making it an opt-in reduces CPU and memory footprint.
• Studio, Auth, Storage, PostgREST, and Realtime all work without analytics or vector.

Am I Affected?#

You are affected if all of the following are true:

• You run self-hosted Supabase from the ./docker directory
• You pull updates from master without overriding the compose invocation
• You actively use Logs Explorer in Studio

You are not affected if you:

• Use the Supabase platform
• Use the Supabase CLI for local development (supabase start) - it's a different deployment option
• Don't use Logs Explorer (analytics and vector silently going away)
• Already maintain a customized compose configuration

What Should I Do?#

If you use Logs Explorer#

Add the overlay to your docker compose invocation:

You'll need to include both -f flags on every docker compose command (up, down, logs, ps, etc.) for the overlay to apply consistently. If that's inconvenient, set COMPOSE_FILE=docker-compose.yml:docker-compose.logs.yml in your .env and the flags become implicit.

If you don't use Logs Explorer#

No action needed. Pull the new compose files and docker compose up -d will just work, with a smaller resource footprint. Existing analytics and vector containers and their volumes will stop being managed - you can remove them once you've confirmed the stack is healthy:

Rollout#

What's Changing?#

The week of June 15, 2026, the default docker-compose.yml in self-hosted Supabase will switch the database role used by Studio and postgres-meta from supabase_admin to postgres:

• studio.environment.POSTGRES_USER_READ_WRITE will default to postgres
• meta.environment.PG_META_DB_USER will default to postgres

This aligns self-hosted Supabase with the platform behavior introduced in late 2022, which removed superuser access from the dashboard SQL editor and shifted ownership of user-created objects to postgres. Self-hosted has been running with the legacy behavior until now.

⚠️ Existing instances that pull this change need to run a one-time ownership migration script for the public schema, or new operations from Studio may fail on objects still owned by supabase_admin.

Why?#

• Self-hosted has been three-plus years behind the platform on this. Behavior between deployment models should be consistent.
• The postgres role is non-superuser, so this reduces the privilege surface used by Studio's day-to-day operations.
• Migrations and scripts that work on the platform may currently fail on self-hosted because of the ownership mismatch - this closes that gap.

Am I Affected?#

You are affected if all of the following are true:

• You run self-hosted Supabase from the ./docker directory
• You pull updates from master without overriding POSTGRES_USER_READ_WRITE or PG_META_DB_USER
• You have an existing instance with database objects created via Studio (which would currently be owned by supabase_admin)

You are not affected if you:

• Use the Supabase platform - this has been the default since 2022
• Use the Supabase CLI for local development (supabase start) - it's a different deployment option
• Are starting a fresh self-hosted deployment - objects created via Studio will be owned by postgres from the start

What Should I Do?#

If you have an existing self-hosted Supabase instance, follow the Remove superuser access guide:

1. Run the included script to reassign ownership of objects in the public schema from supabase_admin to postgres:
   
   

   _10

   sh utils/reassign-owner.sh

   
   
2. Pull the new docker-compose.yml (or manually set POSTGRES_USER_READ_WRITE: postgres and PG_META_DB_USER: postgres if you maintain a customized compose file)
3. Restart the stack
4. Verify in the Studio SQL editor that select current_user; returns postgres

The script only touches the public schema. Supabase-managed schemas (auth, storage, realtime, etc.) and any custom schemas you've created are left intact. If you have objects in custom schemas that you want migrated, you'll need to reassign their ownership manually.

If you'd rather defer this for now, set POSTGRES_USER_READ_WRITE and PG_META_DB_USER back to supabase_admin in your override file. This is a default change, not a removal - but we recommend completing the migration soon to stay aligned with platform behavior.

Rollout#

What's Changing?#

The week of June 15, 2026, the default db image in the self-hosted Supabase docker-compose.yml will move from Postgres 15 to Postgres 17.

⚠️ If your database uses timescaledb, plv8, plcoffee, or plls, you cannot upgrade to the Supabase images of PG 17 - these extensions are no longer included.

This affects the default image tag only. Pinning to a specific supabase/postgres 15.x tag will continue to work, and the PG 15 images on Docker Hub will remain available.

Existing Postgres 15 data directories will not auto-upgrade. Bringing up the new compose file against a PG 15 volume will fail to start - PG 17 cannot read a PG 15 data directory directly.

Why?#

• Postgres 17 is what we currently default to on the Supabase platform, and aligning the self-hosted default keeps behavior consistent across deployment models.
• PG 15 has been the self-hosted default for a long time; PG 17 brings several years of upstream improvements.
• Pinning to PG 15 remains supported for anyone who needs more time.

Am I Affected?#

You are affected if all of the following are true:

• You run self-hosted Supabase from the ./docker directory
• You pull updates from master without pinning the supabase/postgres image tag
• Your existing data is on Postgres 15

You are not affected if you:

• Use the Supabase platform
• Use the Supabase CLI for local development (supabase start) - it's a different deployment option
• Pin to a specific Postgres 15 image and don't update
• Are starting a fresh self-hosted deployment - you'll get PG 17 from the start after the default is switched

What Should I Do?#

If you have a self-hosted Supabase instance with data to preserve, you have two options.

Option 1: Upgrade in place (via a utility script)#

This is the recommended path for existing data. Read the upgrade how-to guide to learn more.

Before running the script, create your own backup of ./volumes/db/data and the pgsodium key.

The script will perform the following steps (high-level):

1. Pulls the Postgres 17 binaries and upgrade scripts
2. Stops the Supabase stack
3. Disables incompatible extensions and runs pg_upgrade in a temporary PG 15 container
4. Re-enables extensions, applies patches, and runs VACUUM ANALYZE in a temporary PG 17 container
5. Swaps data directories (the original is kept as ./volumes/db/data.bak.pg15)
6. Restarts the stack on Postgres 17

Rollback to PG 15 is supported - the script keeps the original data directory, and the guide has the exact steps.

Option 2: Stay on Postgres 15 and migrate later#

Pin the PG 15 image in your docker-compose file:

This is the lowest-friction option if you're not ready to upgrade. We'll continue publishing PG 15 images, but new features and fixes will land on PG 17 first (and subsequently on PG 18).

Rollout#

Supabase support for Postgres 14 is deprecated as of 1st July 2026 and support for it will be fully removed from this date on.

All projects still on a deprecated Postgres version on the 1st July 2026 will automatically be upgraded to the latest Postgres version available. If extensions that are no longer supported are being used, the projects will be paused instead and no longer serve traffic.

Why upgrade?#

Postgres 17 brings significant improvements to performance, security, and reliability. Depending on your current version, upgrading gives you access to between 2–3 years of cumulative fixes and enhancements—over 700 individual improvements if you're coming from Postgres 14.

Key benefits include:#

• Performance: Faster vacuuming, improved query planning, better parallel query execution, and optimised memory handling
• Security: Multiple CVE fixes and enhanced authentication options including configurable SCRAM iteration counts
• New capabilities: The MERGE command, logical replication on standbys, incremental backup support, and improved partitioning performance
• Better observability: New pg_stat_io view and enhanced monitoring across the board

Before you upgrade#

1. Plan for downtime#

The upgrade process requires taking your project offline temporarily. Smaller databases typically complete in around 15 minutes, while larger databases can take an hour or more depending on your compute size and disk configuration (an estimate of the downtime is provided when you begin the upgrade in the dashboard). We recommend scheduling your upgrade during a low-traffic period. If you're unsure what to expect for your project, please reach out to our Support team for guidance.

2. Test your applications#

Using a new Postgres 17 project, confirm that your existing applications work and that there are no compatibility issues or breaking changes that impact you.

3. Check for deprecated extensions#

If your project uses any of the following extensions, you'll need to remove them before upgrading to Postgres 17:

• timescaledb
• plv8, pls, plcoffee
• pgjwt

These extensions are no longer included in Postgres 17 on Supabase (see changelog entry) You can check which extensions are currently installed by running SELECT * FROM pg_extension; or by visiting your Extensions dashboard.

For guidance on alternatives and migration paths, please see our upgrade documentation.

4. Prepare your project#

You can reduce the time it takes for your project to upgrade by performing a vacuum on larger tables, reindexing larger indexes and removing/archiving any unused data in the database.

How to upgrade#

Those organization owners with active projects on Postgres 14 will receive a series of emails, starting from this week, listing the projects they own that need upgrading and outlining the steps required.

You can upgrade directly from your dashboard:

1. Go to Project Settings → Infrastructure
2. Click Upgrade project
3. Follow the prompts to complete the upgrade

Direct link: https://supabase.com/dashboard/project/_/settings/infrastructure

Questions?#

If you're unsure whether your project is ready to upgrade, or if you have questions about the deprecated extensions, our Support team is here to help.

Thanks for building with Supabase.

— The Supabase Team

As part of our ongoing commitment to providing a secure and reliable experience for all developers, we will drop support for Node.js 20 in accordance with our Support Policy.

Affected libraries#

All packages published from the supabase-js monorepo:

@supabase/supabase-js

@supabase/auth-js

@supabase/realtime-js

@supabase/functions-js

@supabase/storage-js

@supabase/postgrest-js

Timeline#

End of Support for Node.js 20: June 30, 2026

Why?#

Node.js 20 reached its official end of life on April 30, 2026 (as scheduled in the Node.js release plan) and no longer receives security updates or critical fixes. Continuing to support unsupported runtimes introduces risks for both developers and end users.

What You Need to Do

Please upgrade to a supported Node.js version (22 or later) before June 30, 2026 to ensure continued compatibility with future releases of our libraries.

Thank you for your attention and continued support. If you have any questions, feel free to reach out through GitHub Discussions or our community channels.

Here's everything that happened with Supabase in the last month:

Custom OAuth/OIDC providers for Supabase Auth#

Connect any OAuth2 or OpenID Connect identity provider to your Supabase project, including GitHub Enterprise, regional IdPs, and any standards-compliant provider, with PKCE enabled by default.

[Blog]

New tables in the public schema are no longer auto-exposed to the Data API#

Starting April 28, new Supabase projects can opt out of automatic Data API exposure for public schema tables. Explicit Postgres grants are now required to make a table reachable via PostgREST or GraphQL. This becomes the default for all new projects on May 30.

[GitHub Discussion]

Supabase is now ISO 27001 certified#

Supabase is certified to ISO/IEC 27001:2022, covering the information security management system across the entire platform.

[Blog]

Stripe Sync Engine moves to Stripe#

The Stripe Sync Engine, originally built by Supabase, is now part of the Stripe GitHub org. It is open source and maintained by Stripe going forward.

[Blog]

Supabase brand survey#

Help shape the direction of Supabase. The brand survey takes a few minutes and closes soon.

[Take the survey]

@supabase/server#

A new SDK that handles auth, client creation, CORS, and context injection across runtimes. Works on Edge Functions, Vercel Functions, Deno, Bun, and Cloudflare Workers.

[Blog] [Docs]

Quick Product Announcements#

• The Supabase app in the Stripe Marketplace is now generally available. [Stripe Marketplace]
• Branching without Git is now the default. Create branches directly from the dashboard without a GitHub integration. [Blog]
• Data API settings revamped: new per-table and per-function toggles let you control which tables are exposed to PostgREST and GraphQL, with a default-privileges switch at project creation. [Docs]
• The Supabase changelog now has RSS feeds, tag filtering, and a .md feed, plus links to copy any entry as Markdown or ask Claude/ChatGPT. [Changelog]
• Wrappers v0.6.0 ships with a new OpenAPI FDW, Snowflake timeout support, Clerk CRUD, and several bug fixes. [GitHub] [Docs]
• Supabase Agent Skills: an open-source set of instructions that teach AI coding agents how to build on Supabase correctly. [Blog]
• Terraform Provider v1.9.0 adds Edge Functions resource, Edge Function secrets resource, and a network bans data source. [Docs]

Made with Supabase#

• Replist: Track your repertoire, sharpen your practice, and connect with the musicians you play with. [Website]
• Grepture: Trace, evaluate, and protect every LLM call. Drop-in SDK. 80+ detection rules. [Website]
• Causo: Agents that connect you with best fit partners at VCs. [Website]
• Screenfully: An app demo creator on your phone. No need to connect to a Mac. [Website]
• Anamap: Cartos by Anamap is an AI agent that investigates your dashboards, site behavior, and code releases to find the root cause of metric drops in plain English. [Website]
• Crewform: Build your AI team with Crewform. Orchestrate specialized, autonomous agents to collaborate on complex tasks and connect outputs to your stack. [GitHub]

Community Highlights#

• The Supabase GitHub repo hit 100K stars and 8 million developers. [Blog]
• Introducing the OSSCAR: An index of the fastest-growing open-source orgs. [Blog]
• The State of Startups 2026 survey is still open. [Survey]
• How I Scaled My NextJS + Supabase App to 25,000 Users [YouTube]
• Stop Building Custom Auth — Auth0 vs Supabase: One Saved Us 3 Months of Engineering Work [Blog]

What's changing#

The /v1/oauth/token endpoint currently returns HTTP 201 Created on success. On May 26, 2026, this will change to HTTP 200 OK.

Why#

OAuth 2.1 (section 3.2.3) mandates a 200 response from token endpoints. Returning 201 is non-compliant and has caused token exchange failures with some strict OAuth clients.

Am I affected?#

You're only affected if your integration explicitly checks for a 201 status code from this endpoint. For example, the following popular client implementations check for a successful 2XX range and are unaffected:

• MCP TypeScript SDK — uses response.ok
• Vercel AI SDK (@ai-sdk/mcp) — uses response.ok
• axios — resolves for any 2XX by default

If you're unsure, search your codebase for explicit 201 checks against this endpoint.

What should I do?#

Rather than hardcoding a check for either 200 or 201, we recommend checking for a successful 2XX response range — e.g. response.ok in the Fetch API. This is consistent with how popular OAuth client libraries handle token responses and will be resilient to either status code.

Timeline#

New tables in the public schema will no longer be exposed to the Data API automatically.

When this change takes effect#

• Starting today (April 28, 2026), you can create new Supabase projects where tables in the public schema are not exposed to the Data API and GraphQL API by default. You can enable this setting at project creation.
• On May 18, 2026, pg_graphql will not be enabled by default. More details here.
• On May 30, 2026 this setting becomes the default for all new projects.
• On October 30, 2026 the setting will be applied it to all existing projects.

Once the change is rolled out to your project, new tables you create in public schema require an explicit opt-in (via a Postgres grant ) before the Data API can see them. Existing tables are not affected in your project, they keep their current grants and stay reachable. This change applies to projects that use the Data API, Supabase's auto-generated REST and GraphQL layer, which is what supabase-js and our other client libraries call. If your app reads and writes Postgres over a direct connection (via psql, ORM or an app server with a connection string), this change will not affect you.

What's changing#

Previously, when you create a Supabase project with default settings, select, insert, update, and delete are granted to every table in the public schema to the anon, authenticated and service_role roles. Every table you create becomes reachable via the Data API on creation.

From today, the project creation screen includes a setting to opt out of those default grants. When the “Automatically expose new tables” checkbox is unchecked, you opt-in to the new behavior and tables aren’t exposed to the Data API by default. On May 30, 2026 the opt-out becomes the default for all new projects.

RLS behavior remains unchanged. Grants are a separate layer: they control whether a role can access a table at all, while RLS controls which rows that role can see.

If a grant is missing, PostgREST returns a clear error rather than a silent failure:

The hint shows you which role is missing which privilege, along with the GRANT needed to fix it.

Before → After#

Why#

When Supabase launched, a human reviewed each schema change and enabled RLS on new tables as they went. The default grants made this convenient: create a table, and it showed up in your client.

That model doesn’t scale, and it’s easy to accidentally expose new tables before you’ve secured them.Today, agents, CLI scripts, and AI platforms create tables too, and many of those operations do not have a human reviewing the diff.

Explicit grants make access a deliberate, code-level decision. The PostgREST error response above includes a precise hint, so an agent can self-correct when a grant is missing instead of producing a broken request.

Without a grant, the API cannot see the table, regardless of how you created it (SQL editor, migrations, Management API, MCP, CLI, or an AI coding tool). Postgres enforces this at the role layer, so the guarantee holds regardless of the creation path.

We’re moving the platform toward declarative code. Explicit Postgres grants are reviewable, diffable, and greppable. They also give you per-role control: anon and authenticated need different privileges in most schemas, and an explicit grant makes that difference visible in your migrations. This was always possible, now it's the default.

Currently, the default grants expose every table in public over the Data API on creation, including tables a developer forgot to protect.

This is the next step in a series of platform default changes we have shipped over the past quarter:

• a Data API exposure badge in the Dashboard
• granular per-table grants
• an RLS-on-by-default toggle
• the schema enumeration restriction in March

Who is affected#

You are unaffected if you only talk to your database over a direct Postgres connection--you can stop reading.

You need to act if any of the following is true:

1. Your app reads or writes tables in the public schema via the Data API (PostgREST, GraphQL, supabase-js, any of the client libraries, or direct HTTP to /rest/v1/ or /graphql/v1 )
2. Your migrations or provisioning flow create tables in public without explicit GRANT statements.
3. Your AI coding tool, CLI script, or Management API call creates tables and expects them to be reachable over the Data API on creation.

The change reaches you on one of three dates:

• From Today, if you opt out of the "Automatically expose new tables and functions" setting during project creation.
• May 30, 2026, when the new behavior becomes the default for all new projects.
• October 30, 2026, when the new behavior is enforced on all existing projects.

Between now and then, Security Advisor will flag affected tables, and we’ll email active projects so you can review access, add grants, and verify your app.

What to do#

For new tables you want to expose via the Data API, make explicit grants part of your table-creation flow. Without an explicit GRANT , a role will not have access to the created table.

Treat these three steps as a unit. If the grant is missing, Postgres rejects the query before RLS comes into play.

If you use an AI coding tool to create tables, update its system prompt or adopt the Supabase agent skill, which includes the grants step, and which we keep updated as the platform changes. Skills are easy to install, and handle grants correctly by default. Agents can self-correct from the PostgREST error hint returned as well.

If you run your own migration framework, or a platform that provisions Supabase projects for your own customers, bundle the GRANT statements alongside your ENABLE ROW LEVEL SECURITY and policy statements in the same migration.

Opting in on existing projects#

You do not have to wait for October 30. To adopt the new behavior on an existing project today, run the same revoke statements the dashboard runs at project creation.

Open the SQL Editor for your project and run:

These four statements change the defaults for future tables and sequences that the postgres role creates in the public schema.

Existing objects keep their current grants, so your running app stays reachable.

From this point on, new tables you create in the public schema need explicit GRANT statements before the Data API can see them.

If you also want to tighten grants on existing tables you do not want reachable via the Data API, revoke them per table:

The Data API exposure badge in the Table Editor and the Security Advisor list the tables worth reviewing.

FAQ#

Does this affect tables in the storage, auth, realtime, or custom schemas?

No. The change touches default privileges in the public schema. Tables in storage, auth, realtime, and any custom schemas you expose via the Data API keep their current grants and their current defaults.

I opted in on an existing project, created new tables, and my app is broken. How do I roll back?

Open the SQL Editor and run two blocks.

1) Restore defaults for future tables

Future tables will now behave as they did before the revoke:

2) Fix existing tables

alter default privileges only affects future objects, so tables you created since the revoke stay without grants. Grant them in bulk:

After running both blocks, your project matches the pre-revoke state. If you added tables you want to keep private, revoke those individually after the bulk grant:

Rollout timeline#

Communications timeline#

We email owners and admins of every active project, including projects with no Security-Advisor-flagged tables today.

After October 30, any new table created in public without an explicit grant stops being reachable via the Data API, so a project with no flagged tables today still breaks the first time someone adds a new one.

From today through October 30, the Security Advisor flags affected tables per project and shows the remediation SQL, so you do not have to hunt for them yourself.

If you have a question, create a support ticket here.

Verify the correctness of your RLS policies with the RLS tester#

Verifying the correctness of your RLS policies set up has always been a gap, as highlighted by a number of GitHub discussions like here and here. As such, we're piloting a dedicated UI for RLS testing (using role impersonation as the base), in which you'll be able to

• Run a SQL query as a user (not logged in / logged in - this is the role impersonation part)
• See which RLS policies are being evaluated as part of the query
• And hopefully be able to debug which policies are not set up correctly
• (Side note) We also added partial support for testing client library code instead of just SQL
  • This is powered by the AI Assistant which will then infer the code into SQL
  • e.g const { data } = await client.from('colors').select('*')
  • Given that this is by AI, as always do verify the output!

Note: Only SELECT queries are supported for now to simplify things. Testing mutation queries (INSERT, UPDATE, DELETE) could trigger side effects such as triggering a database trigger, especially if it involves an external request such as an edge function or HTTP call - we're keeping them out of this preview while we work out a safe way to support them.

Changes are currently set as a feature preview which you can access by clicking on your Profile picture in the top navigation bar . We'll iterate as we get feedback from everyone so please do let us know what you think! 🙂🙏

Related PR: https://github.com/supabase/supabase/pull/45121

What we'd like to know from you#

• Any bugs or issues that you might have run into while using the RLS tester
• Any ideas or suggestions that you reckon will improve the DX based on how you currently verify the correctness of your RLS policies
• Feel free to leave any feedback in this thread too! (Both good and bad!) 🙂🙏

All official Supabase client libraries now automatically retry failed database queries when they encounter transient network errors — no code changes required.

What changed#

When a GET or HEAD request to PostgREST fails with a transient error (HTTP 520, HTTP 503, or a network-level failure), the client transparently retries the request up to 3 times with exponential backoff (1s → 2s → 4s, capped at 30s). Each retry includes an X-Retry-Count header so server-side logs can observe retry behavior.

Only idempotent methods (GET and HEAD) are retried. POST, PATCH, PUT, and DELETE requests are never retried automatically.

Versions#

Configuration#

Retries are enabled by default. You can opt out globally or per-request:

JavaScript

Swift

Flutter/Dart

Python