Changelog

Previously, it was possible to directly insert/update rows on the pg_cron extension's cron.job table. This bypasses security checks that would've been asserted when jobs are scheduled/modified via pg_cron functions.

You can see how to schedule/modify cron jobs using the examples in our docs.

Allow access to backups page while project is restoring to download scheduled backups#

PR: https://github.com/supabase/supabase/pull/19126 Link: https://supabase.com/dashboard/project/_/database/backups/scheduled

Show if a member has MFA enabled or not in organization settings page#

PR: https://github.com/supabase/supabase/pull/19012 Link: https://supabase.com/dashboard/org/_/team

Show which email support will reach out to after submitting a ticket#

PR: https://github.com/supabase/supabase/pull/19095 Link: https://supabase.com/dashboard/support/new

Added wildcard hints for bucket allowed MIME types in create/edit modal#

PR: https://github.com/supabase/supabase/pull/19062 Link: https://supabase.com/dashboard/project/_/storage/buckets

SQL Editor support downloading snippet as a migration, a seed file or a SQL file#

PR: https://github.com/supabase/supabase/pull/17341 Link: https://supabase.com/dashboard/project/_/sql/new

Table Editor fix freezing a column causes UI to crash#

Shout out to @tranhoangvuit for this one! 🙏 PR: https://github.com/supabase/supabase/pull/19127 Link: https://supabase.com/dashboard/project/_/editor

LinkedIn has modified the required scopes for their API and OAuth Applications created prior to 1st Aug 2023 do not contain the appropriate scopes. This could cause errors when attempting to sign in with OAuth via LinkedIn. If you have LinkedIn provider enabled on your project a follow up notification will be sent to your email as you could potentially have a LinkedIn OAuth application created before 1st Aug 2023 and be affected. As we don't have access to LinkedIn OAuth configuration we cannot tell with certainty when your OAuth application was created and have to reach out to all users with LinkedIn enabled.

To adjust to this change, we have introduced a new LinkedIn (OIDC) provider which contains the new required scopes and we have deprecated the existing LinkedIn provider.

If you are using a LinkedIn OAuth Application created before 1st August 2023 we ask that you create a new LinkedIn application and migrate your Dashboard credentials from the deprecated LinkedIn provider to the new LinkedIn (OIDC) provider as shown in the screenshot below. Please do so before 4th Jan 2024 as we will be removing the provider from the dashboard then.

Edge Functions has some predefined secrets: SUPABASE_DB_URL, SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY. Previously, if you reset your DB password or JWT secret, these secrets will become stale. Now, these changes should be propagated into Edge Functions secrets. This fixes https://github.com/supabase/supabase/issues/12415.

If you've previously had this issue, you can reset your DB password using the old value to avoid downtime for your app. If you're resetting the JWT secret, you need to update your app to use the new API keys, which incurs some downtime.

Realtime runs migrations for tables under the realtime schema when it connects to databases. Sometimes this fails. These changes handle Realtime migration failures better.

https://github.com/supabase/realtime/compare/v2.25.22...v2.25.27

🙏 @filipecabaco

tldr:#

Support for column encryption in the table editor has been removed. You can still use it, but you must use SQL. Your data is already encrypted-at-rest, so this is an advanced feature that should be used sparingly.

How it was previously#

Previously, the Table Editor in the Supabase dashboard supported encrypting newly created columns using pgsodium’s Transparent Column Encryption (TCE).

Why we’re changing it#

While this makes it easy to use, we found that the easiness has led to a lot of “mis-use” of Encryption. We’ve decided to remove it from the UI for now because TCE has a few sharp edges and the dashboard makes it too easy to encrypt columns without considering trade-offs.

This mis-use led to multiple users frequently running into unrecoverable issues with encryption. A non-exhaustive list of issues which we observed users running into when using TCE through the dashboard includes the following:

• TCE is prone to inappropriate usage - we’ve seen users encrypting all kinds of stuff that does not need to be encrypted (e.g email address of sender/receivers). This incurs a performance penalty and results in a bad experience.
• TCE makes migrating between projects (or local to hosted) a problem as you’d also have to copy the root encryption key separately, although this is nonetheless by design. Developers should be aware that “just works” and “advanced encryption” are very difficult goals to align.
• Triggers (which are used by TCE) are executed in alphabetical order. When users add their own triggers on encrypted tables, they are frequently unaware if they are dealing with encrypted or unencrypted contents which has been a source of confusion.
• Upserting into an encrypted column could produce doubly encrypted content.
• Since TCE uses a view into an encrypted table, RLS rules that are applied on the underlying table do not apply to the views as views use the permissions of the creator rather than the query-er, leading to another source of confusion. There is a fix for this which is to add a security label to pg_sodium to make the view a security invoker.

If you want TCE, use SQL instead#

As of now, you can use TCE in SQL by following the pg_sodium documentation so users who already are using TCE can continue doing so via the SQL editor on the dashboard, while new users will have to learn the nuts and bolts of what they are doing before trying to use the feature.

If you use Deno Postgres or other Postgres clients to connect to your database instance from a Supabase Edge Function, those connections are now secured with SSL. You don't need to add any extra configurations to your client setup.

More details: https://supabase.com/docs/guides/functions/connect-to-postgres#ssl-connections

Databases larger than 100GB are being transitioned to using physical backups for their daily backups.

Physical backups are more performant, have lower impact on the db, and avoid holding locks for long periods of time. Restores continue to work as expected, but backups taken using this method can no longer be downloaded from the dashboard.

Over the next few months, we'll be introducing functionality to restore to a separate, new database, allowing for the perusal of the backed up data without disruption to the original project.

Please refer to https://supabase.com/docs/guides/platform/backups#daily-backups-process for additional details.

Postgres 12 is deprecated as of 14th October 2023 and support for it will be fully removed on 27th November 2023.

Postgres 15 comes with numerous features, bug fixes and performance improvements. Check out the announcement blog posts to find out what each version introduces.

• Postgres 13 Launch
• Postgres 14 Launch
• Postgres 15 Launch

Deprecation Timeline#

• 15th October: All users are notified via email about Postgres 12 Deprecation.
• 27th October: Users can self serve upgrade to Postgres 15 from our dashboard. If you want to upgrade your database to Postgres 15 before 27th October, reach out to our support. A dashboard notification will be sent about this deprecation.
• 13th November: Users are notified via email.
• 27th November: All Postgres 12 databases are automatically upgraded to Postgres 15.

You will receive three notifications via email before 27th November notifying you about the deprecation of Postgres 12 and deprecation of IPv4 and PGBouncer.

Updates#

• The deadline for the migration has been updated to 26th January 2024.
• You can now purchase a IPv4 address from the add-ons page here if you want to keep using your IPv4 address. More info here.

Moving to IPV6 for Database Connection Strings#

With IPv4 addresses becoming increasingly scarce and cloud providers starting to charge for it, we won’t be assigning IPv4 addresses to Supabase projects from January 15th 2024. db.projectref.supabase.co will start resolving to a IPv6 address instead. If you plan on connecting to your database directly, you must ensure that your network can communicate over IPv6. Supavisor will continue to return IPv4 addresses, so you can update your applications to connect to Supavisor instead.

There will be a few minutes of downtime during this migration.

Switching to Supavisor#

We recently announced Supavisor, our new connection pooler. Supavisor is a direct replacement for PgBouncer. Using our own pooler is going to let us do things like load balancing queries across read replicas, query results caching, and a lot more.

Supavisor is now enabled for all projects created on or after Wednesday September 27th 2023. All existing projects will have Supavisor enabled by October 15th 2023.

Supavisor does not currently support Network Restrictions. Network restrictions support will be enabled from 24th January 2024. If you are blocked on the migration because of this, please reach out to support and we will extend the deadline for your project.

You don’t need to change anything in your application, except for the URL. The pooler connection string is available in the database settings in your dashboard.

For example, if you use PgBouncer to connect:

you just need to update the connection string to:

PgBouncer and IPv4 deprecation timeline#

PgBouncer will be available to use along side Supavisor until January 31st 2024.

The full timeline is:

• 27 September 2023: Supavisor is available for all new projects.
• 15 October 2023: Supavisor will be available for all projects, including existing projects. We will notify you via email when it is enabled for your project. PgBouncer is officially deprecated after this date.
• 15th January 2024 26th January 2024: You will need to start using Supavisor before then.
• 29th January 2024: Your Supabase database domain (db.projectref.supabase.co) will start resolving to IPv6 addresses. PgBouncer will be removed. Projects will be migrated over starting this day. No changes are required if your network supports communicating via IPv6. If it doesn't, update your applications to use Supavisor which will continue to return IPv4 addresses.

You will receive deprecation notices throughout November, December, and January.

FAQs#

Do I need to change anything if I use supabase-js?#

For projects which only use the database REST API provided by PostgREST (via supabase-js) there is no action needed.

Will Supabase APIs also be switched to IPv6?#

projectref.supabase.co will continue to return IPv4 addresses. Only the database domain db.projectref.supabase.co will return a IPv6 address.

How do I know if my network supports IPv6?#

Check if you are able to request your IPv6 address via curl -6 https://ifconfig.co/ip

What do I do if I have issues switching?#

If you have issues with Supavisor please contact support!

Can I pay for a IPv4 address to directly access the database via IPv4 instead of going through Supavisor?#

You can purchase the IPv4 addon for 4$/project in the project add-on page here. PGBouncer will still be removed for users with the IPv4 add-on.

Can I use PgBouncer and Supavisor at the same time?#

While we are providing the ability to use PgBouncer or Supavisor during this migration you cannot use both at the same time. With the default configuration using both will exhaust your database connections because they both will try and spin up a connection pool.

The solution is to temporarily increase your databases connection limit with a custom Postgres config to accommodate both connection pools.

How can I tell if I need to make a change?#

If the URL you use to connect to your Supabase Database looks like this, you're using the API, and no changes are necessary:

https://[YOUR-PROJECT-ID].supabase.co

If the URL you use to connect looks like either of these options, you're already using Supavisor, and no further changes are necessary:

postgres://[db-user]:[db-password]@aws-0-[aws-region].pooler.supabase.com:6543/[db-name]?options=reference%3D[project-ref] or postgres://[db-user].[project-ref]:[db-password]@aws-0-[aws-region].pooler.supabase.com:6543/[db-name]

If the URL you use to connect looks like this, you are using pgBouncer, and you need to upgrade (notice port 6543):

postgresql://[db-user]:[db-password]@db.[project-ref]supabase.co:6543/[db-name]

If the URL you use to connect looks like this, you are connecting directly, and will either need to be able to connect via IPv6, OR you will need to update to the Supavisor URL:

postgresql://[db-user]:[db-password]@db.[project-ref].supabase.co:5432/[db-name]

How will I know if my project has been migrated to IPv6?#

In the database settings page, the label when connection pooling is disabled, reads Will resolve to IPv6 if your project has not been migrated. If your project has been migrated to IPv6, it reads `Resolves to IPv6'.

What are the errors that I might see when connecting to the database if my network doesn't support IPv6?#

The error thrown will depend on how you are connecting to the database. Here are some examples of error messages you might see

• (dial tcp [2001:db8:3333:4444:5555:6666:7777:8888]:5432: connect: no route to host)
• connect to db.example.supabase.co (2001:db8:3333:4444:5555:6666:7777:8888) port 5432 (tcp) failed: Network is unreachable
• could not translate host name "db.example.supabase.co" to address: nodename nor servname provided, or not known
• ENETUNREACH 2001:db8:3333:4444:5555:6666:7777:8888
• Error: P1001: Can't reach database server at db.example.supabase.co:5432
• (2001:db8:3333:4444:5555:6666:7777:8888), port 5432 failed: could not create socket: Address family not supported by protocol

Note that these errors may manifest in cases other than your client network not supporting IPv6, but if you run into these errors after your project was migrated, it is likely that it is due to IPv6 support.

How will I know if PgBouncer has been removed from my project?#

The database settings page does not show PgBouncer connection settings. If you see a warning label called PgBouncer pending removal, it means that PgBouncer has not been removed from your project. If you see no such label, PgBouncer has already been removed from your project.

Does Supavisor support prepared statements?#

Prepared statements are supported with session mode. You can change your pool mode to session in your dashboard.

You can also use a session mode pool with your Supavisor pooler url and port 5432 (vs 6543). If you need to run something using prepared statements while your production application uses transaction mode you can use this port to do that.

Initial support for prepared statements with transaction mode landed but some bugs were found and should be fixed shortly.

What do I do if I am using Prisma?#

If you are using Prisma, please check out our updated Prisma Guide for instructions on how to configure your connections for both querying and migrations.

How do I update my Vercel Supabase integration?#

The environment variables POSTGRES_URL and POSTGRES_PRISMA_URL point to Supavisor and POSTGRES_URL_NON_POOLING points to Supavisor in session mode. Redeploy your Vercel application to pick up the latest environment variables. This is required since Vercel does not support IPv6.

How do I use direct database connections in my Vercel application instead of using the connection pooler?#

Enable the IPv4 add-on. Set the direct connection url as a environment variable not managed by the Supabase integration. You can now use the environment variable in your application.

Do I need to make any changes if I am using the CLI?#

If you are using a version before 1.136.3, please upgrade to a later version of the CLI and run supabase link. If you haven’t run supabase link since 1st January 2024, please run it again after upgrading. This will enable the CLI to communicate to the database from IPv4 only environments because the communication happens via Supavisor. This change is required if you are using from the CLI from an environment without IPv6 support, like Github actions or possibly from your home network.

Special Considerations for .NET users using npgSQL#

You will need to add Pooling=false to your Supavisor connection string.

Why can't I upgrade my database version anymore?#

We are in the midst of transitioning all projects to IPv6. As part of this process, If your project is still being assigned an IPv4 address then pg_upgrade will be temporarily disabled for your project until the transition is completed.