Changelog

Edge Functions now support importing NPM packages from private registries. You will need to deploy your functions using Supabase CLI version v1.207.9 or above to make use of this feature.

How to use packages from private registries#

Create a .npmrc file within supabase/functions. This will allow you to import the private packages into multiple functions. Alternatively, you can place the .npmrc file directly inside supabase/functions/function-name directory.

Add your registry details in the .npmrc file. Follow this guide to learn more about the syntax of npmrc files.

After that, you can import the package directly in your function code or add it to the import_map.json (https://supabase.com/docs/guides/functions/import-maps#using-import-maps).

To test your function locally, run supabase functions serve. When you're ready, you can deploy it to hosted platform by running supabase functions deploy function-name

Disk size usage section under organization settings#

We've added a new disk size section for paid plans to give a quick overview of each project under the organization and their respective disk sizes for better visibility over the corresponding charges. This is only an initial iteration for this UI, we do plan to add historical statistics and more to improve visibility and transparency over what you're using and what you're paying for 🙂

PR: https://github.com/supabase/supabase/pull/29862

Link: https://supabase.com/dashboard/org/_/usage

Bug fixes and other improvements#

Table Editor

• Fix views filtering in table editor for local dashboard (PR)
• Fix exporting a table that contains columns of enum array types to CSV (PR)

SQL Editor

• Fix snippets not loading for local dashboard (PR)

Authentication

• Support searching by properties when viewing a user's raw JSON (PR)

We’ve announced a Vercel partnership, we’re hosting an AI hackathon with our friends at Y Combinator, and we raised $80M. Let’s dive right in:

Supabase + Vercel Partnership#

We released an official Vercel integration. You can quickly spin up Supabase projects from Vercel’s dashboard, with full support for Vercel templates like Supabase Starter and integrated billing through Vercel.

Full announcement

Revamped Users Management UI in Studio#

Our Frontend team revamped the Auth section in Studio. You now have access to more user details, ban-user functionality, authenticated logs grouped by user, sort columns based on your preference, and a few other features requested by the community.

Changelog

Edge Functions are 2x smaller and boot 3x faster#

The Edge Functions team has reduced function sizes by half and boot times by 300% in most cases when importing npm modules by lazy evaluating dependencies and reducing package section sizes as well as switching to the xxHash-3 hash algorithm.

Blog post

Supabase AI Hackathon at Y Combinator#

On November 22 + 23 we’re hosting an AI-focused hackathon at Y Combinator in San Francisco. We’re welcoming anyone to apply and build the next wave of AI applications. The panel of judges will include our founders, Paul Copplestone and Ant Wilson, and YC partners.

Full announcement

Launch Week 12 Hackathon Winners#

Many high quality projects were submitted for LW12’s hackathon but our panel of judges selected Whisker Jam as Best Overall Project because of its cuteness (who doesn’t love cats), funky musical instruments, and multiplayer functionality. Congratulations 👏 to @n0t_buddy who will receive the prize of mechanical keyboards.

Full list of winners | All the submissions

Quick Product Announcements#

• [Dashboard] Schema Visualizer nodes are now persisted [Changelog]

• [Edge Functions] Serverless image transformations with ImageMagick (via Wasm) [Docs]

• [Infra] Projects on compute instances XL and larger can create up to 5 Read Replicas [Changelog]

• [Storage] XHTML responses only work with a Custom Domain [Changelog]

• [Billing] Paid projects have an upgrade from Nano to Micro instance at no additional cost [Docs]

Community Highlights#

• Using Cursor to have AI build out a social network app powered by Next.js and Supabase [Video]
• Wordle Teams. Compete with friends, keep score to establish bragging rights in the ultimate app for Wordle enthusiasts [Repo]
• Next.js + TanStack Query + Supabase + Supabase Cache Helpers: a detailed tutorial on how to implement this stack in your application [Article]
• Supabase Auth: The Ultimate Authentication Solution for Cross-Platform Apps using React Native [Article]
• How to build local-first Expo Apps [Video]

Supabase $80 Million Series C#

We raised $80 million Series C in an up round that brings our total funding to $196 million. This round was led by Peak XV and Craft Ventures with participation by Avra Capital and previous investors Coatue, Felicis, and Y Combinator.

Full announcement

We improved the information architecture (IA) on our docs site.

Why?#

We’d outgrown the IA! As we added more features and guides, some sections grew to contain a miscellaneous collection of things that don’t belong together. They just had no better place to go.

With the new IA, it should be easier to find what you’re looking for.

Summary of changes#

• Two top-level menus, Build and Manage, to replace the old Build menu
• Build menu:
  • Local development / CLI is now primarily about local dev, CI/CD information has been moved to Deployment
  • Information on both Vercel and Supabase integrations now moved to Integrations section
  • New Deployment section covers everything needed to get your changes onto hosted Supabase (including branching, Terraform, CI/CD, and production checklists)
• Manage menu:
  • Platform management (formerly “Platform”) trimmed down to contain information about configuring your Supabase platform (including account management, project permissions, and billing)
  • New Monitoring and troubleshooting section contains troubleshooting guides and information on logging and telemetry

Improved users management UI#

One of our oldest pages on the dashboard has finally gotten an upgrade! 😄 We're taking the first steps towards a pattern of visualizing table data with a data grid, with the Auth users page being our first contender. Couple of stuff that we'd love to highlight that were improved and introduced:

Click on users to grab more details about them in a side panel (PR)#

Added a ban functionality within the danger zone at the bottom of the panel#

Search now also supports filtering for providers (PR)#

Columns can be sorted based on your preference (and will be persisted in local storage)#

https://github.com/user-attachments/assets/3f7890ca-04cf-4cb9-8046-63b3db9b6eb9

You can also now toggle column visibility, as well as apply sorts on columns#

View authentication logs of the user right from the panel (PR)#

These tooling should now allow you to customize the auth users view that best fits your workflow, and we definitely hope to keep making this better so as always, feel free to drop us any feedback good or bad, any bugs via the widget at the top right corner of the dashboard 🙂 We say this all the time and its a promise that we've kept - we look at every feedback that comes in 🤙

PR: https://github.com/supabase/supabase/pull/29105

Link: https://supabase.com/dashboard/project/_/auth/users

Timestamp helper for Logs Collections#

https://github.com/user-attachments/assets/80541e0a-4571-4193-ab9e-8d9af4b63d55

Hovering over the date/time string in the left most column of a row in any logs collection will now show a helper tooltip that will depict the time in 4 different formats: UTC, Local TZ, Relative time, and raw numerical timestamp. This will hopefully help with interpreting timestamps much easier and faster and alleviate any confusion around timezones! 🙂🕰️ We're also planning to use this pattern across the whole dashboard too wherever time data is involved 💪🏻

PR: https://github.com/supabase/supabase/pull/29530

Link: https://supabase.com/dashboard/project/_/logs/edge-logs

Other bug fixes and improvements#

General

• Added breakdown of security issues dropdown on project home page (PR)

Organization Settings

• Fixed tooltip not showing up for users with project scoped roles, to show which projects they have roles for (PR)

Table Editor

• Autofocus on search input when navigating to table editor (PR)
• Improved column type dropdown with searching for types (PR)
• Improved datetime editing in table editor grid + support for setting these column values to NULL (PR)

Edge Functions

• Added validations for adding/removing secrets on SUPABASE_ prefixed secrets (PR)

Reports

• Added database connections charts to database reports (PR)

Summary#

Returning XHTML responses from the Data APIs and Edge Functions is now only allowed if a Custom Domain is being used.

Additionally, you can now serve HTML and XHTML responses from the Storage service as well, if a Custom Domain is being used.

If your use-case requires serving these content types, you can continue to do so by using a Custom Domain add-on.

Affected projects have been notified in advance.

Background#

HTML responses (i.e. content-types that can be directly rendered by browsers) were historically disallowed for projects not using a custom domain, in order to prevent abuse on the shared domains used for provisioning Supabase projects. This change updates this behavior to process XHTML responses in the same manner, due to the same rationale.

These breaking changes are rolling out on October 15, 2024 and affects only organizations on the Enterprise plan that have implemented project permissions with members assigned the Developer role.

Supabase launched new granular access control for Enterprise organizations so that its members are given access to specific projects instead of the entire organization. You can check out our Launch Week 12 announcement to learn more.

We recently re-evaluated the access that the Developer role has and decided to implement changes to restrict them on a couple of resources to improve your project's security.

On October 15, 2024, we will turn off certain access that the Developer role currently has to your project's resources. The following table is to illustrate all of the breaking changes that will be going into effect:

You can learn more about our Platform Access Control here: https://supabase.com/docs/guides/platform/access-control.

If you have any questions or concerns please contact support.

Deployment of up to 5 read replicas now supported on larger compute sizes#

Previously, each project could only deploy up to 2 read replicas, but we're now raising this limit to 5 for projects on larger compute sizes (XL and above).

PR: https://github.com/supabase/supabase/pull/29250

Link: https://supabase.com/dashboard/project/_/settings/infrastructure

Catch queries that contains an update query without a where clause in SQL Editor#

Another effort to safeguard against running queries with unintended side effects - this time, we're checking for UPDATE queries without a WHERE clause - this check kicks in prior to running the query. We've also consolidated this warning with our existing warning against destructive operations to catch both cases if they exist in the same query.

PR: https://github.com/supabase/supabase/pull/28458

Link: https://supabase.com/dashboard/project/_/sql

Other bug fixes and improvements#

General

• Support querying a table via CMDK by opening the SQL editor (PR)
• Update Supabase Assistant with GPT 4o from 3.5 (PR)

Table Editor

• Improve pagination input field, by only navigating to page on Enter (PR)

SQL Editor

• Fix inability to share queries that are under favorites (PR)
• Fix moving snippets into folders (PR)

Storage Explorer

• Fix to prevent continuously retrying when a file of an invalid mime type is uploaded (PR)

Auth

• Support searching by UID (PR)
• Add confirmation modal when closing tab with unsaved changes on templates page (PR)
• Support adding/removing multiple redirect URLs (PR)

Database

• Fix index page crashing when creating an index on a table with no columns (PR)

Logs Explorer

• Layout shift and scroll fixes (PR)
• Prevent use of WITH, ILIKE or wildcards (PR)

The initial launch of Read Replicas allowed for up to two Read Replicas per project.

The limit for projects on XL compute add-ons and larger has now been raised to 5 Read Replicas per project.

Projects on compute add-ons smaller than XL are still allowed up to 2 Read Replicas per project.

As our user base has grown, we are taking steps to make sure we are able to continue to provide a safe, secure, robust free plan experience. To ensure that email-based auth continues to work for all users on Supabase, we're making changes if you're using the default email provider. This allows us to continue to offer our default provider in a more sustainable and resilient manner.

For maximum flexibility and control over your auth emails, we suggest one of the following:

• Use a custom SMTP provider instead
• Send emails through your own email provider using the email send hook

If you still want to use the default email provider, these are the changes being planned:

• Email template customization will be allowed and customized email templates will not be reverted to default.

• 26th September: If you do not have a custom SMTP server set up, emails can only be sent to email addresses in your project's organization. So for example, if your organization has the following members: person-a@example.com, person-b@example.com and person-c@example.com , this means that email messages from Auth will only be sent to these addresses.

These measures are taken to prevent abuse to our shared SMTP service. In the future, we may consider increasing the email rate limits once we see a drop in abuse.

Frequently asked questions#

Why such a short notice?#

Supabase uses a third-party email sending provider that has mandated we reduce email abuse significantly or they will be forced to block all email sending. A tragedy of the commons.

Can't Supabase switch to a different email sending partner?#

Yes, but we would run into the same issues. All email sending services are required to monitor abuse and force their customers to follow the same rules.

Can't Supabase send emails on their own, without a third party?#

Not really. You can't just send email on the web today without investing a lot of money and time (unblocking port 25, keeping IP addresses out of spam lists, etc.). This is not our core competency and do not have plans to start doing this today.

How long does it take to set up a custom SMTP provider?#

Fortunately this is very easy. You can use any email sending service for this, really popular ones include:

• Resend
• AWS SES
• Postmark
• SendGrid
• Zepto Mail
• Brevo

All you need to do is create an account, verify your sending domain and finally input the SMTP username and password in the Auth settings page.

What if I turn off email confirmations, can I use it then?#

Currently this behavior is not supported and we'll be rolling out a fix for it during the first week of October.

Confirming email addresses is where most of the email message activity for a project originates. Turning it off can be a viable option for some projects that are still in the early testing, development or experimental phase.

Be aware that even if you turn off email confirmations the forgot password or reset password flows in your app continue to function. They also send messages, and starting 26th September those messages will be delivered only to the members of the Supabase organization that owns the project. All other end-users will get a message similar to "Email address not authorized." Effectively, the forgot password / reset password flow will be broken for your project.

What if I want just username + password authentication and using <username>@<fakedomain> instead?#

Please don't do this. Part of the reason why we were forced to lock down these changes is bounced emails, probably from use cases like this.

Official username + password support is going to be made available in the coming year, and until then:

• Use a real domain, that you control
• Send emails to that domain, so set up a receiving server

But the best thing to do is:

• Set up a Send Email Auth Hook that does nothing. You don't even need to use a server or an Edge Function. Just define a Postgres function that just does nothing.

I'm using the admin API to generate links, and not really sending using Supabase's default provider. Do I need to do anything?#

All projects using generate link via the admin API without custom SMTP have been patched to allow the behavior. We still strongly urge those customers to set up custom SMTP regardless.

Just because you're mostly using the admin API to generate links to send in custom email messages, doesn't mean that the Auth server is not configured to use Supabase's shared SMTP service. Your Auth API can be called from your frontend at any time, especially in edge cases such as to handle forgot password or other similar flows, which you may not be handling via the admin API.

Therefore we urge all customers that do use the admin API to set up a custom SMTP sending service regardless.

If you are not interested in setting this up, you can instruct the Auth server to ignore all emails (pretend it's sending them) by configuring a Send Email Auth Hook as a Postgres function that does nothing.

How can I disable the warning banner?#

You can disable the warning banner by setting up a custom SMTP provider , or, if your project doesn't use email at all, by disabling the email provider.

Updates#

20th September 2024#

Email template customization will be allowed and customized email templates will not be reverted to default.

Team has decided that restricting email template customization is not viable and a big breaking change. We may need to do go back to this in the future if abuse continues and our other measures like allowing projects to only send messages to authorized email addresses do not improve the situation. We continue to urge all customers regardless of plan that use the default SMTP service for live applications to move to a custom SMTP provider as soon as able.

• 20th September: Email template customization will no longer be possible without setting up a custom SMTP provider. Email templates already customized can still be customized until 24th September.

• 24th September: Projects without a custom SMTP provider will have their custom email templates returned back to the default ones from Supabase. This means that any auth emails sent out from your project will use the default email template.