惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Cloudbric
Cloudbric
I
InfoQ
V
V2EX
博客园_首页
The Register - Security
The Register - Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
S
Secure Thoughts
Vercel News
Vercel News
Forbes - Security
Forbes - Security
云风的 BLOG
云风的 BLOG
PCI Perspectives
PCI Perspectives
L
LINUX DO - 最新话题
D
DataBreaches.Net
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
B
Blog RSS Feed
A
About on SuperTechFans
N
News and Events Feed by Topic
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
Attack and Defense Labs
Attack and Defense Labs
N
Netflix TechBlog - Medium
Spread Privacy
Spread Privacy
F
Full Disclosure
Recorded Future
Recorded Future
AWS News Blog
AWS News Blog
博客园 - 【当耐特】
The Cloudflare Blog
T
Threatpost
T
Tor Project blog
Google DeepMind News
Google DeepMind News
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recent Announcements
Recent Announcements
M
MIT News - Artificial intelligence
A
Arctic Wolf
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
小众软件
小众软件
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Proofpoint News Feed
Security Latest
Security Latest
The Last Watchdog
The Last Watchdog

Supabase Blog

AI Agents Know About Supabase. They Don't Always Use It Right. Custom OIDC Providers for Supabase Auth 100,000 GitHub stars Supabase docs over SSH Navigating Regional Network Blocks Supabase Joins the Stripe Projects Developer Preview Log Drains: Now available on Pro Supabase incident on February 12, 2026 Hydra joins Supabase X / Twitter OAuth 2.0 is now available for Supabase Auth BKND joins Supabase Supabase is now an official Claude connector Supabase PrivateLink is now available Introducing: Postgres Best Practices When to use Read Replicas vs. bigger compute Introducing TRAE SOLO integration with Supabase Supabase Security Retro: 2025 Sync Stripe Data to Your Supabase Database in One Click Building ChatGPT Apps with Supabase Edge Functions and mcp-use Own Your Observability: Supabase Metrics API Introducing iceberg-js: A JavaScript Client for Apache Iceberg Introducing Supabase for Platforms Adding Async Streaming to Postgres Foreign Data Wrappers Build "Sign in with Your App" using Supabase Auth Introducing Seven New Email Templates for Supabase Auth The new Supabase power for Kiro Introducing Supabase ETL Introducing Analytics Buckets Introducing Vector Buckets Snap, Inc. Launches Snap Cloud, Powered by Supabase Triplit joins Supabase Supabase Series E 1000 Y Combinator Founders Choose Supabase gm 👋 web3, welcome aboard to Sign in with Web3 (Solana, Ethereum) Announcing the Supabase Remote MCP Server Enterprise speed, enterprise standards with Bolt Cloud + Supabase PostgREST 13 Lovable Cloud + Supabase: The Default Platform for AI Builders Processing large jobs with Edge Functions, Cron, and Queues Defense in Depth for MCP Servers OrioleDB Patent: now freely available to the Postgres community Supabase Launch Week 15 Hackathon Winner Announcement The Vibe Coder's Guide to Supabase Environments Testing for Vibe Coders: From Zero to Production Confidence The Vibe Coding Master Checklist Vibe Coding: Best Practices for Prompting Supabase Auth: Build vs. Buy Top 10 Launches of Launch Week 15 Supabase Launch Week 15 Hackathon Storage: 10x Larger Uploads, 3x Cheaper Cached Egress, and 2x Egress Quota Persistent Storage and 97% Faster Cold Starts for Edge Functions Algolia Connector for Supabase New Observability Features in Supabase Improved Security Controls and A New Home for Security Introducing Branching 2.0 Stripe-To-Postgres Sync Engine as standalone Library Supabase Analytics Buckets with Iceberg Support Create a Supabase backend using Figma Make Introducing JWT Signing Keys Supabase UI: Platform Kit Build a Personalized AI Assistant with Postgres Announcing Multigres: Vitess for Postgres Building on open table formats Open Data Standards: Postgres, OTel, and Iceberg Simplifying back-end complexity with Supabase Data APIs PostgreSQL Event Triggers without superuser access Top 10 Launches of Launch Week 14 Supabase MCP Server Data API Routes to Nearest Read Replica Declarative Schemas for Simpler Database Management Realtime: Broadcast from Database Keeping Tabs on What's New in Supabase Studio Edge Functions: Deploy from the Dashboard + Deno 2.1 Automatic Embeddings in Postgres Introducing the Supabase UI Library Supabase Auth: Bring Your Own Clerk Postgres Language Server: Initial Release Migrating from Fauna to Supabase Migrating from the MongoDB Data API to Supabase Dedicated Poolers Postgres as a Graph Database: (Ab)using pgRouting AI Hackathon at Y Combinator Calendars in Postgres using Foreign Data Wrappers Supabase Launch Week 13 Hackathon Winners How to Hack the Base! Running Durable Workflows in Postgres using DBOS database.build v2: Bring-your-own-LLM Restore to a New Project Hack the Base! with Supabase Top 10 Launches of Launch Week 13 Supabase Queues High Performance Disk Supabase Cron Supabase CLI v2: Config as Code Supabase Edge Functions: Introducing Background Tasks, Ephemeral Storage, and WebSockets Supabase AI Assistant v2 OrioleDB Public Alpha Executing Dynamic JavaScript Code on Supabase with Edge Functions ClickHouse Partnership, improved Postgres Replication, and Disk Management Live Share: Connect to in-browser PGlite with any Postgres client
Supabase Storage: major performance, security, and reliability updates
Fabrizio Fenoglio · 2026-03-05 · via Supabase Blog

Supabase Storage: major performance, security, and reliability updates

Today, we're shipping a large set of updates to Supabase Storage that improve performance at scale, close security vulnerabilities, and reduce the most common causes of support issues. These changes affect every project using Storage, and they are live in all regions now.

Storage has grown a lot. Projects now hold tens of millions of objects, and that scale exposed real problems: write performance degraded under concurrent uploads, certain SQL patterns could accidentally orphan objects, and a path traversal vulnerability existed in the file backend. We knew about these problems from support tickets and our own benchmarks. This release fixes all of them.

The biggest change is a full rewrite of how Storage lists objects. The old system used a prefixes table with six triggers and twelve helper functions to keep folder structure in sync. On large buckets, those triggers slowed down every write. We replaced the entire system with a hybrid skip-scan algorithm that derives folder structure on-the-fly from the objects table. We also replaced OFFSET-based pagination with cursor-based pagination, which runs in constant time regardless of how deep you page. On a table with 60 million rows, deep pagination is up to 14.8 times faster. There is no write penalty. The prefixes table, level column, and two indexes have been dropped entirely.

These changes are already live. The Storage API handles everything automatically. If you are not using the listV2 endpoint, we recommend that you switch to it to get even more performance benefits!

Path traversal prevention#

The file backend can no longer read or write files outside the configured storage path. Previously, a crafted path could escape the storage root. This is now closed. GitHub

Preventing accidental deletes via direct SQL#

Running DELETE FROM storage.objects directly in SQL was the most common cause of orphan objects, where the database row was removed but the file in S3 or the file backend was not. A new statement-level trigger now rejects DELETE on Storage schema tables unless the session variable storage.allow_delete_query is set to true. The Storage API sets this flag automatically, so normal operations are unaffected. Direct SQL deletes are blocked by default. GitHub

Object listing rewrite#

The old prefixes table required a write on every object insert, update, and delete to keep folder structure in sync. At high concurrency and large object counts, this became a bottleneck. Enterprise customers with 60 million or more objects were hitting real limits on write throughput.

The new skip-scan algorithm removes all of that. Folder structure is computed at read time from the objects table. Pagination uses a cursor instead of OFFSET, so page 1,000 is just as fast as page 1.

Benchmark on 60 million rows: up to 14.8x faster for deep pagination.

Query cancellation and statement timeouts#

When a client disconnects, in-flight Postgres queries are now cancelled using the native Postgres cancel protocol. This works with pgBouncer. A configurable 30-second query statement timeout has also been added via the DB_STATEMENT_TIMEOUT environment variable. GitHub

Idempotent migrations#

All Storage migrations are now fully idempotent. You can clear the storage.migrations table and safely replay the entire chain without errors. CI now runs the full migration suite twice and compares pg_dump output to verify. This should eliminate the class of support tickets around stuck migrations. GitHub

TUS zombie lock fix#

A race condition in the S3 locker for TUS resumable uploads could leave an orphaned lock that never expired. This happened when a lock was released during a renewal cycle, between the S3 GET and PUT. The renewal now checks whether the lock was already released before completing. This race condition is now closed. GitHub

Orphan object scanner improvements#

The orphan object scanner has been updated with several fixes: it now uses a trailing slash in S3 prefixes to prevent false-positive matches (for example, images no longer matches images2), supports multiple buckets via comma-delimited IDs, and adds a configurable DELETE_LIMIT for batch control. GitHub

OpenTelemetry metrics#

Storage now uses OpenTelemetry for metrics instead of prom-client. Metrics can be pushed to any OTel-compatible backend. Prometheus scraping is still available at /metrics via the OTel Prometheus exporter. This release also includes a revamped Grafana dashboard and an OTel Collector config. GitHub

Server execution time in logs#

Request logs now include server-side execution time. GitHub

  • Duplicate slash in TUS upload URLs: TUS resumable upload URLs were generated with a double slash. This is fixed. GitHub
  • PutVector body limit: The body size limit for the PutVector endpoint has been raised from 1.6 MB to 20 MB. GitHub
  • Invalid S3 response header overrides: Invalid values in response-content-type and similar overrides no longer crash requests. They are silently dropped. GitHub
  • Missing content-type fallback: When S3 returned no Content-Type, the adapter was returning the misspelled application/octa-stream. It now correctly falls back to application/octet-stream. GitHub
  • Linux file backend xattr collision: On Linux, the file backend was using the same extended attribute for both content-type and etag. Multipart uploads were overwriting the content-type with the ETag value. Each property now uses a distinct xattr name. GitHub
  • Migration type ordering: Generated migration_types.ts now always sorts migrations by ID. GitHub
  • AWS stream buffer fix: Fixes a stream buffering issue in the S3 adapter during multipart uploads, required for the AWS SDK upgrade. GitHub
  • Case preservation in list v1: A regression introduced in the search optimization was returning all prefixes in lower case. Original case is now preserved. GitHub

These changes are live for all projects. No code changes are required.