photog.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for your photos and banter. Photog first is our motto. Please refer to the site rules before posting.


#Supabase


💧 Supabase MCP can leak your entire SQL database

「 The cursor assistant operates the Supabase database with elevated access via the service_role, which bypasses all row-level security (RLS) protections. At the same time, it reads customer-submitted messages as part of its input. If one of those messages contains carefully crafted instructions, the assistant may interpret them as commands and execute SQL unintentionally 」

simonwillison.net/2025/Jul/6/s

Simon Willison’s Weblog: Supabase MCP can leak your entire SQL database. Here's yet another example of a lethal trifecta attack, where an LLM system combines access to private data, exposure to potentially malicious instructions and a mechanism to communicate data back …
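As an added example (not from the post, from Simon Willison's write-up, or from Supabase) of the mitigation the quoted paragraph points at, this is how a Postgres role that stays subject to RLS and is read-only can be provisioned for an assistant or MCP connection, with the catalogue checks that confirm it. The table, column, role, policy names and the password are assumptions.

```sql
-- Added example, not from the post or from Supabase: a least-privilege Postgres
-- role for an assistant/MCP connection, contrasted with service_role.
-- Assumed (hypothetical) names: table public.support_messages with a uuid
-- tenant_id column; role assistant_ro; the password is a placeholder.

-- service_role carries the BYPASSRLS attribute, so every policy below is
-- ignored for it. The plain-Postgres equivalent, shown only for contrast:
--   CREATE ROLE service_role NOLOGIN BYPASSRLS;

-- 1. A role with no superuser/bypass attributes and only the grants it needs.
CREATE ROLE assistant_ro LOGIN PASSWORD '<placeholder>';
GRANT USAGE ON SCHEMA public TO assistant_ro;
GRANT SELECT ON public.support_messages TO assistant_ro;   -- no INSERT/UPDATE/DELETE
-- Nothing else in the schema is granted, so customer and payment tables stay
-- unreachable even if the model is talked into emitting arbitrary SQL.

-- 2. Defence in depth at the session level (both are standard settings).
ALTER ROLE assistant_ro SET default_transaction_read_only = on;
ALTER ROLE assistant_ro SET statement_timeout = '5s';

-- 3. RLS applies to this role; FORCE makes it apply even to the table owner.
ALTER TABLE public.support_messages ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.support_messages FORCE ROW LEVEL SECURITY;

-- Scope reads to one tenant. The application pins app.tenant_id on the
-- connection before the assistant sees it; with missing_ok = true an unset
-- value yields NULL, so the policy fails closed (no rows) rather than open.
-- A session can change its own settings, so treat this as scoping and the
-- grant list above as the real boundary.
CREATE POLICY assistant_tenant_scope ON public.support_messages
  FOR SELECT TO assistant_ro
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 4. Check before wiring anything up: the assistant's role must not appear.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolsuper OR rolbypassrls;

-- And confirm the policy is attached to the expected role and command.
SELECT policyname, roles, cmd
FROM pg_policies
WHERE tablename = 'support_messages';
```

The connection handed to the assistant should authenticate as assistant_ro directly rather than rely on SET ROLE from a more privileged session, since a session can RESET ROLE.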

@neurovagrant

> "Lovable, for instance, uses AI models to create websites instantly. But for websites to do much of anything, they need to be connected to databases that store things like user accounts and payment information. Lovable doesn’t build those databases itself. It offers users an easy way to connect to a database service run by a startup called #Supabase."

As someone who qualifies as a category expert on postgres and who dove into building an app w/supabase last year, all I can say is that nothing about this surprises me.

universeodon.com/@cryptadamist

Universeodon Social Media: ⚯ Michel de Cryptadamus ⚯ (@cryptadamist@universeodon.com)

@nixCraft@mastodon.social #supabase, even without the AI, is like custom-made for security flaws. "Sure, let's make everyone configure their app's permissions via postgres stored procedures and start out with everything publicly writeable. What could go wrong?"

The work from #Supabase on #pglite keeps getting better. Now you can connect to the database using the #postgres wire protocol. From your browser!! 🤯

I've been using postgres.new (now database.build) for experiments and trying out ideas. Excellent tool already. 😎

supabase.com/blog/database-bui

Supabase · Live Share: Connect to in-browser PGlite with any Postgres client. Connect any Postgres client to your postgres.new databases.

So, I’ve written something that is kind of like an ORM for #Supabase and #svelte.

But for many tables, some columns are only filled in when the row is written: autoincrementing IDs, created_at timestamps, etc.

I'm not sure how I ought to handle this and keep everything typesafe. At creation time, I’m creating a record (object that looks like a row) but it's missing the autogenerated columns, which means my "optimistic" record is not a valid row record.

But I don't want to relax the type definition for a record since I want the record type to include those columns later on.

Not sure how other ORMs handle this situation.