
supabase-security

v0.4.2

Audit Supabase security issues (RLS, grants, exposed functions) AND prove leaks live via active anon-key probe. Other auditors infer; this one fetches and shows the bytes leaked.

supabase-security

Audit and harden any Supabase project. Local-only, no SaaS, your token never leaves your machine. v0.3 ships with active anon-key probe — confirms each leak live, not just inferred.

Run it without installing anything → apify.com/renzomacar/supabase-security-auditor (paste project ref + PAT, get HTML report)

Want me to run it for you? Tiers from $5 single-fix bundle → $99 full report → $249 multi-tenant audit: perufitlife.github.io/supabase-security-skill (one landing covers all five — Supabase, PocketBase, Appwrite, Hasura, Firebase)

🤖 Use it in GitHub Actions — drop this into .github/workflows/security.yml:

- uses: Perufitlife/[email protected]
  with:
    project-ref: ${{ vars.SUPABASE_PROJECT_REF }}
    token: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
    fail-on: critical

🔁 Want this running on a cron? RLS Monitor does weekly diff-based scans + email alerts when new findings appear — $29/mo, your keys never leave your CI.

📦 Need all 5 BaaS stacks at once? The BaaS Security Pack bundles every scanner + sample reports + fix-SQL libraries — one $99 download.

$ supabase-security <project-ref> --html report.html
HTML report written to report.html
Findings: 0 critical, 5 high, 2 medium


Sister tools for other BaaS platforms (same --discover flag, all MIT): pocketbase-security · appwrite-security · firebase-security · nhost-security

Why

On May 30, 2026 Supabase changes its default for new projects: tables in public no longer auto-expose to the Data API. On October 30, 2026 that becomes the enforced default for all existing projects.

If you've been on Supabase for more than a few months, you almost certainly have:

  • Tables in public with CRUD granted to anon, because that was the project default when they were created.
  • One or two tables where RLS got missed.
  • SECURITY DEFINER functions that anon can call: Postgres grants EXECUTE to PUBLIC on every new function, so a definer function nobody explicitly locked down runs with its owner's privileges for any caller holding the anon key.

This tool surfaces all of that in a single HTML report you can share with your team, plus copy-paste SQL to fix each issue.

What it finds (real example)

I ran this against my own apps. Two projects, similar size:

| Project | Tables | Critical | High | Medium |
|---|---|---|---|---|
| Internal CRM (auth-only) | 55 | 0 | 11 | 2 |
| Public web app | 139 | 17 before fix | 5 | 2 |

The public app had 17 tables with RLS disabled and full CRUD to anon. They were leaking to anyone who pulled the anon key out of the JS bundle. Fixed in one SQL transaction generated by this tool.
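The "active anon-key probe" from the intro, applied to the leak just described, as an added JavaScript example that is not the project's own code. It assumes (the page does not say) that the Data API is PostgREST at https://<project-ref>.supabase.co/rest/v1/<table>, that the table lives in schema public, and that the anon key is the JWT pulled from the app bundle. The project ref, key and HTTP responses below are constructed so the demo runs offline; probeTable, classifyProbe and the other names are this example's own.

```javascript
// Added example, not code from the supabase-security project: a minimal
// active anon-key probe. Assumed (not stated on the page): the Data API is
// PostgREST at https://<ref>.supabase.co/rest/v1/<table>, the table is in
// schema public, and the anon key is the JWT shipped in the app bundle.

function probeUrl(projectRef, table) {
  // limit=1 keeps the request cheap and the captured evidence small
  return `https://${projectRef}.supabase.co/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`;
}

function probeHeaders(anonKey) {
  // The key goes in both places: apikey for the API gateway, Bearer for the role claim
  return { apikey: anonKey, Authorization: `Bearer ${anonKey}`, Accept: 'application/json' };
}

// Map status + body to a verdict. Edge case that matters: with RLS enabled and
// no policy for anon, PostgREST answers 200 [] instead of an error, so an empty
// array means "nothing visible", not "locked down".
function classifyProbe(status, bodyText) {
  const evidence = bodyText.slice(0, 120); // never keep the whole body; it may be PII
  if (status === 401 || status === 403) return { verdict: 'DENIED', rows: 0, sample: '' };
  if (status === 404) return { verdict: 'NOT_EXPOSED', rows: 0, sample: '' };
  if (status !== 200) return { verdict: 'UNKNOWN', rows: 0, sample: evidence };
  let rows;
  try { rows = JSON.parse(bodyText); } catch { return { verdict: 'UNKNOWN', rows: 0, sample: evidence }; }
  if (!Array.isArray(rows)) return { verdict: 'UNKNOWN', rows: 0, sample: evidence };
  if (rows.length === 0) return { verdict: 'NO_ROWS_VISIBLE', rows: 0, sample: '' };
  return { verdict: 'LEAK', rows: rows.length, sample: evidence };
}

async function probeTable(projectRef, anonKey, table, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(probeUrl(projectRef, table), { headers: probeHeaders(anonKey) });
  return { table, ...classifyProbe(res.status, await res.text()) };
}

// Constructed responses standing in for a real project so the demo runs offline.
const CONSTRUCTED = {
  customers: { status: 200, body: '[{"id":1,"email":"alice@example.com","plan":"pro"}]' },
  audit_log: { status: 200, body: '[]' },
  api_keys:  { status: 401, body: '{"code":"42501","message":"permission denied for table api_keys"}' },
  nope:      { status: 404, body: '{"code":"PGRST205","message":"Could not find the table"}' },
};

function stubFetch(url) {
  const table = decodeURIComponent(new URL(url).pathname.split('/').pop());
  const r = CONSTRUCTED[table] ?? { status: 500, body: '' };
  return Promise.resolve({ status: r.status, text: async () => r.body });
}

async function demo() {
  const results = [];
  for (const table of Object.keys(CONSTRUCTED)) {
    const r = await probeTable('abcdefghijklmnopqrst', 'anon-key-from-bundle', table, stubFetch);
    results.push(r);
    console.log(r.verdict === 'LEAK'
      ? `[CRITICAL] ${table}: anon read ${r.rows} row(s): ${r.sample}`
      : `[${r.verdict}] ${table}`);
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Against a real project, drop the stub and let probeTable fall back to the global fetch. The empty-array case is deliberately reported as inconclusive: RLS on with no anon policy and a genuinely empty table look identical over HTTP, which is why the catalog checks below are still needed alongside the probe.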

Install

No install needed — clone and run:

git clone https://github.com/Perufitlife/supabase-security-skill
cd supabase-security-skill
SUPABASE_ACCESS_TOKEN=sbp_xxx node scripts/audit.js YOUR_PROJECT_REF --html report.html

Or as an Agent Skill for Claude Code, Cursor, Cline:

# (when published to skills marketplace)
npx skills add Perufitlife/supabase-security-skill

Then say: "audit my Supabase project ref xxx".

Get a Personal Access Token

https://supabase.com/dashboard/account/tokens → "Generate new token". Read access is sufficient. The token authenticates you to the management API, not just to this one project, so keep it out of shell history and commit logs (pass it through an environment variable or CI secret as the examples here do) and revoke it from the same page once the audit is done.

Checks performed

| # | Check | Severity |
|---|---|---|
| 1 | Table has RLS disabled and anon grants | CRITICAL |
| 2 | SECURITY DEFINER function (non-trigger) executable by anon | HIGH |
| 3 | Public storage bucket | HIGH |
| 4 | Default privileges still grant CRUD to anon (future-table risk) | MEDIUM |
| 5 | Auth signups enabled without email confirmation | MEDIUM |
| 6 | RLS-locked table still has direct anon grants (defense-in-depth) | LOW |

Every finding ships with copy-paste fix SQL. The HTML report has a "Copy all SQL" button to apply everything in one go.
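The catalog side of the checks above and the "Copy all SQL" output, as an added JavaScript example that is not the project's scripts/audit.js. It carries pg_catalog queries for checks 1, 2, 4 and 6 (checks 3 and 5 need the Management API rather than SQL and are left out), a runner that takes an injectable query(sql) function so the same code works with a real pg client or with the constructed stub used here, and the severity gate behind the workflow's fail-on input. Schema public and the role name anon are assumed from a default Supabase project; the function names and the stub rows are this example's own.

```javascript
// Added example, not the project's own scripts/audit.js: catalog queries for
// four of the checks above, a runner with an injectable query(sql) function
// that returns rows, and the fail-on gate. Assumed: schema public is the one
// exposed to the Data API and the API role is named anon, as in a default
// Supabase project.

const q = name => '"' + name.replace(/"/g, '""') + '"'; // quote an identifier for fix SQL

const CHECKS = [
  {
    id: 1, severity: 'CRITICAL', title: 'Table has RLS disabled and anon grants',
    // has_table_privilege() follows role membership and PUBLIC grants, so it
    // answers "can anon read this?" rather than "is there a literal grant row?"
    sql: `select c.relname as name
            from pg_class c join pg_namespace n on n.oid = c.relnamespace
           where n.nspname = 'public' and c.relkind in ('r', 'p')
             and not c.relrowsecurity
             and has_table_privilege('anon', c.oid, 'SELECT')`,
    fix: r => `alter table public.${q(r.name)} enable row level security;\nrevoke all on table public.${q(r.name)} from anon;`,
  },
  {
    id: 2, severity: 'HIGH', title: 'SECURITY DEFINER function (non-trigger) executable by anon',
    // Postgres grants EXECUTE to PUBLIC on every new function, so prosecdef alone is enough to flag
    sql: `select p.proname as name, pg_get_function_identity_arguments(p.oid) as args
            from pg_proc p join pg_namespace n on n.oid = p.pronamespace
           where n.nspname = 'public' and p.prosecdef and p.prokind = 'f'
             and p.prorettype <> 'trigger'::regtype
             and has_function_privilege('anon', p.oid, 'EXECUTE')`,
    fix: r => `revoke execute on function public.${q(r.name)}(${r.args}) from anon, public;`,
  },
  {
    id: 4, severity: 'MEDIUM', title: 'Default privileges still grant CRUD to anon (future-table risk)',
    // defaclnamespace = 0 is a global default; the left join leaves schema null for that case
    sql: `select distinct d.defaclrole::regrole::text as owner, n.nspname as schema
            from pg_default_acl d
            left join pg_namespace n on n.oid = d.defaclnamespace
            cross join lateral aclexplode(d.defaclacl) a
           where d.defaclobjtype = 'r' and a.grantee = 'anon'::regrole::oid`,
    fix: r => `alter default privileges for role ${r.owner}${r.schema ? ' in schema ' + q(r.schema) : ''} revoke all on tables from anon;`,
  },
  {
    id: 6, severity: 'LOW', title: 'RLS-locked table still has direct anon grants (defense-in-depth)',
    sql: `select c.relname as name
            from pg_class c join pg_namespace n on n.oid = c.relnamespace
           where n.nspname = 'public' and c.relkind in ('r', 'p')
             and c.relrowsecurity
             and has_table_privilege('anon', c.oid, 'SELECT')`,
    fix: r => `revoke all on table public.${q(r.name)} from anon;`,
  },
];

const SEVERITY_RANK = { LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 3 };

// query(sql) -> rows. With node-postgres: sql => client.query(sql).then(r => r.rows)
async function runChecks(query, checks = CHECKS) {
  const findings = [];
  for (const check of checks) {
    for (const row of await query(check.sql)) {
      findings.push({ check: check.id, severity: check.severity, title: check.title, fixSql: check.fix(row) });
    }
  }
  return findings;
}

function summarize(findings) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// The fail-on gate: true when any finding is at or above the threshold severity.
function shouldFail(findings, failOn) {
  const threshold = SEVERITY_RANK[String(failOn).toUpperCase()];
  if (threshold === undefined) throw new Error(`unknown fail-on severity: ${failOn}`);
  return findings.some(f => SEVERITY_RANK[f.severity] >= threshold);
}

// Every fix in one transaction, the way the report's "Copy all SQL" button applies them.
function allFixSql(findings) {
  return ['begin;', ...findings.map(f => `-- [${f.severity}] check ${f.check}: ${f.title}\n${f.fixSql}`), 'commit;'].join('\n');
}

// Constructed stub in place of a pg client; rows are matched on a fragment of each query.
const CONSTRUCTED_ROWS = [
  { match: 'not c.relrowsecurity', rows: [{ name: 'customers' }, { name: 'orders' }] },
  { match: 'p.prosecdef', rows: [{ name: 'get_public_stats', args: '' }] },
  { match: 'pg_default_acl', rows: [{ owner: 'postgres', schema: 'public' }] },
  { match: 'and c.relrowsecurity', rows: [{ name: 'profiles' }] },
];
async function stubQuery(sql) {
  const hit = CONSTRUCTED_ROWS.find(c => sql.includes(c.match));
  return hit ? hit.rows : [];
}

async function demo(failOn = 'critical') {
  const findings = await runChecks(stubQuery);
  const c = summarize(findings);
  console.log(`Findings: ${c.CRITICAL} critical, ${c.HIGH} high, ${c.MEDIUM} medium, ${c.LOW} low`);
  console.log(allFixSql(findings));
  return { findings, counts: c, fail: shouldFail(findings, failOn) }; // a CLI would exit 1 when fail is true
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The check 2 query is the one that most often surprises people: an RPC is callable by anon not because anyone granted it, but because EXECUTE on new functions goes to PUBLIC, so the fix revokes from both anon and public. As the Limits section says, an intentionally public RPC such as get_public_stats() will still show up here; the gate is what turns a judgement call into a CI decision.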

How it differs from the alternatives

| | This | SupaExplorer | AuditYourApp |
|---|---|---|---|
| Where your project ref goes | Your machine | Their SaaS | Their SaaS |
| Cost | Free, MIT | $6.75–$187 | $29/mo–$499 |
| Source code | Public | Closed | Closed |
| Generates fix SQL | Yes | Pro tier | Pro tier |
| Runs in CI | Trivially | API tier | API tier |

This tool has fewer features than the SaaS players. The trade-off is full control of the data and zero recurring cost.

Run in CI

# .github/workflows/supabase-security.yml
on: [push]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - run: |
          npx -y github:Perufitlife/supabase-security-skill \
            ${{ secrets.SUPABASE_PROJECT_REF }} \
            --html report.html
        env:
          SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}  # the script reads this variable (see Install)
      - uses: actions/upload-artifact@v4
        with: { name: supabase-security-report, path: report.html }

Limits — read these before trusting it

  • Doesn't audit per-object Storage RLS (would mean iterating every file).
  • Can't revoke supabase_admin default privileges via SQL — that needs the Dashboard toggle. The report tells you so.
  • App APIs that are intentionally exposed to anon (e.g. a get_public_stats() RPC) will appear as findings. You decide which are intentional.
  • Alpha. If you find a false positive or missed check, open an issue with the SQL output of the relevant pg_* query and I'll fix it.

Roadmap

  • [ ] Storage object-level scan
  • [ ] pg_cron scheduled-job audit
  • [ ] Edge Function secrets scan (env var leak detection)
  • [ ] Apify actor wrapper (one-click HTML report, no install)
  • [ ] MCP server with audit and apply-fix tools (preview + rollback)

License

MIT.