Grafana vs Supabase
Side-by-side trajectory, velocity, and editorial themes.
Grafana ships fleet-wide CVE patches across five branches while Dynamic Dashboards anchor the new 13.0 line.
Grafana is on a brisk monthly minor cadence — 12.2, 12.3, 12.4, and 13.0 all landed between late March and mid-April, with 13.0 making Dynamic Dashboards GA as the new dashboarding primitive. Today they cut a coordinated security release across every supported branch (11.6, 12.2, 12.3, 12.4, 13.0) patching the same set of around ten CVEs. The dual pattern — fast feature iteration on top, broad LTS coverage underneath — is intact.
The platform is consolidating around Dynamic Dashboards as the default authoring model and pushing Git-driven workflows (Git Sync, templates, shared queries) into the everyday loop. Logs and Drilldown experiences keep getting structural rewrites rather than cosmetic polish, suggesting Grafana sees the exploration UX as the differentiation lever against newer observability vendors. Maintenance discipline is a feature here, not background work: synchronized multi-branch CVE releases keep enterprise customers on a buyable upgrade path.
Expect a 13.1 minor inside the next month continuing on Dynamic Dashboards, Git Sync, and Drilldown threads, plus follow-up patch releases as the post-disclosure window for these CVEs closes. A public write-up explaining the ten-CVE batch is likely if any of the bugs turn out to be remotely exploitable.
Supabase is reversing its biggest security default - public-schema tables no longer auto-exposed via PostgREST.
The headline shipping move is a deliberate change to Supabase's security posture: new projects can opt out of automatic Data API and GraphQL exposure for public-schema tables, with broader defaults flipping in May. Around it: an OAuth 2.1 compliance fix, an RLS Tester preview to make policy verification possible from the UI, and a steady drumbeat of platform improvements summarized in the monthly developer update.
Supabase is rebuilding the security defaults that made it fast to start with but easy to misconfigure. Combine the no-auto-expose change with the RLS Tester preview and the direction is clear: the platform is moving from convention-based exposure to explicit, testable access control. The OAuth compliance fix and developer updates suggest steady investment in standards conformance rather than new product surface this window.
Expect the no-auto-expose default to apply to existing projects (with a long opt-out runway), and the RLS Tester to graduate from preview into the dashboard as a first-class panel. Continued breaking-change drumbeat tied to OAuth/OIDC compliance is likely.
See more alternatives to Grafana →
See more alternatives to Supabase →