Supabase vs Depot
Side-by-side trajectory, velocity, and editorial themes.
Supabase is reversing its biggest security default - public-schema tables no longer auto-exposed via PostgREST.
The headline shipping move is a deliberate change to Supabase's security posture: new projects can opt out of automatic Data API and GraphQL exposure for public-schema tables, with broader defaults flipping in May. Around it: an OAuth 2.1 compliance fix, an RLS Tester preview to make policy verification possible from the UI, and a steady drumbeat of platform improvements summarized in the monthly developer update.
Supabase is rebuilding the security defaults that made it fast to start with but easy to misconfigure. Combine the no-auto-expose change with the RLS Tester preview and the direction is clear: the platform is moving from convention-based exposure to explicit, testable access control. The OAuth compliance fix and developer updates suggest steady investment in standards conformance rather than new product surface this window.
Expect the no-auto-expose default to apply to existing projects (with a long opt-out runway), and the RLS Tester to graduate from preview into the dashboard as a first-class panel. Continued breaking-change drumbeat tied to OAuth/OIDC compliance is likely.
Depot is rounding out Depot CI into a credible GitHub Actions alternative, and just shipped nested virtualization.
Eight of the last ten changelog entries are Depot CI updates: a new workflow summary page, environment-aware secret and variable variants, CLI commands for metrics, JSON status output, live log streaming, workflow listing and inspection, run cancel/rerun/retry/dispatch, and a DEPOT_JOB_URL env var in every job. Registry got pull-through cache improvements with provider presets. The dominant theme is filling in the feature surface a serious CI platform needs.
Depot is methodically closing the gap between its CI product and the incumbents. The recent run reads like a checklist: workflow UX, secrets, metrics, log streaming, scriptable CLI surface — the table-stakes ergonomics teams expect before migrating off GitHub Actions or CircleCI. The May 20 nested virtualization release expands what kinds of workloads Depot CI can host at all, not just how nicely it hosts them, which is a different and more aggressive move.
Expect more workload-expansion moves following the nested virtualization release — likely Android-specific tooling, deeper matrix/sharding UX (the workflow page already groups matrix failures), and continued CLI parity work. The secrets-and-variables variant model looks set up to grow into broader policy-as-code for CI configuration.
See more alternatives to Supabase →
See more alternatives to Depot →