
Supabase Storage Rebuilt From the Ground Up: Faster, More Secure, More Reliable


Essential Points

  • Object listing is up to 14.8x faster on datasets with 60 million or more rows
  • The legacy prefixes table and its 6 triggers are fully eliminated
  • A path traversal vulnerability is patched, closing a direct file access exploit
  • Orphan objects from direct SQL deletes are now fully prevented

Supabase pushed one of its most consequential storage updates on March 5, 2026. The release does not add flashy features; it fixes the foundations every production app depends on: query performance, data integrity, and security.

If your app handles millions of objects or relies on Supabase Storage for user uploads, these changes affect listing speed, access control, and database reliability all at once.

What Changed in Object Listing Performance

The biggest change is architectural. Supabase removed the prefixes table along with its 6 associated database triggers, replacing the entire mechanism with a hybrid skip-scan algorithm and cursor-based pagination.

The result is object listing up to 14.8x faster on datasets exceeding 60 million rows. For apps that power media libraries, e-commerce catalogs, or document storage systems, this translates directly into faster API responses and lower database load.

Security Vulnerabilities Now Closed

Two security issues are resolved in this release.

First, a path traversal vulnerability has been patched. This class of bug allows an attacker to craft file paths that escape their intended directory, potentially accessing files outside their authorized bucket scope.

Second, orphan objects can no longer be created through direct SQL deletes. Previously, deleting a row directly in the database without going through the storage API left underlying files orphaned or metadata records inconsistent. The March 2026 update prevents this entirely.
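To make the path traversal bug class concrete, here is an added example (not Supabase's code or its patch) that puts a weak key-to-path mapping beside a hardened one. `BUCKET_ROOT`, the function names and the sample keys are assumptions made for the illustration.

```javascript
// Added illustration of the bug class; not Supabase's code or its patch.
// Hypothetical on-disk root of one bucket (assumption for this example).
const BUCKET_ROOT = '/srv/storage/tenant-a/avatars';

// Collapse "." and ".." segments the way a filesystem lookup would.
function normalize(absPath) {
  const out = [];
  for (const seg of absPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

// Weak pattern: the caller-supplied key is appended to the root and trusted.
function resolveNaive(key) {
  return normalize(BUCKET_ROOT + '/' + key);
}

// Hardened pattern: decode once, refuse ambiguous input, normalise, then
// confirm the result is still strictly below the bucket root.
function resolveSafe(key) {
  let decoded;
  try { decoded = decodeURIComponent(key); } catch { return null; } // bad encoding
  if (/[\0\\]/.test(decoded)) return null;        // NUL bytes, backslash separators
  if (/%(2e|2f|5c)/i.test(decoded)) return null;  // still encoded after one decode
  const resolved = normalize(BUCKET_ROOT + '/' + decoded);
  // The trailing slash stops a sibling such as ".../avatars-private" from passing.
  return resolved.startsWith(BUCKET_ROOT + '/') ? resolved : null;
}

// Constructed sample keys: one legitimate, the rest resolve outside the bucket.
const SAMPLE_KEYS = [
  'users/42/photo.png',
  '../private/report.pdf',
  'users/%2e%2e/%2e%2e/private/report.pdf',
  '%252e%252e/private/report.pdf',
  '../avatars-private/report.pdf',
];

function auditKeys(keys) {
  return keys.map(key => ({ key, naive: resolveNaive(key), safe: resolveSafe(key) }));
}
```

Running `auditKeys(SAMPLE_KEYS)` shows the naive resolver placing the second key under `tenant-a/private`, while the hardened resolver accepts only the first key.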

How the New Architecture Compares

The old system used a prefixes table as an index layer for bucket navigation. Every object write or delete triggered 6 corresponding database triggers to keep this table in sync. At scale, this trigger chain introduced latency and failure points.

The replacement pairs a hybrid skip-scan algorithm with cursor-based pagination, which supersedes the offset-based approach that degrades at depth.

| Mechanism | Old System | New System |
| --- | --- | --- |
| Index strategy | Prefixes table + 6 triggers | Hybrid skip-scan algorithm |
| Pagination style | Offset-based | Cursor-based |
| Listing speed (60M+ rows) | Baseline | Up to 14.8x faster |
| Path traversal protection | Vulnerable | Patched |
| Orphan object risk | Present | Eliminated |
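The sketch below is an added example of the general skip-scan idea with a seek-key cursor; it is not Supabase's implementation. A sorted array stands in for an ordered index on object names, and `listLevel`, `lowerBound`, `buildSampleKeys` and the sample keys are hypothetical names and data.

```javascript
// Added illustration, not Supabase's implementation. A sorted array stands in
// for an ordered index on object names; lowerBound() plays the role of an index seek.
function lowerBound(keys, target) {
  let lo = 0, hi = keys.length;
  while (lo < hi) {
    const mid = (lo + hi) >>> 1;
    if (keys[mid] < target) lo = mid + 1; else hi = mid;
  }
  return lo;
}

// List one "directory level" under `prefix`. `cursor` is the seek key returned
// by the previous page (null for the first page), so no offset is ever counted.
function listLevel(keys, prefix, { delimiter = '/', limit = 100, cursor = null } = {}) {
  const entries = [];
  let seek = cursor ?? prefix;
  let seeks = 0;
  while (entries.length < limit) {
    const i = lowerBound(keys, seek);
    seeks++;
    if (i >= keys.length || !keys[i].startsWith(prefix)) {
      return { entries, nextCursor: null, seeks };   // ran off the end of the prefix
    }
    const key = keys[i];
    const cut = key.indexOf(delimiter, prefix.length);
    if (cut === -1) {
      entries.push({ type: 'object', name: key });
      seek = key + '\u0000';          // smallest string that sorts after this key
    } else {
      const folder = key.slice(0, cut + delimiter.length);
      entries.push({ type: 'folder', name: folder });
      // Skip every key inside the folder with one seek. Assumes no object name
      // contains U+FFFF directly after the folder prefix.
      seek = folder + '\uffff';
    }
  }
  return { entries, nextCursor: seek, seeks };
}

// Constructed sample data: two large "folders" plus two top-level objects.
function buildSampleKeys() {
  const keys = ['readme.txt', 'zeta.png'];
  for (let i = 0; i < 5000; i++) keys.push(`photos/2026/img-${i}.jpg`);
  for (let i = 0; i < 5000; i++) keys.push(`logs/app-${i}.log`);
  return keys.sort();
}
```

Listing the root of the 10,002-key sample returns four entries after five seeks, because each folder is passed in a single jump instead of being read row by row.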

What This Means for Developers

If you use the standard Supabase Storage SDK or the S3-compatible API, these changes are transparent. No code changes are required. The improvements apply automatically at the infrastructure level.

However, teams running custom SQL directly against the storage schema should audit their delete patterns. Code that deleted storage metadata rows via raw SQL will now encounter updated constraints. Moving all delete operations through the Supabase Storage API is the recommended path.
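One way to start that audit is to scan migrations and application source for statements that delete from or truncate tables in the `storage` schema. This is an added example, not a Supabase tool; the function names and the sample migration text are constructed, and the comment stripping is a heuristic that does not parse SQL string literals.

```javascript
// Added audit helper, not a Supabase tool. Flags SQL that deletes from or
// truncates tables in the `storage` schema instead of going through the Storage API.
const DIRECT_DELETE =
  /\b(delete\s+from|truncate(?:\s+table)?)\s+(?:only\s+)?"?storage"?\s*\.\s*"?(\w+)"?/gi;

// Blank out SQL comments but keep newlines, so reported line numbers stay correct.
function stripSqlComments(sql) {
  return sql
    .replace(/\/\*[\s\S]*?\*\//g, m => m.replace(/[^\n]/g, ' '))
    .replace(/--[^\n]*/g, m => ' '.repeat(m.length));
}

function findDirectStorageDeletes(source, file = '<inline>') {
  const text = stripSqlComments(source);
  const findings = [];
  for (const m of text.matchAll(DIRECT_DELETE)) {
    findings.push({
      file,
      line: text.slice(0, m.index).split('\n').length,
      action: m[1].toLowerCase().replace(/\s+/g, ' '),
      table: `storage.${m[2]}`,
    });
  }
  return findings;
}

// Constructed sample input: two live statements, two commented out, one unrelated.
const SAMPLE_MIGRATION = [
  '-- cleanup job (constructed sample)',
  '-- delete from storage.objects where false;',
  "DELETE FROM storage.objects WHERE bucket_id = 'tmp';",
  'delete from public.profiles where id = 1;',
  '/* truncate storage.objects; */',
  'TRUNCATE TABLE "storage"."objects";',
].join('\n');
```

Each finding carries the file, line, action and table, so the output can be fed straight into a code review checklist or a CI gate.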

Context: Supabase Storage’s Evolution

This update is part of a longer reliability arc. Supabase Storage added S3 protocol compatibility in April 2024, making it interoperable with thousands of existing tools and libraries. Resumable uploads for files up to 50GB using the TUS protocol shipped in April 2023.

The broader March 5, 2026 Developer Update also ships Log Drains on Pro, enabling Postgres, Auth, Storage, Edge Functions, and Realtime logs to stream to Datadog, Grafana Loki, Sentry, Axiom, and S3. AI-powered table filters are also available under Feature Previews in the dashboard. The storage performance and security improvements are the headline changes in this release.

Limitations and Considerations

The 14.8x performance benchmark applies specifically to large-scale listing operations on datasets exceeding 60 million rows. Projects with smaller object counts will benefit, but gains are proportionally smaller. Teams relying on direct database access to storage internal tables should plan a migration to the official SDK or API, as internal schema changes from this update may affect raw SQL patterns that bypass the storage layer.

Frequently Asked Questions (FAQs)

Do I need to update my code to benefit from these changes?

No code changes are required for most developers. The skip-scan algorithm and cursor-based pagination improvements apply automatically at the infrastructure level. Teams using direct SQL against the storage schema should migrate to the official Supabase Storage SDK or API to remain compatible.

What is the path traversal vulnerability that was fixed?

A path traversal vulnerability allows an attacker to craft file paths that escape their intended directory, potentially accessing unauthorized files within a storage bucket. Supabase patched this vector in the March 5, 2026 storage release, preventing crafted paths from resolving outside their authorized scope.

What are orphan objects and why do they matter?

Orphan objects occur when a storage metadata record is deleted directly via SQL without using the storage API, leaving files untracked or inconsistent. These create data integrity and reliability risks at scale. The March 2026 update prevents this scenario entirely by enforcing consistency at the database level.

How does the hybrid skip-scan algorithm improve listing speed?

The hybrid skip-scan algorithm replaces the old prefixes table and its 6 triggers. Combined with cursor-based pagination replacing the prior offset-based approach, the new system benchmarks at up to 14.8x faster listing speed on datasets with 60 million or more rows.

Is Supabase Storage still S3-compatible after these updates?

Yes. Supabase Storage has supported the S3 protocol since April 2024. The March 2026 updates improve performance and security at the infrastructure layer without changing S3 compatibility or any existing API contracts.

What other features shipped in the March 2026 Supabase update?

The same March 5, 2026 Developer Update includes Log Drains on Pro for streaming Postgres, Auth, Storage, Edge Functions, and Realtime logs to Datadog, Grafana Loki, Sentry, Axiom, and S3. AI-powered table filters also launched under Feature Previews in the dashboard.

Should I be concerned about breaking changes from this storage update?

Standard SDK and API usage is fully unaffected. Developers writing raw SQL directly against storage internal tables should audit their delete operations. Any deletes bypassing the official storage API may encounter new constraints introduced to prevent orphan objects in this release.

How does Supabase Storage’s listing performance compare to before this update?

Before this update, listing operations on large datasets relied on the prefixes table with 6 database triggers, which degraded at scale. The March 2026 architecture change delivers up to 14.8x faster listing on 60 million or more row datasets without any changes required from developers.

Mohammad Kashif
Senior Technology Analyst and Writer at AdwaitX, specializing in the convergence of Mobile Silicon, Generative AI, and Consumer Hardware. Moving beyond spec sheets, his reviews rigorously test "real-world" metrics analyzing sustained battery efficiency, camera sensor behavior, and long-term software support lifecycles. Kashif’s data-driven approach helps enthusiasts and professionals distinguish between genuine innovation and marketing hype, ensuring they invest in devices that offer lasting value.
