From a2e8882d9611f77c3a2df59ed91bf9f242e44e7d Mon Sep 17 00:00:00 2001
From: Charis <26616127+charislam@users.noreply.github.com>
Date: Tue, 17 Jun 2025 18:49:03 -0400
Subject: [PATCH 1/2] docs(mcp): recommend read-only, project-scoped mode by
 default (#36496)

---
 .../content/_partials/mcp_supabase_config.mdx | 44 ++++++++++++-------
 .../_partials/mcp_supabase_vscode_config.mdx  | 16 +++++--
 .../content/guides/getting-started/mcp.mdx    |  8 ++--
 3 files changed, 45 insertions(+), 23 deletions(-)

diff --git a/apps/docs/content/_partials/mcp_supabase_config.mdx b/apps/docs/content/_partials/mcp_supabase_config.mdx
index 213a6dedde87f..fd5068f69fbea 100644
--- a/apps/docs/content/_partials/mcp_supabase_config.mdx
+++ b/apps/docs/content/_partials/mcp_supabase_config.mdx
@@ -16,15 +16,18 @@
           "args": [
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
   </TabPanel>
 
@@ -40,15 +43,18 @@
             "npx",
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
     <Admonition type="note">
 
@@ -83,15 +89,18 @@
             "npx",
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
     This assumes you have Windows Subsystem for Linux (WSL) enabled and `node`/`npx` are installed within the WSL environment.
 
@@ -107,15 +116,18 @@
           "args": [
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
   </TabPanel>
 
diff --git a/apps/docs/content/_partials/mcp_supabase_vscode_config.mdx b/apps/docs/content/_partials/mcp_supabase_vscode_config.mdx
index df8aacc259e16..0117cb7d3e3aa 100644
--- a/apps/docs/content/_partials/mcp_supabase_vscode_config.mdx
+++ b/apps/docs/content/_partials/mcp_supabase_vscode_config.mdx
@@ -21,7 +21,7 @@
       "servers": {
         "supabase": {
           "command": "npx",
-          "args": ["-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["-y", "@supabase/mcp-server-supabase@latest", "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -30,6 +30,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
   </TabPanel>
 
   <TabPanel id="windows" label="Windows">
@@ -47,7 +49,7 @@
       "servers": {
         "supabase": {
           "command": "cmd",
-          "args": ["/c", "npx", "-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["/c", "npx", "-y", "@supabase/mcp-server-supabase@latest", "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -56,6 +58,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
     <Admonition type="note">
 
     Make sure that `node` and `npx` are available in your system `PATH`. Assuming `node` is installed, you can get the path by running:
@@ -93,7 +97,7 @@
       "servers": {
         "supabase": {
           "command": "wsl",
-          "args": ["npx", "-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["npx", "-y", "@supabase/mcp-server-supabase@latest",  "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -102,6 +106,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
     This assumes you have Windows Subsystem for Linux (WSL) enabled and `node`/`npx` are installed within the WSL environment.
 
   </TabPanel>
@@ -121,7 +127,7 @@
       "servers": {
         "supabase": {
           "command": "npx",
-          "args": ["-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["-y", "@supabase/mcp-server-supabase@latest", "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -130,6 +136,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
   </TabPanel>
 
 </Tabs>
diff --git a/apps/docs/content/guides/getting-started/mcp.mdx b/apps/docs/content/guides/getting-started/mcp.mdx
index fa87883024167..a0baa71716b76 100644
--- a/apps/docs/content/guides/getting-started/mcp.mdx
+++ b/apps/docs/content/guides/getting-started/mcp.mdx
@@ -23,7 +23,9 @@ First, go to your [Supabase settings](https://supabase.com/dashboard/account/tok
 
 ## Step 2: Configure in your AI tool
 
-MCP compatible tools can connect to Supabase using the [Supabase MCP server](https://github.com/supabase-community/supabase-mcp). Below are instructions for connecting to this server using popular AI tools:
+MCP compatible tools can connect to Supabase using the [Supabase MCP server](https://github.com/supabase-community/supabase-mcp).
+
+Follow the instructions for your AI tool to connect the Supabase MCP server. The configuration below uses read-only, project-scoped mode by default. We recommend these settings to prevent the agent from making unintended changes to your database. Note that read-only mode applies only to database operations. Write operations on project-management tools, such as `create_project`, are still available.
 
 ### Cursor
 
@@ -53,9 +55,9 @@ MCP compatible tools can connect to Supabase using the [Supabase MCP server](htt
 
 <div className="mb-8 not-prose [&>p]:flex [&>p]:flex-col [&>p]:gap-2">
   [![Install with NPX in VS
-  Code](https://img.shields.io/badge/VS_Code-NPM-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D&config=%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%7D%7D)
+  Code](https://img.shields.io/badge/VS_Code-NPM-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D%26config%3D%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%2C%22--readonly%22%2C%22--project-ref%3D%24SUPABASE_MCP_PROJECT_REF%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%2C%22SUPABASE_MCP_PROJECT_REF%22%3A%22%24%7Binput%3Asupabase-project-ref%7D%22%7D%7D)
   [![Install with NPX in VS Code
-  Insiders](https://img.shields.io/badge/VS_Code_Insiders-NPM-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D&config=%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%7D%7D&quality=insiders)
+  Insiders](https://img.shields.io/badge/VS_Code_Insiders-NPM-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D%26config%3D%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%2C%22--readonly%22%2C%22--project-ref%3D%24SUPABASE_MCP_PROJECT_REF%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%2C%22SUPABASE_MCP_PROJECT_REF%22%3A%22%24%7Binput%3Asupabase-project-ref%7D%22%7D%7D)
 </div>
 
 1.  Open [VS Code](https://code.visualstudio.com/) and create a `.vscode` directory in your project root if it doesn't exist.

From 77db22e7c0c90903270d13c66f88eb7f824ac32e Mon Sep 17 00:00:00 2001
From: James Parrott <80779630+JamesParrott@users.noreply.github.com>
Date: Wed, 18 Jun 2025 04:28:46 +0100
Subject: [PATCH 2/2] Bump node:20-slim to :22-slim in Supabase Studio
 Dockerfile (#36482)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Kevin Grüneberg <k.grueneberg1994@gmail.com>
---
 apps/studio/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/studio/Dockerfile b/apps/studio/Dockerfile
index 3fbac7d88bbb2..e0bba48dbed78 100644
--- a/apps/studio/Dockerfile
+++ b/apps/studio/Dockerfile
@@ -8,7 +8,7 @@
 #    docker builder prune
 #    docker build . -f apps/studio/Dockerfile --target production -t studio:latest --no-cache
 
-FROM node:20-slim AS base
+FROM node:22-slim AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"