From e7b516945756b698c007b9259221d53b5a8eec5d Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 15 Jul 2026 15:36:33 +0000 Subject: [PATCH 1/5] ci(validate-deps): replace retired pnpm audit with OSV-Scanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit npm retired the audit endpoint (HTTP 410, "This endpoint is being retired. Use the bulk advisory endpoint instead.") on 2026-07-13, and pnpm has not migrated to the bulk advisory endpoint. As a result `pnpm audit --audit-level=high` fails unconditionally on every branch and PR, turning the Validate Package Dependencies check permanently red (issue #2974). Replace the step with google/osv-scanner-action (pinned by commit SHA), which reads pnpm-lock.yaml directly against the OSV database and exits non-zero when any advisory matches — restoring a working blocking security gate without depending on the retired npm endpoint. Also update the release hardening checklist in docs/HARDENING.md to use osv-scanner, since `pnpm audit` no longer works locally either. Note: OSV-Scanner gates on any severity rather than only high/critical. Specific advisories can be accepted via an osv-scanner.toml [[IgnoredVulns]] entry instead of lowering the gate. Fixes #2974 Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE --- .github/workflows/validate-deps.yml | 23 ++++++++++++++++++----- docs/HARDENING.md | 3 ++- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/.github/workflows/validate-deps.yml b/.github/workflows/validate-deps.yml index 4e6b140002..48d5c5b252 100644 --- a/.github/workflows/validate-deps.yml +++ b/.github/workflows/validate-deps.yml @@ -56,11 +56,24 @@ jobs: - name: Verify Changesets "fixed" group covers every public package run: node scripts/check-changeset-fixed.mjs - - name: Check for dependency issues - run: | - # Fail the workflow if high-severity vulnerabilities are found - # This enforces security compliance before merging - pnpm audit --audit-level=high + # Fail the workflow if known vulnerabilities are found — enforces + # security compliance before merging. + # + # Previously this ran `pnpm audit --audit-level=high`, but npm retired the + # audit endpoint (HTTP 410, "This endpoint is being retired. Use the bulk + # advisory endpoint instead.") and pnpm has not migrated, so `pnpm audit` + # now fails unconditionally on every branch (see issue #2974). OSV-Scanner + # reads pnpm-lock.yaml directly against the OSV database and exits non-zero + # when any advisory matches, restoring a working blocking gate. + # + # Note: OSV-Scanner blocks on any severity, not just high/critical. To + # accept a specific advisory, add an osv-scanner.toml `[[IgnoredVulns]]` + # entry rather than lowering the gate. + - name: Audit dependencies for known vulnerabilities (OSV-Scanner) + uses: google/osv-scanner-action/osv-scanner-action@8dc09193bb540e09b23da07ad7e30bd33bf87018 # v2.3.8 + with: + scan-args: |- + --lockfile=pnpm-lock.yaml - name: List outdated packages if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' diff --git a/docs/HARDENING.md b/docs/HARDENING.md index 5b6667a2a8..ee7dd9d4b5 100644 --- a/docs/HARDENING.md +++ b/docs/HARDENING.md @@ -223,7 +223,8 @@ Run the production hardening checklist before each release: - [ ] `revokeSessionsOnPasswordReset: true` - [ ] CORS origin list is explicit, not `*` - [ ] `enforceProjectMembership: true` on scoped routes -- [ ] `pnpm audit` clean (no `high`/`critical`) +- [ ] `osv-scanner --lockfile=pnpm-lock.yaml` clean (npm retired the + `pnpm audit` endpoint — see issue #2974; CI enforces this via OSV-Scanner) - [ ] `pnpm outdated` reviewed - [ ] Backups: restore tested in the last 30 days - [ ] Audit log: `sys_audit_log` is append-only at the DB level From 149c312fb387122ace992b40bca4a723abf643ab Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 15 Jul 2026 15:37:59 +0000 Subject: [PATCH 2/5] ci(validate-deps): trigger workflow on changes to its own file So edits to the dependency-validation gates are exercised on the PR that introduces them, rather than only when a dependency manifest changes. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE --- .github/workflows/validate-deps.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/validate-deps.yml b/.github/workflows/validate-deps.yml index 48d5c5b252..f402ceb5f3 100644 --- a/.github/workflows/validate-deps.yml +++ b/.github/workflows/validate-deps.yml @@ -8,6 +8,9 @@ on: - '.changeset/config.json' - 'pnpm-workspace.yaml' - 'scripts/check-changeset-fixed.mjs' + # Re-run when the workflow itself changes, so edits to these gates are + # exercised on the PR that introduces them. + - '.github/workflows/validate-deps.yml' schedule: # Run weekly on Monday at 03:00 UTC - cron: '0 3 * * 1' From f99722cb9aee7a4e5f034a97c3db6980952e8554 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 15 Jul 2026 15:58:56 +0000 Subject: [PATCH 3/5] fix(deps): remediate 9 OSV advisories surfaced by the new audit gate The OSV-Scanner gate (replacing the retired `pnpm audit`) blocks on any severity and surfaced 9 pre-existing advisories in pnpm-lock.yaml across 6 packages. Pin each to its patched line, following the existing pnpm-workspace.yaml `overrides` convention: - uuid 8.3.2 -> ^11.1.1 GHSA-w5hq-g745-h8pq (high) - @better-auth/oauth-provider 1.6.23 -> 1.7.0-rc.1 GHSA-p2fr-6hmx-4528 - postcss 8.4.31 -> ^8.5.10 GHSA-qx2v-qp2m-jg93 - cookie 0.6.0 -> 0.7.0 GHSA-pxg6-pf52-xh8x - svelte 5.55.3 -> ^5.55.7 GHSA-9rmh-mm8f-r9h6 + 3 more - @tootallnate/once 1.1.2 -> 2.0.1 GHSA-vpq2-c234-7xj6 (low) @better-auth/oauth-provider mirrors the existing @better-auth/scim pre-release pin (same monorepo, same advisory class). uuid pins to the conservative ^11.1.1 LTS line rather than the latest major. svelte is an optional peer-of-a-peer (better-auth > @sveltejs/kit) that `overrides` alone cannot re-resolve, so it is additionally pinned via a `svelte` devDependency in the root (private) package.json so the peer dedupes onto the patched 5.56.x line; both are documented in pnpm-workspace.yaml. Verified: no vulnerable version remains in the lockfile and `pnpm install --frozen-lockfile` is in sync. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE --- package.json | 1 + pnpm-lock.yaml | 143 +++++++++++++++++++------------------------- pnpm-workspace.yaml | 28 +++++++++ 3 files changed, 91 insertions(+), 81 deletions(-) diff --git a/package.json b/package.json index 57f943090f..b8ea9369c9 100644 --- a/package.json +++ b/package.json @@ -46,6 +46,7 @@ "@types/node": "^26.1.1", "@typescript-eslint/parser": "^8.63.0", "eslint": "^10.7.0", + "svelte": "^5.55.7", "tsup": "^8.5.1", "tsx": "^4.23.0", "turbo": "^2.10.4", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index a683d35f75..c315430172 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -11,6 +11,12 @@ overrides: form-data@<4.0.6: '>=4.0.6' undici@>=7.23.0 <7.28.0: ^7.28.0 '@better-auth/scim@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/oauth-provider@<1.7.0-rc.1': 1.7.0-rc.1 + uuid@<11.1.1: ^11.1.1 + postcss@<8.5.10: ^8.5.10 + cookie@<0.7.0: 0.7.0 + svelte: ^5.55.7 + '@tootallnate/once@<2.0.1': 2.0.1 importers: @@ -28,6 +34,9 @@ importers: eslint: specifier: ^10.7.0 version: 10.7.0(jiti@2.7.0) + svelte: + specifier: ^5.55.7 + version: 5.56.5(@typescript-eslint/types@8.63.0) tsup: specifier: ^8.5.1 version: 8.5.1(jiti@2.7.0)(postcss@8.5.18)(tsx@4.23.0)(typescript@6.0.3)(yaml@2.9.0) @@ -1314,14 +1323,14 @@ importers: specifier: ^1.6.23 version: 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/oauth-provider': - specifier: ^1.6.23 - version: 1.6.23(fd11e4920ccca1ffd38b6ae495c5b791) + specifier: 1.7.0-rc.1 + version: 1.7.0-rc.1(cbb5eacd36da2fc4af9e6bf4f5c2aa26) '@better-auth/scim': specifier: 1.7.0-rc.1 - version: 1.7.0-rc.1(f7524a52bb9c2782743bc554398fd16d) + version: 1.7.0-rc.1(e532fad85f382004d74095166a0ee9bf) '@better-auth/sso': specifier: ^1.6.23 - version: 1.6.23(fd11e4920ccca1ffd38b6ae495c5b791) + version: 1.6.23(cbb5eacd36da2fc4af9e6bf4f5c2aa26) '@noble/hashes': specifier: ^2.2.0 version: 2.2.0 @@ -1342,7 +1351,7 @@ importers: version: link:../../types better-auth: specifier: ^1.6.23 - version: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.55.3(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + version: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) jose: specifier: ^6.2.3 version: 6.2.3 @@ -2477,13 +2486,13 @@ packages: mongodb: optional: true - '@better-auth/oauth-provider@1.6.23': - resolution: {integrity: sha512-1sDN+N4Sztmpk8ziCU3MXicxOTfvYoHvHvhJMQ7PSfr+pLXnYN+dJFI9S3zBRwstmTeJx/OhRIZWrwFJ0TgBnA==} + '@better-auth/oauth-provider@1.7.0-rc.1': + resolution: {integrity: sha512-992i44HfdHRDlMSnaapXMkMRKGyNxIMm5K//K2yiL0dErdtBB5s5q1PZI0Cm2/imzrOI6HP9UjUvy6lCDj6EHw==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 - better-auth: ^1.6.23 + better-auth: ^1.7.0-rc.1 better-call: 1.3.7 '@better-auth/prisma-adapter@1.6.23': @@ -3996,7 +4005,7 @@ packages: peerDependencies: '@opentelemetry/api': ^1.0.0 '@sveltejs/vite-plugin-svelte': ^3.0.0 || ^4.0.0-next.1 || ^5.0.0 || ^6.0.0-next.0 || ^7.0.0 - svelte: ^4.0.0 || ^5.0.0-next.0 + svelte: ^5.55.7 typescript: ^5.3.3 || ^6.0.0 vite: ^5.0.3 || ^6.0.0 || ^7.0.0-beta.0 || ^8.0.0 peerDependenciesMeta: @@ -4009,7 +4018,7 @@ packages: resolution: {integrity: sha512-ILXmxC7HAsnkK2eslgPetrqqW1BKSL7LktsFgqzNj83MaivMGZzluWq32m25j2mDOjmSKX7GGWahePhuEs7P/g==} engines: {node: ^20.19 || ^22.12 || >=24} peerDependencies: - svelte: ^5.46.4 + svelte: ^5.55.7 vite: ^8.0.0-beta.7 || ^8.0.0 '@swc/helpers@0.5.15': @@ -4146,9 +4155,9 @@ packages: '@textlint/types@15.7.1': resolution: {integrity: sha512-Vye/GmFNBTgVzZFtIFJTmLB+s2A7oIADxNG6r9UhfPuY+Czv0z5G3xeyFZZudPlfxURsKUyPIU5XsjOFqVp33A==} - '@tootallnate/once@1.1.2': - resolution: {integrity: sha512-RbzJvlNzmRq5c3O09UipeuXno4tA1FE6ikOjxZK0tuxVv3412l64l5t1W5pj4+rJq9vpkm/kwiR07aZXnsKPxw==} - engines: {node: '>= 6'} + '@tootallnate/once@2.0.1': + resolution: {integrity: sha512-HqmEUIGRJ5fSXchkVgR5F7qn48bDBzv0kWj/Kfu5e6uci4UlEeng4331LnBkWffb++Ei3FOVLxo8JJWMFBDMeQ==} + engines: {node: '>= 10'} '@ts-morph/common@0.29.0': resolution: {integrity: sha512-35oUmphHbJvQ/+UTwFNme/t2p3FoKiGJ5auTjjpNTop2dyREspirjMy82PLSC1pnDJ8ah1GU98hwpVt64YXQsg==} @@ -4794,7 +4803,7 @@ packages: react: ^18.0.0 || ^19.0.0 react-dom: ^18.0.0 || ^19.0.0 solid-js: ^1.0.0 - svelte: ^4.0.0 || ^5.0.0 + svelte: ^5.55.7 vitest: ^2.0.0 || ^3.0.0 || ^4.0.0 vue: ^3.0.0 peerDependenciesMeta: @@ -5156,8 +5165,8 @@ packages: resolution: {integrity: sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==} engines: {node: '>=6.6.0'} - cookie@0.6.0: - resolution: {integrity: sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==} + cookie@0.7.0: + resolution: {integrity: sha512-qCf+V4dtlNhSRXGAZatc1TasyFO6GjohcOul807YOb5ik3+kQSnb4d7iajeCL8QHaJ4uZEjCgiCJerKXwdRVlQ==} engines: {node: '>= 0.6'} cookie@0.7.2: @@ -7615,7 +7624,7 @@ packages: engines: {node: '>= 18'} peerDependencies: jiti: '>=1.21.0' - postcss: '>=8.0.9' + postcss: ^8.5.10 tsx: ^4.8.1 yaml: ^2.4.2 peerDependenciesMeta: @@ -7628,10 +7637,6 @@ packages: yaml: optional: true - postcss@8.4.31: - resolution: {integrity: sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==} - engines: {node: ^10 || ^12 || >=14} - postcss@8.5.18: resolution: {integrity: sha512-xdB1oSLHbz1vRWgCDalrCqEFTWzFlhqFC5tIHLMOSUIjhm3XXQ1qrFy8S/ESr1JYRRXqM3c1QFiMZUJdUTqyMQ==} engines: {node: ^10 || ^12 || >=14} @@ -8263,8 +8268,8 @@ packages: resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==} engines: {node: '>= 0.4'} - svelte@5.55.3: - resolution: {integrity: sha512-dS1N+i3bA1v+c4UDb750MlN5vCO82G6vxh8HeTsPsTdJ1BLsN1zxSyDlIdBBqUjqZ/BxEwM8UrFf98aaoVnZFQ==} + svelte@5.56.5: + resolution: {integrity: sha512-P03YJmUy2JoOxYHb4Ka3oFat1hq2ko2it1MOItSjsJ4B6WgZPLc3+RyyU+57OGWhs3Ieq74EJpZtSnNXdAGgDw==} engines: {node: '>=18'} table@6.9.0: @@ -8434,7 +8439,7 @@ packages: peerDependencies: '@microsoft/api-extractor': ^7.36.0 '@swc/core': ^1 - postcss: ^8.4.12 + postcss: ^8.5.10 typescript: '>=4.5.0' peerDependenciesMeta: '@microsoft/api-extractor': @@ -8596,13 +8601,8 @@ packages: util-deprecate@1.0.2: resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==} - uuid@14.0.1: - resolution: {integrity: sha512-6ZxzVpzDXDa3bJWaHilVayA+BH/1zmxCJoVgvmqJnid/gPoKHxUrS/aC/T6LGQtNHT+XHG9fXPJB4d+IrU30Ew==} - hasBin: true - - uuid@8.3.2: - resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==} - deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). + uuid@11.1.1: + resolution: {integrity: sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==} hasBin: true validate-npm-package-license@3.0.4: @@ -9307,12 +9307,12 @@ snapshots: optionalDependencies: mongodb: 7.5.0(socks@2.8.9) - '@better-auth/oauth-provider@1.6.23(fd11e4920ccca1ffd38b6ae495c5b791)': + '@better-auth/oauth-provider@1.7.0-rc.1(cbb5eacd36da2fc4af9e6bf4f5c2aa26)': dependencies: '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 - better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.55.3(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) better-call: 1.3.7(zod@4.4.3) jose: 6.2.3 zod: 4.4.3 @@ -9322,20 +9322,20 @@ snapshots: '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 - '@better-auth/scim@1.7.0-rc.1(f7524a52bb9c2782743bc554398fd16d)': + '@better-auth/scim@1.7.0-rc.1(e532fad85f382004d74095166a0ee9bf)': dependencies: '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 - better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.55.3(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) better-call: 1.3.7(zod@4.4.3) zod: 4.4.3 - '@better-auth/sso@1.6.23(fd11e4920ccca1ffd38b6ae495c5b791)': + '@better-auth/sso@1.6.23(cbb5eacd36da2fc4af9e6bf4f5c2aa26)': dependencies: '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 - better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.55.3(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) better-call: 1.3.7(zod@4.4.3) fast-xml-parser: 5.10.0 jose: 6.2.3 @@ -10751,16 +10751,15 @@ snapshots: '@sveltejs/acorn-typescript@1.0.11(acorn@8.17.0)': dependencies: acorn: 8.17.0 - optional: true - '@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.55.3(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0))': + '@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0))': dependencies: '@standard-schema/spec': 1.1.0 '@sveltejs/acorn-typescript': 1.0.11(acorn@8.17.0) - '@sveltejs/vite-plugin-svelte': 7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)) + '@sveltejs/vite-plugin-svelte': 7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)) '@types/cookie': 0.6.0 acorn: 8.17.0 - cookie: 0.6.0 + cookie: 0.7.0 devalue: 5.8.1 esm-env: 1.2.2 kleur: 4.1.5 @@ -10768,19 +10767,19 @@ snapshots: mrmime: 2.0.1 set-cookie-parser: 3.1.2 sirv: 3.0.2 - svelte: 5.55.3(@typescript-eslint/types@8.63.0) + svelte: 5.56.5(@typescript-eslint/types@8.63.0) vite: 8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0) optionalDependencies: '@opentelemetry/api': 1.9.1 typescript: 6.0.3 optional: true - '@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0))': + '@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0))': dependencies: deepmerge: 4.3.1 magic-string: 0.30.21 obug: 2.1.3 - svelte: 5.55.3(@typescript-eslint/types@8.63.0) + svelte: 5.56.5(@typescript-eslint/types@8.63.0) vite: 8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0) vitefu: 1.1.3(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)) optional: true @@ -10919,7 +10918,7 @@ snapshots: dependencies: '@textlint/ast-node-types': 15.7.1 - '@tootallnate/once@1.1.2': + '@tootallnate/once@2.0.1': optional: true '@ts-morph/common@0.29.0': @@ -11157,8 +11156,7 @@ snapshots: dependencies: tar: 7.5.20 - '@types/trusted-types@2.0.7': - optional: true + '@types/trusted-types@2.0.7': {} '@types/unist@2.0.11': {} @@ -11528,8 +11526,7 @@ snapshots: dependencies: tslib: 2.8.1 - aria-query@5.3.1: - optional: true + aria-query@5.3.1: {} array-union@2.1.0: {} @@ -11559,8 +11556,7 @@ snapshots: aws-ssl-profiles@1.1.2: {} - axobject-query@4.1.0: - optional: true + axobject-query@4.1.0: {} azure-devops-node-api@12.5.0: dependencies: @@ -11606,7 +11602,7 @@ snapshots: baseline-browser-mapping@2.10.43: {} - better-auth@1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.55.3(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vitest@4.1.10): + better-auth@1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10): dependencies: '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/drizzle-adapter': 1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2) @@ -11626,7 +11622,7 @@ snapshots: nanostores: 1.4.0 zod: 4.4.3 optionalDependencies: - '@sveltejs/kit': 2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.55.3(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.55.3(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)) + '@sveltejs/kit': 2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)) better-sqlite3: 12.11.1 mongodb: 7.5.0(socks@2.8.9) mysql2: 3.22.6(@types/node@26.1.1) @@ -11634,7 +11630,7 @@ snapshots: pg: 8.22.0 react: 19.2.7 react-dom: 19.2.7(react@19.2.7) - svelte: 5.55.3(@typescript-eslint/types@8.63.0) + svelte: 5.56.5(@typescript-eslint/types@8.63.0) vitest: 4.1.10(@opentelemetry/api@1.9.1)(@types/node@26.1.1)(@vitest/coverage-v8@4.1.10)(happy-dom@20.10.2)(msw@2.14.6(@types/node@26.1.1)(typescript@6.0.3))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)) transitivePeerDependencies: - '@cloudflare/workers-types' @@ -11953,7 +11949,7 @@ snapshots: cookie-signature@1.2.2: {} - cookie@0.6.0: + cookie@0.7.0: optional: true cookie@0.7.2: {} @@ -12246,8 +12242,7 @@ snapshots: detect-node-es@1.1.0: {} - devalue@5.8.1: - optional: true + devalue@5.8.1: {} devlop@1.1.0: dependencies: @@ -12469,8 +12464,7 @@ snapshots: transitivePeerDependencies: - supports-color - esm-env@1.2.2: - optional: true + esm-env@1.2.2: {} esm@3.2.25: {} @@ -12491,7 +12485,6 @@ snapshots: '@jridgewell/sourcemap-codec': 1.5.5 optionalDependencies: '@typescript-eslint/types': 8.63.0 - optional: true esrecurse@4.3.0: dependencies: @@ -12566,7 +12559,7 @@ snapshots: saxes: 5.0.1 tmp: 0.2.7 unzipper: 0.10.14 - uuid: 8.3.2 + uuid: 11.1.1 expand-template@2.0.3: {} @@ -13183,7 +13176,7 @@ snapshots: http-proxy-agent@4.0.1: dependencies: - '@tootallnate/once': 1.1.2 + '@tootallnate/once': 2.0.1 agent-base: 6.0.2 debug: 4.4.3(supports-color@8.1.1) transitivePeerDependencies: @@ -13337,7 +13330,6 @@ snapshots: is-reference@3.0.3: dependencies: '@types/estree': 1.0.9 - optional: true is-subdir@1.2.0: dependencies: @@ -13597,8 +13589,7 @@ snapshots: load-tsconfig@0.2.5: {} - locate-character@3.0.0: - optional: true + locate-character@3.0.0: {} locate-path@5.0.0: dependencies: @@ -13923,7 +13914,7 @@ snapshots: roughjs: 4.6.6 stylis: 4.4.0 ts-dedent: 2.3.0 - uuid: 14.0.1 + uuid: 11.1.1 micromark-core-commonmark@2.0.3: dependencies: @@ -14451,7 +14442,7 @@ snapshots: '@swc/helpers': 0.5.15 baseline-browser-mapping: 2.10.43 caniuse-lite: 1.0.30001805 - postcss: 8.4.31 + postcss: 8.5.18 react: 19.2.7 react-dom: 19.2.7(react@19.2.7) styled-jsx: 5.1.6(react@19.2.7) @@ -14784,12 +14775,6 @@ snapshots: tsx: 4.23.0 yaml: 2.9.0 - postcss@8.4.31: - dependencies: - nanoid: 3.3.16 - picocolors: 1.1.1 - source-map-js: 1.2.1 - postcss@8.5.18: dependencies: nanoid: 3.3.16 @@ -15598,7 +15583,7 @@ snapshots: supports-preserve-symlinks-flag@1.0.0: {} - svelte@5.55.3(@typescript-eslint/types@8.63.0): + svelte@5.56.5(@typescript-eslint/types@8.63.0): dependencies: '@jridgewell/remapping': 2.3.5 '@jridgewell/sourcemap-codec': 1.5.5 @@ -15618,7 +15603,6 @@ snapshots: zimmerframe: 1.1.4 transitivePeerDependencies: - '@typescript-eslint/types' - optional: true table@6.9.0: dependencies: @@ -15986,9 +15970,7 @@ snapshots: util-deprecate@1.0.2: {} - uuid@14.0.1: {} - - uuid@8.3.2: {} + uuid@11.1.1: {} validate-npm-package-license@3.0.4: dependencies: @@ -16189,8 +16171,7 @@ snapshots: yocto-queue@0.1.0: {} - zimmerframe@1.1.4: - optional: true + zimmerframe@1.1.4: {} zip-stream@4.1.1: dependencies: diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 17689128a9..97a2e219ed 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -33,6 +33,28 @@ onlyBuiltDependencies: # the advisory is patched only in >=1.7.0-beta.4 — there is NO stable # patched release yet. Pin to the newest pre-release (1.7.0-rc.1) to clear # the CI audit gate; revert to a stable `^1.7.x` line the moment one ships. +# - @better-auth/oauth-provider: GHSA-p2fr-6hmx-4528 — same better-auth +# monorepo and same situation as @better-auth/scim above. `plugin-auth` +# depends on ^1.6.23; the fix first ships in the 1.7.0 pre-release line. +# Pin to 1.7.0-rc.1 for parity with @better-auth/scim. +# - uuid: GHSA-w5hq-g745-h8pq (high) — pulled 8.3.2 transitively; the fix +# first lands in 11.1.1. Pin to the ^11.1.1 LTS line (uuid `legacy-11` +# dist-tag) rather than the latest major to keep the jump conservative. +# - postcss: GHSA-qx2v-qp2m-jg93 — a transitive path still resolves 8.4.31 +# (the direct `apps/docs` dep already tracks ^8.5.x); force the patched +# ^8.5.10 line so the transitive copy is deduped onto it. +# - cookie: GHSA-pxg6-pf52-xh8x — pulled 0.6.0 transitively; force the +# patched 0.7.0 line (drop-in compatible). +# - svelte: GHSA-9rmh-mm8f-r9h6, GHSA-f3cj-j4f6-wq85, GHSA-pr6f-5x2q-rwfp, +# GHSA-rcqx-6q8c-2c42 — auto-installed (auto-install-peers) as an *optional* +# peer-of-a-peer via better-auth > @sveltejs/kit at 5.55.3. An `overrides` +# entry alone can't rewrite this resolution (pnpm rewrites the peer range +# but leaves the locked 5.55.3), so the patched line is pinned by BOTH this +# override AND a `svelte: ^5.55.7` devDependency in the root (private) +# package.json, which gives the peer a concrete version to dedupe onto. +# Keep both in sync; removing the root devDependency reintroduces 5.55.3. +# - @tootallnate/once: GHSA-vpq2-c234-7xj6 (low) — pulled 1.1.2 through a +# legacy agent chain; force the patched 2.0.1 line. overrides: esbuild: '>=0.28.1' 'minimatch@<10.2.3': '10.2.3' @@ -40,3 +62,9 @@ overrides: 'form-data@<4.0.6': '>=4.0.6' 'undici@>=7.23.0 <7.28.0': '^7.28.0' '@better-auth/scim@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/oauth-provider@<1.7.0-rc.1': '1.7.0-rc.1' + 'uuid@<11.1.1': '^11.1.1' + 'postcss@<8.5.10': '^8.5.10' + 'cookie@<0.7.0': '0.7.0' + svelte: '^5.55.7' + '@tootallnate/once@<2.0.1': '2.0.1' From 421eeea12d35e0698e6cd587fa5b3b31c7ed6a8f Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 15 Jul 2026 16:21:58 +0000 Subject: [PATCH 4/5] fix(auth): align better-auth family on 1.7.0-rc.1 + new adapter methods The @better-auth/oauth-provider fix (GHSA-p2fr-6hmx-4528) only ships in the 1.7 line, whose plugins import CLIENT_ASSERTION_TYPE and other symbols that exist only in @better-auth/core 1.7.x. Pinning oauth-provider to 1.7.0-rc.1 while core/better-auth stayed on 1.6.23 made sign-in 500 at runtime ("@better-auth/core/oauth2 does not provide an export named CLIENT_ASSERTION_TYPE"), failing the dogfood regression gate. Pin the ENTIRE better-auth family (better-auth, @better-auth/core, and all @better-auth/* plugins/adapters) to 1.7.0-rc.1 via pnpm-workspace overrides so the stack is internally consistent. better-auth 1.7 also adds two methods to its CustomAdapter contract, now implemented in the ObjectQL adapter as find-then-write mirrors of the existing delete/update methods (ObjectQL has no native atomic primitive): - consumeOne: atomic single-row consume (used for verification tokens on the sign-in path) - incrementOne: guarded field = field + delta counter mutation Verified locally: plugin-auth builds (dts included) and all 440 unit tests pass; frozen-lockfile is in sync; only plugin-auth consumes better-auth. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE --- .../plugin-auth-better-auth-17-adapter.md | 23 +++ .../plugin-auth/src/objectql-adapter.ts | 49 ++++++ pnpm-lock.yaml | 158 +++++++++--------- pnpm-workspace.yaml | 17 +- 4 files changed, 164 insertions(+), 83 deletions(-) create mode 100644 .changeset/plugin-auth-better-auth-17-adapter.md diff --git a/.changeset/plugin-auth-better-auth-17-adapter.md b/.changeset/plugin-auth-better-auth-17-adapter.md new file mode 100644 index 0000000000..ecb40ddae5 --- /dev/null +++ b/.changeset/plugin-auth-better-auth-17-adapter.md @@ -0,0 +1,23 @@ +--- +'@objectstack/plugin-auth': patch +--- + +fix(auth): align the better-auth family on 1.7.0-rc.1 and implement the new adapter methods (#2974) + +Remediating GHSA-p2fr-6hmx-4528 (`@better-auth/oauth-provider`) requires the +1.7 plugin line, which imports `CLIENT_ASSERTION_TYPE` and other symbols that +only exist in `@better-auth/core` 1.7.x — so the whole better-auth family is +pinned to `1.7.0-rc.1` together (mixing a 1.7 plugin with 1.6.23 core 500s on +sign-in). better-auth 1.7 also extends its `CustomAdapter` contract with two +new methods, which the ObjectQL adapter now implements: + +- `consumeOne` — atomic single-row consume (find the guarded row, delete it, + return it), used by better-auth for single-use credential consumption + (e.g. verification tokens on the sign-in path). +- `incrementOne` — guarded counter mutation (`field = field + delta` per + `increment` entry plus any absolute `set` values), returning the updated row + or `null` when the guard matches nothing. + +Both are find-then-write mirrors of the existing `delete` / `update` methods +(ObjectQL exposes no native atomic primitive) and honour the same core/plugin +field-name bridging. diff --git a/packages/plugins/plugin-auth/src/objectql-adapter.ts b/packages/plugins/plugin-auth/src/objectql-adapter.ts index ae2c12bf90..daabb0a94b 100644 --- a/packages/plugins/plugin-auth/src/objectql-adapter.ts +++ b/packages/plugins/plugin-auth/src/objectql-adapter.ts @@ -334,6 +334,55 @@ export function createObjectQLAdapterFactory(rawDataEngine: IDataEngine) { } return records.length; }, + + // Atomic single-row consume (better-auth 1.7+). ObjectQL has no native + // `DELETE ... RETURNING`, so we find the single guarded row, delete it, + // and return the consumed record — a find-then-write mirror of `delete`. + consumeOne: async ( + { model, where }: { model: string; where: CleanedWhere[] }, + ): Promise => { + const objectName = resolveProtocolName(model); + const bridged = objectName !== model; + const filter = convertWhere(bridged ? remapWhere(where) : where); + + const record = await dataEngine.findOne(objectName, { where: filter }); + if (!record) return null; + await dataEngine.delete(objectName, { where: { id: record.id } }); + const norm = normaliseLegacyDates(model, record); + return (bridged ? remapKeys(norm, snakeToCamel) : norm) as T; + }, + + // Guarded counter mutation (better-auth 1.7+). ObjectQL has no native + // `SET n = n + $delta ... RETURNING`, so we read the guarded row, apply + // `field = field + delta` for each `increment` entry (negative deltas + // decrement) plus any absolute `set` values, and write it back. `where` + // is both selector and guard, so a non-matching guard returns null. + incrementOne: async ( + { model, where, increment, set }: { + model: string; where: CleanedWhere[]; + increment: Record; set?: Record; + }, + ): Promise => { + const objectName = resolveProtocolName(model); + const bridged = objectName !== model; + const filter = convertWhere(bridged ? remapWhere(where) : where); + + const record = await dataEngine.findOne(objectName, { where: filter }); + if (!record) return null; + + const patch: Record = {}; + for (const [field, delta] of Object.entries(increment)) { + const col = bridged ? camelToSnake(field) : field; + const current = Number((record as Record)[col] ?? 0); + patch[col] = current + delta; + } + if (set) Object.assign(patch, bridged ? remapKeys(set, camelToSnake) : set); + + const result = await dataEngine.update(objectName, { ...patch, id: record.id }); + if (!result) return null; + const norm = normaliseLegacyDates(model, result); + return (bridged ? remapKeys(norm, snakeToCamel) : norm) as T; + }, }), }); } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index c315430172..1290c8b93b 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -10,8 +10,17 @@ overrides: tar@>=2.0.0 <7.5.11: ^7.5.11 form-data@<4.0.6: '>=4.0.6' undici@>=7.23.0 <7.28.0: ^7.28.0 + better-auth@<1.7.0-rc.1: 1.7.0-rc.1 + '@better-auth/core@<1.7.0-rc.1': 1.7.0-rc.1 '@better-auth/scim@<1.7.0-rc.1': 1.7.0-rc.1 '@better-auth/oauth-provider@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/sso@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/drizzle-adapter@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/kysely-adapter@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/memory-adapter@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/mongo-adapter@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/prisma-adapter@<1.7.0-rc.1': 1.7.0-rc.1 + '@better-auth/telemetry@<1.7.0-rc.1': 1.7.0-rc.1 uuid@<11.1.1: ^11.1.1 postcss@<8.5.10: ^8.5.10 cookie@<0.7.0: 0.7.0 @@ -1320,17 +1329,17 @@ importers: packages/plugins/plugin-auth: dependencies: '@better-auth/core': - specifier: ^1.6.23 - version: 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + specifier: 1.7.0-rc.1 + version: 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/oauth-provider': specifier: 1.7.0-rc.1 - version: 1.7.0-rc.1(cbb5eacd36da2fc4af9e6bf4f5c2aa26) + version: 1.7.0-rc.1(d37c296af90073cd4febdd02701fdde9) '@better-auth/scim': specifier: 1.7.0-rc.1 - version: 1.7.0-rc.1(e532fad85f382004d74095166a0ee9bf) + version: 1.7.0-rc.1(8eecf8493c740b15981aa3ac7fe18ecf) '@better-auth/sso': - specifier: ^1.6.23 - version: 1.6.23(cbb5eacd36da2fc4af9e6bf4f5c2aa26) + specifier: 1.7.0-rc.1 + version: 1.7.0-rc.1(d37c296af90073cd4febdd02701fdde9) '@noble/hashes': specifier: ^2.2.0 version: 2.2.0 @@ -1350,8 +1359,8 @@ importers: specifier: workspace:* version: link:../../types better-auth: - specifier: ^1.6.23 - version: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + specifier: 1.7.0-rc.1 + version: 1.7.0-rc.1(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) jose: specifier: ^6.2.3 version: 6.2.3 @@ -2433,8 +2442,8 @@ packages: resolution: {integrity: sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==} engines: {node: '>=18'} - '@better-auth/core@1.6.23': - resolution: {integrity: sha512-beEhOs0uVeOxYOZKUfIEBd/nQV2Bd4/6wyLxZ0OFkn6CMTK2Vi+hXuZLnyPBeB6RdHpebEoJWiHqwHxBIxgPDQ==} + '@better-auth/core@1.7.0-rc.1': + resolution: {integrity: sha512-qwVJ5LBPAp8FhhRbUzJDv8cp6h6sn266PPJIXBhB2aYXee40/VGpyoTmx9+LmOotOLQ4BWSO5rCSDvS8FGVdEQ==} peerDependencies: '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 @@ -2450,36 +2459,36 @@ packages: '@opentelemetry/api': optional: true - '@better-auth/drizzle-adapter@1.6.23': - resolution: {integrity: sha512-2+/PTVfIP9E7iz6af8TB3lhnowHUj9ljC66kECmHaFEdUqPgzHoWux9epotKwO7XDg2ui4ttWQ8CMeNFLvQeKQ==} + '@better-auth/drizzle-adapter@1.7.0-rc.1': + resolution: {integrity: sha512-r2PjeNFZpWwkW9hvMyE+sgqzYPm3+pB7wE6+aL/iVl0SumqJns1fTFZiqTlQP67AUhJHO2Oelra+WdrtEE0v5Q==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 - drizzle-orm: ^0.45.2 + drizzle-orm: ^0.45.2 || >=1.0.0-rc.1 <2.0.0 peerDependenciesMeta: drizzle-orm: optional: true - '@better-auth/kysely-adapter@1.6.23': - resolution: {integrity: sha512-zbNJsMbG09exfkGyvFqBLLqWoMPAUWjxCuUnEK5AsjbYoZeIjj/QGZgdf4CapVWryKxjA9Q6Jlr6fbiPpC3VAg==} + '@better-auth/kysely-adapter@1.7.0-rc.1': + resolution: {integrity: sha512-8ykUlvqJERPJj3fohgc66VA091tGNiZlw0Pr4YnChr4n7bSqI6P/9bic1g6+XiGz10Li4t0qGcyqBpXKJb/iTw==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 kysely: ^0.28.17 || ^0.29.0 peerDependenciesMeta: kysely: optional: true - '@better-auth/memory-adapter@1.6.23': - resolution: {integrity: sha512-krIiR0pIVkaKlAzm690n5bcMW4NGbqeMg0HQSD9fz/KcQF/eWLqcq9gG/BhHTj2i/y96qH+W5JWPmaSOS5iTgQ==} + '@better-auth/memory-adapter@1.7.0-rc.1': + resolution: {integrity: sha512-CyGMXZNCLQ531K4mhdSfhAjXXh+R+ybX/Xss2u9ZYs7un5XZbL+gC5rTGNPktV3KcEHPG60/om7x3bH4jMPi6g==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 - '@better-auth/mongo-adapter@1.6.23': - resolution: {integrity: sha512-7+QdevitGlKBbP6JbiSk5SBnzPsKV/mDrQBGBn8hwByQLeJwqpqbuBPw7ZI8vzUlFfAAnyFiqwP3Eb8mxnp7pA==} + '@better-auth/mongo-adapter@1.7.0-rc.1': + resolution: {integrity: sha512-nJEythD9d9rsEPCb3awTSrYn+heLDAReTyBQrfxOC5HYv+m+ekElE8Fy/XuFzENw+7qyY0V7LlfGK7JYhL5XbQ==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 mongodb: ^6.0.0 || ^7.0.0 peerDependenciesMeta: @@ -2495,10 +2504,10 @@ packages: better-auth: ^1.7.0-rc.1 better-call: 1.3.7 - '@better-auth/prisma-adapter@1.6.23': - resolution: {integrity: sha512-2qSdzidq4tkb1eS5TTqb4Nzg0mdZWm3Qky9SYeXeb8PpVQbC2sxqJhEM5mK7y12uU6I8hc64wO9f7AFVNL+6UQ==} + '@better-auth/prisma-adapter@1.7.0-rc.1': + resolution: {integrity: sha512-d7J+VO7ZGnt20agKYDfA8XRi8Tzw4fekmzQTUzfkfd9EwYvOUx1Ed6cCjG7nsEPuHn49PLVtv+iX5Cfx2XF2kw==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 '@prisma/client': ^5.0.0 || ^6.0.0 || ^7.0.0 prisma: ^5.0.0 || ^6.0.0 || ^7.0.0 @@ -2516,19 +2525,19 @@ packages: better-auth: ^1.7.0-rc.1 better-call: 1.3.7 - '@better-auth/sso@1.6.23': - resolution: {integrity: sha512-nAO25rH25SL2t/BkK/iPqGsnhwI7tOGxktVupuyIBysju13QpV4tJjytnSbVnnDwPo5p6M4Ld6WF83XCEJYCzg==} + '@better-auth/sso@1.7.0-rc.1': + resolution: {integrity: sha512-+v7y+NbuWKnQphSq6K9R3NzIwdpxsY3BSDcM2Z2EoLIMaKYJczR6L2NTf3medG1UYdZDbVLunZQ7RxWaO4pzoQ==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 - better-auth: ^1.6.23 + better-auth: ^1.7.0-rc.1 better-call: 1.3.7 - '@better-auth/telemetry@1.6.23': - resolution: {integrity: sha512-/R2Kb+z2BpDOOWwVHqOk+c0VNpuwfCv4Hp5Yr9003WIZPax/zyNraGLB9CFE8qF2gZW8Dsz419k4I8CPrGzpDA==} + '@better-auth/telemetry@1.7.0-rc.1': + resolution: {integrity: sha512-1lpODl12kDY3jA/46odeEtfC0u/UyPWAchtqIZq/JZVJGrnK5UCLwHRcSHYlkpHfZWXm7sXZYJ1vHJHKX66HCg==} peerDependencies: - '@better-auth/core': ^1.6.23 + '@better-auth/core': ^1.7.0-rc.1 '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 @@ -4784,8 +4793,8 @@ packages: engines: {node: '>=6.0.0'} hasBin: true - better-auth@1.6.23: - resolution: {integrity: sha512-4vOaRd9UiKGKm9R+ej0jjU1es3MiJIiNc9Qq3VCnYqOZ4/nb5272QqTxWYoDxyUXl5x6A2x2we5KZKQO9teTQQ==} + better-auth@1.7.0-rc.1: + resolution: {integrity: sha512-dmTImZTzxDYfNSLdv5yTwRxNMnN8xBQnG9oeeW+eSltO0R0TxOfYZTnu1JE9MSI8tlR5tFfUaoLBTal6Z28v9A==} peerDependencies: '@lynx-js/react': '*' '@prisma/client': ^5.0.0 || ^6.0.0 || ^7.0.0 @@ -8362,16 +8371,9 @@ packages: resolution: {integrity: sha512-Bf+ILmBgretUrdJxzXM0SgXLZ3XfiaUuOj/IKQHuTXip+05Xn+uyEYdVg0kYDipTBcLrCVyUzAPz7QmArb0mmw==} engines: {node: '>=14.0.0'} - tldts-core@6.1.86: - resolution: {integrity: sha512-Je6p7pkk+KMzMv2XXKmAE3McmolOQFdxkKw0R8EYNr7sELW46JqnNeTX8ybPiQgvg1ymCoF8LXs5fzFaZvJPTA==} - tldts-core@7.4.8: resolution: {integrity: sha512-c1P7u0EhACHj7lPy4MJm8iTFEU8+nB0LCtddH0fhP7noaVoXAqafMtOOeX+ulpuPBqnrRgRhw494RICT3mbhnw==} - tldts@6.1.86: - resolution: {integrity: sha512-WMi/OQ2axVTf/ykqCQgXiIct+mSQDFdH2fkwhPwgEwvJ1kSzZRiinb0zF2Xb8u4+OqPChmyI6MEu4EezNJz+FQ==} - hasBin: true - tldts@7.4.8: resolution: {integrity: sha512-htwgN/8KRB3z3vnC0BOETVh2m499g5GmyTK9Wq5JBLX3FNz6tSBveAd+fQhzy9hkjif8vy2jwDMR1sGhLtZl2A==} hasBin: true @@ -9268,7 +9270,7 @@ snapshots: '@bcoe/v8-coverage@1.0.2': {} - '@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0)': + '@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0)': dependencies: '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 @@ -9283,69 +9285,69 @@ snapshots: '@cloudflare/workers-types': 4.20260520.1 '@opentelemetry/api': 1.9.1 - '@better-auth/drizzle-adapter@1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)': + '@better-auth/drizzle-adapter@1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 - '@better-auth/kysely-adapter@1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(kysely@0.29.3)': + '@better-auth/kysely-adapter@1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(kysely@0.29.3)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 optionalDependencies: kysely: 0.29.3 - '@better-auth/memory-adapter@1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)': + '@better-auth/memory-adapter@1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 - '@better-auth/mongo-adapter@1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(mongodb@7.5.0(socks@2.8.9))': + '@better-auth/mongo-adapter@1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(mongodb@7.5.0(socks@2.8.9))': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 optionalDependencies: mongodb: 7.5.0(socks@2.8.9) - '@better-auth/oauth-provider@1.7.0-rc.1(cbb5eacd36da2fc4af9e6bf4f5c2aa26)': + '@better-auth/oauth-provider@1.7.0-rc.1(d37c296af90073cd4febdd02701fdde9)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 - better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + better-auth: 1.7.0-rc.1(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) better-call: 1.3.7(zod@4.4.3) jose: 6.2.3 zod: 4.4.3 - '@better-auth/prisma-adapter@1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)': + '@better-auth/prisma-adapter@1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 - '@better-auth/scim@1.7.0-rc.1(e532fad85f382004d74095166a0ee9bf)': + '@better-auth/scim@1.7.0-rc.1(8eecf8493c740b15981aa3ac7fe18ecf)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 - better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + better-auth: 1.7.0-rc.1(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) better-call: 1.3.7(zod@4.4.3) zod: 4.4.3 - '@better-auth/sso@1.6.23(cbb5eacd36da2fc4af9e6bf4f5c2aa26)': + '@better-auth/sso@1.7.0-rc.1(d37c296af90073cd4febdd02701fdde9)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 - better-auth: 1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) + better-auth: 1.7.0-rc.1(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10) better-call: 1.3.7(zod@4.4.3) fast-xml-parser: 5.10.0 jose: 6.2.3 samlify: 2.13.1 - tldts: 6.1.86 + tldts: 7.4.8 zod: 4.4.3 - '@better-auth/telemetry@1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)': + '@better-auth/telemetry@1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)': dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 @@ -11602,15 +11604,15 @@ snapshots: baseline-browser-mapping@2.10.43: {} - better-auth@1.6.23(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10): + better-auth@1.7.0-rc.1(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(@sveltejs/kit@2.66.0(@opentelemetry/api@1.9.1)(@sveltejs/vite-plugin-svelte@7.0.0(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(svelte@5.56.5(@typescript-eslint/types@8.63.0))(typescript@6.0.3)(vite@8.0.16(@types/node@26.1.1)(esbuild@0.28.1)(jiti@2.7.0)(tsx@4.23.0)(yaml@2.9.0)))(better-sqlite3@12.11.1)(mongodb@7.5.0(socks@2.8.9))(mysql2@3.22.6(@types/node@26.1.1))(next@16.2.10(@opentelemetry/api@1.9.1)(@playwright/test@1.61.1)(react-dom@19.2.7(react@19.2.7))(react@19.2.7))(pg@8.22.0)(react-dom@19.2.7(react@19.2.7))(react@19.2.7)(svelte@5.56.5(@typescript-eslint/types@8.63.0))(vitest@4.1.10): dependencies: - '@better-auth/core': 1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) - '@better-auth/drizzle-adapter': 1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2) - '@better-auth/kysely-adapter': 1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(kysely@0.29.3) - '@better-auth/memory-adapter': 1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2) - '@better-auth/mongo-adapter': 1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(mongodb@7.5.0(socks@2.8.9)) - '@better-auth/prisma-adapter': 1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2) - '@better-auth/telemetry': 1.6.23(@better-auth/core@1.6.23(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1) + '@better-auth/core': 1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0) + '@better-auth/drizzle-adapter': 1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2) + '@better-auth/kysely-adapter': 1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(kysely@0.29.3) + '@better-auth/memory-adapter': 1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2) + '@better-auth/mongo-adapter': 1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(mongodb@7.5.0(socks@2.8.9)) + '@better-auth/prisma-adapter': 1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2) + '@better-auth/telemetry': 1.7.0-rc.1(@better-auth/core@1.7.0-rc.1(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1)(@cloudflare/workers-types@4.20260520.1)(@opentelemetry/api@1.9.1)(better-call@1.3.7(zod@4.4.3))(jose@6.2.3)(kysely@0.29.3)(nanostores@1.4.0))(@better-auth/utils@0.4.2)(@better-fetch/fetch@1.3.1) '@better-auth/utils': 0.4.2 '@better-fetch/fetch': 1.3.1 '@noble/ciphers': 2.2.0 @@ -15721,19 +15723,11 @@ snapshots: tinyrainbow@3.1.0: {} - tldts-core@6.1.86: {} - - tldts-core@7.4.8: - optional: true - - tldts@6.1.86: - dependencies: - tldts-core: 6.1.86 + tldts-core@7.4.8: {} tldts@7.4.8: dependencies: tldts-core: 7.4.8 - optional: true tmp@0.2.7: {} diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 97a2e219ed..317ff8001c 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -36,7 +36,12 @@ onlyBuiltDependencies: # - @better-auth/oauth-provider: GHSA-p2fr-6hmx-4528 — same better-auth # monorepo and same situation as @better-auth/scim above. `plugin-auth` # depends on ^1.6.23; the fix first ships in the 1.7.0 pre-release line. -# Pin to 1.7.0-rc.1 for parity with @better-auth/scim. +# Pin to 1.7.0-rc.1. The 1.7 oauth-provider is exercised on the sign-in +# path and imports symbols (e.g. CLIENT_ASSERTION_TYPE) that only exist in +# @better-auth/core 1.7.x, so the ENTIRE better-auth family must move to +# 1.7.0-rc.1 together — mixing a 1.7 plugin with 1.6.23 core 500s at +# runtime (dogfood sign-in). The full family is pinned below; revert all of +# them to a stable `^1.7.x` line the moment one ships. # - uuid: GHSA-w5hq-g745-h8pq (high) — pulled 8.3.2 transitively; the fix # first lands in 11.1.1. Pin to the ^11.1.1 LTS line (uuid `legacy-11` # dist-tag) rather than the latest major to keep the jump conservative. @@ -61,8 +66,18 @@ overrides: 'tar@>=2.0.0 <7.5.11': '^7.5.11' 'form-data@<4.0.6': '>=4.0.6' 'undici@>=7.23.0 <7.28.0': '^7.28.0' + # better-auth family — kept on one line (see @better-auth/oauth-provider note). + 'better-auth@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/core@<1.7.0-rc.1': '1.7.0-rc.1' '@better-auth/scim@<1.7.0-rc.1': '1.7.0-rc.1' '@better-auth/oauth-provider@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/sso@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/drizzle-adapter@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/kysely-adapter@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/memory-adapter@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/mongo-adapter@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/prisma-adapter@<1.7.0-rc.1': '1.7.0-rc.1' + '@better-auth/telemetry@<1.7.0-rc.1': '1.7.0-rc.1' 'uuid@<11.1.1': '^11.1.1' 'postcss@<8.5.10': '^8.5.10' 'cookie@<0.7.0': '0.7.0' From 4ae38a7ba35b3c4b8891f9288ba289138c30a873 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 15 Jul 2026 16:49:34 +0000 Subject: [PATCH 5/5] fix(auth): add sys_jwks alg/crv columns for better-auth 1.7 JWKS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit better-auth 1.7 extends its `jwks` model with two new optional columns — `alg` (signing algorithm, e.g. EdDSA) and `crv` (curve, e.g. Ed25519) — and writes them when minting signing keys. The `sys_jwks` platform object lacked both, so every JWKS insert failed at the driver ("table sys_jwks has no column named alg"), 500ing token signing. Sign-in itself succeeded, but session validation (which touches the JWKS/JWT path) then failed, so every authenticated request returned 401 — surfacing as the dogfood regression gate's "expected 201/403, got 401" failures. Add the two optional `alg`/`crv` text fields to sys_jwks. Legacy rows minted before 1.7 leave them null; better-auth falls back to the configured keyPairConfig.alg (default EdDSA). Verified locally: the full @objectstack/dogfood suite passes (256 tests, 0 failures) with the better-auth family on 1.7.0-rc.1. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE --- .../plugin-auth-better-auth-17-adapter.md | 10 +++++++++- .../src/identity/sys-jwks.object.ts | 17 +++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/.changeset/plugin-auth-better-auth-17-adapter.md b/.changeset/plugin-auth-better-auth-17-adapter.md index ecb40ddae5..a68a32463c 100644 --- a/.changeset/plugin-auth-better-auth-17-adapter.md +++ b/.changeset/plugin-auth-better-auth-17-adapter.md @@ -1,8 +1,9 @@ --- '@objectstack/plugin-auth': patch +'@objectstack/platform-objects': patch --- -fix(auth): align the better-auth family on 1.7.0-rc.1 and implement the new adapter methods (#2974) +fix(auth): align the better-auth family on 1.7.0-rc.1, implement the new adapter methods, and add the new sys_jwks columns (#2974) Remediating GHSA-p2fr-6hmx-4528 (`@better-auth/oauth-provider`) requires the 1.7 plugin line, which imports `CLIENT_ASSERTION_TYPE` and other symbols that @@ -21,3 +22,10 @@ new methods, which the ObjectQL adapter now implements: Both are find-then-write mirrors of the existing `delete` / `update` methods (ObjectQL exposes no native atomic primitive) and honour the same core/plugin field-name bridging. + +better-auth 1.7 also extends its `jwks` model with two new optional columns, +`alg` (signing algorithm, e.g. `EdDSA`) and `crv` (curve, e.g. `Ed25519`), and +writes them when minting signing keys. The `sys_jwks` platform object gains the +matching fields — without them every JWKS write failed (`table sys_jwks has no +column named alg`), 500ing token signing and breaking session validation +(sign-in succeeded but every authenticated request 401'd). diff --git a/packages/platform-objects/src/identity/sys-jwks.object.ts b/packages/platform-objects/src/identity/sys-jwks.object.ts index 903f92cd49..3c7fb319d1 100644 --- a/packages/platform-objects/src/identity/sys-jwks.object.ts +++ b/packages/platform-objects/src/identity/sys-jwks.object.ts @@ -59,6 +59,23 @@ export const SysJwks = ObjectSchema.create({ description: 'JSON-serialized JWK private key (encrypted at rest)', }), + // better-auth 1.7 records the key's signing algorithm and (for EdDSA/EC + // keys) its curve alongside the key material, so tokens can advertise the + // correct `alg`/`crv` in the JWKS response. Both are optional — legacy rows + // minted before 1.7 leave them null and better-auth falls back to the + // configured `keyPairConfig.alg` (default `EdDSA`). + alg: Field.text({ + label: 'Algorithm', + required: false, + description: 'JWK signing algorithm, e.g. `EdDSA` (better-auth 1.7+)', + }), + + crv: Field.text({ + label: 'Curve', + required: false, + description: 'JWK curve for EdDSA/EC keys, e.g. `Ed25519` (better-auth 1.7+)', + }), + created_at: Field.datetime({ label: 'Created At', required: true,