Bump the npm_and_yarn group across 4 directories with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
@hono/node-server	1.19.10	1.19.13
better-auth	1.4.19	1.6.2
hono	4.12.7	4.12.18
vite	7.3.1	7.3.2
brace-expansion	1.1.12	5.0.6
defu	6.1.4	6.1.7
flatted	3.3.3	3.4.2
ip-address	10.1.0	10.2.0
tar	7.5.10	7.5.15
yaml	2.8.2	2.9.0

Bumps the npm_and_yarn group with 3 updates in the /examples/hono-cjs directory: @hono/node-server, better-auth and hono.
Bumps the npm_and_yarn group with 3 updates in the /examples/hono-esm directory: @hono/node-server, better-auth and hono.
Bumps the npm_and_yarn group with 1 update in the /packages/plugins directory: better-auth.

Updates @hono/node-server from 1.19.10 to 1.19.13

Release notes

Sourced from @​hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

Commits

• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• See full diff in compare view

Updates better-auth from 1.4.19 to 1.6.2

Release notes

Sourced from better-auth's releases.

v1.6.2

better-auth

❗ Breaking Changes

• Prevented unverified TOTP enrollment from blocking sign-in (#8711)

Migration: Schema migration required.

Add the verified column to the twoFactor table, then regenerate/apply your ORM migration.

• Prisma: run npx auth@latest generate, then npx prisma migrate dev (or npx prisma db push) and npx prisma generate.
• Drizzle: run npx auth@latest generate, then npx drizzle-kit generate and npx drizzle-kit migrate.

Existing rows do not need a backfill because the column defaults to true.

Features

• Included enabled 2FA methods in sign-in redirect response (#8772)

Bug Fixes

• Fixed OAuth state verification against cookie-stored nonce to prevent CSRF (#8949)
• Fixed infinite router refresh loops in nextCookies() by replacing cookie probe with header-based RSC detection (#9059)
• Fixed cross-provider account collision in link-social callback (#8983)
• Included RelayState in signed SAML AuthnRequests (#9058)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed multi-valued query params collapsing through prompt redirects (#9060)
• Rejected skip_consent at schema level in dynamic client registration (#8998)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAMLResponse decoding failures caused by line-wrapped base64 (#8968)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​aarmful, @​cyphercodes, @​dvanmali, @​gustavovalverde, @​jaydeep-pipaliya, @​ping-maxwell

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.2

Patch Changes

• #8949 9deb793 Thanks @​ping-maxwell! - security: verify OAuth state parameter against cookie-stored nonce to prevent CSRF on cookie-backed flows

• #8983 2cbcb9b Thanks @​jaydeep-pipaliya! - fix(oauth2): prevent cross-provider account collision in link-social callback

  The link-social callback used findAccount(accountId) which matched by account ID across all providers. When two providers return the same numeric ID (e.g. both Google and GitHub assign 99999), the lookup could match the wrong provider's account, causing a spurious account_already_linked_to_different_user error or silently updating the wrong account's tokens.

  Replaced with findAccountByProviderId(accountId, providerId) to scope the lookup to the correct provider, matching the pattern already used in the generic OAuth plugin.

• #9059 b20fa42 Thanks @​gustavovalverde! - fix(next-js): replace cookie probe with header-based RSC detection in nextCookies() to prevent infinite router refresh loops and eliminate leaked __better-auth-cookie-store cookie. Also fix two-factor enrollment flows to set the new session cookie before deleting the old session.

• #9058 608d8c3 Thanks @​gustavovalverde! - fix(sso): include RelayState in signed SAML AuthnRequests per SAML 2.0 Bindings §3.4.4.1

  • RelayState is now passed to samlify's ServiceProvider constructor so it is included in the redirect binding signature. Previously it was appended after the signature, causing spec-compliant IdPs to reject signed AuthnRequests.
  • authnRequestsSigned: true without a private key now throws instead of silently sending unsigned requests.

• #8772 8409843 Thanks @​aarmful! - feat(two-factor): include enabled 2fa methods in sign-in redirect response

  The 2FA sign-in redirect now returns twoFactorMethods (e.g. ["totp", "otp"]) so frontends can render the correct verification UI without guessing. The onTwoFactorRedirect client callback receives twoFactorMethods as a context parameter.

  • TOTP is included only when the user has a verified TOTP secret and TOTP is not disabled in config.
  • OTP is included when otpOptions.sendOTP is configured.
  • Unverified TOTP enrollments are excluded from the methods list.

• #8711 e78a7b1 Thanks @​aarmful! - fix(two-factor): prevent unverified TOTP enrollment from gating sign-in

  Adds a verified boolean column to the twoFactor table that tracks whether a TOTP secret has been confirmed by the user.

  • First-time enrollment: enableTwoFactor creates the row with verified: false. The row is promoted to verified: true only after verifyTOTP succeeds with a valid code.
  • Re-enrollment (calling enableTwoFactor when TOTP is already verified): the new row preserves verified: true, so the user is never locked out of sign-in while rotating their TOTP secret.
  • Sign-in: verifyTOTP rejects rows where verified === false, preventing abandoned enrollments from blocking authentication. Backup codes and OTP are unaffected and work as fallbacks during unfinished enrollment.

  Migration: The new column defaults to true, so existing twoFactor rows are treated as verified. No data migration is required. skipVerificationOnEnable: true is also unaffected — the row is created as verified: true in that mode.

• Updated dependencies []:

  • @​better-auth/core@​1.6.2
  • @​better-auth/drizzle-adapter@​1.6.2
  • @​better-auth/kysely-adapter@​1.6.2
  • @​better-auth/memory-adapter@​1.6.2
  • @​better-auth/mongo-adapter@​1.6.2
  • @​better-auth/prisma-adapter@​1.6.2
  • @​better-auth/telemetry@​1.6.2

1.6.1

Patch Changes

• #9023 2e537df Thanks @​jonathansamines! - Update endpoint instrumentation to always use endpoint routes

• #8902 f61ad1c Thanks @​ping-maxwell! - use INVALID_PASSWORD for all checkPassword failures

... (truncated)

Commits

• 700d298 chore: version packages (#9052)
• b20fa42 fix(next-js): replace cookie probe with header-based RSC detection in nextCoo...
• 2cbcb9b fix(oauth2): prevent cross-provider account collision in link-social callback...
• 9deb793 fix: cookie store strategy should verify oauth state (#8949)
• 8409843 feat(two-factor): include enabled 2fa methods in sign-in redirect response (#...
• e78a7b1 fix(two-factor): prevent unverified TOTP enrollment from gating sign-in (#8711)
• 85bb710 chore: version packages (#9018)
• 7495830 fix(api): restore getSession accessibility in generic Auth<O> context (#9017)
• 2e537df fix: endpoint instrumentation to always use route template (#9023)
• f61ad1c fix: use INVALID_PASSWORD for all checkPassword failures (#8902)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for better-auth since your current version.

Updates hono from 4.12.7 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

... (truncated)

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Updates vite from 7.3.1 to 7.3.2

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

• avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)
• backport #22159, apply server.fs check to env transport (#22162) (19db0f2)
• check server.fs after stripping query as well (#22160) (f8103cc)

Commits

• cc383e0 release: v7.3.2
• 09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• f8103cc fix: check server.fs after stripping query as well (#22160)
• 19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
• See full diff in compare view

Updates brace-expansion from 1.1.12 to 5.0.6

Release notes

Sourced from brace-expansion's releases.

v4.0.1

• fmt 5a5cc17
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 0b6a978

---

juliangruber/brace-expansion@v4.0.0...v4.0.1

v4.0.0

• feat: use string replaces instead of splits (#64) 278132b
• fmt dd72a59
• add tea.yaml 70e4c1b

juliangruber/brace-expansion@v3.0.0...v4.0.0

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.1

• pkg: publish on tag 3.x 3059c07
• fmt 8229e6f
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 15f9b3c

---

juliangruber/brace-expansion@v3.0.0...v3.0.1

v3.0.0

• Switch to ES Modules and balanced-match 3.0.0 (#62) c0360e8
• added jsdoc (#55) 68c0e37
• node 16 is EOL 9e781e9
• add standard 3494c4d
• use const and let (#57) dd5a4cb
• docs 6dad209
• remove test e3dd8ae
• ci: update node versions d23ede9
• docs: add @​lanodan to contributors 1eb3fa4
• docs 1e7c9cd
• switch from tape to test module (#60) 2520537
• Bump minimist from 1.2.5 to 1.2.6 (#59) 61a94f1
• Bump path-parse from 1.0.6 to 1.0.7 (#51) dc741cf
• docs: add back ci badge 8ee5626
• Add github actions, remove travis. Closes #52 (#53) 5c8756a
• CI: Drop unused sudo: false Travis directive (#50) 05978a7

juliangruber/brace-expansion@v2.0.1...v3.0.0

v2.0.2

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

... (truncated)

Commits

• 46317b5 5.0.6
• c0b095b Merge commit from fork
• ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
• 8793901 5.0.5
• 9a02af5 Merge commit from fork
• daa71bc Bump tar from 7.5.10 to 7.5.11 (#92)
• 799e5f7 Bump tar from 7.5.9 to 7.5.10 (#90)
• 012c230 5.0.4
• 243c491 Fix handling of brackets. Closes #87
• 609f858 Correct incorrect brace-expansion import (#89)
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

• Correct the types export entry (#160)
• Export Defu types (#157)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

✅ Tests

• Add more tests for plain objects (b65f603)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

• defu.d.cts: Export Defu types (#157)

📦 Build

• Correct the types export entry (#160)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

❤️ Contributors

• Pooya Parsa (@​pi0)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

🏡 Chore

• Add tea.yaml (70cffe5)
• Update repo (23cc432)
• Fix typecheck (89df6bb)

✅ Tests

• Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits

• 80c0146 chore(release): v6.1.7
• 40d7ef4 fix(defu.d.cts): export Defu types (#157)
• 3d3a7c8 build: correct the types export entry (#160)
• 001c290 chore(release): v6.1.6
• 407b516 build: fix mixed types
• 23e59e6 chore(release): v6.1.5
• 11ba022 fix: ignore inherited enumerable properties
• 3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
• d3ef16d chore(deps): update actions/checkout action to v6 (#151)
• 869a053 chore(deps): update actions/setup-node action to v6 (#149)
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits

• See full diff in compare view

Updates kysely from 0.28.11 to 0.28.17

Release notes

Sourced from kysely's releases.

0.28.17

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

0.29 is right around the corner. Try the latest RC version!

🚀 Features

🐞 Bugfixes

• fix: further harden JSON path .key(...) and .at(...) against SQL injections and exfiltrations. by @​igalklebanov in kysely-org/kysely#1804

📖 Documentation

• docs(returning): remove outdated SQLite alias workaround by @​aymenhmaidiwastaken in kysely-org/kysely#1793

📦 CICD & Tooling

⚠️ Breaking Changes

🐤 New Contributors

• @​aymenhmaidiwastaken made their first contribution in kysely-org/kysely#1793

What's Changed

Full Changelog: kysely-org/kysely@v0.28.16...v0.28.17

0.28.16

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

0.29 is getting closer btw. 🌶️

🚀 Features

🐞 Bugfixes

• fix: FilterObject allows any defined value when query context has no tables (TB is never). by @​igalklebanov in kysely-org/kysely#1791

📖 Documentation

• add socket security badge. by @​igalklebanov in kysely-org/kysely@db646ac
• chore: make socket security badge reflect current specific version. by @​igalklebanov in kysely-org/kysely@5597144
• support multi-entry point tsdoc without index module. by @​igalklebanov in kysely-org/kysely@6998915
• fix broken tsdoc references. by @​igalklebanov in kysely-org/kysely@5a0f14b

📦 CICD & Tooling

... (truncated)

Commits

• d13d90b 0.28.17
• dbb5405 feat: further harden JSON path .key(...) and .at(...) against SQL injecti...
• 73192e4 docs(returning): remove outdated SQLite alias workaround (#1793)
• b4566a1 0.28.16
• 20548bc chore: change verifyDepsBeforeRun to "prompt".
• 5f46cfb fix: FilterObject allows any defined value when query context has no tables...
• e0d0669 chore: bump dependencies and github actions. (#1789)
• 521156b add openssf scorecard.
• 5a0f14b fix broken tsdoc references.
• 6998915 support multi-entry point tsdoc without index module.
• Additional commits viewable in compare view

Updates tar from 7.5.10 to 7.5.15

Commits

• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.10 to 1.19.13

Release notes

Sourced from @​hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

Commits

• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• See full diff in compare view

Updates better-auth from 1.4.19 to 1.6.2

Release notes

Sourced from better-auth's releases.

v1.6.2

better-auth

❗ Breaking Changes

• Prevented unverified TOTP enrollment from blocking sign-in (#8711)

Migration: Schema migration required.

Add the verified column to the twoFactor table, then regenerate/apply your ORM migration.

• Prisma: run npx auth@latest generate, then npx prisma migrate dev (or npx prisma db push) and npx prisma generate.
• Drizzle: run npx auth@latest generate, then npx drizzle-kit generate and npx drizzle-kit migrate.

Existing rows do not need a backfill because the column defaults to true.

Features

• Included enabled 2FA methods in sign-in redirect response (#8772)

Bug Fixes

• Fixed OAuth state verification against cookie-stored nonce to prevent CSRF (#8949)
• Fixed infinite router refresh loops in nextCookies() by replacing cookie probe with header-based RSC detection (#9059)
• Fixed cross-provider account collision in link-social callback (#8983)
• Included RelayState in signed SAML AuthnRequests (#9058)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed multi-valued query params collapsing through prompt redirects (#9060)
• Rejected skip_consent at schema level in dynamic client registration (#8998)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAMLResponse decoding failures caused by line-wrapped base64 (#8968)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​aarmful, @​cyphercodes, @​dvanmali, @​gustavovalverde, @​jaydeep-pipaliya, @​ping-maxwell

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.2

Patch Changes

• #8949 9deb793 Thanks @​ping-maxwell! - security: verify OAuth state parameter against cookie-stored nonce to prevent CSRF on cookie-backed flows

• #8983 2cbcb9b Thanks @​jaydeep-pipaliya! - fix(oauth2): prevent cross-provider account collision in link-social callback

  The link-social callback used findAccount(accountId) which matched by account ID across all providers. When two providers return the same numeric ID (e.g. both Google and GitHub assign 99999), the lookup could match the wrong provider's account, causing a spurious account_already_linked_to_different_user error or silently updating the wrong account's tokens.

  Replaced with findAccountByProviderId(accountId, providerId) to scope the lookup to the correct provider, matching the pattern already used in the generic OAuth plugin.

• #9059 b20fa42 Thanks @​gustavovalverde! - fix(next-js): replace cookie probe with header-based RSC detection in nextCookies() to prevent infinite router refresh loops and eliminate leaked __better-auth-cookie-store cookie. Also fix two-factor enrollment flows to set the new session cookie before deleting the old session.

• #9058 608d8c3 Thanks @​gustavovalverde! - fix(sso): include RelayState in signed SAML AuthnRequests per SAML 2.0 Bindings §3.4.4.1

  • RelayState is now passed to samlify's ServiceProvider constructor so it is included in the redirect binding signature. Previously it was appended after the signature, causing spec-compliant IdPs to reject signed AuthnRequests.
  • authnRequestsSigned: true without a private key now throws instead of silently sending unsigned requests.

• #8772 8409843 Thanks @​aarmful! - feat(two-factor): include enabled 2fa methods in sign-in redirect response

  The 2FA sign-in redirect now returns twoFactorMethods (e.g. ["totp", "otp"]) so frontends can render the correct verification UI without guessing. The onTwoFactorRedirect client callback receives twoFactorMethods as a context parameter.

  • TOTP is included only when the user has a verified TOTP secret and TOTP is not disabled in config.
  • OTP is included when otpOptions.sendOTP is configured.
  • Unverified TOTP enrollments are excluded from the methods list.

• #8711 e78a7b1 Thanks @​aarmful! - fix(two-factor): prevent unverified TOTP enrollment from gating sign-in

  Adds a verifiedDescription has been truncated