Merge remote-tracking branch 'upstream/main' into feat/custom-profile-and-access-token-routes

Author: eliw00d

.github/actions/npm-publish/action.yml

@@ -3,8 +3,6 @@ name: Publish release to npm
 inputs:
   node-version:
     required: true
-  npm-token:
-    required: true
   version:
     required: true
   require-build:
@@ -29,11 +27,16 @@ runs:
       with:
         node-version: 22
         cache: 'pnpm'
+        registry-url: 'https://registry.npmjs.org'
 
     - name: Install dependencies
       shell: bash
       run: pnpm install --frozen-lockfile
 
+    - name: Update npm for OIDC trusted publishing
+      shell: bash
+      run: npm install -g npm@~11.10.0
+
     - name: Build package
       if: inputs.require-build == 'true'
       shell: bash
@@ -50,9 +53,7 @@ runs:
         else
           TAG="latest"
         fi
-        npm config set "//registry.npmjs.org/:_authToken" "${NPM_TOKEN}"
-        pnpm publish --tag $TAG
+        npm publish --tag $TAG
       env:
-        NPM_TOKEN: ${{ inputs.npm-token }}
         VERSION: ${{ inputs.version }}
         NPM_CONFIG_PROVENANCE: true

.github/workflows/npm-release.yml

@@ -15,8 +15,6 @@ on:
     secrets:
       github-token:
         required: true
-      npm-token:
-        required: true
 
 ### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
 ### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
@@ -26,6 +24,9 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: write
+      id-token: write # Required for OIDC trusted publishing to npm
 
     steps:
       # Checkout the code
@@ -70,7 +71,6 @@ jobs:
           require-build: ${{ inputs.require-build }}
           release-directory: ${{ inputs.release-directory }}
           version: ${{ steps.get_version.outputs.version }}
-          npm-token: ${{ secrets.npm-token }}
 
       # Create a release for the tag
       - uses: ./.github/actions/release-create

.github/workflows/playwright.yml

@@ -26,7 +26,7 @@ jobs:
 
     - name: Run Playwright tests
       run: pnpm exec playwright test
-    - uses: actions/upload-artifact@v6
+    - uses: actions/upload-artifact@v7
       if: ${{ !cancelled() }}
       with:
         name: playwright-report

.github/workflows/release.yml

@@ -35,5 +35,4 @@ jobs:
       node-version: 22 ## Updated to Node.js 22
       require-build: false
     secrets:
-      npm-token: ${{ secrets.NPM_TOKEN }}
       github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/rl-secure.yml

@@ -38,7 +38,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           version: 10
 

.github/workflows/snyk.yml

@@ -36,7 +36,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4 # docs https://pnpm.io/continuous-integration#github-actions
+        uses: pnpm/action-setup@v5 # docs https://pnpm.io/continuous-integration#github-actions
         with:
           version: 10
 

.github/workflows/test.yml

@@ -29,7 +29,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           version: 10
 
@@ -66,7 +66,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           version: 10
 
@@ -83,7 +83,7 @@ jobs:
         run: pnpm test:coverage
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # pin@5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -96,7 +96,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           version: 10
 

.version

@@ -1 +1 @@
-v4.14.0
+v4.19.0

CHANGELOG.md

@@ -1,5 +1,84 @@
 # Change Log
 
+## [v4.19.0](https://github.com/auth0/nextjs-auth0/tree/v4.19.0) (2026-04-22)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.18.0...v4.19.0)
+
+**Added**
+- feat: add mfa.stepUpWithPopup() for reactive MFA step-up via Universal Login [\#2524](https://github.com/auth0/nextjs-auth0/pull/2524) ([tusharpandey13](https://github.com/tusharpandey13))
+
+**Fixed**
+- fix: MFA http contract parity fixes [\#2555](https://github.com/auth0/nextjs-auth0/pull/2555) ([tusharpandey13](https://github.com/tusharpandey13))
+- fix: skip MCD session backfill in static mode [\#2618](https://github.com/auth0/nextjs-auth0/pull/2618) ([tusharpandey13](https://github.com/tusharpandey13))
+
+## [v4.18.0](https://github.com/auth0/nextjs-auth0/tree/v4.18.0) (2026-04-17)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.17.1...v4.18.0)
+
+**Added**
+- Reapply feat: add optional update() to SessionDataStore (#2590) [\#2616](https://github.com/auth0/nextjs-auth0/pull/2616) ([Piyush-85](https://github.com/Piyush-85))
+
+**Fixed**
+- fix: DPoP nonce retry race issue [\#2580](https://github.com/auth0/nextjs-auth0/pull/2580) ([nandan-bhat](https://github.com/nandan-bhat))
+
+## [v4.17.1](https://github.com/auth0/nextjs-auth0/tree/v4.17.1) (2026-04-16)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.17.0...v4.17.1)
+
+**Fixed**
+- fix: defer `AuthClientProvider` construction when `AUTH0_DOMAIN` not set at build time [\#2604](https://github.com/auth0/nextjs-auth0/pull/2604) ([sleitor](https://github.com/sleitor))
+- fix: Next.js edge runtime build error for crypto module [\#2564](https://github.com/auth0/nextjs-auth0/pull/2564) ([Piyush-85](https://github.com/Piyush-85))
+
+## [v4.17.0](https://github.com/auth0/nextjs-auth0/tree/v4.17.0) (2026-04-09)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.16.2...v4.17.0)
+
+**Added**
+- feat: MCD (Multiple Custom Domains) Support [\#2545](https://github.com/auth0/nextjs-auth0/pull/2545) ([tusharpandey13](https://github.com/tusharpandey13))
+
+**Fixed**
+- fix: prevent rolling session from re-creating a deleted session on concurrent logout [\#2530](https://github.com/auth0/nextjs-auth0/pull/2530) ([sleitor](https://github.com/sleitor))
+
+## [v4.16.2](https://github.com/auth0/nextjs-auth0/tree/v4.16.2) (2026-04-07)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.16.1...v4.16.2)
+
+**Fixed**
+- fix: Middleware should not throw ERR_JWE_INVALID [\#2546](https://github.com/auth0/nextjs-auth0/pull/2546) ([crob](https://github.com/crob))
+- fix: preserve error details from HTTP 5xx OAuth responses [\#2533](https://github.com/auth0/nextjs-auth0/pull/2533) ([sleitor](https://github.com/sleitor))
+
+**Security**
+- chore(deps): update eslint to fix flatted vulnerability [\#2575](https://github.com/auth0/nextjs-auth0/pull/2575) ([Piyush-85](https://github.com/Piyush-85))
+
+## [v4.16.1](https://github.com/auth0/nextjs-auth0/tree/v4.16.1) (2026-03-25)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.16.0...v4.16.1)
+
+**Fixed**
+- fix: make withPageAuthRequired generic to support PageProps/LayoutProps types [\#2529](https://github.com/auth0/nextjs-auth0/pull/2529) ([sleitor](https://github.com/sleitor))
+- fix: enable full generic type inference for withPageAuthRequired to correctly propagate PageProps and LayoutProps [\#2550](https://github.com/auth0/nextjs-auth0/pull/2550) ([Piyush-85](https://github.com/Piyush-85))
+
+## [v4.16.0](https://github.com/auth0/nextjs-auth0/tree/v4.16.0) (2026-02-27)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.15.0...v4.16.0)
+
+**Added**
+- feat: added tokenRefreshBuffer for early access‑token refreshes [\#2508](https://github.com/auth0/nextjs-auth0/pull/2508) ([nandan-bhat](https://github.com/nandan-bhat))
+- feat: support allow list for dynamic APP_BASE_URL configuration [\#2538](https://github.com/auth0/nextjs-auth0/pull/2538) ([frederikprijck](https://github.com/frederikprijck))
+- feat: Add dynamic app base URL handling [\#2528](https://github.com/auth0/nextjs-auth0/pull/2528) ([nandan-bhat](https://github.com/nandan-bhat))
+
+**Fixed**
+- fix: do not strip falsey values from authorization params [\#2526](https://github.com/auth0/nextjs-auth0/pull/2526) ([frederikprijck](https://github.com/frederikprijck))
+
+## [v4.15.0](https://github.com/auth0/nextjs-auth0/tree/v4.15.0) (2026-02-09)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.14.1...v4.15.0)
+
+**Added**
+- feat: MFA APIs [\#2502](https://github.com/auth0/nextjs-auth0/pull/2502) ([tusharpandey13](https://github.com/tusharpandey13))
+- feat: Base MFA support [\#2480](https://github.com/auth0/nextjs-auth0/pull/2480) ([tusharpandey13](https://github.com/tusharpandey13))
+- Add TTL to /auth/access-token and optional full client response [\#2505](https://github.com/auth0/nextjs-auth0/pull/2505) ([nandan-bhat](https://github.com/nandan-bhat))
+
+## [v4.14.1](https://github.com/auth0/nextjs-auth0/tree/v4.14.1) (2026-01-24)
+[Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.14.0...v4.14.1)
+
+**Fixed**
+- fix: do not throw ERR_JWE_DECRYPTION_FAILED, but catch it and ignore the cookie. [\#2487](https://github.com/auth0/nextjs-auth0/pull/2487) ([frederikprijck](https://github.com/frederikprijck))
+- fix: avoid headers.append error when using getAccessToken with refresh in Next.js 16 proxy  [\#2495](https://github.com/auth0/nextjs-auth0/pull/2495) ([nandan-bhat](https://github.com/nandan-bhat))
+- fix: removed un-intended class/type exports from the SDK [\#2475](https://github.com/auth0/nextjs-auth0/pull/2475) ([nandan-bhat](https://github.com/nandan-bhat))
+
 ## [v4.14.0](https://github.com/auth0/nextjs-auth0/tree/v4.14.0) (2025-12-15)
 [Full Changelog](https://github.com/auth0/nextjs-auth0/compare/v4.13.3...v4.14.0)