Merge branch 'main' into rob/aisec-24-unauthenticated-attacker-prevents-customer-backend-from

Author: wobsoriano

.changeset/famous-bats-tan.md

@@ -0,0 +1,2 @@
+---
+---

.changeset/legal-numbers-fry.md

@@ -0,0 +1,8 @@
+---
+'@clerk/localizations': patch
+'@clerk/clerk-js': patch
+'@clerk/shared': patch
+'@clerk/ui': patch
+---
+
+Update `<ConfigureSSO />` in the context of organizations to only allow managing enterprise connections based on system permission

.changeset/pin-trusted-publisher-deps.md

@@ -0,0 +1,2 @@
+---
+---

.changeset/slow-breads-pump.md

@@ -0,0 +1,2 @@
+---
+---

integration/constants.ts

@@ -88,3 +88,18 @@ export const constants = {
   INTEGRATION_INSTANCE_KEYS: process.env.INTEGRATION_INSTANCE_KEYS,
   INTEGRATION_STAGING_INSTANCE_KEYS: process.env.INTEGRATION_STAGING_INSTANCE_KEYS,
 } as const;
+
+/**
+ * Floor versions of transitive deps that carry pnpm "trustedPublisher" evidence.
+ * Injected as `pnpm.overrides` into every fixture's tmp `package.json` so that
+ * isolated installs satisfy pnpm 10's trust-downgrade check. Sourced from the
+ * 2026-05-11 npm supply-chain incident response (mini Shai-Hulud worm).
+ * Update when upstream packages publish newer versions via OIDC trusted publisher.
+ */
+export const TRUSTED_OVERRIDES: Record<string, string> = {
+  'semver@<7.7.3': '7.7.4',
+  'chokidar@<5.0.0': '5.0.0',
+  'undici-types@<7.16.0': '7.24.8',
+  'tailwind-merge@<3.4.0': '3.4.0',
+  'vite@<7.1.3': '7.3.3',
+};

integration/models/applicationConfig.ts

@@ -2,7 +2,7 @@ import * as path from 'node:path';
 
 import type { AccountlessApplication } from '@clerk/backend';
 
-import { constants } from '../constants';
+import { constants, TRUSTED_OVERRIDES } from '../constants';
 import { PKGLAB } from '../presets/utils';
 import { createLogger, fs } from '../scripts';
 import { application } from './application';
@@ -125,13 +125,22 @@ export const applicationConfig = () => {
             ? []
             : [...dependencies.entries()].filter(([, version]) => version === PKGLAB).map(([name]) => [name, 'latest']),
         );
+      const packageJsonPath = path.resolve(appDirPath, 'package.json');
+      const contents = await fs.readJSON(packageJsonPath);
       if (npmDeps.length > 0) {
-        const packageJsonPath = path.resolve(appDirPath, 'package.json');
         logger.info(`Modifying dependencies in "${packageJsonPath}"`);
-        const contents = await fs.readJSON(packageJsonPath);
         contents.dependencies = { ...contents.dependencies, ...Object.fromEntries(npmDeps) };
-        await fs.writeJSON(packageJsonPath, contents, { spaces: 2 });
       }
+      // Pin transitives to versions with pnpm "trustedPublisher" evidence so the
+      // isolated tmp install passes pnpm 10's trust-downgrade check.
+      contents.pnpm = {
+        ...(contents.pnpm ?? {}),
+        overrides: {
+          ...(contents.pnpm?.overrides ?? {}),
+          ...TRUSTED_OVERRIDES,
+        },
+      };
+      await fs.writeJSON(packageJsonPath, contents, { spaces: 2 });
 
       return application(self, appDirPath, appDirName, serverUrl);
     },

package.json

@@ -161,10 +161,15 @@
       "msw"
     ],
     "overrides": {
+      "chokidar@<5.0.0": "5.0.0",
       "react": "catalog:react",
       "react-dom": "catalog:react",
       "rolldown": "catalog:repo",
-      "utf-8-validate": "5.0.10"
+      "semver@<7.7.3": "7.7.4",
+      "tailwind-merge@<3.4.0": "3.4.0",
+      "undici-types@<7.16.0": "7.24.8",
+      "utf-8-validate": "5.0.10",
+      "vite@<7.1.3": "7.3.3"
     }
   }
 }

packages/localizations/src/ar-SA.ts

@@ -179,6 +179,10 @@ export const arSA: LocalizationResource = {
     year: undefined,
   },
   configureSSO: {
+    missingManageEnterpriseConnectionsPermission: {
+      subtitle: 'تواصل مع مسؤول مؤسستك للحصول على أذونات لإدارة الاتصالات المؤسسية.',
+      title: 'ليس لديك إذن لإدارة الاتصالات المؤسسية',
+    },
     navbar: {
       title: 'تكوين تسجيل الدخول الموحد (SSO)',
     },

packages/localizations/src/be-BY.ts

@@ -179,6 +179,11 @@ export const beBY: LocalizationResource = {
     year: undefined,
   },
   configureSSO: {
+    missingManageEnterpriseConnectionsPermission: {
+      subtitle:
+        'Звярніцеся да адміністратара вашай арганізацыі, каб атрымаць дазволы на кіраванне карпаратыўнымі падключэннямі.',
+      title: 'У вас няма дазволу на кіраванне карпаратыўнымі падключэннямі',
+    },
     navbar: {
       title: 'Налада адзінага ўваходу (SSO)',
     },

packages/localizations/src/bg-BG.ts

@@ -180,6 +180,11 @@ export const bgBG: LocalizationResource = {
     year: undefined,
   },
   configureSSO: {
+    missingManageEnterpriseConnectionsPermission: {
+      subtitle:
+        'Свържете се с администратора на вашата организация, за да получите разрешения за управление на корпоративни връзки.',
+      title: 'Нямате разрешение да управлявате корпоративни връзки',
+    },
     navbar: {
       title: 'Конфигуриране на единен вход (SSO)',
     },