Merge branch 'main' into jr/integration-build-serve

Author: jacekradko

.changeset/backend-proxy-forwarded-headers.md

@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Fix `clerkFrontendApiProxy` to derive the `Clerk-Proxy-Url` header and Location rewrites from `x-forwarded-proto`/`x-forwarded-host` headers instead of the raw `request.url`. Behind a reverse proxy, `request.url` resolves to localhost, causing FAPI to receive an incorrect proxy URL. The fix uses the same forwarded-header resolution pattern as `ClerkRequest`.

.changeset/fastify-proxy-support.md

@@ -0,0 +1,5 @@
+---
+'@clerk/fastify': minor
+---
+
+Add Frontend API proxy support to `@clerk/fastify` via the `frontendApiProxy` option on `clerkPlugin`. When enabled, requests matching the proxy path (default `/__clerk`) are forwarded to Clerk's Frontend API, allowing Clerk to work in environments where direct API access is blocked by ad blockers or firewalls. The `proxyUrl` for auth handshake is automatically derived from the request when `frontendApiProxy` is configured.

.changeset/fix-429-unauthenticated.md

@@ -0,0 +1,6 @@
+---
+'@clerk/clerk-js': patch
+'@clerk/shared': patch
+---
+
+Narrow the error conditions that trigger the unauthenticated flow (sign-out) to only high-confidence authentication failures (401, 422). Previously, all 4xx errors — including 429 rate limits — were treated as auth failures, which could sign users out during transient rate limiting. Non-auth errors from `setActive` now propagate to the caller instead of being silently swallowed.

.changeset/fix-express-proxy-path-guard.md

@@ -0,0 +1,5 @@
+---
+'@clerk/express': patch
+---
+
+Fix empty path fallback for `frontendApiProxy` to prevent intercepting all requests when `path` resolves to an empty string

.changeset/hono-proxy-support.md

@@ -0,0 +1,5 @@
+---
+'@clerk/hono': minor
+---
+
+Add Frontend API proxy support to `@clerk/hono` via the `frontendApiProxy` option on `clerkMiddleware`. When enabled, requests matching the proxy path (default `/__clerk`) are forwarded to Clerk's Frontend API, allowing Clerk to work in environments where direct API access is blocked by ad blockers or firewalls. The `proxyUrl` for auth handshake is automatically derived from the request when `frontendApiProxy` is configured.

.changeset/yellow-vans-beg.md

@@ -0,0 +1,5 @@
+---
+"@clerk/expo": minor
+---
+
+Adds support for Expo SDK 55

.github/workflows/ci.yml

@@ -305,6 +305,7 @@ jobs:
             "nuxt",
             "react-router",
             "custom",
+            "hono",
           ]
         test-project: ["chrome"]
         include:

.github/workflows/release.yml

@@ -339,6 +339,36 @@ jobs:
           comment-id: ${{ github.event.comment.id }}
           reactions: heart
 
+      - name: Minimize previous snapshot comments
+        if: steps.version-packages.outputs.success == '1'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.CLERK_COOKIE_PAT }}
+          script: |
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              per_page: 100,
+            });
+
+            const snapshotComments = comments.filter(
+              (comment) =>
+                comment.body?.includes('the snapshot version command generated the following package versions')
+            );
+
+            for (const comment of snapshotComments) {
+              await github.graphql(`
+                mutation MinimizeComment($id: ID!) {
+                  minimizeComment(input: { subjectId: $id, classifier: OUTDATED }) {
+                    minimizedComment {
+                      isMinimized
+                    }
+                  }
+                }
+              `, { id: comment.node_id });
+            }
+
       - name: Create snapshot release comment
         if: steps.version-packages.outputs.success == '1'
         uses: peter-evans/create-or-update-comment@v3.0.0

integration/presets/envs.ts

@@ -136,6 +136,11 @@ const withWaitlistMode = withEmailCodes
   .setEnvVariable('private', 'CLERK_SECRET_KEY', instanceKeys.get('with-waitlist-mode').sk)
   .setEnvVariable('public', 'CLERK_PUBLISHABLE_KEY', instanceKeys.get('with-waitlist-mode').pk);
 
+const withEmailCodesProxy = withEmailCodes
+  .clone()
+  .setId('withEmailCodesProxy')
+  .setEnvVariable('private', 'CLERK_PROXY_ENABLED', 'true');
+
 const withSignInOrUpFlow = withEmailCodes
   .clone()
   .setId('withSignInOrUpFlow')
@@ -222,6 +227,7 @@ export const envs = {
   withDynamicKeys,
   withEmailCodes,
   withEmailCodes_destroy_client,
+  withEmailCodesProxy,
   withEmailCodesQuickstart,
   withEmailLinks,
   withKeyless,

integration/presets/longRunningApps.ts

@@ -86,6 +86,7 @@ export const createLongRunningApps = () => {
      * Hono apps
      */
     { id: 'hono.vite.withEmailCodes', config: hono.vite, env: envs.withEmailCodes },
+    { id: 'hono.vite.withEmailCodesProxy', config: hono.vite, env: envs.withEmailCodesProxy },
   ] as const;
 
   const apps = configs.map(longRunningApplication);