Merge branch 'main' into aa/generate-object-docs

Author: alexisintech

.changeset/famous-bats-tan.md

@@ -0,0 +1,2 @@
+---
+---

.changeset/pin-trusted-publisher-deps.md

@@ -0,0 +1,2 @@
+---
+---

.changeset/slow-breads-pump.md

@@ -0,0 +1,2 @@
+---
+---

integration/constants.ts

@@ -88,3 +88,18 @@ export const constants = {
   INTEGRATION_INSTANCE_KEYS: process.env.INTEGRATION_INSTANCE_KEYS,
   INTEGRATION_STAGING_INSTANCE_KEYS: process.env.INTEGRATION_STAGING_INSTANCE_KEYS,
 } as const;
+
+/**
+ * Floor versions of transitive deps that carry pnpm "trustedPublisher" evidence.
+ * Injected as `pnpm.overrides` into every fixture's tmp `package.json` so that
+ * isolated installs satisfy pnpm 10's trust-downgrade check. Sourced from the
+ * 2026-05-11 npm supply-chain incident response (mini Shai-Hulud worm).
+ * Update when upstream packages publish newer versions via OIDC trusted publisher.
+ */
+export const TRUSTED_OVERRIDES: Record<string, string> = {
+  'semver@<7.7.3': '7.7.4',
+  'chokidar@<5.0.0': '5.0.0',
+  'undici-types@<7.16.0': '7.24.8',
+  'tailwind-merge@<3.4.0': '3.4.0',
+  'vite@<7.1.3': '7.3.3',
+};

integration/models/applicationConfig.ts

@@ -2,7 +2,7 @@ import * as path from 'node:path';
 
 import type { AccountlessApplication } from '@clerk/backend';
 
-import { constants } from '../constants';
+import { constants, TRUSTED_OVERRIDES } from '../constants';
 import { PKGLAB } from '../presets/utils';
 import { createLogger, fs } from '../scripts';
 import { application } from './application';
@@ -125,13 +125,22 @@ export const applicationConfig = () => {
             ? []
             : [...dependencies.entries()].filter(([, version]) => version === PKGLAB).map(([name]) => [name, 'latest']),
         );
+      const packageJsonPath = path.resolve(appDirPath, 'package.json');
+      const contents = await fs.readJSON(packageJsonPath);
       if (npmDeps.length > 0) {
-        const packageJsonPath = path.resolve(appDirPath, 'package.json');
         logger.info(`Modifying dependencies in "${packageJsonPath}"`);
-        const contents = await fs.readJSON(packageJsonPath);
         contents.dependencies = { ...contents.dependencies, ...Object.fromEntries(npmDeps) };
-        await fs.writeJSON(packageJsonPath, contents, { spaces: 2 });
       }
+      // Pin transitives to versions with pnpm "trustedPublisher" evidence so the
+      // isolated tmp install passes pnpm 10's trust-downgrade check.
+      contents.pnpm = {
+        ...(contents.pnpm ?? {}),
+        overrides: {
+          ...(contents.pnpm?.overrides ?? {}),
+          ...TRUSTED_OVERRIDES,
+        },
+      };
+      await fs.writeJSON(packageJsonPath, contents, { spaces: 2 });
 
       return application(self, appDirPath, appDirName, serverUrl);
     },

package.json

@@ -161,10 +161,15 @@
       "msw"
     ],
     "overrides": {
+      "chokidar@<5.0.0": "5.0.0",
       "react": "catalog:react",
       "react-dom": "catalog:react",
       "rolldown": "catalog:repo",
-      "utf-8-validate": "5.0.10"
+      "semver@<7.7.3": "7.7.4",
+      "tailwind-merge@<3.4.0": "3.4.0",
+      "undici-types@<7.16.0": "7.24.8",
+      "utf-8-validate": "5.0.10",
+      "vite@<7.1.3": "7.3.3"
     }
   }
 }

packages/react/src/hooks/useAuth.ts

@@ -33,7 +33,7 @@ type UseAuthOptions = PendingSessionOptions | undefined | null;
  * </If>
  *
  * @unionReturnHeadings
- * ["Initialization", "Signed out", "Signed in (no active organization)", "Signed in (with active organization)"]
+ * ["Loading", "Signed out", "Signed in (no active organization)", "Signed in (with active organization)"]
  *
  * @param [options] - An object containing options for the `useAuth()` hook. `treatPendingAsSignedOut` is a boolean that indicates whether pending sessions are considered as signed out or not. Defaults to `true`.
  *

packages/shared/src/react/hooks/useSession.ts

@@ -10,7 +10,7 @@ const hookName = `useSession`;
  * The `useSession()` hook provides access to the current user's [`Session`](https://clerk.com/docs/reference/objects/session) object, as well as helpers for setting the active session.
  *
  * @unionReturnHeadings
- * ["Initialization", "Signed out", "Signed in"]
+ * ["Loading", "Signed out", "Signed in"]
  *
  * @function
  *

packages/shared/src/react/hooks/useUser.ts

@@ -5,10 +5,10 @@ import { useUserBase } from './base/useUserBase';
 
 const hookName = 'useUser';
 /**
- * The `useUser()` hook provides access to the current user's [`User`](https://clerk.com/docs/reference/objects/user) object, which contains all the data for a single user in your application and provides methods to manage their account. This hook also allows you to check if the user is signed in and if Clerk has loaded and initialized.
+ * The `useUser()` hook provides access to the current user's [`User`](https://clerk.com/docs/reference/objects/user) object, which contains all the data for a single user in your application and provides methods to manage their account. This hook also allows you to check if the user is signed in and if Clerk has loaded.
  *
  * @unionReturnHeadings
- * ["Initialization", "Signed out", "Signed in"]
+ * ["Loading", "Signed out", "Signed in"]
  *
  * @example
  * ### Get the current user

packages/ui/src/components/SignUp/__tests__/SignUpStart.test.tsx

@@ -523,57 +523,4 @@ describe('SignUpStart', () => {
       await waitFor(() => screen.getByText(/create your account/i));
     });
   });
-
-  describe('unsafeMetadata', () => {
-    it('does not throw when signUp.create rejects with an API error', async () => {
-      Object.defineProperty(window, 'location', {
-        writable: true,
-        value: { href: 'http://localhost/sign-up' },
-      });
-
-      let unhandledError: unknown = null;
-      const onUnhandledRejection = (reason: unknown) => {
-        unhandledError = reason;
-      };
-      process.on('unhandledRejection', onUnhandledRejection);
-
-      const { wrapper, fixtures, props } = await createFixtures(f => {
-        f.withEmailAddress({ required: true });
-        f.withPassword({ required: true });
-      });
-      fixtures.signUp.create.mockRejectedValueOnce(
-        new ClerkAPIResponseError('Error', {
-          data: [
-            {
-              code: 'form_password_pwned',
-              long_message: 'Password has been found in an online data breach.',
-              message: 'Password has been found in an online data breach.',
-              meta: { param_name: 'password' },
-            },
-          ],
-          status: 422,
-        }),
-      );
-      props.setProps({ unsafeMetadata: { foo: 'bar' } });
-
-      const { userEvent } = render(
-        <CardStateProvider>
-          <SignUpStart />
-        </CardStateProvider>,
-        { wrapper },
-      );
-
-      await userEvent.type(screen.getByLabelText(/email address/i), 'test@example.com');
-      await userEvent.type(screen.getByPlaceholderText(/create a password/i), 'password123');
-      await userEvent.click(screen.getByText(/continue/i));
-
-      await waitFor(() => expect(fixtures.signUp.create).toHaveBeenCalled());
-      await screen.findByTestId('form-feedback-error');
-      // Flush pending microtasks so any unhandled rejection event has a chance to fire.
-      await new Promise(resolve => setTimeout(resolve, 0));
-
-      process.off('unhandledRejection', onUnhandledRejection);
-      expect(unhandledError).toBeNull();
-    }, 15_000);
-  });
 });