rebase! chore(deps): update dev dependencies #346

Open
renovate[bot] wants to merge 1 commit into main from renovate/dev-dependencies

@renovate renovate Bot commented May 11, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change
@nuxt/schema (source) | 4.3.1 → 4.4.5
@nuxt/test-utils | 4.0.0 → 4.0.3
@vueuse/nuxt (source) | 14.2.1 → 14.3.0
better-auth (source) | 1.5.5 → 1.6.10
better-call (source) | 1.3.2 → 1.3.5
better-sqlite3 | 12.6.2 → 12.9.0
bumpp | 11.0.1 → 11.1.0
docus | 5.8.1 → 5.11.0
eslint (source) | 10.0.3 → 10.3.0
nitropack | 2.13.1 → 2.13.4
nuxt (source) | 4.3.1 → 4.4.5
tinyexec | 1.1.1 → 1.1.2
vitest (source) | 4.0.18 → 4.1.6
vue (source) | 3.5.29 → 3.5.34
vue-tsc (source) | 3.2.7 → 3.2.8
wrangler (source) | 4.72.0 → 4.90.0
yaml (source) | 2.8.3 → 2.9.0

Release Notes

nuxt/nuxt (@​nuxt/schema)

v4.4.5

4.4.5 is the next patch release.

🔥 Performance
  • kit: Cache layer roots and short-circuit isIgnored relative (#​35015)
🩹 Fixes
  • vite: Resolve vite clientServer with ssr: false (#​34959)
  • nitro: Correct payload route rule for / + override ssr: true (#​34990)
  • nitro: Break recursive rendering deadlocks during prerender (#​34939)
  • vite: Drop redundant css link when entry styles are inlined (#​34950)
  • vite: Sort optimizeDeps.include in pre-bundle hint (#​34976)
  • nuxt: Only force suspense remount after first resolve (#​34949)
  • kit: Read .env before resolving nuxt schema (#​34958)
  • nitro: Preserve serverHandlers array after nitro:config (#​34985)
  • nuxt: Cast partial nitro handlers when prepending to server arrays (61dcde4db)
  • vite: Only consider CSS inlined when styles are actually emitted (#​35006)
  • nuxt: Dedupe getCachedData for concurrent callers sharing a key (#​34999)
  • nuxt: Respect factory fetch/baseURL options in server useFetch (#​35003)
  • nuxt: Handle string presets in auto-imports (#​35013)
  • nuxt: Correct island transform for server pages and 'deep' mode (#​35005)
  • vite: Inline css for non-island children of server components (#​35001)
  • nuxt: Defer head DOM updates until page transition finishes (#​35016)
  • nuxt: Explicitly freeze head during island plugin phase (#​35010)
  • vite: Inline css imported from non-vue js modules (#​35020)
📖 Documentation
  • Add warning about routing in server components (#​34994)
✅ Tests
  • Extract server components fixture + add some failing tests (#34995)
  • Isolate buildDir per matrix project for shared fixtures (#35007)
  • Remove tests for 5.x runtimeBaseURL feature (816c25487)

v4.4.4

v4.4.2

nuxt/test-utils (@​nuxt/test-utils)

v4.0.3

4.0.3 is the next patch release.

🩹 Fixes
  • runtime-utils: Lazily import root-component in mount + render helpers (#​1665)
  • runtime-utils: Insert compilerOptions conditionally (#​1659)
  • config: Enable sourcemaps when vitest coverage is enabled (#​1674)
  • module: Exclude test files from Nuxt plugin registration (#​1666)
  • runtime-utils: Provide NuxtLink isActive slot props (#​1640)
  • e2e: Wait for HTTP readiness before resolving startServer (#1675)

v4.0.2

🩹 Fixes
  • config: Respect override dev value (#​1602)
🤖 CI
  • Use pnpm publish to resolve workspace dependencies (#1651)

v4.0.1

🩹 Fixes
  • config: Rename deps.optimizer.web to client for vitest4 (#​1593)
  • runtime-utils: Fix mockNuxtImport types when using string target (#​1592)
  • config: Pass non-project options for non-nuxt simple setup (#​1582)
  • config: Do not import defineConfig from vite (1aa5e8748)
  • runtime: Handle ResourceLoader removal in jsdom v28 (#​1611)
  • config,vitest-environment: Directly import peerDeps (#​1617)
  • runtime-utils: Align mount options merge w/ vue-test-utils (#​1610)
  • vitest-environment: Avoid vitest/environments import warning (#​1627)
  • runtime: Avoid error when vue/test-utils is not installed (#​1646)
  • config: Prefer project h3 version if present (#​1641)
🏡 Chore
  • Bump vitest-environment-nuxt versions (f5ec72127)
  • Use workspace dependency (14fb254a7)
  • Example playwright config improve type annotation for devices (#​1581)
  • pkg-pr-new prerelease vitest-environment-nuxt (#​1601)
  • Allow explicit any (633c93c2a)
  • Switch unit test target to dir and move type unit tests to test:types (#​1618)
  • Update lockfile (8306abf00)
✅ Tests
  • Add failing test for stubbed global provide (#​1314)
  • Update assertions deprecated in vitest 4.1 (#​1629)
  • Change example/workspace to use glob based projects setup (#​1585)
🤖 CI
  • Pin github actions to full-length commit shas (2832fd6d5)
  • Avoid checkout for reproduction comment (e4e67ab09)
  • Rename workflow (99318b9fc)
  • Correctly publish pkg-pr-new prerelease (#1598)

vueuse/vueuse (@vueuse/nuxt)

v14.3.0

better-auth/better-auth (better-auth)

v1.6.10

v1.6.9

v1.6.8

Patch Changes
  • #​9253 856ab24 Thanks @​baptisteArno! - fix(organization): allow passing id through beforeCreateTeam and beforeCreateInvitation

    Mirrors #​4765 for teams and invitations: adapter.createTeam and adapter.createInvitation now pass forceAllowId: true, so ids returned from the respective hooks survive the DB insert.

  • #​9331 9aa8e63 Thanks @​gustavovalverde! - fix(oauth): support mapProfileToUser fallback for providers that may omit email

    Social sign-in with OAuth providers that may return no email address (Discord phone-only accounts, Apple subsequent sign-ins, GitHub private emails, Facebook, LinkedIn, and Microsoft Entra ID managed users) can now be unblocked by synthesizing an email inside mapProfileToUser. Rejection logger messages now point at this workaround and at the new "Handling Providers Without Email" docs section.

    Provider profile types now reflect where email can be null or absent:

    • DiscordProfile.email is string | null and optional (absent when the email scope is not granted)
    • AppleProfile.email is optional
    • GithubProfile.email is string | null
    • FacebookProfile.email is optional
    • FacebookProfile.email_verified is optional (Meta's Graph API does not include this field)
    • LinkedInProfile.email is optional
    • LinkedInProfile.email_verified is optional
    • MicrosoftEntraIDProfile.email is optional

    TypeScript consumers who previously dereferenced profile.email directly inside mapProfileToUser will see a compile error that matches the runtime reality; use a nullish-coalescing fallback (profile.email ?? ...) or null-check the field.

    Sign-in still rejects with error=email_not_found (social callback) or error=email_is_missing (Generic OAuth plugin) when neither the provider nor mapProfileToUser produces an email. First-class support for users without an email, keyed on (providerId, accountId) per OpenID Connect Core §5.7, is tracked in #​9124.

  • Updated dependencies [9aa8e63]:

v1.6.7

Patch Changes
  • #​9211 307196a Thanks @​stewartjarod! - Preserve Set-Cookie headers accumulated on ctx.responseHeaders when an endpoint throws APIError. Cookie side-effects from deleteSessionCookie (and any ctx.setCookie / ctx.setHeader calls before the throw) are no longer silently discarded on the error path.

  • #​9292 4f373ee Thanks @​gustavovalverde! - Accept an array of Client IDs on providers that verify ID tokens by audience (Google, Apple, Microsoft Entra, Facebook, Cognito). The first entry is used for the authorization code flow; all entries are accepted when verifying an ID token's aud claim, so a single backend can serve Web, iOS, and Android clients with their platform-specific Client IDs.

    socialProviders: {
      google: {
        clientId: [
          process.env.GOOGLE_WEB_CLIENT_ID!,
          process.env.GOOGLE_IOS_CLIENT_ID!,
          process.env.GOOGLE_ANDROID_CLIENT_ID!,
        ],
        clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      },
    }

    Passing a single string keeps working; no migration needed.

    Also exports getPrimaryClientId from @better-auth/core/oauth2 for provider authors: it returns the primary Client ID (the raw string, or the entry at array index 0), paired with clientSecret for the authorization code flow. Providers now reject empty arrays, empty strings, and missing config at sign-in time instead of silently producing a malformed authorization URL. Google, Apple, and Facebook require both clientId and clientSecret because each of those providers mandates a client secret for their server-side code exchange. Microsoft Entra and Cognito only require clientId, since both support public-client flows with PKCE alone (no secret).

  • #​9293 e1b1cfc Thanks @​gustavovalverde! - Guard against c.body being undefined in parseState. Callback requests that arrive as GET leave c.body unset in some runtimes, which caused c.body.state to throw a TypeError before the existing error redirect could run. The state lookup now short-circuits on the query parameter and falls back to c.body?.state safely, so a callback without a state parameter redirects to the error page instead of crashing.

  • #​4894 d053a45 Thanks @​Kinfe123! - Fire callbackOnVerification when a phone number is verified with updatePhoneNumber: true. The callback previously only ran on initial verification, so consumers relying on it (e.g. to sync verified numbers to an external system) would miss the event when an authenticated user changed their number.

  • Updated dependencies [307196a, 4a180f0, 4f373ee]:

v1.6.6

Patch Changes
  • #​9214 4debfb6 Thanks @​ping-maxwell! - fix(custom-session): use coerced boolean for disableRefresh query param validation

  • #​9235 9ea7eb1 Thanks @​bytaesu! - Preserve the Partitioned attribute when the customSession plugin and framework integrations forward Set-Cookie headers.

  • #​9266 ab4c10f Thanks @​ping-maxwell! - fix(organization): infer team additional fields correctly

  • #​9219 a61083e Thanks @​bytaesu! - Allow removing a phone number with updateUser({ phoneNumber: null }). The verified flag is reset atomically. Changing to a different number still requires OTP verification through verify({ updatePhoneNumber: true }).

  • #​9226 e64ff72 Thanks @​gustavovalverde! - Consolidate host/IP classification behind @better-auth/core/utils/host and close several loopback/SSRF bypasses that the previous per-package regex checks missed.

    Electron user-image proxy: SSRF bypasses closed (@better-auth/electron). fetchUserImage previously gated outbound requests with a bespoke IPv4/IPv6 regex that missed multiple vectors. All of the following were reachable in production and are now blocked:

    • http://tenant.localhost/ and other *.localhost names (RFC 6761 reserves the entire TLD for loopback).
    • http://[::ffff:169.254.169.254]/ (IPv4-mapped IPv6 to AWS IMDS, the classic SSRF bypass).
    • http://metadata.google.internal/, http://metadata.goog/ (GCP instance metadata).
    • http://instance-data/, http://instance-data.ec2.internal/ (AWS IMDS alternate FQDNs).
    • http://100.100.100.200/ (Alibaba Cloud IMDS; lives in RFC 6598 shared address space 100.64/10, which the old regex did not cover).
    • http://0.0.0.0:PORT/ (the Linux/macOS kernel routes the unspecified address to loopback: Oligo's "0.0.0.0 Day").
    • http://[fc00::...]/, http://[fd00::...]/ (IPv6 ULA per RFC 4193) and IPv6 link-local fe80::/10, neither of which the regex recognized.

    Documentation ranges (RFC 5737 / RFC 3849), benchmarking (198.18/15), multicast, and broadcast are also now rejected.

    better-auth: 0.0.0.0 is no longer treated as loopback. The previous isLoopbackHost implementation in packages/better-auth/src/utils/url.ts classified 0.0.0.0 alongside 127.0.0.1 / ::1 / localhost. 0.0.0.0 is the unspecified address, not loopback; treating it as such lets browser-origin requests reach localhost-bound dev services (Oligo's "0.0.0.0 Day"). The helper now accepts the full 127.0.0.0/8 range and any *.localhost name, and rejects 0.0.0.0.

    better-auth: trusted-origin substring hardening. getTrustedOrigins previously used host.includes("localhost") || host.includes("127.0.0.1") when deciding whether to add an http:// variant for a dynamic baseURL.allowedHosts entry. Misconfigurations like evil-localhost.com or 127.0.0.1.nip.io would incorrectly gain an HTTP origin in the trust list. The check now uses the shared classifier, so only real loopback hosts get the HTTP variant.

    @better-auth/oauth-provider: RFC 8252 compliance.

    • §7.3 redirect URI matching now accepts the full 127.0.0.0/8 range (not just 127.0.0.1) plus [::1], with port-flexible comparison. Port-flexible matching is limited to IP literals; DNS names such as localhost continue to use exact-string matching per §8.3 ("NOT RECOMMENDED" for loopback).
    • validateIssuerUrl uses the shared loopback check rather than a two-hostname literal comparison.

    New module: @better-auth/core/utils/host. Exposes classifyHost, isLoopbackIP, isLoopbackHost, and isPublicRoutableHost. One RFC 6890 / RFC 6761 / RFC 8252 implementation that handles IPv4, IPv6 (including bracketed literals, zone IDs, IPv4-mapped addresses, and 6to4 / NAT64 / Teredo tunnel forms with embedded-IPv4 recursion), and FQDNs, with a curated cloud-metadata FQDN set. All bespoke loopback/private/link-local checks across the monorepo now route through it.

  • Updated dependencies [b5742f9, a844c7d, e64ff72]:

v1.6.5

v1.6.4

Patch Changes
  • #​9205 9aed910 Thanks @​gustavovalverde! - fix(two-factor): revert enforcement broadening from #​9122

    Restores the pre-#​9122 enforcement scope. 2FA is challenged only on /sign-in/email, /sign-in/username, and /sign-in/phone-number, matching the behavior that shipped through v1.6.2. Non-credential sign-in flows (magic link, email OTP, OAuth, SSO, passkey, SIWE, one-tap, phone-number OTP, device authorization, email-verification auto-sign-in) are no longer gated by a 2FA challenge by default.

    A broader enforcement scope with per-method opt-outs and alignment to NIST SP 800-63B-4 authenticator assurance levels is planned for a future minor release.

  • #​9068 acbd6ef Thanks @​GautamBytes! - Fix forced UUID user IDs from create hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid".

  • #​9165 39d6af2 Thanks @​gustavovalverde! - chore(adapters): require patched drizzle-orm and kysely peer versions

    Narrows the drizzle-orm peer to ^0.45.2 and the kysely peer to ^0.28.14. Both new ranges track the minor line that carries the vulnerability fix and nothing newer, so the adapters only advertise support for versions that have actually been tested against. Consumers on older ORM releases see an install-time warning and can upgrade alongside the adapter; the peer is marked optional, so installs do not hard-fail.

  • Updated dependencies [39d6af2]:

v1.6.3

Patch Changes
  • #​9131 5142e9c Thanks @​gustavovalverde! - harden dynamic baseURL handling for direct auth.api.* calls and plugin metadata helpers

    Direct auth.api.* calls

    • Throw APIError with a clear message when the baseURL can't be resolved (no source and no fallback), instead of leaving ctx.context.baseURL = "" for downstream plugins to crash on.
    • Convert allowedHosts mismatches on the direct-API path to APIError.
    • Honor advanced.trustedProxyHeaders on the dynamic path (default true, unchanged). Previously x-forwarded-host / -proto were unconditionally trusted with allowedHosts; they now go through the same gate as the static path. The default flip to false ships in a follow-up PR.
    • `resolveRequ

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
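
The host classification and trusted-origin hardening described in the better-auth v1.6.6 note above (#9226) can be sketched as follows. This is an added example, not better-auth's code: `classifyUrlHost`, `substringLooksLocal` and `isLoopback` are hypothetical names, and the tunnel forms (6to4, NAT64, Teredo) and zone IDs the note mentions are left out.

```javascript
// Added example: not better-auth's implementation. All names are hypothetical.
// Metadata names taken from the release note above.
const METADATA_NAMES = new Set([
  "metadata.google.internal", "metadata.goog",
  "instance-data", "instance-data.ec2.internal",
]);

// [network, prefix length, label]; first match wins.
const V4_RANGES = [
  ["0.0.0.0", 8, "unspecified"], // "this network", contains 0.0.0.0
  ["127.0.0.0", 8, "loopback"],
  ["10.0.0.0", 8, "private"], ["172.16.0.0", 12, "private"],
  ["192.168.0.0", 16, "private"],
  ["100.64.0.0", 10, "shared"], // RFC 6598
  ["169.254.0.0", 16, "link-local"],
  ["198.18.0.0", 15, "benchmarking"],
  ["192.0.2.0", 24, "documentation"], ["198.51.100.0", 24, "documentation"],
  ["203.0.113.0", 24, "documentation"],
  ["224.0.0.0", 4, "multicast"],
  ["240.0.0.0", 4, "reserved"], // includes broadcast 255.255.255.255
];

// Dotted quad -> unsigned 32-bit integer, or null if not an IPv4 literal.
function v4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function classifyV4(ip) {
  for (const [net, bits, label] of V4_RANGES) {
    const mask = (~0 << (32 - bits)) >>> 0;
    if (((ip & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0)) return label;
  }
  return "public";
}

// h is the URL parser's normalized IPv6 literal, brackets removed.
function classifyV6(h) {
  if (h === "::1") return "loopback";
  if (h === "::") return "unspecified";
  // IPv4-mapped form: classify the embedded IPv4 address instead.
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (m) return classifyV4(((parseInt(m[1], 16) << 16) | parseInt(m[2], 16)) >>> 0);
  const first = parseInt(h.split(":")[0] || "0", 16);
  if ((first & 0xfe00) === 0xfc00) return "private"; // fc00::/7 ULA
  if ((first & 0xffc0) === 0xfe80) return "link-local"; // fe80::/10
  if ((first & 0xff00) === 0xff00) return "multicast";
  return "public";
}

function classifyUrlHost(url) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[")) return classifyV6(host.slice(1, -1));
  const ip = v4ToInt(host);
  if (ip !== null) return classifyV4(ip);
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  if (METADATA_NAMES.has(host)) return "cloud-metadata";
  return "public"; // a DNS name; this example does not resolve it
}

// The substring test the note quotes as the old getTrustedOrigins check.
const substringLooksLocal = (host) =>
  host.includes("localhost") || host.includes("127.0.0.1");
// Parsed check: only real loopback hosts qualify.
const isLoopback = (url) => classifyUrlHost(url) === "loopback";
```

Only a `"public"` result should be allowed for an outbound fetch, and only a `"loopback"` result should earn the `http://` trusted-origin variant.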


vercel Bot commented May 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nuxt-better-auth-docs Error Error May 12, 2026 7:13am

cloudflare-workers-and-pages Bot commented May 11, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Updated (UTC)
❌ Deployment failed (View logs) | better-auth | 67e0799 | May 12 2026, 07:35 AM

pkg-pr-new Bot commented May 11, 2026

npm i https://pkg.pr.new/@onmax/nuxt-better-auth@346

commit: a6c3ec5


onmax commented May 12, 2026

@renovate rebase

@renovate renovate Bot force-pushed the renovate/dev-dependencies branch from 0e32cac to a6c3ec5 Compare May 12, 2026 06:28
@renovate renovate Bot force-pushed the renovate/dev-dependencies branch from a6c3ec5 to 42565a4 Compare May 12, 2026 06:43

renovate Bot commented May 12, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 3 workspace projects
 WARN  Request took 13974ms: https://registry.npmjs.org/vite
/tmp/renovate/repos/github/nuxt-modules/better-auth/docs:
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "semver@6.3.1" (possible package takeover)

This error happened while installing the dependencies of nuxt@4.3.1
 at @nuxt/vite-builder@4.3.1
 at @vitejs/plugin-vue-jsx@5.1.4
 at @babel/plugin-transform-typescript@7.28.6
 at @babel/helper-create-class-features-plugin@7.28.6

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.
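
The rule in the error text above, ordering by publish date rather than by version number, as an added example (not pnpm's code). The trust ranking, the function names and the release history are assumptions constructed for illustration.

```javascript
// Added example: not pnpm's implementation. Names and data are hypothetical.
// Assumed ranking of the two evidence levels the error message mentions.
const TRUST_RANK = { none: 0, provenance: 1 };

// Returns every release whose trust evidence is weaker than that of some
// release published before it. Order is publish time, never version number.
function findTrustDowngrades(releases) {
  const byDate = [...releases].sort(
    (a, b) => Date.parse(a.published) - Date.parse(b.published));
  const findings = [];
  let strongest = null; // earliest release carrying the strongest evidence so far
  for (const rel of byDate) {
    const rank = TRUST_RANK[rel.trust];
    if (rank === undefined) throw new Error(`unknown trust level: ${rel.trust}`);
    if (strongest && rank < TRUST_RANK[strongest.trust]) {
      findings.push({
        version: rel.version, now: rel.trust,
        had: strongest.trust, since: strongest.version,
      });
    }
    if (!strongest || rank > TRUST_RANK[strongest.trust]) strongest = rel;
  }
  return findings;
}

// A version is installable only if it is not itself a downgrade.
function isInstallable(releases, version) {
  return !findTrustDowngrades(releases).some((f) => f.version === version);
}

// Constructed history of a hypothetical package, not real registry data.
// 1.4.1 is a late patch on the old major line, published after 2.x
// releases that carried provenance attestations.
const SAMPLE_RELEASES = [
  { version: "1.4.0", published: "2021-03-01T00:00:00Z", trust: "none" },
  { version: "2.0.0", published: "2023-04-01T00:00:00Z", trust: "provenance" },
  { version: "2.0.1", published: "2023-05-01T00:00:00Z", trust: "provenance" },
  { version: "1.4.1", published: "2023-07-01T00:00:00Z", trust: "none" },
];
```

With this history, 1.4.0 stays installable while 1.4.1 is refused, even though both lack evidence and 1.4.1 is the lower version by semver than every attested release.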


onmax commented May 12, 2026

@renovate rebase


onmax commented May 12, 2026

@renovatebot rebase

@renovate renovate Bot force-pushed the renovate/dev-dependencies branch from 42565a4 to 2805be1 Compare May 12, 2026 06:53
@renovate renovate Bot force-pushed the renovate/dev-dependencies branch from 2805be1 to 8c82bec Compare May 12, 2026 06:56
@renovate renovate Bot force-pushed the renovate/dev-dependencies branch from 8c82bec to 11668e4 Compare May 12, 2026 07:03
@onmax onmax changed the title chore(deps): update dev dependencies rebase! chore(deps): update dev dependencies May 12, 2026
@renovate renovate Bot force-pushed the renovate/dev-dependencies branch from 11668e4 to 32aee5a Compare May 12, 2026 07:13
@renovate renovate Bot changed the title rebase! chore(deps): update dev dependencies chore(deps): update dev dependencies May 12, 2026
@onmax onmax changed the title chore(deps): update dev dependencies rebase! chore(deps): update dev dependencies May 12, 2026
@renovate renovate Bot force-pushed the renovate/dev-dependencies branch from 32aee5a to 67e0799 Compare May 12, 2026 07:34

vercel Bot commented May 12, 2026

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/maximogarciamartinezs-projects?upgradeToPro=build-rate-limit

@renovate renovate Bot changed the title rebase! chore(deps): update dev dependencies chore(deps): update dev dependencies May 12, 2026
@onmax onmax changed the title chore(deps): update dev dependencies rebase! chore(deps): update dev dependencies May 12, 2026
@onmax onmax changed the title rebase! chore(deps): update dev dependencies chore(deps): update dev dependencies May 12, 2026
@onmax onmax changed the title chore(deps): update dev dependencies rebase! chore(deps): update dev dependencies May 12, 2026