[PR #5490] [MERGED] chore(deps): update dependency hono to v4.10.2 [security] #22936

New Issue

GiteaMirror · 2026-04-15T21:22:41-05:00

GiteaMirror commented

2026-04-15 21:22:41 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/5490
Author: @renovate[bot]
Created: 10/22/2025
Status: ✅ Merged
Merged: 10/22/2025
Merged by: @himself65

Base: canary ← Head: renovate/npm-hono-vulnerability

📝 Commits (1)

67195e9 chore(deps): update dependency hono to v4.10.2 [security]

📊 Changes

1 file changed (+5 additions, -5 deletions)

View changed files

📝 pnpm-lock.yaml (+5 -5)

📄 Description

This PR contains the following updates:

Package	Change	Age	Confidence
hono (source)	`4.9.7` -> `4.10.2`

GitHub Vulnerability Alerts

GHSA-m732-5p4w-x69g

Improper Authorization in Hono (JWT Audience Validation)

Hono’s JWT authentication middleware did not validate the aud (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up).

The issue is addressed by adding a new verification.aud configuration option to allow RFC 7519–compliant audience validation. This change is classified as a security hardening improvement, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification.

Recommended secure configuration

You can enable RFC 7519–compliant audience validation using the new verification.aud option:

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)

Below is the original description by the reporter. For security reasons, it does not include PoC reproduction steps, as the vulnerability can be clearly understood from the technical description.

The original description by the reporter

Summary

Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim.

Note: This problem likely exists in the JWK/JWKS-based middleware as well (e.g., jwk / verifyWithJwks)

Details

The middleware’s verifyOptions enumerate only iss, nbf, iat, and exp; there is no aud option. The same omission appears in the JWT Helper’s “Payload Validation” list. Developers relying on the middleware for complete standards-aligned validation therefore won’t check audience by default.
Standards requirement: RFC 7519 §4.1.3 states that each principal intended to process the JWT MUST identify itself with a value in the aud claim; if it does not, the JWT MUST be rejected (when aud is present). Lack of a first-class aud check increases the risk that tokens issued for Service B are accepted by Service A.
Real-world effect: In deployments with a single IdP/JWKS and shared keys across multiple services, a token minted for one audience can be mistakenly accepted by another audience unless developers implement a custom audience check.
- For example, with Google Identity (OIDC), iss is always https://accounts.google.com (shared across apps), but aud differs per application because it is that app’s OAuth client ID; therefore, an attacker can host a separate service that supports “Sign in with Google,” obtain a valid ID token (JWT) for the victim user, and—if your API does not verify aud—use that token to access your API with the victim’s privileges.

Impact

Type: Authentication/authorization weakness via token mix-up (confused-deputy).

Who is impacted: Any Hono user who:

shares an issuer/keys across multiple services (common with a single IdP/JWKS)
distinguishes tokens by intended recipient using aud.

What can happen:

Cross-service access: A token for Service B may be accepted by Service A.
Boundary erosion: ID tokens and access tokens, or separate API audiences, can be inadvertently intermixed.
- This may causes unauthorized invocation of sensitive endpoints.

Recommended remediation:

Add verifyOptions.aud (string | string[] | RegExp) to the middleware and enforce RFC 7519 semantics: In verify method, if aud is present and does not match with specified audiences, reject.
Ensure equivalent aud handling exists in the JWK/JWKS flow (jwk middleware / verifyWithJwks) so users of external IdPs can enforce audience consistently.

Release Notes

honojs/hono (hono)

`v4.10.2`

Compare Source

`v4.10.1`

Compare Source

What's Changed

fix(types): cannot .use non-return mw from createMiddleware by @NamesMT in #4465

Full Changelog: https://github.com/honojs/hono/compare/v4.10.0...v4.10.1

`v4.10.0`

Compare Source

Release Notes

Hono v4.10.0 is now available!

This release brings improved TypeScript support and new utilities.

The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients.

Middleware Type Improvements

Imagine the following app:

import { Hono } from 'hono'

const app = new Hono()

const routes = app.get(
  '/',
  (c) => {
    return c.json({ errorMessage: 'Error!' }, 500)
  },
  (c) => {
    return c.json({ message: 'Success!' }, 200)
  }
)

The client with RPC:

import { hc } from 'hono/client'

const client = hc<typeof routes>('/')

const res = await client.index.$get()

if (res.status === 500) {
}

if (res.status === 200) {
}

Previously, it couldn't infer the responses from middleware, so a type error was thrown.

Now the responses are correctly typed.

This was a long-standing issue and we were thinking it was super difficult to resolve it. But now come true.

Thank you for the great work @slawekkolodziej!

cloneRawRequest Utility

The new cloneRawRequest utility allows you to clone the raw Request object after it has been consumed by validators or middleware.

import { cloneRawRequest } from 'hono/request'

app.post('/api', async (c) => {
  const body = await c.req.json()

  // Clone the consumed request
  const clonedRequest = cloneRawRequest(c.req)
  await externalLibrary.process(clonedRequest)
})

Thanks @kamaal111!

New features

feat(types): passing middleware types #4393
feat(ssg): add default plugin that defines the recommended behavior #4394
feat(request): add cloneRawRequest utility for request cloning #4382

All changes

feat(types): passing middleware types by @slawekkolodziej in #4393
feat(ssg): add default plugin that defines the recommended behavior by @3w36zj6 in #4394
feat(request): add cloneRawRequest utility for request cloning by @kamaal111 in #4382
fix(proxy): Correct hop-by-hop header handling per RFC 9110 by @sugar-cat7 in #4459

New Contributors

@slawekkolodziej made their first contribution in #4393
@kamaal111 made their first contribution in #4382

Full Changelog: https://github.com/honojs/hono/compare/v4.9.12...v4.10.0

`v4.9.12`

Compare Source

What's Changed

refactor: internal structure of PreparedRegExpRouter for optimization and added tests by @usualoma in #4456
refactor: use protected methods instead of computed properties to allow tree shaking by @usualoma in #4458

Full Changelog: https://github.com/honojs/hono/compare/v4.9.11...v4.9.12

`v4.9.11`

Compare Source

What's Changed

fix(types): fix 4.9.8 regression by @aadito123 in #4448
feat(reg-exp-router): Introduced PreparedRegExpRouter by @usualoma in #1796

New Contributors

@aadito123 made their first contribution in #4448

Full Changelog: https://github.com/honojs/hono/compare/v4.9.10...v4.9.11

`v4.9.10`

Compare Source

What's Changed

fix(context): Fix #4427 type regression by removing non-public export by @aantthony in #4433
fix(aws-lambda): sanitize non-ASCII header values to prevent ByteString errors by @yusukebe in #4437

Full Changelog: https://github.com/honojs/hono/compare/v4.9.9...v4.9.10

`v4.9.9`

Compare Source

What's Changed

fix(service-worker): Update service-worker fire() to accept generic variants of Hono app instance by @harmony7 in #4420
fix(service-worker): correct generics for handle by @yusukebe in #4421
feat(helper/route): enable to get route path at specific index by @usualoma in #4423

New Contributors

@harmony7 made their first contribution in #4420

Full Changelog: https://github.com/honojs/hono/compare/v4.9.8...v4.9.9

`v4.9.8`

Compare Source

What's Changed

fix(types): JSONParsed infer unknown values by @BarryThePenguin in #4405
refactor(types): remove SimplifyDeepArray from json types by @BarryThePenguin in #4406
refactor(types): fix the type definitions in hono-base by @yusukebe in #4407
fix(request): return empty string for empty catch-all param by @amitksingh0880 in #4395

New Contributors

@amitksingh0880 made their first contribution in #4395

Full Changelog: https://github.com/honojs/hono/compare/v4.9.7...v4.9.8

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/5490 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 10/22/2025 **Status:** ✅ Merged **Merged:** 10/22/2025 **Merged by:** [@himself65](https://github.com/himself65) **Base:** `canary` ← **Head:** `renovate/npm-hono-vulnerability` --- ### 📝 Commits (1) - [`67195e9`](https://github.com/better-auth/better-auth/commit/67195e9855f234a61e0c499d020fcaf99ecab805) chore(deps): update dependency hono to v4.10.2 [security] ### 📊 Changes **1 file changed** (+5 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `pnpm-lock.yaml` (+5 -5) </details> ### 📄 Description This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [hono](https://hono.dev) ([source](https://redirect.github.com/honojs/hono)) | [`4.9.7` -> `4.10.2`](https://renovatebot.com/diffs/npm/hono/4.9.7/4.10.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/hono/4.10.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/hono/4.9.7/4.10.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [GHSA-m732-5p4w-x69g](https://redirect.github.com/honojs/hono/security/advisories/GHSA-m732-5p4w-x69g) ### Improper Authorization in Hono (JWT Audience Validation) Hono’s JWT authentication middleware did not validate the `aud` (Audience) claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential cross-service access (token mix-up). The issue is addressed by adding a new `verification.aud` configuration option to allow RFC 7519–compliant audience validation. This change is classified as a **security hardening improvement**, but the lack of validation can still be considered a vulnerability in deployments that rely on default JWT verification. ### Recommended secure configuration You can enable RFC 7519–compliant audience validation using the new `verification.aud` option: ```ts import { Hono } from 'hono' import { jwt } from 'hono/jwt' const app = new Hono() app.use( '/api/*', jwt({ secret: 'my-secret', verification: { // Require this API to only accept tokens with aud = 'service-a' aud: 'service-a', }, }) ) ``` Below is the original description by the reporter. For security reasons, it does not include PoC reproduction steps, as the vulnerability can be clearly understood from the technical description. --- ## The original description by the reporter ### Summary Hono’s **JWT Auth Middleware does not provide a built-in `aud` (Audience) verification option**, which can cause **confused-deputy / token-mix-up** issues: an API may accept a valid token that was **issued for a different audience** (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for `iss/nbf/iat/exp` only, with **no `aud` support**; RFC 7519 requires that when an `aud` claim is present, tokens **MUST** be rejected unless the processing party identifies itself in that claim. **Note:** This problem likely exists in the **JWK/JWKS-based middleware** as well (e.g., `jwk` / `verifyWithJwks`) ### Details - The middleware’s `verifyOptions` enumerate only `iss`, `nbf`, `iat`, and `exp`; there is **no `aud` option**. The same omission appears in the JWT Helper’s “Payload Validation” list. Developers relying on the middleware for complete standards-aligned validation therefore won’t check audience by default. - **Standards requirement:** RFC 7519 §4.1.3 states that each principal intended to process the JWT **MUST** identify itself with a value in the `aud` claim; if it does not, the JWT **MUST** be rejected (when `aud` is present). Lack of a first-class `aud` check increases the risk that tokens issued for **Service B** are accepted by **Service A**. - **Real-world effect:** In deployments with a single IdP/JWKS and shared keys across multiple services, a token minted for one audience can be mistakenly accepted by another audience unless developers implement a custom audience check. - For example, with Google Identity (OIDC), iss is always https://accounts.google.com (shared across apps), but aud differs per application because it is that app’s OAuth client ID; therefore, an attacker can host a separate service that supports “Sign in with Google,” obtain a valid ID token (JWT) for the victim user, and—if your API does not verify aud—use that token to access your API with the victim’s privileges. ### Impact **Type:** Authentication/authorization weakness via **token mix-up (confused-deputy)**. **Who is impacted:** Any Hono user who: - shares an issuer/keys across multiple services (common with a single IdP/JWKS) - distinguishes tokens by intended recipient using `aud`. **What can happen:** - **Cross-service access:** A token for *Service B* may be accepted by *Service A*. - **Boundary erosion:** ID tokens and access tokens, or separate API audiences, can be inadvertently intermixed. - This may causes unauthorized invocation of sensitive endpoints. **Recommended remediation:** 1) Add `verifyOptions.aud` (`string | string[] | RegExp`) to the middleware and enforce RFC 7519 semantics: In [verify method](https://redirect.github.com/honojs/hono/blob/db764c2f1d8a2905d66c78c41aa47e47d3a4165d/src/utils/jwt/jwt.ts#L99-L156), if `aud` is present and does not match with specified audiences, reject. 2) Ensure equivalent `aud` handling exists in the JWK/JWKS flow (`jwk` middleware / `verifyWithJwks`) so users of external IdPs can enforce audience consistently. --- ### Release Notes <details> <summary>honojs/hono (hono)</summary> ### [`v4.10.2`](https://redirect.github.com/honojs/hono/compare/v4.10.1...0c6455dc10db6428257bdd601eca559247e27de6) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.10.1...v4.10.2) ### [`v4.10.1`](https://redirect.github.com/honojs/hono/releases/tag/v4.10.1) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.10.0...v4.10.1) #### What's Changed - fix(types): cannot `.use` non-return mw from `createMiddleware` by [@NamesMT](https://redirect.github.com/NamesMT) in [#4465](https://redirect.github.com/honojs/hono/pull/4465) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.10.0...v4.10.1> ### [`v4.10.0`](https://redirect.github.com/honojs/hono/releases/tag/v4.10.0) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.9.12...v4.10.0) ### Release Notes Hono v4.10.0 is now available! This release brings improved TypeScript support and new utilities. The main highlight is the enhanced middleware type definitions that solve a long-standing issue with type safety for RPC clients. #### Middleware Type Improvements Imagine the following app: ```ts import { Hono } from 'hono' const app = new Hono() const routes = app.get( '/', (c) => { return c.json({ errorMessage: 'Error!' }, 500) }, (c) => { return c.json({ message: 'Success!' }, 200) } ) ``` The client with RPC: ```ts import { hc } from 'hono/client' const client = hc<typeof routes>('/') const res = await client.index.$get() if (res.status === 500) { } if (res.status === 200) { } ``` Previously, it couldn't infer the responses from middleware, so a type error was thrown. <img width="1538" height="724" alt="CleanShot 2025-10-17 at 06 51 48@2x" src="https://github.com/user-attachments/assets/7e660db0-6c52-4249-9a3d-2932614bbace" /> Now the responses are correctly typed. <img width="1586" height="876" alt="CleanShot 2025-10-17 at 06 54 13@2x" src="https://github.com/user-attachments/assets/ef6136f1-bc26-4625-9238-0aec25110efc" /> *** This was a long-standing issue and we were thinking it was super difficult to resolve it. But now come true. Thank you for the great work [@slawekkolodziej](https://redirect.github.com/slawekkolodziej)! #### cloneRawRequest Utility The new `cloneRawRequest` utility allows you to clone the raw Request object after it has been consumed by validators or middleware. ```ts import { cloneRawRequest } from 'hono/request' app.post('/api', async (c) => { const body = await c.req.json() // Clone the consumed request const clonedRequest = cloneRawRequest(c.req) await externalLibrary.process(clonedRequest) }) ``` Thanks [@kamaal111](https://redirect.github.com/kamaal111)! #### New features - feat(types): passing middleware types [#4393](https://redirect.github.com/honojs/hono/pull/4393) - feat(ssg): add default plugin that defines the recommended behavior [#4394](https://redirect.github.com/honojs/hono/pull/4394) - feat(request): add cloneRawRequest utility for request cloning [#4382](https://redirect.github.com/honojs/hono/pull/4382) #### All changes - feat(types): passing middleware types by [@slawekkolodziej](https://redirect.github.com/slawekkolodziej) in [#4393](https://redirect.github.com/honojs/hono/pull/4393) - feat(ssg): add default plugin that defines the recommended behavior by [@3w36zj6](https://redirect.github.com/3w36zj6) in [#4394](https://redirect.github.com/honojs/hono/pull/4394) - feat(request): add cloneRawRequest utility for request cloning by [@kamaal111](https://redirect.github.com/kamaal111) in [#4382](https://redirect.github.com/honojs/hono/pull/4382) - fix(proxy): Correct hop-by-hop header handling per RFC 9110 by [@sugar-cat7](https://redirect.github.com/sugar-cat7) in [#4459](https://redirect.github.com/honojs/hono/pull/4459) #### New Contributors - [@slawekkolodziej](https://redirect.github.com/slawekkolodziej) made their first contribution in [#4393](https://redirect.github.com/honojs/hono/pull/4393) - [@kamaal111](https://redirect.github.com/kamaal111) made their first contribution in [#4382](https://redirect.github.com/honojs/hono/pull/4382) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.12...v4.10.0> ### [`v4.9.12`](https://redirect.github.com/honojs/hono/releases/tag/v4.9.12) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.9.11...v4.9.12) #### What's Changed - refactor: internal structure of `PreparedRegExpRouter` for optimization and added tests by [@usualoma](https://redirect.github.com/usualoma) in [#4456](https://redirect.github.com/honojs/hono/pull/4456) - refactor: use protected methods instead of computed properties to allow `tree shaking` by [@usualoma](https://redirect.github.com/usualoma) in [#4458](https://redirect.github.com/honojs/hono/pull/4458) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.11...v4.9.12> ### [`v4.9.11`](https://redirect.github.com/honojs/hono/releases/tag/v4.9.11) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.9.10...v4.9.11) #### What's Changed - fix(types): fix 4.9.8 regression by [@aadito123](https://redirect.github.com/aadito123) in [#4448](https://redirect.github.com/honojs/hono/pull/4448) - feat(reg-exp-router): Introduced PreparedRegExpRouter by [@usualoma](https://redirect.github.com/usualoma) in [#1796](https://redirect.github.com/honojs/hono/pull/1796) #### New Contributors - [@aadito123](https://redirect.github.com/aadito123) made their first contribution in [#4448](https://redirect.github.com/honojs/hono/pull/4448) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.10...v4.9.11> ### [`v4.9.10`](https://redirect.github.com/honojs/hono/releases/tag/v4.9.10) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.9.9...v4.9.10) #### What's Changed - fix(context): Fix [#4427](https://redirect.github.com/honojs/hono/issues/4427) type regression by removing non-public export by [@aantthony](https://redirect.github.com/aantthony) in [#4433](https://redirect.github.com/honojs/hono/pull/4433) - fix(aws-lambda): sanitize non-ASCII header values to prevent ByteString errors by [@yusukebe](https://redirect.github.com/yusukebe) in [#4437](https://redirect.github.com/honojs/hono/pull/4437) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.9...v4.9.10> ### [`v4.9.9`](https://redirect.github.com/honojs/hono/releases/tag/v4.9.9) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.9.8...v4.9.9) #### What's Changed - fix(service-worker): Update service-worker fire() to accept generic variants of Hono app instance by [@harmony7](https://redirect.github.com/harmony7) in [#4420](https://redirect.github.com/honojs/hono/pull/4420) - fix(service-worker): correct generics for `handle` by [@yusukebe](https://redirect.github.com/yusukebe) in [#4421](https://redirect.github.com/honojs/hono/pull/4421) - feat(helper/route): enable to get route path at specific index by [@usualoma](https://redirect.github.com/usualoma) in [#4423](https://redirect.github.com/honojs/hono/pull/4423) #### New Contributors - [@harmony7](https://redirect.github.com/harmony7) made their first contribution in [#4420](https://redirect.github.com/honojs/hono/pull/4420) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.8...v4.9.9> ### [`v4.9.8`](https://redirect.github.com/honojs/hono/releases/tag/v4.9.8) [Compare Source](https://redirect.github.com/honojs/hono/compare/v4.9.7...v4.9.8) #### What's Changed - fix(types): JSONParsed infer unknown values by [@BarryThePenguin](https://redirect.github.com/BarryThePenguin) in [#4405](https://redirect.github.com/honojs/hono/pull/4405) - refactor(types): remove SimplifyDeepArray from json types by [@BarryThePenguin](https://redirect.github.com/BarryThePenguin) in [#4406](https://redirect.github.com/honojs/hono/pull/4406) - refactor(types): fix the type definitions in hono-base by [@yusukebe](https://redirect.github.com/yusukebe) in [#4407](https://redirect.github.com/honojs/hono/pull/4407) - fix(request): return empty string for empty catch-all param by [@amitksingh0880](https://redirect.github.com/amitksingh0880) in [#4395](https://redirect.github.com/honojs/hono/pull/4395) #### New Contributors - [@amitksingh0880](https://redirect.github.com/amitksingh0880) made their first contribution in [#4395](https://redirect.github.com/honojs/hono/pull/4395) **Full Changelog**: <https://github.com/honojs/hono/compare/v4.9.7...v4.9.8> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/better-auth/better-auth).  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-15 21:22:41 -05:00

GiteaMirror closed this issue

2026-04-15 21:22:41 -05:00

Sign in to join this conversation.

Branches Tags

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#22936