mirror of
https://github.com/better-auth/better-auth.git
synced 2026-05-23 07:18:56 -05:00
[PR #9164] [MERGED] fix(stripe): prevent prototype pollution via user-supplied metadata #25379
Closed
opened 2026-04-15 22:51:41 -05:00 by GiteaMirror
·
0 comments
No Branch/Tag Specified
2026-05-22/chore/adopt-agents-md
2026-05-22/refactor/string-case-utils
dependabot/npm_and_yarn/uuid-14.0.0
dependabot/npm_and_yarn/turbo-2.9.14
changeset-release/main
main
2026-05-14/fix/passkey-verify-error-and-claim
dependabot/npm_and_yarn/samlify-2.13.0
dependabot/npm_and_yarn/ws-8.20.1
changeset-release/next
next
ping-maxwell/c-ping-maxwell/fix-error-link-apostrophe-f89a
dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f
dependabot/github_actions/github-actions-98f3470200
client-assertions-main
2026-05-15/ci/fix-sqlite-abi-mismatch
2026-05-15/fix/organization-team-add-cascade
2026-05-15/fix/parse-set-cookie-value-validation
2026-05-13/feat/captcha-wildcard-endpoints
2026-05-13/ci/stabilize-docker-startup
fix/i18n-before-hook-translation
fix/disable-migration-generate
2026-05-07/fix/admin-set-password-upsert
2026-05-10/fix/cookie-drain-order
2026-05-10/feat/hooks-finally
2026-05-09/fix/cookie-drain-order
2026-05-09/feat/hooks-finally
2026-05-08/feat/register-before-send
fix/stripe/subscription-data-merge
2026-05-01/chore/pnpm-v11-harden
chore/pnpm-v11
2026-04-29/feat/google-include-granted-scopes
2026-04-29/fix/oauth-account-scope-semantics
2026-04-27/fix/nextcookies-idempotent-writes
2026-04-26/fix/harden-proxy-host-validation
2026-04-26/refactor/stripe-callback-signature-cleanup
2026-04-26/fix/stripe-subscription-callback-timing
2026-04-11/fix/sveltekit-app-modules
feat/open-api-zod-contract
feat/oauth-provider-backchannel-logout-next
feat/oauth-idp-initiated-bounce
refactor/sign-in-challenges
2026-04-21/fix/oauth-rfc-input-validation
fix/release-notes-new-packages
fix/two-factor-identity-guard
fix/resource
feat/emailpassword-authorize
2026-04-12/security/dynamic-baseurl-proxy-trust-default
feat/oauth-provider-at-hash-v2
fix/release-grep-fallback
claude/address-review-comments-JhFLr
claude/slack-update-stripe-docs-consistency-8Sc0w
feat/async-auth
fix/two-factor-totp-verified-enrollment
feat/plugin-ui
codex/blog-1-6-release-post
2026-04-06/fix/type-any-guards
2026-04-05/chore/downgrade-better-call
2026-04-04/ci/skip-vercel-fork-prs
2026-03-28/ci/add-autofix-ci
chore/release-preview-script
himself65/2026/02/19/role
2026-03-24/fix/update-user-info-on-link
2026-03-20/docs/improve-website
2026-03-20/fix/anonymous-onlinkaccount-expo
2026-02-17/fix/anonymous-link-state
fix/8607-saml-inresponseto
fix/8549-scim-patch-noop
v1.4.x
refactor/migration-snapshot-tests
worktree-magic-link-additional-data
chore/migrate-build-to-rollup
worktree-fix-dynamic-baseurl-8447
2026-03-06/chore/public-api-check
fix/close-8156-regression-test
fix/secondary-storage-json-error-handling
himself65/verification-namespace
cursor/issue-8307-validation-79a3
himself65/2026/01/30/error-mdx
v1.4.x-staging
fix/email-otp-user
fix/restrict-full-organization-access-roles
himself65/2026/02/12/count
himself65/2026/02/04/define-plugin
2026-02-04/feat/add-pluralize
cursor/better-auth-js-integration-ec21
cursor/expo-state-mismatch-394c
2026-02-01/fix/org-update-role-sync-members
cursor/issue-7607-investigation-e146
cursor/email-generation-helper-0ff6
himself65/2026/01/21/avoid-spread-operator
himself65/2026/01/14/cli
claude/slack-add-docs-pr-NMvgO
claude/slack-add-advanced-useplural-WHKYL
feat/hooks-pos
feat/2fa-phone
feat/2fa
fix/rotation
fix/username-check
v1.3.x
refactor/organization
feat/multiple-client-ids-social-providers
better-auth@1.6.11
auth@1.6.11
@better-auth/test-utils@1.6.11
@better-auth/telemetry@1.6.11
@better-auth/stripe@1.6.11
@better-auth/sso@1.6.11
@better-auth/scim@1.6.11
@better-auth/api-key@1.6.11
@better-auth/redis-storage@1.6.11
@better-auth/core@1.6.11
@better-auth/oauth-provider@1.6.11
@better-auth/mongo-adapter@1.6.11
@better-auth/memory-adapter@1.6.11
@better-auth/kysely-adapter@1.6.11
@better-auth/i18n@1.6.11
@better-auth/expo@1.6.11
@better-auth/electron@1.6.11
@better-auth/drizzle-adapter@1.6.11
@better-auth/prisma-adapter@1.6.11
@better-auth/passkey@1.6.11
v1.6.11
better-auth@1.7.0-beta.3
auth@1.7.0-beta.3
@better-auth/test-utils@1.7.0-beta.3
@better-auth/telemetry@1.7.0-beta.3
@better-auth/stripe@1.7.0-beta.3
@better-auth/sso@1.7.0-beta.3
@better-auth/scim@1.7.0-beta.3
@better-auth/redis-storage@1.7.0-beta.3
@better-auth/prisma-adapter@1.7.0-beta.3
@better-auth/passkey@1.7.0-beta.3
@better-auth/oauth-provider@1.7.0-beta.3
@better-auth/mongo-adapter@1.7.0-beta.3
@better-auth/memory-adapter@1.7.0-beta.3
@better-auth/kysely-adapter@1.7.0-beta.3
@better-auth/i18n@1.7.0-beta.3
@better-auth/expo@1.7.0-beta.3
@better-auth/electron@1.7.0-beta.3
@better-auth/drizzle-adapter@1.7.0-beta.3
@better-auth/core@1.7.0-beta.3
@better-auth/cimd@1.7.0-beta.3
@better-auth/api-key@1.7.0-beta.3
v1.7.0-beta.3
better-auth@1.6.10
auth@1.6.10
@better-auth/test-utils@1.6.10
@better-auth/telemetry@1.6.10
@better-auth/stripe@1.6.10
@better-auth/sso@1.6.10
@better-auth/scim@1.6.10
@better-auth/redis-storage@1.6.10
@better-auth/prisma-adapter@1.6.10
@better-auth/passkey@1.6.10
@better-auth/oauth-provider@1.6.10
@better-auth/mongo-adapter@1.6.10
@better-auth/memory-adapter@1.6.10
@better-auth/kysely-adapter@1.6.10
@better-auth/i18n@1.6.10
@better-auth/expo@1.6.10
@better-auth/electron@1.6.10
@better-auth/drizzle-adapter@1.6.10
@better-auth/core@1.6.10
@better-auth/api-key@1.6.10
v1.6.10
better-auth@1.6.9
auth@1.6.9
@better-auth/test-utils@1.6.9
@better-auth/telemetry@1.6.9
@better-auth/stripe@1.6.9
@better-auth/sso@1.6.9
@better-auth/scim@1.6.9
@better-auth/redis-storage@1.6.9
@better-auth/prisma-adapter@1.6.9
@better-auth/passkey@1.6.9
@better-auth/oauth-provider@1.6.9
@better-auth/mongo-adapter@1.6.9
@better-auth/memory-adapter@1.6.9
@better-auth/kysely-adapter@1.6.9
@better-auth/i18n@1.6.9
@better-auth/expo@1.6.9
@better-auth/electron@1.6.9
@better-auth/drizzle-adapter@1.6.9
@better-auth/core@1.6.9
@better-auth/api-key@1.6.9
v1.6.9
better-auth@1.6.8
auth@1.6.8
@better-auth/test-utils@1.6.8
@better-auth/telemetry@1.6.8
@better-auth/stripe@1.6.8
@better-auth/sso@1.6.8
@better-auth/scim@1.6.8
@better-auth/redis-storage@1.6.8
@better-auth/prisma-adapter@1.6.8
@better-auth/passkey@1.6.8
@better-auth/oauth-provider@1.6.8
@better-auth/mongo-adapter@1.6.8
@better-auth/memory-adapter@1.6.8
@better-auth/kysely-adapter@1.6.8
@better-auth/i18n@1.6.8
@better-auth/expo@1.6.8
@better-auth/electron@1.6.8
@better-auth/drizzle-adapter@1.6.8
@better-auth/core@1.6.8
@better-auth/api-key@1.6.8
v1.6.8
@better-auth/api-key@1.7.0-beta.2
better-auth@1.7.0-beta.2
auth@1.7.0-beta.2
@better-auth/test-utils@1.7.0-beta.2
@better-auth/telemetry@1.7.0-beta.2
@better-auth/stripe@1.7.0-beta.2
@better-auth/sso@1.7.0-beta.2
@better-auth/scim@1.7.0-beta.2
@better-auth/redis-storage@1.7.0-beta.2
@better-auth/prisma-adapter@1.7.0-beta.2
@better-auth/passkey@1.7.0-beta.2
@better-auth/oauth-provider@1.7.0-beta.2
@better-auth/mongo-adapter@1.7.0-beta.2
@better-auth/memory-adapter@1.7.0-beta.2
@better-auth/kysely-adapter@1.7.0-beta.2
@better-auth/i18n@1.7.0-beta.2
@better-auth/expo@1.7.0-beta.2
@better-auth/electron@1.7.0-beta.2
@better-auth/drizzle-adapter@1.7.0-beta.2
@better-auth/core@1.7.0-beta.2
@better-auth/cimd@1.7.0-beta.2
v1.7.0-beta.2
better-auth@1.6.7
auth@1.6.7
@better-auth/test-utils@1.6.7
@better-auth/telemetry@1.6.7
@better-auth/stripe@1.6.7
@better-auth/sso@1.6.7
@better-auth/scim@1.6.7
@better-auth/redis-storage@1.6.7
@better-auth/prisma-adapter@1.6.7
@better-auth/passkey@1.6.7
@better-auth/oauth-provider@1.6.7
@better-auth/mongo-adapter@1.6.7
@better-auth/memory-adapter@1.6.7
@better-auth/kysely-adapter@1.6.7
@better-auth/i18n@1.6.7
@better-auth/expo@1.6.7
@better-auth/electron@1.6.7
@better-auth/drizzle-adapter@1.6.7
@better-auth/core@1.6.7
@better-auth/api-key@1.6.7
v1.6.7
better-auth@1.6.6
auth@1.6.6
@better-auth/test-utils@1.6.6
@better-auth/telemetry@1.6.6
@better-auth/stripe@1.6.6
@better-auth/sso@1.6.6
@better-auth/scim@1.6.6
@better-auth/redis-storage@1.6.6
@better-auth/prisma-adapter@1.6.6
@better-auth/passkey@1.6.6
@better-auth/oauth-provider@1.6.6
@better-auth/mongo-adapter@1.6.6
@better-auth/memory-adapter@1.6.6
@better-auth/kysely-adapter@1.6.6
@better-auth/i18n@1.6.6
@better-auth/expo@1.6.6
@better-auth/electron@1.6.6
@better-auth/drizzle-adapter@1.6.6
@better-auth/core@1.6.6
@better-auth/api-key@1.6.6
v1.6.6
better-auth@1.6.5
auth@1.6.5
@better-auth/test-utils@1.6.5
@better-auth/telemetry@1.6.5
@better-auth/stripe@1.6.5
@better-auth/sso@1.6.5
@better-auth/scim@1.6.5
@better-auth/redis-storage@1.6.5
@better-auth/prisma-adapter@1.6.5
@better-auth/passkey@1.6.5
@better-auth/oauth-provider@1.6.5
@better-auth/mongo-adapter@1.6.5
@better-auth/memory-adapter@1.6.5
@better-auth/kysely-adapter@1.6.5
@better-auth/i18n@1.6.5
@better-auth/expo@1.6.5
@better-auth/electron@1.6.5
@better-auth/drizzle-adapter@1.6.5
@better-auth/core@1.6.5
@better-auth/api-key@1.6.5
v1.6.5
@better-auth/api-key@1.6.4
better-auth@1.6.4
auth@1.6.4
@better-auth/test-utils@1.6.4
@better-auth/telemetry@1.6.4
@better-auth/stripe@1.6.4
@better-auth/sso@1.6.4
@better-auth/scim@1.6.4
@better-auth/redis-storage@1.6.4
@better-auth/prisma-adapter@1.6.4
@better-auth/passkey@1.6.4
@better-auth/oauth-provider@1.6.4
@better-auth/mongo-adapter@1.6.4
@better-auth/memory-adapter@1.6.4
@better-auth/kysely-adapter@1.6.4
@better-auth/i18n@1.6.4
@better-auth/expo@1.6.4
@better-auth/electron@1.6.4
@better-auth/drizzle-adapter@1.6.4
@better-auth/core@1.6.4
v1.6.4
@better-auth/cimd@1.7.0-beta.1
v1.7.0-beta.1
@better-auth/api-key@1.6.3
better-auth@1.6.3
auth@1.6.3
@better-auth/test-utils@1.6.3
@better-auth/telemetry@1.6.3
@better-auth/stripe@1.6.3
@better-auth/sso@1.6.3
@better-auth/scim@1.6.3
@better-auth/redis-storage@1.6.3
@better-auth/prisma-adapter@1.6.3
@better-auth/passkey@1.6.3
@better-auth/oauth-provider@1.6.3
@better-auth/mongo-adapter@1.6.3
@better-auth/memory-adapter@1.6.3
@better-auth/kysely-adapter@1.6.3
@better-auth/i18n@1.6.3
@better-auth/expo@1.6.3
@better-auth/electron@1.6.3
@better-auth/drizzle-adapter@1.6.3
@better-auth/core@1.6.3
v1.6.3
@better-auth/api-key@1.7.0-beta.0
better-auth@1.7.0-beta.0
auth@1.7.0-beta.0
@better-auth/test-utils@1.7.0-beta.0
@better-auth/telemetry@1.7.0-beta.0
@better-auth/stripe@1.7.0-beta.0
@better-auth/sso@1.7.0-beta.0
@better-auth/scim@1.7.0-beta.0
@better-auth/redis-storage@1.7.0-beta.0
@better-auth/prisma-adapter@1.7.0-beta.0
@better-auth/passkey@1.7.0-beta.0
@better-auth/oauth-provider@1.7.0-beta.0
@better-auth/mongo-adapter@1.7.0-beta.0
@better-auth/memory-adapter@1.7.0-beta.0
@better-auth/kysely-adapter@1.7.0-beta.0
@better-auth/i18n@1.7.0-beta.0
@better-auth/expo@1.7.0-beta.0
@better-auth/electron@1.7.0-beta.0
@better-auth/drizzle-adapter@1.7.0-beta.0
@better-auth/core@1.7.0-beta.0
v1.7.0-beta.0
better-auth@1.6.2
auth@1.6.2
@better-auth/test-utils@1.6.2
@better-auth/telemetry@1.6.2
@better-auth/stripe@1.6.2
@better-auth/sso@1.6.2
@better-auth/scim@1.6.2
@better-auth/redis-storage@1.6.2
@better-auth/prisma-adapter@1.6.2
@better-auth/passkey@1.6.2
@better-auth/oauth-provider@1.6.2
@better-auth/mongo-adapter@1.6.2
@better-auth/memory-adapter@1.6.2
@better-auth/kysely-adapter@1.6.2
@better-auth/i18n@1.6.2
@better-auth/expo@1.6.2
@better-auth/electron@1.6.2
@better-auth/drizzle-adapter@1.6.2
@better-auth/core@1.6.2
@better-auth/api-key@1.6.2
v1.6.2
better-auth@1.6.1
auth@1.6.1
@better-auth/test-utils@1.6.1
@better-auth/telemetry@1.6.1
@better-auth/stripe@1.6.1
@better-auth/sso@1.6.1
@better-auth/scim@1.6.1
@better-auth/redis-storage@1.6.1
@better-auth/prisma-adapter@1.6.1
@better-auth/passkey@1.6.1
@better-auth/oauth-provider@1.6.1
@better-auth/mongo-adapter@1.6.1
@better-auth/memory-adapter@1.6.1
@better-auth/kysely-adapter@1.6.1
@better-auth/i18n@1.6.1
@better-auth/expo@1.6.1
@better-auth/electron@1.6.1
@better-auth/drizzle-adapter@1.6.1
@better-auth/core@1.6.1
@better-auth/api-key@1.6.1
v1.6.1
better-auth@1.6.0
auth@1.6.0
@better-auth/test-utils@1.6.0
@better-auth/telemetry@1.6.0
@better-auth/stripe@1.6.0
@better-auth/sso@1.6.0
@better-auth/scim@1.6.0
@better-auth/redis-storage@1.6.0
@better-auth/prisma-adapter@1.6.0
@better-auth/passkey@1.6.0
@better-auth/oauth-provider@1.6.0
@better-auth/mongo-adapter@1.6.0
@better-auth/memory-adapter@1.6.0
@better-auth/kysely-adapter@1.6.0
@better-auth/i18n@1.6.0
@better-auth/expo@1.6.0
@better-auth/electron@1.6.0
@better-auth/drizzle-adapter@1.6.0
@better-auth/core@1.6.0
@better-auth/api-key@1.6.0
v1.6.0
v1.5.7-beta.1
v1.5.1-beta.4
v1.5.6
v1.4.22
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1-beta.3
v1.5.1-beta.2
v1.5.1
v1.4.21
v1.5.1-beta.1
v1.5.0
v1.4.20
v1.5.0-beta.20
v1.5.0-beta.19
v1.5.0-beta.18
v1.4.19
v1.5.0-beta.17
v1.5.0-beta.16
v1.5.0-beta.15
v1.5.0-beta.14
v1.5.0-beta.13
v1.5.0-beta.12
v1.5.0-beta.11
v1.4.18
v1.5.0-beta.10
v1.5.0-beta.9
v1.4.17
v1.4.16
v1.4.15
v1.5.0-beta.8
v1.4.14
v1.4.13
v1.5.0-beta.7
v1.4.12
v1.4.12-beta.2
v1.5.0-beta.6
v1.4.12-beta.1
v1.5.0-beta.5
v1.4.11
v1.5.0-beta.4
v1.4.11-beta.2
v1.5.0-beta.3
v1.4.11-beta.1
v1.4.10
v1.5.0-beta.2
v1.4.10-beta.1
v1.4.9-beta.1
v1.5.0-beta.1
v1.4.9
v1.4.8
v1.4.8-beta.7
v1.4.8-beta.6
v1.4.8-beta.5
v1.4.8-beta.4
v1.4.8-beta.3
v1.4.8-beta.2
v1.4.8-beta.1
v1.4.7
v1.4.7-beta.4
v1.4.7-beta.3
v1.4.7-beta.2
v1.4.6-beta.5
v1.4.7-beta.1
v1.4.6
v1.4.6-beta.4
v1.4.6-beta.3
v1.4.5
v1.4.6-beta.2
v1.4.6-beta.1
v1.4.5-beta.2
v1.4.5-beta.1
v1.4.4-beta.3
v1.4.4
v1.4.4-beta.2
v1.4.4-beta.1
v1.4.3
v1.4.2
v1.4.2-beta.5
v1.4.2-beta.4
v1.4.2-beta.3
v1.4.2-beta.2
v1.4.2-beta.1
v1.4.1
v1.4.1-beta.1
v1.4.0
v1.4.0-beta.28
v1.4.0-beta.27
v1.4.0-beta.26
v1.4.0-beta.25
v1.4.0-beta.24
v1.4.0-beta.23
v1.4.0-beta.22
v1.4.0-beta.21
v1.4.0-beta.20
v1.4.0-beta.19
v1.4.0-beta.18
v1.4.0-beta.17
v1.4.0-beta.16
v1.4.0-beta.15
v1.3.34
v1.3.33
v1.4.0-beta.14
v1.3.32
v1.3.31
v1.3.30
v1.4.0-beta.13
v1.3.29
v1.4.0-beta.12
v1.3.28
v1.4.0-beta.11
v1.4.0-beta.10
v1.4.0-beta.9
v1.4.0-beta.8
v1.3.27
v1.4.0-beta.7
v1.3.26
v1.3.25
v1.3.24
v1.4.0-beta.6
v1.3.23
v1.3.22
v1.3.21
v1.3.20
v1.3.19
v1.4.0-beta.5
v1.3.18
v1.4.0-beta.4
v1.3.17
v1.4.0-beta.3
v1.3.16
v1.3.15
v1.3.14
v1.4.0-beta.2
v1.3.13
v1.4.0-beta.1
v1.3.12
v1.3.11-beta.2
v1.3.11
v1.3.11-beta.1
v1.3.10
v1.3.10-beta.7
v1.3.10-beta.6
v1.3.10-beta.5
v1.3.10-beta.4
v1.3.10-beta.3
v1.3.10-beta.2
v1.3.10-beta.1
v1.3.9
v1.3.9-beta.4
v1.3.9-beta.3
v1.3.9-beta.2
v1.3.9-beta.1
v1.3.8
v1.3.8-beta.11
v1.3.8-beta.10
v1.3.8-beta.9
v1.3.8-beta.8
v1.3.8-beta.7
v1.3.8-beta.6
v1.3.8-beta.5
v1.3.8-beta.4
v1.3.8-beta.3
v1.3.8-beta.2
v1.3.8-beta.1
v1.3.7
v1.3.7-beta.4
v1.3.7-beta.3
v1.3.7-beta.2
v1.3.7-beta.1
v1.3.6
v1.3.6-beta.2
v1.3.6-beta.1
v1.3.5
v1.3.5-beta.7
v1.3.5-beta.6
v1.3.5-beta.5
v1.3.5-beta.4
v1.3.5-beta.3
v1.3.5-beta.2
v1.3.5-beta.1
better-auth@1.3.4
@better-auth/stripe@1.3.4
@better-auth/sso@1.3.4
@better-auth/expo@1.3.4
@better-auth/cli@1.3.4
v1.3.4-beta.3
v1.3.4-beta.2
v1.3.4-beta.1
v1.3.3
v1.3.2
v1.3.1
v1.3.1-beta.1
v1.3.0
v1.3.0-beta.11
v1.3.0-beta.10
v1.3.0-beta.9
v1.3.0-beta.8
v1.3.0-beta.7
v1.3.0-beta.6
v1.3.0-beta.5
v1.3.0-beta.4
v1.2.12
v1.3.0-beta.3
v1.3.0-beta.2
v1.3.0-beta.1
v1.2.11
v1.2.10
v1.2.10-pkce-fix.3
v1.2.10-beta.1
v1.2.9
v1.2.9-beta.10
v1.2.9-beta.9
feat/2867-oidcprovider-trusted
v1.2.9-beta.8
v1.2.9-beta.7
v1.2.9-beta.6
v1.2.9-beta.5
v1.2.9-beta.4
v1.2.9-beta.3
v1.2.9-beta.2
v1.2.9-beta.1
v1.2.8
v1.2.8-beta.8
v1.2.8-beta.7
v1.2.8-beta.6
v1.2.8-beta.5
v1.2.8-beta.4
v1.2.8-beta.3
v1.2.8-beta.2
v1.2.8-beta.1
v1.2.7
v1.2.7-beta.1
v1.2.6
v1.2.6-beta.13
v1.2.6-beta.12
v1.2.6-beta.11
v1.2.6-beta.10
v1.2.6-beta.9
v1.2.6-beta.8
v1.2.6-beta.7
v1.2.6-beta.6
v1.2.6-beta.5
v1.2.6-beta.4
v1.2.6-beta.3
v1.2.6-beta.2
v1.2.6-beta.1
v1.2.5
v1.2.5-beta.10
v1.2.5-beta.9
v1.2.5-beta.8
v1.2.5-beta.7
v1.2.5-beta.6
v1.2.5-beta.5
v1.2.5-beta.4
v1.2.5-beta.3
v1.2.5-beta.2
v1.2.5-beta.1
v1.2.4
v1.2.4-beta.12
v1.2.4-beta.11
v1.2.4-beta.10
v1.2.4-beta.9
v1.2.4-beta.8
v1.2.4-beta.7
v1.2.4-beta.6
v1.2.4-beta.5
v1.2.4-beta.4
v1.2.4-beta.3
v1.2.4-beta.2
v1.2.4-beta.1
v1.2.3
v1.2.3-beta.3
v1.2.3-beta.2
v1.2.3-beta.1
v1.2.2
v1.2.2-beta.6
v1.2.2-beta.5
v1.2.2-beta.4
v1.2.2-beta.3
v1.2.2-beta.2
v1.2.2-beta.1
v1.2.1
v1.2.1-beta.8
v1.2.1-beta.7
v1.2.1-beta.6
v1.2.1-beta.5
v1.2.1-beta.4
v1.2.1-beta.3
v1.2.1-beta.2
v1.2.1-beta.1
v1.2.0
v1.2.0-beta.19
v1.2.0-beta.18
v1.2.0-beta.17
v1.1.22-beta.2
v1.1.22-beta.1
v1.2.0-beta.16
v1.1.21
v1.1.21-beta.1
v1.2.0-beta.15
v1.1.20
v1.1.20-beta.5
v1.1.20-beta.4
v1.2.0-beta.14
v1.2.0-beta.13
v1.1.20-beta.3
v1.1.20-beta.2
v1.2.0-beta.12
v1.1.20-beta.1
v1.2.0-beta.11
v1.1.19
v1.1.19-beta.3
v1.2.0-beta.10
v1.2.0-beta.9
v1.2.0-beta.8
v1.2.0-beta.7
v1.1.19-beta.2
v1.1.19-beta.1
v1.1.18
v1.2.0-beta.6
v1.2.0-beta.5
v1.1.18-beta.3
v1.1.18-beta.2
v1.1.18-beta.1
v1.2.0-beta.4
v1.2.0-beta.3
v1.2.0-beta.2
v1.1.17
v1.2.0-beta.1
v1.1.17-beta.5
v1.1.17-beta.4
v1.1.17-beta.3
v1.1.17-beta.2
v1.1.17-beta.1
v1.1.16
v1.1.16-beta.10
v1.1.16-beta.9
v1.1.16-beta.8
v1.1.16-beta.7
v1.1.16-beta.6
v1.1.16-beta.5
v1.1.16-beta.4
v1.1.16-beta.3
v1.1.16-beta.2
v1.1.16-beta.1
v1.1.15
v1.1.15-beta.7
v1.1.15-beta.6
v1.1.15-beta.5
v1.1.15-beta.4
v1.1.15-beta.3
v1.1.15-beta.2
v1.1.15-beta.1
v1.1.14
v1.1.14-beta.6
v1.1.14-beta.5
v1.1.14-beta.4
v1.1.14-beta.3
v1.1.14-beta.2
v1.1.14-beta.1
v1.1.13
v1.1.13-beta.3
v1.1.13-beta.2
v1.1.13-beta.1
v1.1.12
v1.1.12-beta.4
v1.1.12-beta.3
v1.1.12-beta.2
v1.1.12-beta.1
v1.1.11
v1.1.11-beta.1
v1.1.10
v1.1.10-beta.2
v1.1.10-beta.1
v1.1.9
v1.1.9-beta.1
v1.1.8
v1.1.8-beta.3
v1.1.8-beta.2
v1.1.8-beta.1
v1.1.7
v1.1.7-beta.5
v1.1.7-beta.4
v1.1.7-beta.3
v1.1.7-beta.2
v1.1.7-beta.1
v1.1.6
v1.1.5
v1.1.4
v1.1.4-beta.2
v1.1.4-beta.1
v1.1.3
v1.1.3-beta.9
v1.1.3-beta.8
v1.1.3-beta.7
v1.1.3-beta.6
v1.1.3-beta.4
v1.1.3-beta.2
v1.1.3-beta.1
v1.1.2
v1.1.2-beta.4
v1.1.2-beta.3
v1.1.2-beta.2
v1.1.2-beta.1
v1.1.1
v1.1.0
v1.0.23-beta.6
v1.0.23-beta.5
v1.0.23-beta.4
v1.0.23-beta.3
v1.0.23-beta.2
v1.0.23-beta.1
v1.0.22
v1.0.22-beta.4
v1.0.22-beta.3
v1.0.22-beta.2
v1.0.22-beta.1
v1.0.21
v1.0.20
v1.0.19
v1.0.18
v1.0.17
v1.0.16
v1.0.16-beta.2
v1.0.16-beta.1
v1.0.15
v1.0.15-beta.1
v1.0.14
v1.0.13
v1.0.12
v1.0.12-beta.3
v1.0.12-beta.2
v1.0.12-beta.1
v1.0.11
v1.0.11-beta.8
v1.0.11-beta.7
v1.0.11-beta.6
v1.0.11-beta.5
v1.0.11-beta.4
v1.0.11-beta.3
v1.0.11-beta.2
v1.0.11-beta.1
v1.0.10
v1.0.10-beta.3
v1.0.10-beta.2
v1.0.10-beta.1
v1.0.9
v1.0.9-beta.7
v1.0.9-beta.6
v1.0.9-beta.5
v1.0.9-beta.4
v1.0.9-beta.3
v1.0.9-beta.2
v1.0.9-beta.1
v1.0.8
v1.0.8-beta.4
v1.0.8-beta.3
v1.0.8-beta.2
v1.0.8-beta.1
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v1.0.0-canary.14
v1.0.0-canary.13
v1.0.0-canary.12
v1.0.0-canary.11
v1.0.0-canary.10
v1.0.0-canary.9
v1.0.0-canary.8
v1.0.0-canary.7
v1.0.0-canary.6
v0.8.9-beta.2
v0.8.9-beta.1
v1.0.0-canary.5
v1.0.0-canary.4
v1.0.0-canary.3
v1.0.0-canary.2
v1.0.0-canary.1
v0.8.8
v0.8.8-beta.2
v0.8.8-beta.1
v0.9.0-canary.1
v0.8.7
v0.8.7-canary.2
v0.8.7-canary.1
v0.8.7-beta.5
v0.8.7-beta.4
v0.8.7-beta.3
v0.8.7-beta.2
v0.8.7-beta.1
v0.8.6
v0.8.6-beta.6
v0.8.6-beta.5
v0.8.6-beta.4
v0.8.6-beta.3
v0.8.6-beta.2
v0.8.6-beta.1
v0.8.5
v0.8.5-beta.3
v0.8.5-beta.2
v0.8.5-beta.1
v0.8.4
v0.8.4-beta.7
v0.8.4-beta.6
v0.8.4-beta.5
v0.8.4-beta.4
v0.8.4-beta.2
v0.8.4-beta.1
v0.8.3
v0.8.3-beta.7
v0.8.3-beta.6
v0.8.3-beta.5
v0.8.3-beta.4
v0.8.3-beta.3
v0.8.3-beta.2
v0.8.3-beta.1
v0.8.2
v0.8.2-beta.3
v0.8.2-beta.2
v0.8.2-beta.1
v0.8.1
v0.8.1-beta.5
v0.8.1-beta.4
v0.8.1-beta.3
v0.8.1-beta.2
v0.8.1-beta.1
v0.8.0
v0.7.6-beta.4
v0.7.6-beta.3
v0.7.6-beta.2
v0.7.6-beta.1
v0.7.5
v0.7.5-beta.9
v0.7.5-beta.8
v0.7.5-beta.7
v0.7.5-beta.6
v0.7.5-beta.5
v0.7.5-beta.4
v0.7.5-beta.3
v0.7.5-beta.2
v0.7.5-beta.1
v0.7.4
v0.7.4-beta.1
v0.7.3
v0.7.3-beta.11
v0.7.3-beta.10
v0.7.3-beta.9
v0.7.3-beta.8
v0.7.3-beta.7
v0.7.3-beta.6
v0.7.3-beta.5
v0.7.3-beta.4
v0.7.3-beta.3
v0.7.3-beta.2
v0.7.3-beta.1
v0.7.2
v0.7.2-beta.5
v0.7.2-beta.4
v0.7.2-beta.3
v0.7.2-beta.2
v0.7.2-beta.1
v0.7.1
v0.7.1-beta.6
v0.7.1-beta.5
v0.7.1-beta.4
v0.7.1-beta.3
v0.7.1-beta.2
v0.7.1-beta.1
v0.7.0
v0.7.0-beta.1
v0.6.3-beta.5
v0.6.3-beta.4
v0.6.3-beta.3
v0.6.3-beta.2
v0.6.3-beta.1
v0.6.2
v0.6.2-beta.8
v0.6.2-beta.7
v0.6.2-beta.6
v0.6.2-beta.5
v0.6.2-beta.4
v0.6.2-beta.3
v0.6.2-beta.2
v0.6.2-beta.1
v0.6.1
v0.6.1-beta.9
v0.6.1-beta.8
v0.6.1-beta.7
v0.6.1-beta.6
v0.6.1-beta.5
v0.6.1-beta.4
v0.6.1-beta.3
v0.6.1-beta.2
v0.6.1-beta.1
v0.6.0
v0.6.0-beta.1
v0.5.4-beta.9
v0.5.4-beta.8
v0.5.4-beta.7
v0.5.4-beta.6
v0.5.4-beta.5
v0.5.4-beta.4
v0.5.4-beta.3
v0.5.4-beta.2
v0.5.4-beta.1
v0.5.3
v0.5.3-beta.17
v0.5.3-beta.16
v0.5.3-beta.15
v0.5.3-beta.14
v0.5.3-beta.13
v0.5.3-beta.12
v0.5.3-beta.11
v0.5.3-beta.10
v0.5.3-beta.9
v0.5.3-beta.8
v0.5.3-beta.7
v0.5.3-beta.6
v0.5.3-beta.5
v0.5.3-beta.4
v0.5.3-beta.3
v0.5.3-beta.2
v0.5.3-beta.1
v0.5.2
v0.5.2-beta.21
v0.5.2-beta.20
v0.5.2-beta.19
v0.5.2-beta.18
v0.5.2-beta.17
v0.5.2-beta.16
v0.5.2-beta.15
v0.5.2-beta.14
v0.5.2-beta.13
v0.5.2-beta.12
v0.5.2-beta.11
v0.5.2-beta.10
v0.5.2-beta.9
v0.5.2-beta.8
v0.5.2-beta.7
v0.5.2-beta.6
v0.5.2-beta.5
v0.5.2-beta.4
v0.5.2-beta.3
v0.5.2-beta.2
v0.5.2-beta.1
v0.5.1
v0.5.1-beta.7
v0.5.1-beta.6
v0.5.1-beta.5
v0.5.1-beta.4
v0.5.1-beta.3
v0.5.1-beta.2
v0.5.1-beta.1
v0.5.0
v0.4.14-beta.2
v0.4.14-beta.1
v0.4.13
v0.4.12
v0.4.12-beta.7
v0.4.12-beta.6
v0.4.12-beta.5
v0.4.12-beta.4
v0.4.12-beta.3
v0.4.12-beta.2
v0.4.12-beta.1
v0.4.11
v0.4.11-beta.3
v0.4.11-beta.2
v0.4.11-beta.1
v0.4.10-beta.10
v0.4.10-beta.9
v0.4.10
v0.4.10-beta.8
v0.4.10-beta.7
v0.4.10-beta.6
v0.4.10-beta.5
v0.4.10-beta.4
v0.4.10-beta.3
v0.4.10-beta.2
v0.4.10-beta.1
v0.4.9
v0.4.9-beta.14
v0.4.9-beta.13
v0.4.9-beta.12
v0.4.9-beta.11
v0.4.9-beta.10
v0.4.9-beta.9
v0.4.9-beta.8
v0.4.9-beta.7
v0.4.9-beta.6
v0.4.9-beta.5
v0.4.9-beta.4
v0.4.9-beta.3
v0.4.9-beta.2
v0.4.9-beta.1
v0.4.8
v0.4.7
v0.4.7-beta.2
v0.4.7-beta.1
v0.4.6
v0.4.5
v0.4.4
v0.4.4-beta.1
v0.4.3
v0.4.3-beta.1
v0.4.2
v0.4.2-beta.1
v0.4.1
v0.4.0
v0.3.6
v0.3.5
v0.3.5-beta.8
v0.3.5-beta.7
v0.3.5-beta.6
v0.3.5-beta.5
v0.3.5-beta.4
v0.3.5-beta.3
v0.3.5-beta.2
v0.3.5-beta.1
v0.3.4
v0.3.4-beta.6
v0.3.4-beta.5
v0.3.4-beta.4
v0.3.4-beta.3
v0.3.4-beta.2
v0.3.4-beta.1
v0.3.3
v0.3.3-beta.12
v0.3.3-beta.11
v0.3.3-beta.10
v0.3.3-beta.9
v0.3.3-beta.8
v0.3.3-beta.7
v0.3.3-beta.6
v0.3.3-beta.5
v0.3.3-beta.4
v0.3.3-beta.3
v0.3.3-beta.2
v0.3.3-beta.1
v0.3.2
v0.3.1
v0.3.0
v0.2.11
v0.2.10
v0.2.9
v0.2.9-beta.10
v0.2.9-beta.9
v0.2.9-beta.8
v0.2.9-beta.7
v0.2.9-beta.6
v0.2.9-beta.5
v0.2.9-beta.4
v0.2.9-beta.3
v0.2.9-beta.2
v0.2.9-beta.1
v0.2.8
v0.2.8-beta.13
v0.2.8-beta.12
v0.2.8-beta.11
v0.2.8-beta.10
v0.2.8-beta.9
v0.2.8-beta.8
v0.2.8-beta.7
v0.2.8-beta.6
v0.2.8-beta.5
v0.2.8-beta.4
v0.2.8-beta.3
v0.2.8-beta.2
v0.2.8-beta.1
v0.2.7
v0.2.6
v0.2.6-beta.10
v0.2.6-beta.9
v0.2.6-beta.8
v0.2.6-beta.7
v0.2.6-beta.6
v0.2.6-beta.5
v0.2.6-beta.4
v0.2.6-beta.3
v0.2.6-beta.2
v0.2.6-beta.1
v0.2.5
v0.2.5-beta.5
v0.2.5-beta.4
v0.2.5-beta.3
v0.2.5-beta.2
v0.2.5-beta.1
v0.2.4
v0.2.3
v0.2.3-beta.14
v0.2.3-beta.13
v0.2.3-beta.12
v0.2.3-beta.11
v0.2.3-beta.10
v0.2.3-beta.9
v0.2.3-beta.8
v0.2.3-beta.7
v0.2.3-beta.6
v0.2.3-beta.5
v0.2.3-beta.4
v0.2.3-beta.3
v0.2.3-beta.2
v0.2.3-beta.1
v0.2.2
v0.2.1
v0.2.1-beta.1
v0.2.0
v0.1.1-beta.6
v0.1.1-beta.5
v0.1.1-beta.4
v0.1.1-beta.3
v0.1.1-beta.2
v0.1.1-beta.1
v0.1.0
v0.0.10-beta.27
v0.0.10-beta.26
v0.0.10-beta.25
v0.0.10-beta.24
v0.0.10-beta.23
v0.0.10-beta.22
v0.0.10-beta.21
v0.0.10-beta.20
v0.0.10-beta.19
v0.0.10-beta.18
v0.0.10-beta.17
v0.0.10-beta.16
v0.0.10-beta.15
v0.0.10-beta.14
v0.0.10-beta.13
v0.0.10-beta.12
v0.0.10-beta.11
v0.0.10-beta.10
v0.0.10-beta.9
v0.0.10-beta.8
v0.0.10-beta.7
v0.0.10-beta.6
v0.0.10-beta.5
v0.0.10-beta.4
v0.0.10-beta.3
v0.0.10-beta.2
v0.0.10-beta.1
v0.0.9
v0.0.9-beta.38
v0.0.9-beta.37
v0.0.9-beta.36
v0.0.9-beta.35
v0.0.9-beta.34
v0.0.9-beta.33
v0.0.9-beta.32
v0.0.9-beta.31
v0.0.9-beta.30
v0.0.9-beta.29
v0.0.9-beta.28
v0.0.9-beta.27
v0.0.9-beta.26
v0.0.9-beta.25
v0.0.9-beta.24
v0.0.9-beta.23
v0.0.9-beta.22
v0.0.9-beta.21
v0.0.9-beta.20
v0.0.9-beta.19
v0.0.9-beta.18
v0.0.9-beta.17
v0.0.9-beta.16
v0.0.9-beta.15
v0.0.9-beta.14
v0.0.9-beta.13
v0.0.9-beta.12
v0.0.9-beta.11
v0.0.9-beta.10
v0.0.9-beta.9
v0.0.9-beta.8
v0.0.9-beta.7
v0.0.9-beta.6
v0.0.9-beta.5
v0.0.9-beta.4
v0.0.9-beta.3
v0.0.9-beta.2
v0.0.9-beta.1
v0.0.8
v0.0.8-beta.29
v0.0.8-beta.28
v0.0.8-beta.27
v0.0.8-beta.26
v0.0.8-beta.25
v0.0.8-beta.24
v0.0.8-beta.23
v0.0.8-beta.22
v0.0.8-beta.21
v0.0.8-beta.20
v0.0.8-beta.19
v0.0.8-beta.18
v0.0.8-beta.17
v0.0.8-beta.16
v0.0.8-beta.15
v0.0.8-beta.14
v0.0.8-beta.13
v0.0.8-beta.12
v0.0.8-beta.11
v0.0.8-beta.10
v0.0.8-beta.9
v0.0.8-beta.8
v0.0.8-beta.7
v0.0.8-beta.6
v0.0.8-beta.5
v0.0.8-beta.4
v0.0.8-beta.3
v0.0.8-beta.2
v0.0.8-beta.1
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.2-beta.8
v0.0.2-beta.7
v0.0.2-beta.6
v0.0.2-beta.5
v0.0.2-beta.4
v0.0.2-beta.3
v0.0.2-beta.2
v0.0.2-beta.1
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
Mirrored from GitHub Pull Request
No Label
pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/better-auth#25379
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/better-auth/better-auth/pull/9164
Author: @gustavovalverde
Created: 4/14/2026
Status: ✅ Merged
Merged: 4/14/2026
Merged by: @gustavovalverde
Base:
main← Head:fix/stripe-defu-prototype-pollution📝 Commits (1)
29d323bfix(stripe): drop unsafe keys when merging user-supplied metadata📊 Changes
5 files changed (+112 additions, -36 deletions)
View changed files
➕
.changeset/fix-stripe-defu-prototype-pollution.md(+7 -0)📝
packages/stripe/package.json(+1 -1)📝
packages/stripe/src/metadata.ts(+24 -23)➕
packages/stripe/test/metadata.test.ts(+63 -0)📝
pnpm-lock.yaml(+17 -12)📄 Description
The Stripe plugin previously merged
ctx.body.metadatathroughdefu, which is vulnerable to prototype pollution when attacker-controlled__proto__keys reach the second argument (GHSA-737v-mqg7-c878).Stripe metadata is a flat
Record<string, string>, sodefu's deep-merge semantics were never exercised on that path. Replacing it with an inline merge that drops__proto__,constructor, andprototypekeys eliminates the attack surface rather than tracking upstream patches, and also drops the need fordefuon the user-input side.The two remaining
defucall sites inindex.tsandroutes.tsdeep-merge developer-suppliedCustomerCreateParamswhere inputs are trusted; they continue to usedefuand receive the patched range via the bumped dependency.The regression test covers three payload shapes (
__proto__,constructor.prototype, and flat values) across bothcustomerMetadata.setandsubscriptionMetadata.set, asserts on the returned object's prototype chain (not justObject.prototype), and includes a precedence test to keep the internal-fields-win invariant under guard.🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.