chore(deps): bump the npm_and_yarn group across 1 directory with 20 updates by dependabot[bot] · Pull Request #108 · CodeStorm-Hub/StormCom

dependabot · 2026-05-28T18:33:42Z

Bumps the npm_and_yarn group with 18 updates in the / directory:

Package	From	To
better-auth	`1.3.34`	`1.6.2`
next	`16.0.3`	`16.2.6`
postcss	`8.5.6`	`8.5.10`
vite	`7.2.2`	`7.3.3`
picomatch	`2.3.1`	`2.3.2`
ajv	`6.12.6`	`6.15.0`
minimatch	`3.1.2`	`3.1.5`
glob	`10.4.5`	`10.5.0`
glob	`10.3.10`	`10.5.0`
body-parser	`2.2.0`	`2.2.2`
defu	`6.1.4`	`6.1.7`
dompurify	`3.3.0`	`3.4.7`
effect	`3.18.4`	`3.21.0`
fast-uri	`3.1.0`	`3.1.2`
flatted	`3.3.3`	`3.4.2`
path-to-regexp	`8.3.0`	`8.4.2`
preact	`10.27.2`	`10.29.2`
rollup	`4.53.1`	`4.60.4`
undici	`5.29.0`	`6.26.0`

Updates better-auth from 1.3.34 to 1.6.2

Release notes

Sourced from better-auth's releases.

v1.6.2

better-auth

❗ Breaking Changes

Prevented unverified TOTP enrollment from blocking sign-in (#8711)

Migration: Schema migration required.

Add the verified column to the twoFactor table, then regenerate/apply your ORM migration.

Prisma: run npx auth@latest generate, then npx prisma migrate dev (or npx prisma db push) and npx prisma generate.

Drizzle: run npx auth@latest generate, then npx drizzle-kit generate and npx drizzle-kit migrate.

Existing rows do not need a backfill because the column defaults to true.

Features

Included enabled 2FA methods in sign-in redirect response (#8772)

Bug Fixes

Fixed OAuth state verification against cookie-stored nonce to prevent CSRF (#8949)

Fixed infinite router refresh loops in nextCookies() by replacing cookie probe with header-based RSC detection (#9059)

Fixed cross-provider account collision in link-social callback (#8983)

Included RelayState in signed SAML AuthnRequests (#9058)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

Fixed multi-valued query params collapsing through prompt redirects (#9060)

Rejected skip_consent at schema level in dynamic client registration (#8998)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

Fixed SAMLResponse decoding failures caused by line-wrapped base64 (#8968)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@aarmful, @cyphercodes, @dvanmali, @gustavovalverde, @jaydeep-pipaliya, @ping-maxwell

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.2

Patch Changes

#8949 9deb793 Thanks @ping-maxwell! - security: verify OAuth state parameter against cookie-stored nonce to prevent CSRF on cookie-backed flows

#8983 2cbcb9b Thanks @jaydeep-pipaliya! - fix(oauth2): prevent cross-provider account collision in link-social callback

The link-social callback used findAccount(accountId) which matched by account ID across all providers. When two providers return the same numeric ID (e.g. both Google and GitHub assign 99999), the lookup could match the wrong provider's account, causing a spurious account_already_linked_to_different_user error or silently updating the wrong account's tokens.

Replaced with findAccountByProviderId(accountId, providerId) to scope the lookup to the correct provider, matching the pattern already used in the generic OAuth plugin.

#9059 b20fa42 Thanks @gustavovalverde! - fix(next-js): replace cookie probe with header-based RSC detection in nextCookies() to prevent infinite router refresh loops and eliminate leaked __better-auth-cookie-store cookie. Also fix two-factor enrollment flows to set the new session cookie before deleting the old session.

#9058 608d8c3 Thanks @gustavovalverde! - fix(sso): include RelayState in signed SAML AuthnRequests per SAML 2.0 Bindings §3.4.4.1

RelayState is now passed to samlify's ServiceProvider constructor so it is included in the redirect binding signature. Previously it was appended after the signature, causing spec-compliant IdPs to reject signed AuthnRequests.

authnRequestsSigned: true without a private key now throws instead of silently sending unsigned requests.

#8772 8409843 Thanks @aarmful! - feat(two-factor): include enabled 2fa methods in sign-in redirect response

The 2FA sign-in redirect now returns twoFactorMethods (e.g. ["totp", "otp"]) so frontends can render the correct verification UI without guessing. The onTwoFactorRedirect client callback receives twoFactorMethods as a context parameter.

TOTP is included only when the user has a verified TOTP secret and TOTP is not disabled in config.

OTP is included when otpOptions.sendOTP is configured.

Unverified TOTP enrollments are excluded from the methods list.

#8711 e78a7b1 Thanks @aarmful! - fix(two-factor): prevent unverified TOTP enrollment from gating sign-in

Adds a verified boolean column to the twoFactor table that tracks whether a TOTP secret has been confirmed by the user.

First-time enrollment: enableTwoFactor creates the row with verified: false. The row is promoted to verified: true only after verifyTOTP succeeds with a valid code.

Re-enrollment (calling enableTwoFactor when TOTP is already verified): the new row preserves verified: true, so the user is never locked out of sign-in while rotating their TOTP secret.

Sign-in: verifyTOTP rejects rows where verified === false, preventing abandoned enrollments from blocking authentication. Backup codes and OTP are unaffected and work as fallbacks during unfinished enrollment.

Migration: The new column defaults to true, so existing twoFactor rows are treated as verified. No data migration is required. skipVerificationOnEnable: true is also unaffected — the row is created as verified: true in that mode.

Updated dependencies []:

@better-auth/core@1.6.2

@better-auth/drizzle-adapter@1.6.2

@better-auth/kysely-adapter@1.6.2

@better-auth/memory-adapter@1.6.2

@better-auth/mongo-adapter@1.6.2

@better-auth/prisma-adapter@1.6.2

@better-auth/telemetry@1.6.2

1.6.1

Patch Changes

#9023 2e537df Thanks @jonathansamines! - Update endpoint instrumentation to always use endpoint routes

#8902 f61ad1c Thanks @ping-maxwell! - use INVALID_PASSWORD for all checkPassword failures

... (truncated)

Commits

700d298 chore: version packages (#9052)
b20fa42 fix(next-js): replace cookie probe with header-based RSC detection in nextCoo...
2cbcb9b fix(oauth2): prevent cross-provider account collision in link-social callback...
9deb793 fix: cookie store strategy should verify oauth state (#8949)
8409843 feat(two-factor): include enabled 2fa methods in sign-in redirect response (#...
e78a7b1 fix(two-factor): prevent unverified TOTP enrollment from gating sign-in (#8711)
85bb710 chore: version packages (#9018)
7495830 fix(api): restore getSession accessibility in generic Auth<O> context (#9017)
2e537df fix: endpoint instrumentation to always use route template (#9023)
f61ad1c fix: use INVALID_PASSWORD for all checkPassword failures (#8902)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for better-auth since your current version.

Updates next from 16.0.3 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

fix: preserve HTTP access fallbacks during prerender recovery (#92231)

Fix fallback route params case in app-page handler (#91737)

Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)

Patch setHeader for direct route handlers (#93101)

Include deployment id in cacheHandlers keys (#93453)

Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

ee6e79b v16.2.6
afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
97a154e Turbopack: Fix middleware matcher suffix (#93590)
83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
7b222b9 [backport][test] Pin package manager to patch versions (#93595)
a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
766148f v16.2.5
0dd9483 fix: add explicit checks for RSC header (#83) (#98)
d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
9d50c0b Strip next-resume header from incoming requests (#92)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates postcss from 8.5.6 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

33b9790 Release 8.5.10 version
536c79e Escape </style> in CSS output (#2074)
afa96b2 Update dependencies (#2073)
effe88b Typo (#2072)
3ee79a2 Thread model (#2071)
2e0683d Create incident response docs (#2070)
fe88ac2 Release 8.5.9 version
c551632 Avoid RegExp when we can use simple JS
89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
6ceb8a4 Create SECURITY.md
Additional commits viewable in compare view

Updates vite from 7.2.2 to 7.3.3

Release notes

Sourced from vite's releases.

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.3 (2026-05-07)

Bug Fixes

avoid destructure lowering for newer safari (#22346) (5ab51c0)

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

7.3.1 (2026-01-07)

Features

add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

config: handle shebang properly (#21158) (df5a30d)

deps: update all non-major dependencies (#21146) (a3cd262)

deps: update all non-major dependencies (#21175) (72e398a)

fix external: true merging (#21164) (5ef557a)

shortcuts not rebound after server restart (#21166) (3765f7b)

Performance Improvements

deps: replace debug with obug (#21137) (203a551)

Documentation

clarify manifest.json imports field is JS chunks only (#21136) (46d3077)

Miscellaneous Chores

deps: update rolldown-related dependencies (#21174) (74559c9)

7.2.4 (2025-11-20)

... (truncated)

Commits

ca31424 release: v7.3.3
5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
95e8923 release: v7.3.1
9d39d37 feat: add ignoreOutdatedRequests option to optimizeDeps (#21364)
acf7e05 release: v7.3.0
cff26ec feat(deps): update esbuild from ^0.25.0 to ^0.27.0 (#21183)
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Fix bad text values in parse #126, thanks to @connor4312

Changed

Remove process global to work outside of node #129, thanks to @styfle

Add sideEffects to package.json #128, thanks to @frandiox

Removed os, make compatible browser environment. See #124, thanks to @gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

81cba8d Publish 2.3.2
fc1f6b6 Merge commit from fork
eec17ae Merge commit from fork
78f8ca4 Merge pull request #156 from micromatch/backport-144
3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
See full diff in compare view

Updates ajv from 6.12.6 to 6.15.0

Commits

184bc32 6.15.0
fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
e3af0a7 6.14.0
b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
72f2286 docs: update v7 info
231e52b Merge pull request #1320 from philsturgeon/patch-1
d3475fc Add spectral, an AJV util from a sponsor
413afe0 docs: v7.0.0-beta.3
11e997b update readme for v7
See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates glob from 10.4.5 to 10.5.0

Commits

56774ef 10.5.0
1e4e297 bin: Do not expose filenames to shell expansion
See full diff in compare view

Updates glob from 10.3.10 to 10.5.0

Commits

56774ef 10.5.0
1e4e297 bin: Do not expose filenames to shell expansion
See full diff in compare view

Updates body-parser from 2.2.0 to 2.2.2

Release notes

Sourced from body-parser's releases.

v2.2.2

What's Changed

docs: update README links by @efekrskl in expressjs/body-parser#673

docs: release notes for the v1.20.4 release by @Phillip9587 in expressjs/body-parser#674

docs: update URL-encoded parser description to include ISO-8859-1 encoding support by @Phillip9587 in expressjs/body-parser#679

docs: use standard jsdoc tags everywhere by @Phillip9587 in expressjs/body-parser#677

deps: qs@^6.14.1 by @UlisesGascon in expressjs/body-parser#689

refactor(json): simplify strict mode error string construction by @jonchurch in expressjs/body-parser#693

Release: 2.2.2 by @UlisesGascon in expressjs/body-parser#691

New Contributors

@efekrskl made their first contribution in expressjs/body-parser#673

Full Changelog: expressjs/body-parser@v2.2.1...v2.2.2

v2.2.1

Important: Security

Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

ci: add dependabot by @Phillip9587 in expressjs/body-parser#593

ci: use full SHAs for github action versions by @Phillip9587 in expressjs/body-parser#594

deps: type-is@^2.0.1 by @Phillip9587 in expressjs/body-parser#599

build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in expressjs/body-parser#609

build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @dependabot[bot] in expressjs/body-parser#610

build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @dependabot[bot] in expressjs/body-parser#611

build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @dependabot[bot] in expressjs/body-parser#613

build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @dependabot[bot] in expressjs/body-parser#612

ci: add codeql github workflows scanning by @Phillip9587 in expressjs/body-parser#614

ci: update CodeQL config to ignore the test directory by @Phillip9587 in expressjs/body-parser#615

build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in expressjs/body-parser#620

build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot[bot] in expressjs/body-parser#619

chore(deps): unpin devDependencies by @Phillip9587 in expressjs/body-parser#616

ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/body-parser#621

build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in expressjs/body-parser#623

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in expressjs/body-parser#624

chore: add funding to package.json by @Phillip9587 in expressjs/body-parser#617

build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in expressjs/body-parser#625

build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in expressjs/body-parser#630

refactor: move common request validation to read function by @Phillip9587 in expressjs/body-parser#600

deps: bump iconv-lite by @bjohansebas in expressjs/body-parser#631

doc: pull beta changelog forward into 2.0.0 by @jonchurch in expressjs/body-parser#629

refactor: optimize raw and text parsers with shared passthrough function by @Phillip9587 in expressjs/body-parser#634

build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#640

build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in expressjs/body-parser#639

build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#636

build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#637

build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in expressjs/body-parser#638

deps: raw-body@^3.0.1 by @Phillip9587 in expressjs/body-parser#641

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.2 / 2026-01-07

deps: qs@^6.14.1

refactor(json): simplify strict mode error string construction

2.2.1 / 2025-11-24

Security fix for GHSA-wqch-xfxh-vrr4

deps:

type-is@^2.0.1

iconv-lite@^0.7.0

Handle split surrogate pairs when encoding UTF-8

Avoid false positives in encodingExists by using prototype-less objects

raw-body@^3.0.1

debug@^4.4.3

Commits

3d24866 2.2.2 (#691)
8474a98 refactor(json): simplify strict mode error string construction (#693)
03f17c2 deps: qs@^6.14.1 (#689)
ea1f25e docs: use standard jsdoc tags everywhere (#677)
d7deef8 docs: update URL-encoded parser description to include ISO-8859-1 encoding su...
b6f52aa docs: release notes for the v1.20.4 release (#674)
2965ca4 docs: update links (#673)
d96b63d 2.2.1 (#659)
b204886 sec: security patch for CVE-2025-13466
e20e351 feat: remove history.md from being packaged on publish (#660)
Additional commits viewable in compare view

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

Correct the types export entry (#160)

Export Defu types (#157)

❤️ Contributors

Jakub Michálek (@J-Michalek)

Kricsleo (@kricsleo)

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

✅ Tests

Add more tests for plain objects (b65f603)

❤️ Contributors

Pooya Parsa (@pi0)

Kricsleo (@kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

defu.d.cts: Export Defu types (#157)

📦 Build

Correct the types export entry (#160)

❤️ Contributors

Jakub Michálek (@J-Michalek)

Kricsleo (@kricsleo)

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

❤️ Contributors

Pooya Parsa (@pi0)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

🏡 Chore

Add tea.yaml (70cffe5)

Update repo (23cc432)

Fix typecheck (89df6bb)

✅ Tests

Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits

80c0146 chore(release): v6.1.7
40d7ef4 fix(defu.d.cts): export Defu types (#157)
3d3a7c8 build: correct the types export entry (#160)
001c290 chore(release): v6.1.6
407b516 build: fix mixed types
23e59e6 chore(release): v6.1.5
11ba022 fix: ignore inherited enumerable properties
3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
d3ef16d chore(deps): update actions/checkout action to v6 (#151)
869a053 chore(deps): update actions/setup-node action to v6 (#149)
Additional commits viewable in compare view

Updates dompurify from 3.3.0 to 3.4.7

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.7

Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker...
Description has been truncated

…pdates Bumps the npm_and_yarn group with 18 updates in the / directory: | Package | From | To | | --- | --- | --- | | [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.3.34` | `1.6.2` | | [next](https://github.com/vercel/next.js) | `16.0.3` | `16.2.6` | | [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.10` | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.2.2` | `7.3.3` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.15.0` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [glob](https://github.com/isaacs/node-glob) | `10.4.5` | `10.5.0` | | [glob](https://github.com/isaacs/node-glob) | `10.3.10` | `10.5.0` | | [body-parser](https://github.com/expressjs/body-parser) | `2.2.0` | `2.2.2` | | [defu](https://github.com/unjs/defu) | `6.1.4` | `6.1.7` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.0` | `3.4.7` | | [effect](https://github.com/Effect-TS/effect/tree/HEAD/packages/effect) | `3.18.4` | `3.21.0` | | [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `8.3.0` | `8.4.2` | | [preact](https://github.com/preactjs/preact) | `10.27.2` | `10.29.2` | | [rollup](https://github.com/rollup/rollup) | `4.53.1` | `4.60.4` | | [undici](https://github.com/nodejs/undici) | `5.29.0` | `6.26.0` | Updates `better-auth` from 1.3.34 to 1.6.2 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md) - [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.2/packages/better-auth) Updates `next` from 16.0.3 to 16.2.6 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.0.3...v16.2.6) Updates `postcss` from 8.5.6 to 8.5.10 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.10) Updates `vite` from 7.2.2 to 7.3.3 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.3/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.3/packages/vite) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `ajv` from 6.12.6 to 6.15.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.15.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `glob` from 10.4.5 to 10.5.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v10.4.5...v10.5.0) Updates `glob` from 10.3.10 to 10.5.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v10.4.5...v10.5.0) Updates `body-parser` from 2.2.0 to 2.2.2 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@v2.2.0...v2.2.2) Updates `defu` from 6.1.4 to 6.1.7 - [Release notes](https://github.com/unjs/defu/releases) - [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md) - [Commits](unjs/defu@v6.1.4...v6.1.7) Updates `dompurify` from 3.3.0 to 3.4.7 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.0...3.4.7) Updates `effect` from 3.18.4 to 3.21.0 - [Release notes](https://github.com/Effect-TS/effect/releases) - [Changelog](https://github.com/Effect-TS/effect/blob/main/packages/effect/CHANGELOG.md) - [Commits](https://github.com/Effect-TS/effect/commits/effect@3.21.0/packages/effect) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `kysely` from 0.28.8 to 0.28.17 - [Release notes](https://github.com/kysely-org/kysely/releases) - [Commits](kysely-org/kysely@v0.28.8...v0.28.17) Updates `path-to-regexp` from 8.3.0 to 8.4.2 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](pillarjs/path-to-regexp@v8.3.0...v8.4.2) Updates `preact` from 10.27.2 to 10.29.2 - [Release notes](https://github.com/preactjs/preact/releases) - [Commits](preactjs/preact@10.27.2...10.29.2) Updates `qs` from 6.14.0 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.2) Updates `rollup` from 4.53.1 to 4.60.4 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.1...v4.60.4) Updates `undici` from 5.29.0 to 6.26.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.29.0...v6.26.0) --- updated-dependencies: - dependency-name: better-auth dependency-version: 1.6.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.2.6 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.10 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.3 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 10.5.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 10.5.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: defu dependency-version: 6.1.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: effect dependency-version: 3.21.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: kysely dependency-version: 0.28.17 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-version: 8.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: preact dependency-version: 10.29.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 6.26.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-05-28T18:33:54Z

👋 Thanks for opening your first pull request in StormCom!

A maintainer will review your PR soon. Please make sure:

Your PR follows our
Contributing Guidelines
All CI checks pass
You've added appropriate tests
Documentation has been updated (if needed)

We appreciate your contribution to making StormCom better! 🚀

dependabot Bot requested a review from syed-reza98 as a code owner May 28, 2026 18:33

dependabot Bot added dependencies javascript Pull requests that update javascript code labels May 28, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 20 updates#108

chore(deps): bump the npm_and_yarn group across 1 directory with 20 updates#108
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-bb9d63e451

dependabot Bot commented on behalf of github May 28, 2026

Uh oh!

github-actions Bot commented May 28, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 28, 2026

v1.6.2

better-auth

❗ Breaking Changes

Features

Bug Fixes

@better-auth/oauth-provider

Bug Fixes

@better-auth/sso

Bug Fixes

Contributors

1.6.2

Patch Changes

1.6.1

Patch Changes

v16.2.6

Security Fixes

Core Changes

v16.2.5

Security Fixes

8.5.10

8.5.9

8.5.8

8.5.7

8.5.10

8.5.9

8.5.8

8.5.7

v7.3.3

v7.3.2

v7.3.1

v7.3.0

v7.2.7

v7.2.6

v7.2.5

v7.2.4

v7.2.3

7.3.3 (2026-05-07)

Bug Fixes

7.3.2 (2026-04-06)

Bug Fixes

7.3.1 (2026-01-07)

Features

7.3.0 (2025-12-15)

Features

7.2.7 (2025-12-08)

Bug Fixes

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

Performance Improvements

Documentation

Miscellaneous Chores

7.2.4 (2025-11-20)

2.3.2

What's Changed

Release history

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

v2.2.2

What's Changed

New Contributors

v2.2.1

Important: Security

What's Changed

2.2.2 / 2026-01-07

2.2.1 / 2025-11-24

v6.1.7

📦 Build

❤️ Contributors

v6.1.6

📦 Build

v6.1.5

🩹 Fixes

✅ Tests

❤️ Contributors

`better-auth`

`@better-auth/oauth-provider`

`@better-auth/sso`