chore(deps): bump the all-npm group across 1 directory with 3 updates

[dependabot]

Bumps the all-npm group with 3 updates in the / directory: @better-auth/oauth-provider, better-auth and @biomejs/biome.

Updates @better-auth/oauth-provider from 1.6.14 to 1.6.18

Release notes

Sourced from @​better-auth/oauth-provider's releases.

v1.6.18

better-auth

Bug Fixes

• Fixed getCookieCache to return null for expired sessions instead of treating stale signed cookies as live sessions.
• Fixed the delete-account confirmation link to prevent duplicate account deletions from concurrent callback requests.
• Fixed one-time tokens from being redeemable multiple times under concurrent requests.
• Fixed password reset tokens from changing a password more than once under concurrent requests.
• Fixed Reddit sign-in to assign a non-routable placeholder address (<id>@reddit.invalid) to users with no email, preventing accidental matches with real mailboxes.
• Fixed Sign-In with Ethereum nonces from being accepted multiple times under concurrent sign-in requests.
• Added internalAdapter.reserveVerificationValue to atomically record single-use markers, ensuring only one concurrent caller succeeds for replay-protected operations.
• Added the incrementOne adapter method and SecondaryStorage.increment for atomic counter updates, enabling strict rate-limit and usage-counter enforcement under concurrent load.
• Fixed expired two-factor challenges from completing login and prevented duplicate session creation from concurrent verifications.
• Fixed captcha verification to time out after 10 seconds, preventing slow or unreachable captcha providers from hanging requests indefinitely.
• Fixed /delete-user/callback to reject account deletion when the session has been revoked server-side (cookie-only session deployments are unaffected).
• Fixed rate limiting to prevent concurrent requests from slipping past configured limits, with a new optional consume method for custom storage backends to opt into strict enforcement.
• Fixed team deletion to preserve pending invitations by removing only the deleted team's reference rather than invalidating the invitations entirely.
• Fixed expected authentication validation failures to log as warnings instead of errors.
• Fixed MCP bearer token validation to reject expired access tokens and require the offline_access scope for refresh token usage.
• Fixed plugin API inference in composite monorepo setups where the core package resolved through multiple paths (#9583)
• Fixed OpenAPI generation to accurately serialize Zod request schemas, including optional, nullable, intersected, and record-shaped types (#9315)
• Fixed a memory leak where the JWKS cache could grow on every access token verification.
• Fixed Google One Tap to require a configured client ID (set via the oneTap plugin or socialProviders.google) and reject tokens issued for other applications.
• Fixed device-authorization token polling to prevent the same approved device code from being redeemed multiple times under concurrent polls.
• Fixed account cookie preservation when switching users in the same browser session.
• Fixed email OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
• Fixed phone-number OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
• Fixed two-factor OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
• Fixed the Have I Been Pwned plugin to check breached passwords on additional endpoints, including email-OTP and phone-number reset-password routes and admin password-setting routes.
• Fixed the multi-session set-active and revoke endpoints to only act on sessions the caller holds a signed cookie for, preventing unauthorized session manipulation.
• Fixed the OIDC /oauth2/endsession endpoint to reject cross-site logout requests that carry only a session cookie without a valid id_token_hint.
• Fixed WeChat sign-in to work without an email address by assigning a stable placeholder email, with mapProfileToUser available to supply a real one.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML assertion replay protection to hold under concurrent requests, preventing a duplicate submission from being accepted more than once.
• Fixed organization admins and owners to verify domain ownership for SSO providers their organization owns, not just the member who originally registered the provider.
• Fixed trustEmailVerified to treat only a boolean true or the string "true" as a verified email, rejecting the string "false" as unverified.

For detailed changes, see CHANGELOG

@better-auth/memory-adapter

Bug Fixes

... (truncated)

Changelog

Sourced from @​better-auth/oauth-provider's changelog.

1.6.18

Patch Changes

• #9941 729fd84 Thanks @​GautamBytes! - Fix OAuth provider signed query verification so CDN or proxy query parameter reordering does not break signature validation. Existing signed redirects created before this patch is deployed may fail until their short expiration window elapses.

• Updated dependencies [9ef7240, b21a5f7]:

  • better-auth@1.6.18
  • @​better-auth/core@​1.6.18

1.6.17

Patch Changes

• #9987 7343284 Thanks @​bytaesu! - Token introspection and revocation no longer fetch the signing keys from the database on every request. Keys are cached per auth instance with the same five-minute refresh as remote JWKS sources.

• Updated dependencies [baeaa00, 3e99e6c, 96c78c3, baeaa00, baeaa00, 0c3856f, baeaa00, baeaa00, ed7b6c9, e0a768c, 7343284, 0c3856f, baeaa00, baeaa00, 7343284, 7343284, 0c3856f, fdef997, 0c3856f, d9c526b, 0c3856f, fdef997, baeaa00, baeaa00, baeaa00, baeaa00, fdef997, 7343284, baeaa00, 8960f5f, baeaa00, 5c289b5, 1dbf5bb, baeaa00, baeaa00, 59e0ccb, b803c61, fdef997]:

  • better-auth@1.6.17
  • @​better-auth/core@​1.6.17

1.6.16

Patch Changes

• #9974 cb1cbfa Thanks @​Bekacru! - The /oauth2/continue post-login step no longer treats the client-submitted postLogin flag as proof that an interactive gate completed. Completion is now derived from the server-issued, session-bound marker on the signed oauth_query (matching the consent endpoint); when it is absent, authorize re-runs postLogin.shouldRedirect against the current session and redirects back to the gate if selection is still required.

• #9974 cb1cbfa Thanks @​Bekacru! - Token introspection now requires JWT access tokens to carry an azp (client) claim and resolve to an enabled client before being reported as active. This ensures only tokens issued by the OAuth token endpoint are treated as access tokens, since the JWT plugin can mint session JWTs that share the same issuer, audience, and signing keys.

• #9974 cb1cbfa Thanks @​Bekacru! - Enforce per-client grant types at the token endpoint. Previously only the provider-wide grantTypes allowlist was checked, so a client registered for authorization_code could still request client_credentials tokens, turning a user-delegated client into a machine-to-machine client. The client_credentials and authorization_code grants are now rejected with unauthorized_client unless the client declares them. Refresh tokens remain available to any client permitted the authorization_code grant (gated by offline_access), but are no longer issued to pure client_credentials clients. Clients with no recorded grantTypes fall back to ["authorization_code"], matching the registration default.

• Updated dependencies [cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, 87e7aa5, cb1cbfa, cb1cbfa, cb1cbfa, 893cf6c, cb1cbfa, cb1cbfa, 5e49c56, cb1cbfa]:

  • better-auth@1.6.16
  • @​better-auth/core@​1.6.16

1.6.15

Patch Changes

• #9919 b0ddfd3 Thanks @​gustavovalverde! - Run configured hooks through the whole OAuth sign-in flow

  hooks.before / hooks.after configured on the auth instance now run for the OAuth authorization that continues after a user signs in, selects an account, or consents. They were being skipped there.

  Headers or cookies a hooks.before sets before returning its own response are no longer dropped, and a hooks.after that throws an APIError no longer loses either its cookies or the error's headers.

• #9937 fe9600b Thanks @​gustavovalverde! - The UserInfo endpoint (/oauth2/userinfo) now accepts POST with the access token in the Authorization header, in addition to GET.

• Updated dependencies [1012b69, ad60333, 0933c05, b0ddfd3]:

  • better-auth@1.6.15
  • @​better-auth/core@​1.6.15

Commits

• 04debbf chore: release v1.6.18 (#10026)
• 729fd84 fix(oauth-provider): canonicalize signed OAuth query params (#9941)
• 0d8b238 chore: release v1.6.17 (#9984)
• 7343284 fix: jwks caching, oauth id mapping, team invitations, account cookie, and sc...
• 1a3c8c4 chore: release v1.6.16 (#9958)
• cb1cbfa fix: address bug findings across packages (#9974)
• 03e0e36 chore: release v1.6.15 (#9886)
• fe9600b feat(oauth-provider): accept POST on the userinfo endpoint (#9937)
• b0ddfd3 fix(oauth-provider): run configured hooks when authorize resumes (#9919)
• See full diff in compare view

Updates better-auth from 1.6.14 to 1.6.18

Release notes

Sourced from better-auth's releases.

v1.6.18

better-auth

Bug Fixes

• Fixed getCookieCache to return null for expired sessions instead of treating stale signed cookies as live sessions.
• Fixed the delete-account confirmation link to prevent duplicate account deletions from concurrent callback requests.
• Fixed one-time tokens from being redeemable multiple times under concurrent requests.
• Fixed password reset tokens from changing a password more than once under concurrent requests.
• Fixed Reddit sign-in to assign a non-routable placeholder address (<id>@reddit.invalid) to users with no email, preventing accidental matches with real mailboxes.
• Fixed Sign-In with Ethereum nonces from being accepted multiple times under concurrent sign-in requests.
• Added internalAdapter.reserveVerificationValue to atomically record single-use markers, ensuring only one concurrent caller succeeds for replay-protected operations.
• Added the incrementOne adapter method and SecondaryStorage.increment for atomic counter updates, enabling strict rate-limit and usage-counter enforcement under concurrent load.
• Fixed expired two-factor challenges from completing login and prevented duplicate session creation from concurrent verifications.
• Fixed captcha verification to time out after 10 seconds, preventing slow or unreachable captcha providers from hanging requests indefinitely.
• Fixed /delete-user/callback to reject account deletion when the session has been revoked server-side (cookie-only session deployments are unaffected).
• Fixed rate limiting to prevent concurrent requests from slipping past configured limits, with a new optional consume method for custom storage backends to opt into strict enforcement.
• Fixed team deletion to preserve pending invitations by removing only the deleted team's reference rather than invalidating the invitations entirely.
• Fixed expected authentication validation failures to log as warnings instead of errors.
• Fixed MCP bearer token validation to reject expired access tokens and require the offline_access scope for refresh token usage.
• Fixed plugin API inference in composite monorepo setups where the core package resolved through multiple paths (#9583)
• Fixed OpenAPI generation to accurately serialize Zod request schemas, including optional, nullable, intersected, and record-shaped types (#9315)
• Fixed a memory leak where the JWKS cache could grow on every access token verification.
• Fixed Google One Tap to require a configured client ID (set via the oneTap plugin or socialProviders.google) and reject tokens issued for other applications.
• Fixed device-authorization token polling to prevent the same approved device code from being redeemed multiple times under concurrent polls.
• Fixed account cookie preservation when switching users in the same browser session.
• Fixed email OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
• Fixed phone-number OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
• Fixed two-factor OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
• Fixed the Have I Been Pwned plugin to check breached passwords on additional endpoints, including email-OTP and phone-number reset-password routes and admin password-setting routes.
• Fixed the multi-session set-active and revoke endpoints to only act on sessions the caller holds a signed cookie for, preventing unauthorized session manipulation.
• Fixed the OIDC /oauth2/endsession endpoint to reject cross-site logout requests that carry only a session cookie without a valid id_token_hint.
• Fixed WeChat sign-in to work without an email address by assigning a stable placeholder email, with mapProfileToUser available to supply a real one.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML assertion replay protection to hold under concurrent requests, preventing a duplicate submission from being accepted more than once.
• Fixed organization admins and owners to verify domain ownership for SSO providers their organization owns, not just the member who originally registered the provider.
• Fixed trustEmailVerified to treat only a boolean true or the string "true" as a verified email, rejecting the string "false" as unverified.

For detailed changes, see CHANGELOG

@better-auth/memory-adapter

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.18

Patch Changes

• #9315 9ef7240 Thanks @​GautamBytes! - fix OpenAPI requestBody generation for intersected and default-wrapped body schemas

• #9583 b21a5f7 Thanks @​GautamBytes! - Fix plugin-provided client methods and additional session fields not being inferred in composite monorepos.

• Updated dependencies [b21a5f7]:

  • @​better-auth/core@​1.6.18
  • @​better-auth/drizzle-adapter@​1.6.18
  • @​better-auth/kysely-adapter@​1.6.18
  • @​better-auth/memory-adapter@​1.6.18
  • @​better-auth/mongo-adapter@​1.6.18
  • @​better-auth/prisma-adapter@​1.6.18
  • @​better-auth/telemetry@​1.6.18

1.6.17

Patch Changes

• #9993 baeaa00 Thanks @​gustavovalverde! - When a team had a single open slot, accepting an invitation into it was wrongly rejected as over the member limit and left a dangling membership record. Two invitations accepted into a nearly-full team at the same time could also push it past its limit. Both are fixed.

• #9482 3e99e6c Thanks @​bytaesu! - admin.setUserPassword now creates a credential account when the target user does not have one, matching the behavior of resetPassword. Previously the call returned status: true without doing anything for users without an existing credential account (e.g., social-only or magic-link signups), so admins migrating users from another auth system or assigning an initial password to a social-only user can now do so directly without poking the account table.

• 96c78c3 Thanks @​GautamBytes! - Downgrade expected auth validation failures from error logs to warnings.

• #9993 baeaa00 Thanks @​gustavovalverde! - Captcha provider verification requests now time out after 10 seconds and fail closed, so a slow or unreachable captcha provider can no longer tie up a request indefinitely.

• #9993 baeaa00 Thanks @​gustavovalverde! - A delete-account confirmation link can no longer delete the account more than once when its callback is opened concurrently.

• #9991 0c3856f Thanks @​gustavovalverde! - Completing account deletion through /delete-user/callback now fails when the session has been revoked server-side, instead of proceeding within the cookie-cache window. Deployments that keep sessions only in the cookie are unaffected.

• #9993 baeaa00 Thanks @​gustavovalverde! - Polling for a device-authorization token can no longer redeem the same approved device code more than once when several polls arrive together.

• #9993 baeaa00 Thanks @​gustavovalverde! - Submitting the same email OTP from several requests at once can no longer sign in more than once or gain extra tries beyond the attempt limit.

• #10002 ed7b6c9 Thanks @​gustavovalverde! - Adding a member to a team that is already at its maximumMembersPerTeam limit is now rejected on every path. addMember with a teamId and add-team-member previously skipped the limit that invitation acceptance enforced, so they could push a team over its cap. A rejected addMember no longer creates the organization member.

• #9677 e0a768c Thanks @​GautamBytes! - Refactor role.authorize control flow while preserving existing authorization behavior.

• #9987 7343284 Thanks @​bytaesu! - Generic OAuth sign-in works again for providers whose userinfo response has no sub or id field when mapProfileToUser derives the account id. An empty id field now falls back to sub.

• #9991 0c3856f Thanks @​gustavovalverde! - getCookieCache now returns null for an expired session instead of the stale session data. Middleware that calls it to gate access no longer treats an expired signed cookie as a live session.

• #9993 baeaa00 Thanks @​gustavovalverde! - The Have I Been Pwned plugin now checks submitted passwords against the breach database on more password-setting endpoints by default, including the email-OTP and phone-number reset-password routes and the admin create-user and set-user-password routes. A breached password can no longer be set through those routes when the plugin is enabled with its default paths.

• #9987 7343284 Thanks @​bytaesu! - Preserve the fresh account cookie issued while switching users in the same browser instead of expiring it from stale request cookie state.

• #9991 0c3856f Thanks @​gustavovalverde! - Expired MCP access tokens are no longer accepted. A protected MCP resource now rejects a bearer token once it has expired, both on the server and through the remote client. A refresh token is accepted only when the original authorization included the offline_access scope.

... (truncated)

Commits

• 04debbf chore: release v1.6.18 (#10026)
• 9ef7240 fix(open-api): serialize zod request schemas accurately (#9315)
• b21a5f7 fix(client): preserve plugin inference in composite monorepos (#9583)
• 0d8b238 chore: release v1.6.17 (#9984)
• eff3c99 test(next-js): verify nextCookies forwards all set-cookie headers (#10013)
• e0a768c refactor(access): flatten access plugin role authorization logic (#9677)
• 3310ebc fix(open-api): mark model ids as required (#9704)
• 59e0ccb fix(client): updateSession should infer session additional fields (#9777)
• 96c78c3 fix(logger): downgrade validation logs level to warn
• 5c289b5 fix(account): resolve stateless account cookies across instances (#9979)
• Additional commits viewable in compare view

Updates @biomejs/biome from 2.4.16 to 2.5.0

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.5.0

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.5.0

Minor Changes

• #9539 f0615fd Thanks @​ematipico! - Added a new reporter called concise. When --reporter=concise is passed the commands format, lint, check and ci, the diagnostics are printed in a compact manner:

  ! index.ts:2:10: lint/correctness/noUnusedImports: Several of these imports are unused.
  ! main.ts:9:7: lint/correctness/noUnusedVariables: This variable f is unused.
  × index.ts:8:5: lint/suspicious/noImplicitAnyLet: This variable implicitly has the any type.
  × main.ts:2:10: lint/suspicious/noRedeclare: Shouldn't redeclare 'z'. Consider to delete it or rename it.
  

• #9495 2056b23 Thanks @​aviraldua93! - Added the useKeyWithClickEvents a11y lint rule for HTML files (.html, .vue, .svelte, .astro). This is a port of the existing JSX rule. The rule enforces that elements with an onclick handler also have at least one keyboard event handler (onkeydown, onkeyup, or onkeypress) to ensure keyboard accessibility.

  Inherently keyboard-accessible elements (<a>, <button>, <input>, <select>, <textarea>, <option>) are excluded, as are elements hidden from assistive technologies (aria-hidden) or with role="presentation" / role="none".

  <!-- Invalid: no keyboard handler -->
  <div onclick="handleClick()">Click me</div>
  <!-- Valid: has keyboard handler -->
  <div onclick="handleClick()" onkeydown="handleKeyDown()">Click me</div>
  <!-- Valid: inherently keyboard-accessible -->
  <button onclick="handleClick()">Submit</button>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUndeclaredClasses for HTML, JSX, and SFC files (Vue, Astro, Svelte). The rule detects CSS class names used in class="..." (or className) attributes that are not defined in any <style> block or linked stylesheet reachable from the file.

  <!-- .typo is used but never defined -->
  <html>
    <head>
      <style>
        .button {
          color: blue;
        }
      </style>
    </head>
    <body>
      <div class="button typo"></div>
    </body>
  </html>

• #9152 9ec8500 Thanks @​ematipico! - Added new nursery lint rule noUnusedClasses for CSS. The rule detects CSS class selectors that are never referenced in any HTML or JSX file that imports the stylesheet. This is a project-domain rule that requires the module graph.

  /* styles.css — .ghost is never used in any importing file */

... (truncated)

Commits

• c0b9832 ci: release (#10499)
• 995c1ff feat(lint): add useFunctionComponentDefinition rule (#10498)
• 311c2b2 fix(biome_configuration): avoid Markdown links in JSON schema descriptions (#...
• 04c3f19 fix: docs and readme (#10584)
• 961f41c refactor(useExportType): improve docs and code (#10569)
• 78075b7 feat(useExportType): add style option (#10561)
• 6642895 feat: rule promotion for v2.5 (#10562)
• 9a5855e feat: noRestrictedDependencies (#10467)
• 608a62f Merge branch 'main' into chore/merge-main-into-next
• 0f29b83 feat(linter): implement useIncludes rule (#10516)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions