Skip to content

chore(deps): bump the npm-deps group across 1 directory with 7 updates#47

Merged
mroderick merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-deps-b7f38ca6d9
Jul 16, 2026
Merged

chore(deps): bump the npm-deps group across 1 directory with 7 updates#47
mroderick merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-deps-b7f38ca6d9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-deps group with 6 updates in the / directory:

Package From To
@better-auth/oauth-provider 1.6.20 1.6.23
@hono/node-server 2.0.6 2.0.8
hono 4.12.27 4.12.28
@commitlint/cli 21.1.0 21.2.1
eslint 10.5.0 10.6.0
prettier 3.8.4 3.9.4

Updates @better-auth/oauth-provider from 1.6.20 to 1.6.23

Release notes

Sourced from @​better-auth/oauth-provider's releases.

v1.6.23

better-auth

Features

  • Added Yandex as a social OAuth provider (#9138)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed affected row counting for D1 and postgres-js adapters (#10257)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed string default values not being properly escaped in the generated Drizzle schema (#10259)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​vladflotsky

Full changelog: v1.6.22...v1.6.23

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from @​better-auth/oauth-provider's changelog.

1.6.23

Patch Changes

  • Updated dependencies [8581f97]:
    • better-auth@1.6.23
    • @​better-auth/core@​1.6.23

1.6.22

Patch Changes

1.6.21

Patch Changes

Commits

Updates @hono/node-server from 2.0.6 to 2.0.8

Release notes

Sourced from @​hono/node-server's releases.

v2.0.8

What's Changed

Full Changelog: honojs/node-server@v2.0.7...v2.0.8

v2.0.7

What's Changed

Full Changelog: honojs/node-server@v2.0.6...v2.0.7

Commits

Updates better-auth from 1.6.20 to 1.6.23

Release notes

Sourced from better-auth's releases.

v1.6.23

better-auth

Features

  • Added Yandex as a social OAuth provider (#9138)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed affected row counting for D1 and postgres-js adapters (#10257)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed string default values not being properly escaped in the generated Drizzle schema (#10259)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​vladflotsky

Full changelog: v1.6.22...v1.6.23

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.23

Patch Changes

  • #9138 8581f97 Thanks @​vladflotsky! - Add a pre-configured Yandex provider helper for the generic OAuth plugin.

  • Updated dependencies [930b260]:

    • @​better-auth/drizzle-adapter@​1.6.23
    • @​better-auth/core@​1.6.23
    • @​better-auth/kysely-adapter@​1.6.23
    • @​better-auth/memory-adapter@​1.6.23
    • @​better-auth/mongo-adapter@​1.6.23
    • @​better-auth/prisma-adapter@​1.6.23
    • @​better-auth/telemetry@​1.6.23

1.6.22

Patch Changes

  • #10239 c06a56d Thanks @​gustavovalverde! - Magic-link and email-OTP sign-in now reset the credentials on an account whose email had never been confirmed. When verification resolves to such an account, any existing password on it is removed and its sessions are revoked before the user is signed in, so proven control of the mailbox is the source of truth for the account.

    If you signed up with email and password but first signed in through a magic link or email OTP rather than confirming the verification email, your password is cleared and you will need to set a new one through password reset.

  • #10240 3a035e9 Thanks @​gustavovalverde! - Add account-level lockout for two-factor verification. The attempt limit applies per account across sign-in challenges and across factors: TOTP, email-OTP, and backup codes share one counter, and a successful verification resets it.

    Enabled by default: an account locks for 15 minutes after 10 consecutive failed verifications, and locked attempts return 429 with the ACCOUNT_TEMPORARILY_LOCKED error code. Configure it with twoFactor({ accountLockout: { enabled, maxFailedAttempts, durationSeconds } }).

    Run a database migration after upgrading: this adds failedVerificationCount and lockedUntil columns to the twoFactor table.

  • Updated dependencies [8bd43d9]:

    • @​better-auth/core@​1.6.22
    • @​better-auth/drizzle-adapter@​1.6.22
    • @​better-auth/kysely-adapter@​1.6.22
    • @​better-auth/memory-adapter@​1.6.22
    • @​better-auth/mongo-adapter@​1.6.22
    • @​better-auth/prisma-adapter@​1.6.22
    • @​better-auth/telemetry@​1.6.22

1.6.21

Patch Changes

  • #10212 e0762a1 Thanks @​bytaesu! - In root-mounted deployments, requests whose path does not start with the configured basePath now return 404 instead of resolving to an endpoint.

  • #10187 882cf9e Thanks @​ping-maxwell! - Admin permission changes and bans now take effect immediately for admin APIs, even when session cookie cache is enabled. Sensitive session checks also continue to work in stateless apps where signed cookies are the session record.

  • #9939 f52e1ab Thanks @​benpsnyder! - fixes a bug causing deviceAuthorization() throwing a ZodError at construction when called without a schema option

  • #10196 b5bec19 Thanks @​Paola3stefania! - OAuth sign-up and account-link profile sync now ignore provider profile values for user fields marked input: false. Input-allowed additional fields still persist from mapProfileToUser, and schema defaults still apply when OAuth creates a user. Apps that used mapProfileToUser to fill input: false fields should set those fields in server-side provisioning code instead.

... (truncated)

Commits

Updates hono from 4.12.27 to 4.12.28

Release notes

Sourced from hono's releases.

v4.12.28

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.27...v4.12.28

Commits
  • 626b185 4.12.28
  • d6b1d32 docs(context-storage): fix JSDoc (#5086)
  • 45b081b fix(aws-lambda): detect V2 events by request context, not rawPath alone (#5033)
  • a05813c chore: bump devDependencies (#5085)
  • 872997d fix(bun): report the requested subprotocol on WSContext.protocol (#5059)
  • 82b321b fix: avoid circular dependency between body.ts and request.ts (#5071)
  • b20d422 fix(utils/body,validator): normalize Content-Type media type for case-insensi...
  • 9728702 chore: don't publish *.tsbuildinfo (#5066)
  • ed8795e docs(MIGRATION): fix req.raw.headers reference (property, not method) (#5047)
  • 03a9416 fix(serve-static): treat empty string content as found (#5062)
  • See full diff in compare view

Updates @commitlint/cli from 21.1.0 to 21.2.1

Release notes

Sourced from @​commitlint/cli's releases.

v21.2.1

21.2.0 (2026-06-30)

Features

  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#4859) (fdb566f)

Chore, doc, etc.

New Contributors

Full Changelog: conventional-changelog/commitlint@v21.2.0...v21.2.1

v21.2.0

21.2.0 (2026-06-30)

Features

Chore

Full Changelog: conventional-changelog/commitlint@v21.1.0...v21.2.0

Changelog

Sourced from @​commitlint/cli's changelog.

21.2.1 (2026-07-08)

Note: Version bump only for package @​commitlint/cli

21.2.0 (2026-06-30)

Features

  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#4859) (fdb566f)
Commits

Updates eslint from 10.5.0 to 10.6.0

Release notes

Sourced from eslint's releases.

v10.6.0

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#20983) (lumir)

Chores

  • 6a42034 ci: run ecosystem tests on main branch (#20891) (sethamus)
  • 3dbacdb ci: bump actions/checkout from 6 to 7 (#21014) (dependabot[bot])
  • c3abfca chore: correct JSDoc param types in html formatter (#21018) (Minseon Kim)
  • a832320 ci: split ecosystem tests into separate jobs (#21001) (xbinaryx)
  • 27166e7 chore: update ecosystem plugins (#21005) (ESLint Bot)
  • 865d76e ci: bump pnpm/action-setup from 6.0.8 to 6.0.9 (#20989) (dependabot[bot])
  • 27a88c9 chore: update dependency markdown-it to v14 in root (#20994) (Milos Djermanovic)
  • 970cea6 chore: update dependency markdown-it to v14 (#20993) (Milos Djermanovic)
  • b482120 chore: update dependency prettier to v3.8.4 (#20990) (renovate[bot])
  • 6993fb3 chore: update ecosystem plugins (#20985) (ESLint Bot)
Commits
  • 5d12a04 10.6.0
  • f7ca54b Build: changelog update for 10.6.0
  • 6a42034 ci: run ecosystem tests on main branch (#20891)
  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981)
  • 3dbacdb ci: bump actions/checkout from 6 to 7 (#21014)
  • c3abfca chore: correct JSDoc param types in html formatter (#21018)
  • a83683d docs: Update README
  • a832320 ci: split ecosystem tests into separate jobs (#21001)
  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#20997)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#21013)
  • Additional commits viewable in compare view

Updates prettier from 3.8.4 to 3.9.4

Release notes

Sourced from prettier's releases.

3.9.4

  • Angular: Format @content(name) -> @content (name) to align with other block syntax (#19499 by @​fisker)

🔗 Changelog

3.9.3

🔗 Changelog

3.9.1

🔗 Changelog

3.9.0

diff

🔗 Prettier 3.9: Major parser upgrades and Formatting improvements

3.8.5

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.9.4

diff

Angular: Format @content(name) -> @content (name) to align with other block syntax (#19499 by @​fisker)

<!-- Input -->
<FancyButton [label]="title">
  @content (icon) {
    <span>Icon!</span>
  }
  @content (description) {
    <span>Description text</span>
  }
  <span>Other children</span>
</FancyButton>
<!-- Prettier 3.9.3 -->
<FancyButton [label]="title">
@​content(icon) {
<span>Icon!</span>
}
@​content(description) {
<span>Description text</span>
}
<span>Other children</span>
</FancyButton>
<!-- Prettier 3.9.4 -->
<FancyButton [label]="title">
@​content (icon) {
<span>Icon!</span>
}
@​content (description) {
<span>Description text</span>
}
<span>Other children</span>
</FancyButton>

3.9.3

diff

Markdown: Fix unexpected removal of characters in liquid syntax (#19489 by @​seiyab)

</tr></table> 

... (truncated)

Commits
  • b693cb2 Release 3.9.4
  • 2e92ac0 Angular: Format @content(name) -> @content (name) to align with other blo...
  • abed2c2 Bump Prettier dependency to 3.9.3
  • 6cfbc00 Clean changelog_unreleased
  • 3732e1d Release 3.9.3
  • a74a7b0 Allow decorators to be used with declare on class fields (#19492)
  • bd9e11a Correct text identification in liquid syntax (#19489)
  • 269eee3 Bump Prettier dependency to 3.9.1
  • ec7ccd1 Clean changelog_unreleased
  • c47654c Release 3.9.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-deps group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@better-auth/oauth-provider](https://github.com/better-auth/better-auth/tree/HEAD/packages/oauth-provider) | `1.6.20` | `1.6.23` |
| [@hono/node-server](https://github.com/honojs/node-server) | `2.0.6` | `2.0.8` |
| [hono](https://github.com/honojs/hono) | `4.12.27` | `4.12.28` |
| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) | `21.1.0` | `21.2.1` |
| [eslint](https://github.com/eslint/eslint) | `10.5.0` | `10.6.0` |
| [prettier](https://github.com/prettier/prettier) | `3.8.4` | `3.9.4` |



Updates `@better-auth/oauth-provider` from 1.6.20 to 1.6.23
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/oauth-provider/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.23/packages/oauth-provider)

Updates `@hono/node-server` from 2.0.6 to 2.0.8
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v2.0.6...v2.0.8)

Updates `better-auth` from 1.6.20 to 1.6.23
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.23/packages/better-auth)

Updates `hono` from 4.12.27 to 4.12.28
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.27...v4.12.28)

Updates `@commitlint/cli` from 21.1.0 to 21.2.1
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v21.2.1/@commitlint/cli)

Updates `eslint` from 10.5.0 to 10.6.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.5.0...v10.6.0)

Updates `prettier` from 3.8.4 to 3.9.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.4...3.9.4)

---
updated-dependencies:
- dependency-name: "@better-auth/oauth-provider"
  dependency-version: 1.6.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@hono/node-server"
  dependency-version: 2.0.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: better-auth
  dependency-version: 1.6.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: hono
  dependency-version: 4.12.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@commitlint/cli"
  dependency-version: 21.2.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: prettier
  dependency-version: 3.9.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 16, 2026
@mroderick

Copy link
Copy Markdown
Collaborator

Dependency Upgrade Review: 7 packages across npm-deps group

PR Scope

Dependency-only — only package.json and package-lock.json changed.

Dependency Changes

Package From To Type Risk
better-auth ^1.6.20 ^1.6.23 (resolved) runtime Low
@better-auth/oauth-provider ^1.6.20 ^1.6.23 runtime Low
hono ^4.12.27 ^4.12.28 runtime Low
@hono/node-server ^2.0.6 ^2.0.8 runtime Low
@commitlint/cli ^21.1.0 ^21.2.1 dev Low
eslint ^10.4.1 ^10.6.0 dev Low
prettier ^3.8.4 ^3.9.4 dev Low

Changes & Usage Analysis

better-auth v1.6.20 → 1.6.23 — Used: betterAuth() in src/auth.js and test helpers. v1.6.21: basePath 404, admin session cache, OAuth profile sync fixes. v1.6.22: security fix (magic link credential reset) + 2FA account lockout (DB migration). v1.6.23: Yandex OAuth provider + adapter fixes. ✅ App doesn't use 2FA, so the DB migration doesn't apply. All changes are bug fixes we benefit from.

@better-auth/oauth-provider v1.6.20 → 1.6.23 — Used: oauthProvider() plugin. Peer dep bumps only, no direct changes.

hono v4.12.27 → 4.12.28 — Used: Hono class + hono/html across all routes. Bug fix release: Content-Type normalization, circular dependency fix, AWS Lambda detection. No breaking changes.

@hono/node-server v2.0.6 → 2.0.8 — Used: serve(), serveStatic(), getConnInfo(). v2.0.7 fixes serve-static precompressed file handling; v2.0.8 is CI-only.

@commitlint/cli v21.1.0 → 21.2.1 — ESM preset resolution + internal migration from git-raw-commits to @conventional-changelog/git-client.

eslint v10.5.0 → 10.6.0 — Bug fixes and new detections in existing rules. Backward-compatible.

prettier v3.8.4 → 3.9.4 — v3.9.0 was a major parser upgrade. Run npm run prettier:write after upgrading if formatting changes surface.

Compatibility Assessment

Compatible — All upgrades are minor/patch bumps with no breaking changes. No used APIs are affected.

Test Coverage

38 passing feature tests covering auth flows, routes, and components. Coverage: 67% lines. Tests would catch regressions in the main dependency APIs.

Confidence Rating

High — clean, low-risk group upgrade. All changes backward-compatible, no DB migration needed (2FA not configured), test suite in place.

@mroderick mroderick left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. See analysis comment above.

@mroderick mroderick merged commit 038c44f into main Jul 16, 2026
6 of 7 checks passed
@mroderick mroderick deleted the dependabot/npm_and_yarn/npm-deps-b7f38ca6d9 branch July 16, 2026 14:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant