
build(deps): bump @better-auth/oauth-provider from 1.5.5 to 1.6.5#3151

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/better-auth/oauth-provider-1.6.5

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 17, 2026

Bumps @better-auth/oauth-provider from 1.5.5 to 1.6.5.

Release notes

Sourced from @better-auth/oauth-provider's releases.

v1.6.5

better-auth

Bug Fixes

  • Clarified recommended production usage for the test utils plugin (#9119)
  • Fixed session not refreshing after /change-password and /revoke-other-sessions (#9087)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Security

  • Fixed GHSA-xr8f-h2gw-9xh6, a high-severity authorization bypass in @better-auth/oauth-provider where unprivileged authenticated users could create OAuth clients when deployments relied on clientPrivileges to restrict client creation.
  • First patched stable version: @better-auth/oauth-provider@1.6.5.
  • Note: the published beta line (1.7.0-beta.0 and 1.7.0-beta.1) remains affected until a fixed beta release is published.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @ramonclaudio

Full changelog: v1.6.4...v1.6.5

v1.6.4

better-auth

Bug Fixes

  • Fixed forceAllowId UUIDs set in database hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
  • Reverted 2FA enforcement scope to credential sign-in paths only, so magic link, email OTP, OAuth, SSO, passkey, and other non-credential sign-in flows no longer trigger a 2FA challenge (#9205)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@GautamBytes, @gustavovalverde

Full changelog: v1.6.3...v1.6.4

v1.6.3

better-auth

Features

... (truncated)

Changelog

Sourced from @better-auth/oauth-provider's changelog.

1.6.5

Patch Changes

1.6.4

Patch Changes

1.6.3

Patch Changes

  • #9123 e2e25a4 Thanks @gustavovalverde! - fix(oauth-provider): override confidential auth methods to public in unauthenticated DCR

    When allowUnauthenticatedClientRegistration is enabled, unauthenticated DCR requests that specify client_secret_post, client_secret_basic, or omit token_endpoint_auth_method (which defaults to client_secret_basic per RFC 7591 §2) are now silently overridden to token_endpoint_auth_method: "none" (public client) instead of being rejected with HTTP 401.

    This follows RFC 7591 §3.2.1, which allows the server to "reject or replace any of the client's requested metadata values submitted during the registration and substitute them with suitable values." The registration response communicates the actual method back to the client, allowing compliant clients to adjust.

    This fixes interoperability with real-world MCP clients (Claude, Codex, Factory Droid, and others) that send token_endpoint_auth_method: "client_secret_post" in their DCR payload because the server metadata advertises it in token_endpoint_auth_methods_supported.

    Closes #8588

  • #9131 5142e9c Thanks @gustavovalverde! - harden dynamic baseURL handling for direct auth.api.* calls and plugin metadata helpers

    Direct auth.api.* calls

    • Throw APIError with a clear message when the baseURL can't be resolved (no source and no fallback), instead of leaving ctx.context.baseURL = "" for downstream plugins to crash on.
    • Convert allowedHosts mismatches on the direct-API path to APIError.
    • Honor advanced.trustedProxyHeaders on the dynamic path (default true, unchanged). Previously x-forwarded-host / -proto were unconditionally trusted with allowedHosts; they now go through the same gate as the static path. The default flip to false ships in a follow-up PR.

... (truncated)

Commits
  • c8a91f4 chore: release v1.6.5 (#9209)
  • 5b900a2 Merge commit from fork
  • 9ec849f chore: release v1.6.4 (#9175)
  • 6f17bb3 chore: release v1.6.3 (#9081)
  • 5142e9c fix(auth): harden dynamic baseURL resolution (#9131)
  • e2e25a4 fix(oauth-provider): graceful DCR override for unauthenticated confidential c...
  • 314e06f feat(oauth-provider): add customTokenResponseFields and harden authorizatio...
  • 700d298 chore: version packages (#9052)
  • 4c829bf fix(oauth-provider): preserve multi-valued query params through prompt redire...
  • c6922dc refactor(oauth-provider): reject skip_consent at schema level in DCR (#8998)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @better-auth/oauth-provider since your current version.
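The DCR behaviour described in the 1.6.3 changelog entry above (confidential auth methods substituted with "none" for unauthenticated registrants, and the granted method reported back per RFC 7591 §3.2.1), as an added example that is not part of this PR and not @better-auth/oauth-provider's own code. It assumes a policy object carrying an allowUnauthenticatedClientRegistration flag and a request context flag saying whether the registrant authenticated; registerClient, tokenEndpointAuth, CredentialSource and RegistrationError are names invented for this example.

```typescript
// Added example, not better-auth code: RFC 7591 registration with the
// §3.2.1 "replace and report back" rule for unauthenticated DCR, plus the
// client-side step of honouring the method the server actually granted.
type TokenEndpointAuthMethod = "none" | "client_secret_basic" | "client_secret_post";

interface ClientRegistrationRequest {
  client_name?: string;
  redirect_uris: string[];
  token_endpoint_auth_method?: TokenEndpointAuthMethod;
}

interface ClientRegistrationResponse {
  client_id: string;
  client_secret?: string;
  redirect_uris: string[];
  token_endpoint_auth_method: TokenEndpointAuthMethod;
}

// Assumed names that mirror the changelog wording, not the plugin's real option type.
interface RegistrationPolicy {
  allowUnauthenticatedClientRegistration: boolean;
}

interface RegistrationContext {
  authenticated: boolean; // true when the caller presented a valid initial access token / session
}

// Injected so the example is deterministic; production code must draw both
// values from a CSPRNG (for example crypto.randomBytes), never from Math.random.
interface CredentialSource {
  clientId(): string;
  clientSecret(): string;
}

class RegistrationError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
  }
}

function registerClient(
  req: ClientRegistrationRequest,
  ctx: RegistrationContext,
  policy: RegistrationPolicy,
  creds: CredentialSource,
): ClientRegistrationResponse {
  if (!Array.isArray(req.redirect_uris) || req.redirect_uris.length === 0) {
    throw new RegistrationError(400, "invalid_redirect_uri");
  }
  // RFC 7591 §2: an omitted token_endpoint_auth_method means client_secret_basic.
  const requested: TokenEndpointAuthMethod = req.token_endpoint_auth_method ?? "client_secret_basic";

  let effective: TokenEndpointAuthMethod = requested;
  if (!ctx.authenticated) {
    if (!policy.allowUnauthenticatedClientRegistration) {
      throw new RegistrationError(401, "unauthenticated client registration is disabled");
    }
    // An anonymous registrant cannot be trusted with a confidential credential.
    // Rather than answering 401 to client_secret_post/basic (the pre-1.6.3
    // behaviour), substitute the public-client method and say so in the response.
    effective = "none";
  }

  const response: ClientRegistrationResponse = {
    client_id: creds.clientId(),
    redirect_uris: [...req.redirect_uris],
    token_endpoint_auth_method: effective,
  };
  if (effective !== "none") {
    response.client_secret = creds.clientSecret();
  }
  return response;
}

type TokenEndpointAuth =
  | { kind: "public"; client_id: string }
  | { kind: "post"; client_id: string; client_secret: string }
  | { kind: "basic"; username: string; password: string };

// Client side: derive token-endpoint authentication from the method the
// server granted, not from the one that was requested in the DCR payload.
function tokenEndpointAuth(reg: ClientRegistrationResponse): TokenEndpointAuth {
  const method = reg.token_endpoint_auth_method;
  if (method === "none") {
    return { kind: "public", client_id: reg.client_id };
  }
  if (reg.client_secret === undefined) {
    throw new Error(`registration granted ${method} but returned no client_secret`);
  }
  if (method === "client_secret_post") {
    return { kind: "post", client_id: reg.client_id, client_secret: reg.client_secret };
  }
  // RFC 6749 §2.3.1: id and secret are form-urlencoded before HTTP Basic encoding.
  return { kind: "basic", username: encodeURIComponent(reg.client_id), password: encodeURIComponent(reg.client_secret) };
}
```

A registrant that sends client_secret_post without authenticating receives token_endpoint_auth_method "none" and no secret, and tokenEndpointAuth then builds a public-client token request from that response; the same request from an authenticated registrant keeps the confidential method and gets a secret.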


@dependabot dependabot Bot added labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Apr 17, 2026
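The baseURL hardening from the 1.6.3 changelog entry in the comment above (throw instead of leaving baseURL empty, allowedHosts mismatch surfaced as an APIError, x-forwarded-host / -proto honoured only behind the trustedProxyHeaders gate), as an added example that is not better-auth's code and not part of this PR. resolveBaseURL and firstForwarded are names invented here; the lower-cased header map, the 403 status for a rejected host and the https default when no protocol is forwarded are this example's assumptions, not the library's behaviour.

```typescript
// Added example, not better-auth code: dynamic base-URL resolution with a
// proxy-header trust gate, an allowed-host check and a hard failure path.
interface BaseURLOptions {
  baseURL?: string;              // static configuration; wins when set
  allowedHosts?: string[];       // exact host[:port] values accepted on the dynamic path
  trustedProxyHeaders?: boolean; // default true here, as the 1.6.3 changelog states
}

class APIError extends Error {
  constructor(public readonly status: number, public readonly code: string, message: string) {
    super(message);
  }
}

// Header names are assumed to be lower-cased by the framework before reaching us.
type HeaderMap = Record<string, string | undefined>;

// Proxies append to x-forwarded-* ("client, proxy1"); only the first entry is
// meaningful, and it must be a bare host token, never a URL, path or IPv6 literal.
function firstForwarded(value: string | undefined): string | undefined {
  const first = value?.split(",")[0]?.trim();
  return first && /^[A-Za-z0-9.-]+(:\d{1,5})?$/.test(first) ? first : undefined;
}

function resolveBaseURL(headers: HeaderMap, opts: BaseURLOptions = {}): string {
  if (opts.baseURL) return opts.baseURL.replace(/\/+$/, "");

  // Forwarded headers are only consulted when the deployment says a trusted
  // proxy sets them; otherwise a client could inject its own x-forwarded-host.
  const trustProxy = opts.trustedProxyHeaders ?? true;
  const forwardedHost = trustProxy ? firstForwarded(headers["x-forwarded-host"]) : undefined;
  const forwardedProto = trustProxy ? headers["x-forwarded-proto"]?.split(",")[0]?.trim() : undefined;

  const host = forwardedHost ?? firstForwarded(headers["host"]);
  if (!host) {
    // Fail here instead of handing downstream plugins baseURL === "".
    throw new APIError(500, "BASE_URL_UNRESOLVABLE", "no static baseURL and no usable Host header");
  }
  if (opts.allowedHosts && !opts.allowedHosts.includes(host)) {
    throw new APIError(403, "HOST_NOT_ALLOWED", `host "${host}" is not in allowedHosts`); // status assumed
  }
  // Only http/https are accepted from the proxy; anything else falls back to https (assumed default).
  const proto = forwardedProto === "http" || forwardedProto === "https" ? forwardedProto : "https";
  return `${proto}://${host}`;
}
```

With trustedProxyHeaders left at its default, a request whose x-forwarded-host is in allowedHosts resolves to that host; with the gate set to false the same headers are ignored and the Host header is used, and a forwarded value outside allowedHosts (including a prepended spoofed entry) is rejected rather than silently accepted.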

changeset-bot Bot commented Apr 17, 2026

⚠️ No Changeset found

Latest commit: 7eba9ee

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions

A matching internal PR is ready in inkeep/agents-private#151 for canonical review and merge.

  • Original author attribution is preserved as @dependabot[bot]
  • The internal PR is the authoritative merge surface
  • The public repo will pick up the merged change through the normal mirror sync

This comment will be updated as the bridge state changes.


socket-security Bot commented Apr 17, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/better-auth/oauth-provider-1.6.5 branch 3 times, most recently from 4f10b24 to 91e004c on April 22, 2026 23:16

socket-security Bot commented Apr 22, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                      Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated  @better-auth/oauth-provider@1.5.5 ⏵ 1.6.5    77 (+1)                 100 (+16)       79 (+1)   97            100

View full report

Bumps [@better-auth/oauth-provider](https://github.com/better-auth/better-auth/tree/HEAD/packages/oauth-provider) from 1.5.5 to 1.6.5.
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/oauth-provider/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/@better-auth/oauth-provider@1.6.5/packages/oauth-provider)

---
updated-dependencies:
- dependency-name: "@better-auth/oauth-provider"
  dependency-version: 1.6.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/better-auth/oauth-provider-1.6.5 branch from 91e004c to 7eba9ee on April 25, 2026 02:00