Bump better-auth from 1.6.2 to 1.6.5 in /frontend #184

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/frontend/better-auth-1.6.5

dependabot Bot commented on behalf of github Apr 20, 2026

Bumps better-auth from 1.6.2 to 1.6.5.

Release notes

Sourced from better-auth's releases.

v1.6.5

better-auth

Bug Fixes

  • Clarified recommended production usage for the test utils plugin (#9119)
  • Fixed session not refreshing after /change-password and /revoke-other-sessions (#9087)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Security

  • Fixed GHSA-xr8f-h2gw-9xh6, a high-severity authorization bypass in @better-auth/oauth-provider where unprivileged authenticated users could create OAuth clients when deployments relied on clientPrivileges to restrict client creation.
  • First patched stable version: @better-auth/oauth-provider@1.6.5.
  • Note: the published beta line (1.7.0-beta.0 and 1.7.0-beta.1) remains affected until a fixed beta release is published.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​GautamBytes, @​ramonclaudio

Full changelog: v1.6.4...v1.6.5

v1.6.4

better-auth

Bug Fixes

  • Fixed forceAllowId UUIDs set in database hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
  • Reverted 2FA enforcement scope to credential sign-in paths only, so magic link, email OTP, OAuth, SSO, passkey, and other non-credential sign-in flows no longer trigger a 2FA challenge (#9205)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​GautamBytes, @​gustavovalverde

Full changelog: v1.6.3...v1.6.4

v1.6.3

better-auth

Features

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.5

Patch Changes

  • #9119 938dd80 Thanks @​GautamBytes! - clarify recommended production usage for the test utils plugin

  • #9087 0538627 Thanks @​ramonclaudio! - fix(client): refetch session after /change-password and /revoke-other-sessions

  • Updated dependencies []:

    • @​better-auth/core@​1.6.5
    • @​better-auth/drizzle-adapter@​1.6.5
    • @​better-auth/kysely-adapter@​1.6.5
    • @​better-auth/memory-adapter@​1.6.5
    • @​better-auth/mongo-adapter@​1.6.5
    • @​better-auth/prisma-adapter@​1.6.5
    • @​better-auth/telemetry@​1.6.5

1.6.4

Patch Changes

  • #9205 9aed910 Thanks @​gustavovalverde! - fix(two-factor): revert enforcement broadening from #9122

    Restores the pre-#9122 enforcement scope. 2FA is challenged only on /sign-in/email, /sign-in/username, and /sign-in/phone-number, matching the behavior that shipped through v1.6.2. Non-credential sign-in flows (magic link, email OTP, OAuth, SSO, passkey, SIWE, one-tap, phone-number OTP, device authorization, email-verification auto-sign-in) are no longer gated by a 2FA challenge by default.

    A broader enforcement scope with per-method opt-outs and alignment to NIST SP 800-63B-4 authenticator assurance levels is planned for a future minor release.

  • #9068 acbd6ef Thanks @​GautamBytes! - Fix forced UUID user IDs from create hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid".

  • #9165 39d6af2 Thanks @​gustavovalverde! - chore(adapters): require patched drizzle-orm and kysely peer versions

    Narrows the drizzle-orm peer to ^0.45.2 and the kysely peer to ^0.28.14. Both new ranges track the minor line that carries the vulnerability fix and nothing newer, so the adapters only advertise support for versions that have actually been tested against. Consumers on older ORM releases see an install-time warning and can upgrade alongside the adapter; the peer is marked optional, so installs do not hard-fail.

  • Updated dependencies [39d6af2]:

    • @​better-auth/drizzle-adapter@​1.6.4
    • @​better-auth/kysely-adapter@​1.6.4
    • @​better-auth/core@​1.6.4
    • @​better-auth/memory-adapter@​1.6.4
    • @​better-auth/mongo-adapter@​1.6.4
    • @​better-auth/prisma-adapter@​1.6.4
    • @​better-auth/telemetry@​1.6.4

1.6.3

Patch Changes

  • #9131 5142e9c Thanks @​gustavovalverde! - harden dynamic baseURL handling for direct auth.api.* calls and plugin metadata helpers

    Direct auth.api.* calls

    • Throw APIError with a clear message when the baseURL can't be resolved (no source and no fallback), instead of leaving ctx.context.baseURL = "" for downstream plugins to crash on.

... (truncated)

Commits
  • c8a91f4 chore: release v1.6.5 (#9209)
  • 938dd80 docs(test-utils): clarify production usage (#9119)
  • 0538627 fix(client): trigger $sessionSignal for session-rotating endpoints (#9087)
  • 9ec849f chore: release v1.6.4 (#9175)
  • 39d6af2 chore(adapters): require patched drizzle-orm and kysely peer versions (#9165)
  • ba03fb5 chore(deps): bump electron and next devDependencies to patched versions (#9166)
  • 9aed910 fix(two-factor): revert enforcement broadening from #9122 (#9205)
  • acbd6ef fix: honor forceAllowId UUIDs on postgres adapters (#9068)
  • 6f17bb3 chore: release v1.6.3 (#9081)
  • 9a6d475 fix(client): prevent isMounted race condition causing many rps (#9078)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) from 1.6.2 to 1.6.5.
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.5/packages/better-auth)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
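
Added example (not Dependabot's or Better Auth's code): the release notes above place the GHSA-xr8f-h2gw-9xh6 fix in @better-auth/oauth-provider, a separate package from the better-auth bump in this PR, so the lockfile is worth checking for that package directly. The sketch assumes an npm package-lock.json with a `packages` map, treats stable versions below 1.6.5 as unpatched (the page only names the first patched stable version), and runs on a constructed sample lockfile.

```javascript
// Added example: flag lockfile entries of @better-auth/oauth-provider that the
// release notes do not describe as patched for GHSA-xr8f-h2gw-9xh6.
const PKG = "@better-auth/oauth-provider";
const FIRST_PATCHED = [1, 6, 5]; // "First patched stable version" per the release notes
const AFFECTED_BETAS = new Set(["1.7.0-beta.0", "1.7.0-beta.1"]); // named in the release notes

function classify(version) {
  const v = String(version);
  if (AFFECTED_BETAS.has(v)) return "affected-beta";
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v);
  if (!m) return "unparsed";
  // The page says nothing about other prereleases, so do not guess.
  if (m[4]) return "prerelease-unlisted";
  const parts = [m[1], m[2], m[3]].map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIRST_PATCHED[i]) {
      // Assumption: any stable release below 1.6.5 is treated as unpatched.
      return parts[i] < FIRST_PATCHED[i] ? "below-first-patched" : "patched";
    }
  }
  return "patched";
}

function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Nested copies show up as node_modules/<dep>/node_modules/@better-auth/oauth-provider.
    if (!path.endsWith("node_modules/" + PKG)) continue;
    const status = classify(entry.version);
    if (status !== "patched") findings.push({ path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3 layout); "some-lib" is hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend" },
    "node_modules/better-auth": { version: "1.6.5" },
    "node_modules/@better-auth/oauth-provider": { version: "1.6.2" },
    "node_modules/some-lib/node_modules/@better-auth/oauth-provider": { version: "1.7.0-beta.1" },
  },
};

console.log(auditLock(sampleLock));
```

An empty result means no copy of the package in the lockfile falls outside what the release notes call patched; it says nothing about whether the deployment uses clientPrivileges.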
dependabot Bot commented on behalf of github Apr 20, 2026

Labels

The following labels could not be found: dependencies, frontend. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot Bot requested a review from JessyTsui as a code owner April 20, 2026 00:58

vercel Bot commented Apr 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cerul | Ready | Preview, Comment | Apr 20, 2026 1:00am |
