Skip to content
This repository was archived by the owner on Jul 18, 2025. It is now read-only.

Bump @clerk/backend from 1.34.0 to 2.3.1 #115

Closed
dependabot wants to merge 1 commit into from
Closed

Bump @clerk/backend from 1.34.0 to 2.3.1 #115

dependabot wants to merge 1 commit into from
+53 −26

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Jun 30, 2025

Bumps @clerk/backend from 1.34.0 to 2.3.1.

Release notes

Sourced from @​clerk/backend's releases.

@​clerk/backend@​2.3.1

Patch Changes

@​clerk/backend@​2.3.0

Minor Changes

  • Optimize handshake payload delivery with nonce-based fetching (#5905) by @​jacekradko

    This change introduces a significant optimization to the handshake flow by replacing direct payload delivery with a nonce-based approach to overcome browser cookie size limitations.

    Problem Solved

    Previously, the handshake payload (an encoded JWT containing set-cookie headers) was sent directly in a cookie. Since browsers limit cookies to ~4KB, this severely restricted the practical size of session tokens, which are also JWTs stored in cookies but embedded within the handshake payload.

    Solution

    We now use a conditional approach based on payload size:

    • Small payloads (≤2KB): Continue using the direct approach for optimal performance
    • Large payloads (>2KB): Use nonce-based fetching to avoid cookie size limits

    For large payloads, we:

    1. Generate a short nonce (ID) for each handshake instance
    2. Send only the nonce in the __clerk_handshake_nonce cookie
    3. Use the nonce to fetch the actual handshake payload via a dedicated BAPI endpoint

    New Handshake Flow (for payloads >2KB)

    1. User visits example.com
    2. Client app middleware triggers handshake → 307 FAPI/v1/client/handshake
    3. FAPI handshake resolves → 307 example.com with __clerk_handshake_nonce cookie containing the nonce
    4. Client app middleware makes GET BAPI/v1/clients/handshake_payload?nonce=<nonce_value> request (BAPI)
    5. BAPI returns array of set-cookie header values
    6. Client app middleware applies headers to the response

    Traditional Flow (for payloads ≤2KB)

    No changes. Continues to work as before with direct payload delivery in cookies for optimal performance.

    Trade-offs

    • Added: One additional BAPI call per handshake (only for payloads >2KB)
    • Removed: Cookie size restrictions that previously limited session token size

Patch Changes

... (truncated)

Changelog

Sourced from @​clerk/backend's changelog.

2.3.1

Patch Changes

2.3.0

Minor Changes

  • Optimize handshake payload delivery with nonce-based fetching (#5905) by @​jacekradko

    This change introduces a significant optimization to the handshake flow by replacing direct payload delivery with a nonce-based approach to overcome browser cookie size limitations.

    Problem Solved

    Previously, the handshake payload (an encoded JWT containing set-cookie headers) was sent directly in a cookie. Since browsers limit cookies to ~4KB, this severely restricted the practical size of session tokens, which are also JWTs stored in cookies but embedded within the handshake payload.

    Solution

    We now use a conditional approach based on payload size:

    • Small payloads (≤2KB): Continue using the direct approach for optimal performance
    • Large payloads (>2KB): Use nonce-based fetching to avoid cookie size limits

    For large payloads, we:

    1. Generate a short nonce (ID) for each handshake instance
    2. Send only the nonce in the __clerk_handshake_nonce cookie
    3. Use the nonce to fetch the actual handshake payload via a dedicated BAPI endpoint

    New Handshake Flow (for payloads >2KB)

    1. User visits example.com
    2. Client app middleware triggers handshake → 307 FAPI/v1/client/handshake
    3. FAPI handshake resolves → 307 example.com with __clerk_handshake_nonce cookie containing the nonce
    4. Client app middleware makes GET BAPI/v1/clients/handshake_payload?nonce=<nonce_value> request (BAPI)
    5. BAPI returns array of set-cookie header values
    6. Client app middleware applies headers to the response

    Traditional Flow (for payloads ≤2KB)

    No changes. Continues to work as before with direct payload delivery in cookies for optimal performance.

    Trade-offs

    • Added: One additional BAPI call per handshake (only for payloads >2KB)
    • Removed: Cookie size restrictions that previously limited session token size

... (truncated)

Commits
  • 0c96827 ci(repo): Version packages (#6202)
  • 1367d39 ci(repo): Version packages (#6184)
  • 8bfdf94 feat(backend): Signal support for handshake nonce (#5905)
  • 084e7cc fix(backend): Clear __clerk_synced when page is protected via middleware (#...
  • 55e8fca fix(clerk-expo): Re-export useReverification hook (#6182)
  • 62ca696 ci(repo): Version packages (#6136)
  • 1ffc5e6 chore(backend): Update dependency msw to v2.10.2 (#6131)
  • 2692124 chore(backend,nextjs): Introduce API keys methods and integration tests (#6169)
  • 52d5e57 feat(backend): Support ExpiresInSeconds param (#6150)
  • 628583a fix(backend): Consider proxyUrl in determining frontendApi URL (#6120)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump @clerk/backend from 1.34.0 to 2.3.1
c28210b 
Bumps [@clerk/backend](https://github.com/clerk/javascript/tree/HEAD/packages/backend) from 1.34.0 to 2.3.1.
- [Release notes](https://github.com/clerk/javascript/releases)
- [Changelog](https://github.com/clerk/javascript/blob/main/packages/backend/CHANGELOG.md)
- [Commits](https://github.com/clerk/javascript/commits/@clerk/[email protected]/packages/backend)

---
updated-dependencies:
- dependency-name: "@clerk/backend"
  dependency-version: 2.3.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2025
@dependabot dependabot bot mentioned this pull request Jun 30, 2025
Closed
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Jul 7, 2025

Superseded by #116.

@dependabot dependabot bot closed this Jul 7, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/mabels/backend/clerk/backend-2.3.1 branch July 7, 2025 18:32
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant