Skip to content

chore(deps): bump the npm-deps group with 6 updates#45

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-deps-20a4d92b59
Open

chore(deps): bump the npm-deps group with 6 updates#45
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-deps-20a4d92b59

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-deps group with 6 updates:

Package From To
@better-auth/oauth-provider 1.6.20 1.6.23
better-auth 1.6.20 1.6.23
@commitlint/cli 21.1.0 21.2.0
eslint 10.5.0 10.6.0
fallow 2.102.0 2.104.0
prettier 3.8.4 3.9.4

Updates @better-auth/oauth-provider from 1.6.20 to 1.6.23

Release notes

Sourced from @​better-auth/oauth-provider's releases.

v1.6.23

better-auth

Features

  • Added Yandex as a social OAuth provider (#9138)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed affected row counting for D1 and postgres-js adapters (#10257)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed string default values not being properly escaped in the generated Drizzle schema (#10259)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​vladflotsky

Full changelog: v1.6.22...v1.6.23

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from @​better-auth/oauth-provider's changelog.

1.6.23

Patch Changes

  • Updated dependencies [8581f97]:
    • better-auth@1.6.23
    • @​better-auth/core@​1.6.23

1.6.22

Patch Changes

1.6.21

Patch Changes

Commits

Updates better-auth from 1.6.20 to 1.6.23

Release notes

Sourced from better-auth's releases.

v1.6.23

better-auth

Features

  • Added Yandex as a social OAuth provider (#9138)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed affected row counting for D1 and postgres-js adapters (#10257)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed string default values not being properly escaped in the generated Drizzle schema (#10259)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​vladflotsky

Full changelog: v1.6.22...v1.6.23

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.23

Patch Changes

  • #9138 8581f97 Thanks @​vladflotsky! - Add a pre-configured Yandex provider helper for the generic OAuth plugin.

  • Updated dependencies [930b260]:

    • @​better-auth/drizzle-adapter@​1.6.23
    • @​better-auth/core@​1.6.23
    • @​better-auth/kysely-adapter@​1.6.23
    • @​better-auth/memory-adapter@​1.6.23
    • @​better-auth/mongo-adapter@​1.6.23
    • @​better-auth/prisma-adapter@​1.6.23
    • @​better-auth/telemetry@​1.6.23

1.6.22

Patch Changes

  • #10239 c06a56d Thanks @​gustavovalverde! - Magic-link and email-OTP sign-in now reset the credentials on an account whose email had never been confirmed. When verification resolves to such an account, any existing password on it is removed and its sessions are revoked before the user is signed in, so proven control of the mailbox is the source of truth for the account.

    If you signed up with email and password but first signed in through a magic link or email OTP rather than confirming the verification email, your password is cleared and you will need to set a new one through password reset.

  • #10240 3a035e9 Thanks @​gustavovalverde! - Add account-level lockout for two-factor verification. The attempt limit applies per account across sign-in challenges and across factors: TOTP, email-OTP, and backup codes share one counter, and a successful verification resets it.

    Enabled by default: an account locks for 15 minutes after 10 consecutive failed verifications, and locked attempts return 429 with the ACCOUNT_TEMPORARILY_LOCKED error code. Configure it with twoFactor({ accountLockout: { enabled, maxFailedAttempts, durationSeconds } }).

    Run a database migration after upgrading: this adds failedVerificationCount and lockedUntil columns to the twoFactor table.

  • Updated dependencies [8bd43d9]:

    • @​better-auth/core@​1.6.22
    • @​better-auth/drizzle-adapter@​1.6.22
    • @​better-auth/kysely-adapter@​1.6.22
    • @​better-auth/memory-adapter@​1.6.22
    • @​better-auth/mongo-adapter@​1.6.22
    • @​better-auth/prisma-adapter@​1.6.22
    • @​better-auth/telemetry@​1.6.22

1.6.21

Patch Changes

  • #10212 e0762a1 Thanks @​bytaesu! - In root-mounted deployments, requests whose path does not start with the configured basePath now return 404 instead of resolving to an endpoint.

  • #10187 882cf9e Thanks @​ping-maxwell! - Admin permission changes and bans now take effect immediately for admin APIs, even when session cookie cache is enabled. Sensitive session checks also continue to work in stateless apps where signed cookies are the session record.

  • #9939 f52e1ab Thanks @​benpsnyder! - fixes a bug causing deviceAuthorization() throwing a ZodError at construction when called without a schema option

  • #10196 b5bec19 Thanks @​Paola3stefania! - OAuth sign-up and account-link profile sync now ignore provider profile values for user fields marked input: false. Input-allowed additional fields still persist from mapProfileToUser, and schema defaults still apply when OAuth creates a user. Apps that used mapProfileToUser to fill input: false fields should set those fields in server-side provisioning code instead.

... (truncated)

Commits

Updates @commitlint/cli from 21.1.0 to 21.2.0

Release notes

Sourced from @​commitlint/cli's releases.

v21.2.0

21.2.0 (2026-06-30)

Features

Chore

Full Changelog: conventional-changelog/commitlint@v21.1.0...v21.2.0

Changelog

Sourced from @​commitlint/cli's changelog.

21.2.0 (2026-06-30)

Features

  • resolve-extends: resolve pure-ESM presets (conventional-changelog v7/v9/v10) (#4859) (fdb566f)
Commits
  • 1b4e5bc v21.2.0
  • fdb566f feat(resolve-extends): resolve pure-ESM presets (conventional-changelog v7/v9...
  • See full diff in compare view

Updates eslint from 10.5.0 to 10.6.0

Release notes

Sourced from eslint's releases.

v10.6.0

Features

  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981) (Taejin Kim)
  • f291007 feat: add checkRelationalComparisons to no-constant-binary-expression (#20948) (sethamus)

Bug Fixes

  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#20997) (Milos Djermanovic)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#21013) (den$)
  • 8fd8741 fix: don't report shadowed undefined in radix rule (#21011) (Pixel)
  • 5784980 fix: don't report shadowed undefined in no-throw-literal (#21010) (Pixel)
  • 9cd1e6d fix: suppress invalid class suggestion in no-promise-executor-return (#21008) (Pixel)
  • d4eb2dc fix: don't report shadowed undefined in prefer-promise-reject-errors (#21006) (Pixel)
  • 2360464 fix: prefer-promise-reject-errors false positives for shadowed Promise (#21003) (den$)
  • 63d52d2 fix: restore max-classes-per-file report range (#21002) (Pixel)
  • 7feaff0 fix: callback detection logic for IIFEs in max-nested-callbacks (#20979) (fnx)
  • 399a2ec fix: don't report inner non-callbacks in max-nested-callbacks (#20995) (Milos Djermanovic)

Documentation

  • a83683d docs: Update README (GitHub Actions Bot)
  • f5449f9 docs: document userland patterns for global assertionOptions in RuleT… (#20986) (playgirl)
  • bea49f7 docs: Update README (GitHub Actions Bot)
  • e5f70f9 docs: update code-path diagrams (#20984) (Tanuj Kanti)
  • 8890c2d docs: add TypeScript config guidance for MCP server (#20796) (Pierluigi Lenoci)
  • 3eb3d9b docs: Update README (GitHub Actions Bot)
  • c5bb59c docs: Update README (GitHub Actions Bot)
  • eb3c97c docs: fix grammar in prefer-const rule description (#20983) (lumir)

Chores

  • 6a42034 ci: run ecosystem tests on main branch (#20891) (sethamus)
  • 3dbacdb ci: bump actions/checkout from 6 to 7 (#21014) (dependabot[bot])
  • c3abfca chore: correct JSDoc param types in html formatter (#21018) (Minseon Kim)
  • a832320 ci: split ecosystem tests into separate jobs (#21001) (xbinaryx)
  • 27166e7 chore: update ecosystem plugins (#21005) (ESLint Bot)
  • 865d76e ci: bump pnpm/action-setup from 6.0.8 to 6.0.9 (#20989) (dependabot[bot])
  • 27a88c9 chore: update dependency markdown-it to v14 in root (#20994) (Milos Djermanovic)
  • 970cea6 chore: update dependency markdown-it to v14 (#20993) (Milos Djermanovic)
  • b482120 chore: update dependency prettier to v3.8.4 (#20990) (renovate[bot])
  • 6993fb3 chore: update ecosystem plugins (#20985) (ESLint Bot)
Commits
  • 5d12a04 10.6.0
  • f7ca54b Build: changelog update for 10.6.0
  • 6a42034 ci: run ecosystem tests on main branch (#20891)
  • b1f9106 feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981)
  • 3dbacdb ci: bump actions/checkout from 6 to 7 (#21014)
  • c3abfca chore: correct JSDoc param types in html formatter (#21018)
  • a83683d docs: Update README
  • a832320 ci: split ecosystem tests into separate jobs (#21001)
  • 6b05784 fix: prefer-exponentiation-operator invalid autofix at statement start (#20997)
  • bb9eb2a fix: account for shadowed Boolean in no-extra-boolean-cast (#21013)
  • Additional commits viewable in compare view

Updates fallow from 2.102.0 to 2.104.0

Release notes

Sourced from fallow's releases.

v2.104.0: CSS-in-JS intelligence, styling health, token blast-radius

Highlights

This release is heavy on CSS intelligence. fallow health --css now understands CSS-in-JS (styled-components, emotion, linaria, vanilla-extract, StyleX, Panda) as first-class, ships a second styling-health quality axis, and adds a design-token blast-radius index. Plus a staged human review walkthrough, an opt-in unused-prop exemption, and a batch of framework false-positive fixes.

CSS intelligence (CSS program, Phases 3-4)

  • CSS-in-JS is first-class in fallow health --css. styled-components / emotion / linaria (tagged templates) and vanilla-extract / StyleX / Panda / emotion-object (object notation) previously produced null css_analytics. A lexical lifter now extracts the CSS body from both forms and feeds it through the same structural analytics and styling-health pipeline, so a CSS-in-JS app gets real duplicate-block, structural, and token-sprawl signals. Dep-gated on a declared CSS-in-JS library, so non-CSS-in-JS projects are byte-unchanged.
  • Styling-health: a second CSS-quality axis, confidence-aware. fallow health --css reports a separate styling_health score (0-100) and A-F grade with a Deductions: breakdown across five capped penalty categories. It carries a confidence marker (high / low) so a thin authored-CSS surface (utility-first Tailwind app) renders dimmed with a caveat instead of an authoritative grade. Descriptive-only: no exit code, badge, or CI gating.
  • Formula v3 weights value drift over exact repetition. Research is clear that exact CSS duplication is the least-harmful pattern while design-token inconsistency is the real maintenance harm, so the exact-block penalty is down-weighted to a soft hint and token-erosion gains a hardcoded-value-sprawl drift term (distinct un-tokenized box-shadow / border-radius / line-height values). STYLING_HEALTH_FORMULA_VERSION bumps to 3. If you diff styling_health.score/grade over time, re-baseline or gate on formula_version; the one-time step-change at this boundary is expected.
  • Design-token blast-radius (token_consumers) for Tailwind v4 AND CSS-in-JS tokens. fallow health --css --format json now carries a reverse index of where each design token is consumed. Change --color-brand (Tailwind @theme) or a StyleX defineVars / vanilla-extract createTheme token and see a consumer_count plus located consumers[] before touching it. consumer_count is a static lower bound (descriptive context, not a deletion gate); the authoritative dead-token finding stays unused_theme_tokens.
  • New get_token_blast_radius MCP tool. A focused, read-only tool that surfaces the token blast-radius directly without the agent needing to know the data hides inside css_analytics.
  • Fuzzy CSS clones via value canonicalization. fallow dupes now canonicalizes CSS values on the stylesheet path (a zero-with-unit collapses to bare 0, a hex color expands to its long lowercased form), so value-drifted clones (0px vs 0, #fff vs #ffffff) hash equal and the same shadow / gradient / transition recipe re-implemented with drift finally matches. Scoped to CSS-family files and SFC/Astro <style> regions; JS/TS clone detection is unchanged.

Review and configuration

  • fallow review --walkthrough: a staged terminal tour. Renders the review walkthrough guide as an ordered, human-readable tour (Review Focus header, staged sections, per-file one-line facts and grounded badges, a collapsed "cleared" panel). --format markdown emits a paste-into-PR artifact; --format json is byte-identical to --walkthrough-guide. Per-file viewed state persists locally (--mark-viewed) and tolerates a moved tree. Always exits 0.
  • unusedComponentProps.ignorePattern: exempt intentionally-unused props. Set "unusedComponentProps": { "ignorePattern": "^_" } to exempt props whose local destructure binding matches the regex (the leading-underscore convention that TS noUnusedParameters and ESLint varsIgnorePattern honor). Applies to Vue, Svelte, Astro, and React/Preact. Opt-in; default behavior is unchanged. Thanks @​hniedner for the request. (Closes #1648)

CI, coverage, and architecture

  • The GitLab CI template can reuse a pre-installed fallow binary. Set FALLOW_SKIP_INSTALL: "true" to skip npm install -g fallow and run a fallow already on PATH (for example a version pinned through a pnpm catalog), so CI runs the same binary as your local lint gate. The job fails fast when no fallow is found. Thanks @​Jerc92 for the patch in #1662.
  • Coverage upload enrichment. fallow coverage --with-callers uploads importer edges, and the inventory upload now emits per-function complexity and per-file churn.
  • Typed architecture boundaries. fallow-engine, fallow-output, and fallow-api now own the command-neutral analysis runners, output contracts, and programmatic Rust boundary; LSP, MCP, and NAPI callers consume typed results and serialize JSON only at protocol boundaries. The old fallow-programmatic-cli compatibility crate has been removed.

Bug fixes

  • Iterating a typed class array no longer false-flags the class members as unused. A cluster of unused-class-member false positives where the class is only used through an iteration loop variable is now fixed across array-method callbacks (.map / .forEach / .filter / ...), for...of, React/Preact JSX .map, Svelte {#each}, Vue v-for (including props.<field> sources), Angular @for / *ngFor inline templates, and Astro template .map. Over-credit only: a genuinely unused member still reports. Thanks @​Ericlm for the report and minimal reproduction. (Closes #1707, #1711, #1712, #1713)
  • unused-files no longer false-flags a Next.js page.mdx when next.config wraps its config object. export default withMDX(nextConfig) (the official @next/mdx idiom), module.exports = createJestConfig(cfg), and nested/curried wrappers now resolve, which also fixes the same class for any wrapped Vite / Webpack / Jest config. Thanks @​AlonMiz for the report. (Closes #1642)
  • unused-files no longer false-flags a commit-and-tag-version updater script. A new plugin (legacy enabler standard-version) credits each bumpFiles[] / packageFiles[] updater module and filename target, from both the package.json key and standalone .versionrc configs, gated on the file existing on disk. Thanks @​rbalet for the report. (Closes #1640)
  • unused-class-members no longer false-flags framework-dispatched OpenLayers methods or a coercion-only toString. A handleEvent on an ol/interaction/* subclass and a toString used only through string coercion (template interpolation, String(...), +) are now credited, with tight gating so genuinely-dead members still report. (Closes #1638)
  • Telemetry findings_present is recorded again for fallow flags, fallow watch, and the security survivors / blind-spots subcommands. A debug-build invariant now fails fast if any finding-surfacing workflow records an event without noting its find-state, preventing the whole regression class. No change to the telemetry payload shape. (Closes #1650)

Full Changelog: fallow-rs/fallow@v2.103.0...v2.104.0

v2.103.0: typed output contracts, runtime trust-output, false-positive fixes

Runtime coverage trust-output

coverage analyze --format json now mirrors the cloud runtime trust-output contract on the local report, so an agent can reproduce a verdict instead of re-deriving it:

  • Actionability + provenance. Each report carries actionable, actionability_reason, and actionability_verdict (a capture with no tracked functions is a first-class insufficient_evidence verdict, never silently read as cold), plus a provenance block (data_source, freshness_days, untracked_ratio, unresolved_ratio, stale, stale_after_days). The block is context only: it never gates a positive verdict or a confidence score.
  • Confidence discriminators. Every finding now carries a discriminators block exposing the inputs behind its verdict: tracking_state (called / never_called / untracked), invocation_ratio, the low_traffic_threshold and min_observation_volume in effect, and trace_count with meets_observation_volume.
  • Source-map upload hint. When coverage analyze --cloud cannot map runtime positions to source and built source maps exist on disk, fallow prints the exact fallow coverage upload-source-maps --dir <dir> command. Human output only; JSON consumers already get the structured coverage_unresolved warning.

All three additions are additive and backwards-compatible.

Typed output contracts

The engine, output, API, and programmatic-CLI boundaries are now explicit: typed engine results feed the CLI, LSP, NAPI, MCP, and programmatic consumers through shared contracts instead of CLI rendering being the implicit API surface.

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.104.0] - 2026-07-01

Added

  • The GitLab CI template can reuse a pre-installed fallow binary. Set FALLOW_SKIP_INSTALL: "true" to skip npm install -g fallow and run the fallow already resolvable on PATH, for example a version pinned through a pnpm catalog and exposed on PATH, so CI runs the same binary as your local lint gate. The job fails fast with a clear error when no fallow is found. Default behavior is unchanged. Thanks @​Jerc92 for the patch in #1662.

  • Design-token blast-radius for CSS-in-JS tokens (CSS program Phase 3d). The Phase 2 token blast-radius (css_analytics.token_consumers + the get_token_blast_radius MCP tool) covered only Tailwind v4 @theme tokens. It now also covers CSS-in-JS token DEFINITIONS, so changing a StyleX defineVars or vanilla-extract createTheme / createThemeContract / createGlobalTheme token shows its blast radius (a consumer_count plus located consumers[]) the same way an @theme token does. Because CSS-in-JS tokens are defined in JS objects and consumed via cross-module member access (import { vars } from './tokens'; vars.color.primary, including bracket access vars.color['gray-100']) or Panda token('colors.brand') calls, the consumer scan resolves relative imports, tsconfig path aliases, and workspace package imports to their defining files and matches the member-access or call chain against the defined leaf token paths, so an unrelated same-named binding is never counted. Entries reuse the existing token_consumers shape with consumers[].kind set to js-member for StyleX / vanilla-extract member access and js-call for Panda token(...) calls. Dep-gated on a declared CSS-in-JS library (@stylexjs/stylex, @vanilla-extract/css, or @pandacss/dev), descriptive-only (no actions, no exit-code effect), no new wire field, and no CACHE_VERSION bump; a non-CSS-in-JS project and a plain fallow health run (no --css) are byte-unchanged, and the Tailwind token_consumers output is untouched. consumer_count is still a static lower bound for dynamic import strings, unresolved aliases, generated package state, and computed token access, and unlike Tailwind there is no corroborating dead-token finding, so a CSS-in-JS consumer_count of 0 is a weaker signal.

  • Fuzzy CSS clones via CSS-aware value canonicalization (CSS program Phase 4). fallow dupes already tokenized CSS, but the lexer was character-naive, so near-miss / value-drifted CSS clones (the same shadow / gradient / transition recipe re-implemented with 0px vs 0 or #fff vs #ffffff drift, the shape of design-system erosion) never matched. The duplicate-detection tokenizer now canonicalizes CSS values on the stylesheet path: a zero-with-unit collapses to a bare 0 (0px/0em/0%) and a hex color expands to its long lowercased form (#fff -> #ffffff, #abcd -> #aabbccdd), so semantically-equal CSS hashes equal and the clone engine surfaces the fuzzy duplicates. Scoped to CSS-family files and SFC/Astro <style> regions only; JS/TS clone detection is unchanged. (PR #1669)

  • CSS-in-JS first-class in fallow health --css (CSS program Phase 3).

... (truncated)

Commits
  • e36026d chore: release v2.104.0
  • ea88340 fix(napi): align smoke test with consolidated engine root-validation message
  • bcc1f78 docs: link iteration-binding residual follow-up issues (#1716, #1717, #1718)
  • b8ef5a0 fix(extract): credit deferred iteration-binding sibling class members (#1715)
  • 8ce42a1 docs: link iteration-binding follow-up issues (#1714)
  • 91fb0ee fix(extract): credit iteration-binding class members (#1710)
  • db54051 fix(extract): credit Vue v-for loop variable class member accesses (#1709)
  • 66697dd refactor(architecture): finish typed engine split
  • 3352186 chore(license): drop redundant ed25519-dalek dev-dependency
  • 16d7934 chore(deps): bump syn from 2.0.117 to 2.0.118 (#1695)
  • Additional commits viewable in compare view

Updates prettier from 3.8.4 to 3.9.4

Release notes

Sourced from prettier's releases.

3.9.4

  • Angular: Format @content(name) -> @content (name) to align with other block syntax (#19499 by @​fisker)

🔗 Changelog

3.9.3

🔗 Changelog

3.9.1

🔗 Changelog

3.9.0

diff

🔗 Prettier 3.9: Major parser upgrades and Formatting improvements

3.8.5

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.9.4

diff

Angular: Format @content(name) -> @content (name) to align with other block syntax (#19499 by @​fisker)

<!-- Input -->
<FancyButton [label]="title">
  @content (icon) {
    <span>Icon!</span>
  }
  @content (description) {
    <span>Description text</span>
  }
  <span>Other children</span>
</FancyButton>
<!-- Prettier 3.9.3 -->
<FancyButton [label]="title">
@​content(icon) {
<span>Icon!</span>
}
@​content(description) {
<span>Description text</span>
}
<span>Other children</span>
</FancyButton>
<!-- Prettier 3.9.4 -->
<FancyButton [label]="title">
@​content (icon) {
<span>Icon!</span>
}
@​content (description) {
<span>Description text</span>
}
<span>Other children</span>
</FancyButton>

3.9.3

diff

Markdown: Fix unexpected removal of characters in liquid syntax (#19489 by @​seiyab)

</tr></table> 

... (truncated)

Commits
  • b693cb2 Release 3.9.4
  • 2e92ac0 Angular: Format @content(name) -> @content (name) to align with other blo...
  • abed2c2 Bump Prettier dependency to 3.9.3
  • 6cfbc00 Clean changelog_unreleased
  • 3732e1d Release 3.9.3
  • a74a7b0 Allow decorators to be used with declare on class fields (#19492)
  • bd9e11a Correct text identification in liquid syntax (#19489)
  • 269eee3 Bump Prettier dependency to 3.9.1
  • ec7ccd1 Clean changelog_unreleased
  • c47654c Release 3.9.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-deps group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [@better-auth/oauth-provider](https://github.com/better-auth/better-auth/tree/HEAD/packages/oauth-provider) | `1.6.20` | `1.6.23` |
| [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) | `1.6.20` | `1.6.23` |
| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) | `21.1.0` | `21.2.0` |
| [eslint](https://github.com/eslint/eslint) | `10.5.0` | `10.6.0` |
| [fallow](https://github.com/fallow-rs/fallow) | `2.102.0` | `2.104.0` |
| [prettier](https://github.com/prettier/prettier) | `3.8.4` | `3.9.4` |


Updates `@better-auth/oauth-provider` from 1.6.20 to 1.6.23
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/oauth-provider/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.23/packages/oauth-provider)

Updates `better-auth` from 1.6.20 to 1.6.23
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.23/packages/better-auth)

Updates `@commitlint/cli` from 21.1.0 to 21.2.0
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v21.2.0/@commitlint/cli)

Updates `eslint` from 10.5.0 to 10.6.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.5.0...v10.6.0)

Updates `fallow` from 2.102.0 to 2.104.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.102.0...v2.104.0)

Updates `prettier` from 3.8.4 to 3.9.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.4...3.9.4)

---
updated-dependencies:
- dependency-name: "@better-auth/oauth-provider"
  dependency-version: 1.6.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: better-auth
  dependency-version: 1.6.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@commitlint/cli"
  dependency-version: 21.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.104.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: prettier
  dependency-version: 3.9.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 9, 2026
@till

till commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

There's a regression in how better-auth assembles the parameters for the signature.

And I think prettier has a new rule or breaking changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant