Skip to content

Commit 99e2e7f

Browse files
committed
fix(security): pin sanitizer and MCP audience
Force the patched DOMPurify release across transitive consumers. Document the single-audience constraint mitigating Better Auth 1.6 resource widening.
1 parent ae29d84 commit 99e2e7f

3 files changed

Lines changed: 9 additions & 5 deletions

File tree

pnpm-lock.yaml

Lines changed: 6 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

pnpm-workspace.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ trustPolicyExclude:
99
- semver@6.3.1
1010

1111
overrides:
12+
dompurify: 3.4.11
1213
vite: npm:@voidzero-dev/vite-plus-core@0.2.2
1314
vitest: 4.1.9
1415

src/lib/auth.server.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -233,6 +233,8 @@ function createAuth(database: Db, env: AuthRuntimeEnv) {
233233
loginPage: "/login",
234234
scopes: [...mcpOAuthScopes],
235235
silenceWarnings: { oauthAuthServerConfig: true },
236+
// Keep this to one audience while Better Auth 1.6.x is in use. Its
237+
// resource indicator is not bound to the original authorization grant.
236238
validAudiences: [mcpResource],
237239
}),
238240
tanstackStartCookies(),

0 commit comments

Comments
 (0)