Bump better-auth from 1.3.8 to 1.3.29 #27
Conversation
dependabot
bot
added
dependencies
|
✨🔮 The Orb has been consulted. I will peer into the diffs and whisper my findings. Until the whisper arrives, a fragment of haiku emerges: PR 27, diff0 update, |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![diff0-agent[bot]](https://avatars.githubusercontent.com/in/2044610?s=60&v=4){kind=small}
There was a problem hiding this comment.
🤖 AI Code Review (Summary Only)
Found 10 issue(s):
🟠 security (high) in packages/backend/package.json:26
Major version update of 'better-auth' from 1.3.8 to 1.3.29 (21 patch versions jump) without testing could introduce breaking changes or security vulnerabilities. The package also has significant dependency changes including jose (5.10.0 -> 6.1.0) which is a major version bump for a cryptography library.
🟡 security (medium) in pnpm-lock.yaml:4682
Major version upgrade of 'jose' library from 5.10.0 to 6.1.0. Jose is a critical cryptography library for JWT/JWE/JWS handling. Major version changes in cryptographic libraries can introduce breaking API changes or security-relevant modifications.
🟡 bug (medium) in pnpm-lock.yaml:671
The better-auth update introduces new peer dependency requirements (@lynx-js/react, @sveltejs/kit, next, solid-js, svelte, vue) that weren't required in the previous version. While marked as optional, this indicates a significant API change that could affect compatibility.
🟡 security (medium) in pnpm-lock.yaml:671
Updates to cryptographic libraries @noble/ciphers (0.6.0 -> 2.0.1) and @noble/hashes (1.8.0 -> 2.0.1) are major version upgrades. These are critical security dependencies used for encryption and hashing operations.
🟢 security (low) in pnpm-lock.yaml:3613
SimpleWebAuthn libraries updated from 13.2.0/13.2.1 to 13.2.2. While minor, WebAuthn is a security-critical authentication mechanism.
🟢 performance (low) in pnpm-lock.yaml:5088
nanostores updated from 0.11.4 to 1.0.1 with Node.js engine requirement changed from '^18.0.0 || >=20.0.0' to '^20.0.0 || >=22.0.0', dropping Node 18 support.
🟢 suggestion (low) in pnpm-lock.yaml:1621
Package @opentelemetry/exporter-jaeger is now deprecated. The lock file shows a deprecation warning: 'Jaeger now has native support for OTLP. Please use @opentelemetry/exporter-trace-otlp-proto instead.'
🟢 bug (low) in pnpm-lock.yaml:680
New dependencies introduced by better-auth update: @better-auth/core, @better-auth/telemetry, and better-call version change (1.0.16 -> 1.0.19). This suggests internal restructuring of the library.
🟢 style (low) in packages/backend/package.json:26
The version specifier for better-auth changed from pinned version '1.3.8' to pinned version '1.3.29'. Consider using a range (e.g., '^1.3.29') for better compatibility with security patches.
🟡 security (medium) in pnpm-lock.yaml:4708
kysely updated from 0.28.7 to 0.28.8 with minimum Node.js engine requirement of '>=20.0.0'. Kysely is used for database queries, and version mismatches could affect query builder functionality.
Inline positions unavailable. Powered by diff0 AI
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/better-auth-1.3.29
branch
from
eab70b6 to
c641bc7
Compare
Bumps [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) from 1.3.8 to 1.3.29. - [Release notes](https://github.com/better-auth/better-auth/releases) - [Commits](https://github.com/better-auth/better-auth/commits/v1.3.29/packages/better-auth) --- updated-dependencies: - dependency-name: better-auth dependency-version: 1.3.29 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/better-auth-1.3.29
branch
from
c641bc7 to
592135d
Compare
Bumps better-auth from 1.3.8 to 1.3.29.
Commits
179752frefactor: improve type in beforeHook (#5463)1b6a991feat: enhance PostgreSQL support for non-public schema by respecting `search_...4d26e9afix(admin): validate admin role updates against the configured roles to preve...0f84ff7chore: refactor origin check middleware (#5411)e608812chore: release v1.3.280177f1cchore: add TransactionAdapter parameter to InternalAdapter interface10b2f0efix(two-factor): backup codes shouldn't be encrypted twice (#5202)30c3c1crefactor: move client plugin types to core (#5184)643a1b0refactor: move BetterAuthOptions, BetterAuthPlugin, AuthContext types to core...1c789d3fix(two-factor): return parsed array in viewBackupCodes (#5174)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)