chore(deps): bump the dependencies group with 2 updates #122

Merged
github-actions[bot] merged 1 commit into main from dependabot/npm_and_yarn/dependencies-74891e43b9
May 10, 2026

dependabot[bot] commented on behalf of github on May 10, 2026

Bumps the dependencies group with 2 updates: @hono/zod-openapi and better-auth.

Updates @hono/zod-openapi from 1.3.0 to 1.4.0

Release notes

Sourced from @​hono/zod-openapi's releases.

@​hono/zod-openapi@​1.4.0

Minor Changes

  • #1881 e90e4fb30877f3e3f4b0588bdb2bbfc337efbf67 Thanks @​T4ko0522! - fix(zod-openapi): bump peerDependencies.hono to >=4.10.0 to match the runtime requirement coming through @hono/zod-validator.

    @hono/zod-openapi lists @hono/zod-validator as a direct (non-peer) dependency, so its peer range must be at least as strict as @hono/zod-validator's. After the typed-400 fix bumps @hono/zod-validator's peerDependencies.hono to >=4.10.0, leaving @hono/zod-openapi's peer at >=4.3.6 would let consumers install @hono/zod-openapi against e.g. hono@4.9.9, where the bundled @hono/zod-validator types reference the 4-argument MiddlewareHandler<E, P, I, R> (introduced in Hono v4.10.0) and fail to compile (TS2707).

Patch Changes

Commits

Updates better-auth from 1.6.9 to 1.6.10

Release notes

Sourced from better-auth's releases.

v1.6.10

better-auth

Bug Fixes

  • Exposed refreshUserSessions on the internal adapter (#7764)
  • Fixed organization invitation roles to accept dynamic access control roles (#9437)
  • Improved link accessibility (#9521)
  • Fixed incorrect email casing in one-tap, email-otp, and email-verification flows (#9369)
  • Fixed OpenAPI schema for POST /sign-in/social mis-declaring required fields (#9268)
  • Added a warning when the cookie plugin is placed last in the plugins array (#9484)
  • Fixed useSession not revalidating after admin impersonation starts or stops (#9402)
  • Fixed duplicate Set-Cookie headers being emitted on redirect responses from social sign-in and magic-link endpoints (#9497)
  • Fixed the bearer plugin writing duplicate cookie entries when merging the session token into request headers (#9387)
  • Fixed captcha plugin breaking the email-otp flow (#8339)
  • Fixed email enumeration protection not applying when emailAndPassword.autoSignIn is false (#8839)
  • Fixed a TypeError caused by non-ASCII characters in OAuth error descriptions on redirect (#9065)
  • Renamed internalAdapter.deleteAccount parameter from accountId to id to reflect that it queries by primary key (#9503)
  • Fixed OAuth callbacks accepting a missing provider account ID, which could link accounts under an undefined id (#9456)
  • Fixed cancelPendingInvitationsOnReInvite having no effect, where re-inviting the same email always returned USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION (#9453)
  • Fixed a TS2742 type error caused by missing re-exports when using additionalFields in the organization plugin (#9349)
  • Fixed useActiveMemberRole retaining a previous user's role after sign-out in SPA flows (#9440)
  • Fixed setActiveTeam to only accept teams from the currently active organization (#9239)
  • Added authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint (#9461)
  • Fixed callbackURL being ignored on signIn.username, so it now redirects correctly like signIn.email (#9475)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed sessionId typing in refresh token types to be optional, matching the schema (#9324)
  • Fixed stale prompt=login consent continuations not completing after a forced login
  • Exported OAuth provider helper types needed for portable downstream TypeScript declaration emit (#9406)
  • Fixed prompt=login not being honored after consent continuation, preventing session bypass (#9344)
  • Added database indexes to OAuth provider foreign-key fields in generated schemas (#9389)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed onSubscriptionUpdate to receive the raw stripeSubscription object, and fixed onSubscriptionCancel to receive the post-update subscription row instead of a stale snapshot (#9354)
  • Fixed getCheckoutSessionParams overriding internally managed Stripe Checkout Session fields such as success_url, cancel_url, customer, and line_items (#9481)
  • Fixed onSubscriptionDeleted, onTrialEnd, and onTrialExpired receiving a stale pre-update subscription snapshot instead of the post-update row (#9356)
  • Fixed getCheckoutSessionParams overriding free trial and internal metadata, which could hide trial periods and create duplicate subscription rows on webhook (#9474)
  • Renamed internal subscription webhook variables for clarity (#9355)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.10

Patch Changes

  • #8339 1e0f26d Thanks @​ping-maxwell! - fix(captcha): breaks email-otp flow

  • #9484 8c1e917 Thanks @​ping-maxwell! - fix: warn for cookie-plugin being last in array

  • #9437 b2d655c Thanks @​cyphercodes! - Allow organization invitation role input types to accept dynamic access control roles.

  • #9497 09f1327 Thanks @​bytaesu! - Endpoints that set cookies before redirecting (such as social sign-in callbacks and magic-link verification) no longer emit each Set-Cookie entry twice on the response.

  • #9387 906b7b3 Thanks @​bytaesu! - The bearer plugin now produces a single entry per cookie name when merging its session token into the request Cookie header. Previously the merged header could carry two entries for the same name if the request already had a stale session cookie, which would surface to downstream code that picks the first occurrence.

  • #9475 e9c978e Thanks @​jaydeep-pipaliya! - fix(username): respect callbackURL on /sign-in/username

    The endpoint accepted a callbackURL body field but ignored it, so authClient.signIn.username({ ..., callbackURL }) silently did nothing while authClient.signIn.email redirected as expected. The handler now sets a Location header when callbackURL is provided and returns { redirect, url } alongside token/user, matching the email flow.

  • #9440 e71aad3 Thanks @​cyphercodes! - Clear organization active hook state after sign-out so useActiveMemberRole does not retain a previous user's role in SPA sign-out/sign-in flows.

  • #9402 80a655d Thanks @​onmax! - Revalidate the client session after admin impersonation starts or stops.

  • #9503 15ff28a Thanks @​bytaesu! - internalAdapter.deleteAccount parameter renamed from accountId to id to reflect that it queries by primary key, not the accountId column. No runtime behavior change.

  • #9268 88a7c67 Thanks @​ping-maxwell! - fix: openAPI schema for POST /sign-in/social mis-declares required fields

  • #8839 9a7b51d Thanks @​dipan-ck! - Apply email enumeration protection when emailAndPassword.autoSignIn is false. Duplicate sign-ups now return a synthetic user (token: null) and trigger onExistingUserSignUp, and new sign-ups skip auto sign-in (token: null)—even without requireEmailVerification, aligning with the docs.

  • #9065 1b25902 Thanks @​ping-maxwell! - non-ASCII error_description in generic-oauth callback routes causes TypeError on redirect

  • #9349 cf59136 Thanks @​ping-maxwell! - fix(organization): re-export field types to prevent TS2742 with additionalFields

  • #9453 a597ee0 Thanks @​mausic! - The organization plugin's cancelPendingInvitationsOnReInvite option now actually cancels the prior pending invitation when re-inviting the same email. Previously the option had no effect — re-inviting always failed with USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION

  • #9456 fc02ced Thanks @​cyphercodes! - Reject OAuth callbacks when provider user info omits the account id to avoid linking accounts under the literal undefined id.

  • #9461 9f1ef1f Thanks @​cyphercodes! - Expose authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint.

  • #9369 36ef808 Thanks @​ping-maxwell! - fix: incorrect email casing across one-tap, email-otp & email-verification

... (truncated)

Commits
  • cbb5014 chore: release v1.6.10 (#9350)
  • 09f1327 fix(api): prevent duplicate set-cookie on redirect (#9497)
  • 15ff28a fix(internal-adapter): rename deleteAccount param from accountId to id (#...
  • fde0432 fix: improve link accessibility issues (#9521)
  • cf59136 fix(organization): re-export field types to prevent TS2742 with additionalFie...
  • 8c1e917 fix: warn for cookie-plugin being last in array (#9484)
  • 3a9a2c3 chore: expose refreshUserSessions on internal adapter (#7764)
  • e9c978e fix(username): respect callbackURL on sign-in (#9475)
  • 36ef808 fix: incorrect email casing across one-tap, email-otp & email-verification (#...
  • 9a7b51d fix(credential): apply enumeration protection when autoSignIn is false (#8839)
  • Additional commits viewable in compare view


Bumps the dependencies group with 2 updates: [@hono/zod-openapi](https://github.com/honojs/middleware/tree/HEAD/packages/zod-openapi) and [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth).


Updates `@hono/zod-openapi` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/honojs/middleware/releases)
- [Changelog](https://github.com/honojs/middleware/blob/main/packages/zod-openapi/CHANGELOG.md)
- [Commits](https://github.com/honojs/middleware/commits/@hono/zod-openapi@1.4.0/packages/zod-openapi)

Updates `better-auth` from 1.6.9 to 1.6.10
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.10/packages/better-auth)

---
updated-dependencies:
- dependency-name: "@hono/zod-openapi"
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: better-auth
  dependency-version: 1.6.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and javascript labels on May 10, 2026
github-actions[bot] enabled auto-merge May 10, 2026 05:06
github-actions[bot] merged commit 0c34f96 into main May 10, 2026
6 checks passed
dependabot[bot] deleted the dependabot/npm_and_yarn/dependencies-74891e43b9 branch May 10, 2026 05:08
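
The duplicate-cookie behaviour described in the #9387 changelog entry, as an added example that is not better-auth's code and not part of the original PR: appending a token to a Cookie header leaves a stale entry in front, while replacing by name yields one entry per cookie name. The cookie name `session_token`, the token values and every function name here are assumptions made for illustration.

```javascript
// Added illustration; not better-auth's implementation.
const SESSION_COOKIE = "session_token"; // hypothetical cookie name

// Parse a Cookie request header into [name, value] pairs, keeping order and duplicates.
function parseCookiePairs(header) {
  return (header || "")
    .split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1 ? [part, ""] : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// What downstream code that picks the first occurrence of a name would read.
function firstCookie(header, name) {
  const hit = parseCookiePairs(header).find(([n]) => n === name);
  return hit ? hit[1] : undefined;
}

// Naive merge: append the new token; any stale entry with the same name stays first.
function mergeAppend(header, name, value) {
  return header ? `${header}; ${name}=${value}` : `${name}=${value}`;
}

// Deduplicating merge: drop every existing entry with that name, then add exactly one.
function mergeReplace(header, name, value) {
  const kept = parseCookiePairs(header).filter(([n]) => n !== name);
  kept.push([name, value]);
  return kept.map(([n, v]) => `${n}=${v}`).join("; ");
}

// Cookie names that occur more than once; usable as a request-level check in tests or logging.
function duplicateCookieNames(header) {
  const counts = new Map();
  for (const [n] of parseCookiePairs(header)) counts.set(n, (counts.get(n) || 0) + 1);
  return [...counts].filter(([, c]) => c > 1).map(([n]) => n);
}

const incoming = "theme=dark; session_token=STALE"; // constructed request header
const fresh = "FRESH"; // constructed token taken from an Authorization header
console.log("append :", firstCookie(mergeAppend(incoming, SESSION_COOKIE, fresh), SESSION_COOKIE));
console.log("replace:", firstCookie(mergeReplace(incoming, SESSION_COOKIE, fresh), SESSION_COOKIE));
```
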