Skip to content

ci(repo): Version packages#9091

Merged
wobsoriano merged 1 commit into
mainfrom
changeset-release/main
Jul 7, 2026
Merged

ci(repo): Version packages#9091
wobsoriano merged 1 commit into
mainfrom
changeset-release/main

Conversation

@clerk-cookie

@clerk-cookie clerk-cookie commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@clerk/clerk-js@6.25.0

Minor Changes

  • Add support for Clerk Protect mid-flow SDK challenges (protect_check) on both sign-up and sign-in. (#8329) by @zourzouvillys

    When the Protect antifraud service issues a challenge, responses now carry a protectCheck field
    with { status, token, sdkUrl, expiresAt?, uiHints? }. Clients resolve the gate by loading the
    SDK at sdkUrl, executing the challenge, and submitting the resulting proof token via
    signUp.submitProtectCheck({ proofToken }) or signIn.submitProtectCheck({ proofToken }). The
    response may carry a chained challenge, which the SDK resolves iteratively.

    Sign-in adds a new 'needs_protect_check' value to the SignInStatus union. Upgrading this
    package is type-only and does not change runtime behavior
    : the server returns the new status
    (and the protectCheck field) only for instances where Protect mid-flow challenges have been
    explicitly enabled — the feature is off by default and is not enabled for existing instances by
    upgrading. The server additionally only emits the new status value to SDK versions that
    understand it, so older clients never receive an unknown status.

    If an exhaustive switch on signIn.status flags the new value after upgrading, handle it by
    running the challenge described by protectCheck and submitting the proof via
    submitProtectCheck(). Clients should treat the protectCheck field as the authoritative gate
    signal and fall back to the status value for defense in depth.

    The pre-built <SignIn /> and <SignUp /> components handle the gate automatically by routing
    to a new protect-check route that runs the challenge SDK and resumes the flow on completion.

Patch Changes

@clerk/localizations@4.13.0

Minor Changes

  • Add support for Clerk Protect mid-flow SDK challenges (protect_check) on both sign-up and sign-in. (#8329) by @zourzouvillys

    When the Protect antifraud service issues a challenge, responses now carry a protectCheck field
    with { status, token, sdkUrl, expiresAt?, uiHints? }. Clients resolve the gate by loading the
    SDK at sdkUrl, executing the challenge, and submitting the resulting proof token via
    signUp.submitProtectCheck({ proofToken }) or signIn.submitProtectCheck({ proofToken }). The
    response may carry a chained challenge, which the SDK resolves iteratively.

    Sign-in adds a new 'needs_protect_check' value to the SignInStatus union. Upgrading this
    package is type-only and does not change runtime behavior
    : the server returns the new status
    (and the protectCheck field) only for instances where Protect mid-flow challenges have been
    explicitly enabled — the feature is off by default and is not enabled for existing instances by
    upgrading. The server additionally only emits the new status value to SDK versions that
    understand it, so older clients never receive an unknown status.

    If an exhaustive switch on signIn.status flags the new value after upgrading, handle it by
    running the challenge described by protectCheck and submitting the proof via
    submitProtectCheck(). Clients should treat the protectCheck field as the authoritative gate
    signal and fall back to the status value for defense in depth.

    The pre-built <SignIn /> and <SignUp /> components handle the gate automatically by routing
    to a new protect-check route that runs the challenge SDK and resumes the flow on completion.

Patch Changes

@clerk/react@6.12.0

Minor Changes

  • Add support for Clerk Protect mid-flow SDK challenges (protect_check) on both sign-up and sign-in. (#8329) by @zourzouvillys

    When the Protect antifraud service issues a challenge, responses now carry a protectCheck field
    with { status, token, sdkUrl, expiresAt?, uiHints? }. Clients resolve the gate by loading the
    SDK at sdkUrl, executing the challenge, and submitting the resulting proof token via
    signUp.submitProtectCheck({ proofToken }) or signIn.submitProtectCheck({ proofToken }). The
    response may carry a chained challenge, which the SDK resolves iteratively.

    Sign-in adds a new 'needs_protect_check' value to the SignInStatus union. Upgrading this
    package is type-only and does not change runtime behavior
    : the server returns the new status
    (and the protectCheck field) only for instances where Protect mid-flow challenges have been
    explicitly enabled — the feature is off by default and is not enabled for existing instances by
    upgrading. The server additionally only emits the new status value to SDK versions that
    understand it, so older clients never receive an unknown status.

    If an exhaustive switch on signIn.status flags the new value after upgrading, handle it by
    running the challenge described by protectCheck and submitting the proof via
    submitProtectCheck(). Clients should treat the protectCheck field as the authoritative gate
    signal and fall back to the status value for defense in depth.

    The pre-built <SignIn /> and <SignUp /> components handle the gate automatically by routing
    to a new protect-check route that runs the challenge SDK and resumes the flow on completion.

Patch Changes

@clerk/shared@4.25.0

Minor Changes

  • Add support for Clerk Protect mid-flow SDK challenges (protect_check) on both sign-up and sign-in. (#8329) by @zourzouvillys

    When the Protect antifraud service issues a challenge, responses now carry a protectCheck field
    with { status, token, sdkUrl, expiresAt?, uiHints? }. Clients resolve the gate by loading the
    SDK at sdkUrl, executing the challenge, and submitting the resulting proof token via
    signUp.submitProtectCheck({ proofToken }) or signIn.submitProtectCheck({ proofToken }). The
    response may carry a chained challenge, which the SDK resolves iteratively.

    Sign-in adds a new 'needs_protect_check' value to the SignInStatus union. Upgrading this
    package is type-only and does not change runtime behavior
    : the server returns the new status
    (and the protectCheck field) only for instances where Protect mid-flow challenges have been
    explicitly enabled — the feature is off by default and is not enabled for existing instances by
    upgrading. The server additionally only emits the new status value to SDK versions that
    understand it, so older clients never receive an unknown status.

    If an exhaustive switch on signIn.status flags the new value after upgrading, handle it by
    running the challenge described by protectCheck and submitting the proof via
    submitProtectCheck(). Clients should treat the protectCheck field as the authoritative gate
    signal and fall back to the status value for defense in depth.

    The pre-built <SignIn /> and <SignUp /> components handle the gate automatically by routing
    to a new protect-check route that runs the challenge SDK and resumes the flow on completion.

Patch Changes

  • Fix the touchSession option documentation to link directly to the Frontend API touch endpoint. (#9097) by @SarahSoutoul

  • Polish the Protect check card: the loading spinner now hides while a challenge widget (e.g. Turnstile) is visible instead of spinning alongside it, only appears after a short delay so near-instant checks never flash it, and the card no longer reserves empty space above the spinner before a widget has rendered. (#9099) by @mwickett

@clerk/ui@1.25.0

Minor Changes

  • Add support for Clerk Protect mid-flow SDK challenges (protect_check) on both sign-up and sign-in. (#8329) by @zourzouvillys

    When the Protect antifraud service issues a challenge, responses now carry a protectCheck field
    with { status, token, sdkUrl, expiresAt?, uiHints? }. Clients resolve the gate by loading the
    SDK at sdkUrl, executing the challenge, and submitting the resulting proof token via
    signUp.submitProtectCheck({ proofToken }) or signIn.submitProtectCheck({ proofToken }). The
    response may carry a chained challenge, which the SDK resolves iteratively.

    Sign-in adds a new 'needs_protect_check' value to the SignInStatus union. Upgrading this
    package is type-only and does not change runtime behavior
    : the server returns the new status
    (and the protectCheck field) only for instances where Protect mid-flow challenges have been
    explicitly enabled — the feature is off by default and is not enabled for existing instances by
    upgrading. The server additionally only emits the new status value to SDK versions that
    understand it, so older clients never receive an unknown status.

    If an exhaustive switch on signIn.status flags the new value after upgrading, handle it by
    running the challenge described by protectCheck and submitting the proof via
    submitProtectCheck(). Clients should treat the protectCheck field as the authoritative gate
    signal and fall back to the status value for defense in depth.

    The pre-built <SignIn /> and <SignUp /> components handle the gate automatically by routing
    to a new protect-check route that runs the challenge SDK and resumes the flow on completion.

Patch Changes

  • Fix the payment method form getting stuck in a loading state after a failed card setup. Non-validation errors such as 3DS authentication failures are now displayed. (#9080) by @aeliox

  • Fix the organization profile modal close button overlapping the SSO configuration wizard's step header. (#9089) by @iagodahlem

  • Enlarge the show/hide password toggle button's hit area with added padding and rounded corners, making it easier to tap and giving it a clearer hover/focus target. (#9096) by @alexcarpenter

  • Polish the Protect check card: the loading spinner now hides while a challenge widget (e.g. Turnstile) is visible instead of spinning alongside it, only appears after a short delay so near-instant checks never flash it, and the card no longer reserves empty space above the spinner before a widget has rendered. (#9099) by @mwickett

  • Fix standalone <SignUp /> Protect checks so the verification card stays mounted while a solved challenge routes to the next step, while stale direct visits to the protect-check route return to the start of the sign-up flow. (#9082) by @mwickett

  • Fix tooltips rendering behind modals (for example on the organization profile Security page). Tooltips now layer above modal content, and pressing Escape or clicking outside while a tooltip is open inside a modal closes only the tooltip instead of also dismissing the modal. (#9093) by @alexcarpenter

  • Updated dependencies [6f97ef5, bab1f29, f2d9e4b]:

    • @clerk/shared@4.25.0
    • @clerk/localizations@4.13.0

@clerk/astro@3.4.13

Patch Changes

@clerk/backend@3.11.1

Patch Changes

  • Enforce the azp (authorized party) claim when authorizedParties is configured. Previously, a session token that was missing the azp claim was accepted even when authorizedParties was set, allowing the authorized-parties check to be bypassed by omitting the claim. Now, when authorizedParties is configured, a token with a missing or empty azp claim is rejected. Tokens without azp continue to be accepted when no authorizedParties are configured. (#8877) by @dominic-clerk

  • Updated dependencies [6f97ef5, bab1f29, f2d9e4b]:

    • @clerk/shared@4.25.0

@clerk/chrome-extension@3.1.49

Patch Changes

@clerk/electron@0.0.10

Patch Changes

  • Updated dependencies [6f97ef5, bab1f29, f2d9e4b]:
    • @clerk/shared@4.25.0
    • @clerk/clerk-js@6.25.0
    • @clerk/react@6.12.0

@clerk/expo@3.7.1

Patch Changes

  • Updated dependencies [6f97ef5, bab1f29, f2d9e4b]:
    • @clerk/shared@4.25.0
    • @clerk/clerk-js@6.25.0
    • @clerk/react@6.12.0

@clerk/expo-passkeys@1.2.1

Patch Changes

@clerk/express@2.1.37

Patch Changes

@clerk/fastify@3.1.47

Patch Changes

@clerk/hono@0.1.47

Patch Changes

@clerk/nextjs@7.5.14

Patch Changes

  • Deprecate createRouteMatcher() in favor of resource-based auth checks. (#8994) by @Ephem

    Middleware-based auth checks rely on path matching, which can diverge from how Next.js routes requests and leave protected resources reachable.

    For a migration guide, see:
    https://clerk.com/docs/guides/development/upgrading/upgrade-guides/migrate-from-create-route-matcher

    Instead of protecting routes from middleware, move auth checks into each protected page, layout, API route, or Server Function, for example:

    import { auth } from '@clerk/nextjs/server'
    
    export default async function Page() {
      await auth.protect()
    
      return <h1>Dashboard</h1>
    }
  • Updated dependencies [6f97ef5, bab1f29, f2d9e4b, 80afb69]:

    • @clerk/shared@4.25.0
    • @clerk/react@6.12.0
    • @clerk/backend@3.11.1

@clerk/nuxt@2.6.13

Patch Changes

  • Deprecate createRouteMatcher() in favor of Nuxt's native route matching. (#9092) by @jacekradko

    To protect API routes, match paths natively inside clerkMiddleware():

    export default clerkMiddleware(event => {
      const { isAuthenticated } = event.context.auth();
      const { pathname } = getRequestURL(event);
    
      if (!isAuthenticated && pathname.startsWith('/api/admin')) {
        throw createError({ statusCode: 401, statusMessage: 'Unauthorized' });
      }
    });

    To protect pages, use Nuxt's built-in route middleware with definePageMeta({ middleware: 'auth' }).

  • Updated dependencies [6f97ef5, bab1f29, f2d9e4b, 80afb69]:

    • @clerk/shared@4.25.0
    • @clerk/backend@3.11.1
    • @clerk/vue@2.4.12

@clerk/react-router@3.5.6

Patch Changes

@clerk/tanstack-react-start@1.4.14

Patch Changes

@clerk/testing@2.2.4

Patch Changes

@clerk/vue@2.4.12

Patch Changes

@clerk/headless@0.0.8

Patch Changes

@clerk/msw@0.0.44

Patch Changes

@clerk/swingset@0.0.15

Patch Changes

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jul 7, 2026 9:17pm
swingset Ready Ready Preview, Comment Jul 7, 2026 9:17pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (1)
  • ci(repo): Version packages

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 3f7cccf3-ba1d-4fa2-96f3-66ea9c9c4590

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Comment @coderabbitai help to get the list of available commands.

@pkg-pr-new

pkg-pr-new Bot commented Jul 6, 2026

Copy link
Copy Markdown

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@9091

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@9091

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@9091

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@9091

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@9091

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@9091

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@9091

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@9091

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@9091

@clerk/express

npm i https://pkg.pr.new/@clerk/express@9091

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@9091

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@9091

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@9091

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@9091

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@9091

@clerk/react

npm i https://pkg.pr.new/@clerk/react@9091

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@9091

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@9091

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@9091

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@9091

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@9091

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@9091

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@9091

commit: b7a1efc

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

API Changes Report

Generated by Break Check on 2026-07-07T21:18:42.461Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 0
🔴 Breaking changes 0
🟡 Non-breaking changes 0
🟢 Additions 0

No API Changes Detected

All packages have stable APIs with no detected changes.


Report generated by Break Check

Last ran on b7a1efc.

@clerk-cookie clerk-cookie force-pushed the changeset-release/main branch from cf63328 to 7154ce9 Compare July 6, 2026 20:45
@clerk-cookie clerk-cookie force-pushed the changeset-release/main branch from 7154ce9 to 02010e6 Compare July 7, 2026 14:03
@clerk-cookie clerk-cookie force-pushed the changeset-release/main branch from 02010e6 to 1966938 Compare July 7, 2026 15:27
@clerk-cookie clerk-cookie force-pushed the changeset-release/main branch from 1966938 to 84f1878 Compare July 7, 2026 16:55
@clerk-cookie clerk-cookie force-pushed the changeset-release/main branch from 84f1878 to ed3616a Compare July 7, 2026 17:54
@clerk-cookie clerk-cookie force-pushed the changeset-release/main branch from ed3616a to 73f6ec7 Compare July 7, 2026 18:00
@clerk-cookie clerk-cookie force-pushed the changeset-release/main branch from e11048a to b7a1efc Compare July 7, 2026 21:15
@wobsoriano wobsoriano merged commit 0a29667 into main Jul 7, 2026
52 checks passed
@wobsoriano wobsoriano deleted the changeset-release/main branch July 7, 2026 22:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants