Bump better-auth from 1.3.34 to 1.4.2 (#1)
Closed
dependabot[bot] wants to merge 1 commit into
Force-pushed: 479cabe to 00dd995, 00dd995 to 5d378d5, 5d378d5 to c766fe7
Bumps [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) from 1.3.34 to 1.4.2.
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.4.2/packages/better-auth)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.4.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed: c766fe7 to fdcc3ad
Author: Superseded by #60.
eskp added a commit that referenced this pull request on Mar 25, 2026:
Gap #1 - Stateless JWT sessions: Session ID is now a signed JWT containing org/key/scope. Any pod can verify and reconstruct transport+server from the token. In-memory Map is a local cache, not source of truth. Multi-pod deployments work without sticky sessions or Redis.

Gap #2 - Per-tool logging: Added withToolLogging wrapper that logs mcp.tool.called, mcp.tool.completed, and mcp.tool.error with tool name, duration_ms, and success flag. Applied to all 15 static tools and dynamic tools.

Gap #3 - OAuth DB persistence: Created mcp_oauth_clients and mcp_oauth_refresh_tokens Drizzle tables. OAuth clients and refresh tokens survive pod restarts. Auth codes stay in-memory (10min TTL). Refresh tokens hashed with SHA-256.

Gap #4 - OAuth rate limiting: IP-based rate limits on /api/oauth/register (10/min) and /api/oauth/token (30/min). Max 10K client cap on registration to prevent OOM via Map growth.

Gap #5 - SSE resumability: McpEventStore implements SDK EventStore interface with per-stream capped storage (1000 events), 1-hour TTL. Clients reconnect with Last-Event-ID to replay missed events.
eskp added a commit that referenced this pull request on Apr 21, 2026:
- tests/unit/agentic-wallet-provision.test.ts (8 it-blocks) pins:
* createSubOrganization call shape: keeperhub-operator userName, no userEmail,
disableEmailAuth/Recovery/SmsAuth/OtpEmailAuth = true, rootQuorumThreshold 1
* Single EVM derivation path m/44'/60'/0'/0/0 (CONTEXT Resolution #1)
* Exactly 3 createPolicy calls, each EFFECT_DENY + empty consensus
* DB insert contract: agentic_wallets row with 64-char hex hmac_secret and
identical walletAddressBase/walletAddressTempo (single address per CONTEXT #1)
* agentic_wallet_credits 50-cent seed per ONBOARD-03
* return shape { subOrgId, walletAddress, hmacSecret }
* Tx-like semantics: no DB insert when createSubOrganization or createPolicy
throws
- tests/unit/agentic-wallet-sign.test.ts (8 it-blocks) pins:
* signRawPayload call shape: ACTIVITY_TYPE_SIGN_RAW_PAYLOAD_V2 +
PAYLOAD_ENCODING_EIP712 + HASH_FUNCTION_NO_OP
* Base x402: chainId 8453, verifyingContract = Base USDC,
primaryType = TransferWithAuthorization
* Tempo MPP proof-mode: chainId 4217, primaryType = Proof
* Returned signature: 0x + 130 hex chars = 132 total
* v-parity mapping: Turnkey v:"00" -> trailing 1b, v:"01" -> 1c
* CONSENSUS_NEEDED -> PolicyBlockedError / POLICY_BLOCKED substring
- tests/unit/agentic-wallet-approval-request.test.ts (4 it-blocks) pins:
* DB insert contract with subOrgId, riskLevel, operationPayload,
implicit/explicit pending status
* Returns inserted row id
* risk="block" rows still inserted for audit
* risk="auto" throws (pre-filter per RESEARCH Pattern 6)
- Seeds lib/agentic-wallet/provision.ts, sign.ts, approval.ts stubs so the
three test files compile and run in RED (stub bodies throw). Plans 33-01b /
02 / 03 flip each suite GREEN.
eskp added a commit that referenced this pull request on Apr 21, 2026:
…ic-wallet.ts
- getTurnkeyParentClient(): parent-org-scoped client for createSubOrganization
- getTurnkeyClientForOrg(subOrgId): per-sub-org client for createPolicy / signRawPayload (new Turnkey instance with defaultOrganizationId: subOrgId -- CRITICAL to preserve policy scope)
- createAgenticWallet(): delegates to lib/agentic-wallet/provision.provisionAgenticWallet, mirrors the single EVM address onto Base and Tempo columns (CONTEXT Resolution #1)
- readTurnkeyEnv(): shared env-variable guard, throws on missing TURNKEY_* vars
- Boundary invariant preserved: no imports from ./turnkey-operations
- 7/7 boundary scan tests GREEN
eskp added a commit that referenced this pull request on Apr 21, 2026:
- createSubOrganization with anonymous-operator shape (userName keeperhub-operator, no userEmail, rootQuorumThreshold 1, API_KEY_CURVE_P256)
- All four anonymous disable* flags = true (disableEmailAuth, disableEmailRecovery, disableSmsAuth, disableOtpEmailAuth)
- Single EVM derivation path m/44'/60'/0'/0/0 (CONTEXT Resolution #1)
- Applies 3 baseline DENY policies via applyBaselinePolicies() post-subOrg
- Parallelized DB writes: agentic_wallets row + $0.50 onboard credit
- 32-byte random HMAC secret (64 hex chars), surfaced ONLY via return value (T-33-02)
- AGENTIC_WALLET_LEAKED_SUBORG logging path for orphan sub-org detection (RESEARCH Pitfall 6)

[Rule 1 - Bug] Wave 0 provision test mocked Turnkey constructor with arrow fn; vitest 4 rejects `new TurnkeyMock()` because arrow fns lack [[Construct]]. Switched to named function expression so the mock is constructable. 8/8 tests GREEN.
eskp added a commit that referenced this pull request on May 1, 2026:
Cross-reviewed against four independent reviewers (code-quality, security, standards/spec, empirical-validator-output). Standards passed; the other three flagged a consistent set of issues:

HIGH (CQ #1) — false positives on @everyone/@here/@username inside Discord/Slack/Telegram/email/AI-prompt configs. Skip-list expanded from `code/*` only to {code, notify, discord, slack, telegram, email, ai, ai-gateway}/* with `:` -> `/` normalization. Covers the UX-trapped autocomplete state without rejecting first-class integrations. Six new tests cover the messaging/AI/email skips and the colon-form normalization.

MEDIUM (CQ #2) — `code/` skip ignored both the colon-form (`code:run-code`) and the `data.actionType` fallback used by some legacy/in-flight node shapes. Now mirrors the resolution logic in lib/mcp/calldata.ts:67-68: check both `data.config.actionType` and `data.actionType`, normalize colons to slashes.

MEDIUM (Empirical YELLOW + CQ #3) — delimiter class `[\s,;:([)` missed the dominant in-the-wild bare-@ shape, where the orphan is immediately preceded by `"`/`'`/`=` because configs frequently embed JSON-encoded strings. Switched to `(?:^|[^\w@])` (any non-word, non-@ prefix). Empirical reviewer's two FAIL cases (`condition: "@Trigger-1"` and `("@nested")`) now flag correctly, and the email/URL-token/hex-string negatives still pass.

MEDIUM (Sec #1) — `\{\{[^}]*\}\}` is V8-quadratic on long unmatched `{` runs (200KB run = 33s, pins worker). Switched to `\{\{[^{}]*\}\}` which is linear. Auth-gated, but the attack surface is `current.nodes` from the DB row, so an upstream create/update could plant the payload.

MEDIUM (Sec #2) — `visit()` recursed unbounded; ~20k depth throws RangeError that propagates as a 500. Added MAX_DEPTH=100 guard plus a 10k-deep nesting test to confirm no throw.

LOW (CQ #4 + #5) — findings array grew unbounded with no cap; offending literals never reached the response. Capped at MAX_FINDINGS=10 with short-circuiting at every recursion level, plus added MAX_STRING_LEN=256_000 for defense in depth on pathological string fields. Surfaced literals as `details.literals` on the `INVALID_TEMPLATE_LITERALS` `ListingResult` and in the 422 response body so the author can locate the offending field.

LOW (CQ #6) — added missing/non-string actionType test case and a cap-at-MAX_FINDINGS test.

Bypass surface (Sec #4c): the `code/*` skip-by-mislabel-actionType remains a self-foot-shooting path (author can mislabel their own workflow's actionType to bypass detection on their own config). No cross-tenant impact, no privilege escalation. Acceptable trade-off versus banning legitimate decorator/AI/messaging content.

11 new unit tests added (28 total in listing-validators.test.ts), 1 new lifecycle assertion verifies `details.literals` flows through. 46 listing-touching tests pass; biome clean on all touched files.
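The guards listed in the commit message above, assembled into one bounded scanner as an added example that is not the project's listing validator. It applies the `:` -> `/` actionType normalization and prefix skip-list, the linear `\{\{[^{}]*\}\}` class, the `(?:^|[^\w@])` bare-@ prefix, and the MAX_DEPTH / MAX_FINDINGS / MAX_STRING_LEN caps with short-circuiting at every recursion level. What counts as a finding (any `{{…}}` literal or bare `@token` in a string field of `data.config`), the node shape, and the result object are assumptions modelled on the description.

```javascript
// Added example (not KeeperHub's code): a bounded recursive scan of workflow node
// configs for leftover template literals. Node shape (data.config / data.actionType),
// the flagged patterns and the result shape are assumptions.
const MAX_DEPTH = 100;          // recursion cap: deep nesting is skipped, never a RangeError
const MAX_FINDINGS = 10;        // result cap: stop scanning once enough is known
const MAX_STRING_LEN = 256_000; // pathological string fields are not scanned at all

// Node kinds whose payloads legitimately contain @mentions or prompts.
const SKIP_PREFIXES = new Set(["code", "notify", "discord", "slack", "telegram", "email", "ai", "ai-gateway"]);

// [^{}] cannot backtrack across nested braces, so this is linear in input length;
// [^}] would be quadratic on a long run of unmatched "{".
const DOUBLE_BRACE_RE = /\{\{[^{}]*\}\}/g;
// A bare "@Name" preceded by start-of-string or any non-word, non-@ character:
// catches "@Trigger-1" inside quotes or after "=" but not the "@" in an e-mail address.
const BARE_AT_RE = /(?:^|[^\w@])(@[\w-]+)/g;

// Mirror both actionType locations and normalize "code:run-code" to "code/run-code".
function normalizeActionType(node) {
  const raw = node?.data?.config?.actionType ?? node?.data?.actionType;
  return typeof raw === "string" ? raw.replace(/:/g, "/") : "";
}

function isSkippedActionType(actionType) {
  return SKIP_PREFIXES.has(actionType.split("/")[0]);
}

// Depth-first walk; every level checks the caps before doing any work.
function scanValue(value, depth, path, findings) {
  if (findings.length >= MAX_FINDINGS || depth > MAX_DEPTH) return;
  if (typeof value === "string") {
    if (value.length > MAX_STRING_LEN) return;
    for (const re of [DOUBLE_BRACE_RE, BARE_AT_RE]) {
      for (const m of value.matchAll(re)) {
        if (findings.length >= MAX_FINDINGS) return;
        findings.push({ path, literal: m[1] ?? m[0] });
      }
    }
    return;
  }
  if (Array.isArray(value)) {
    value.forEach((item, i) => scanValue(item, depth + 1, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      scanValue(child, depth + 1, `${path}.${key}`, findings);
    }
  }
}

// Returns { valid: true } or a result carrying the offending literals and their paths,
// so an author can locate the field instead of guessing.
function validateTemplateLiterals(nodes) {
  const findings = [];
  for (let i = 0; i < nodes.length && findings.length < MAX_FINDINGS; i++) {
    const node = nodes[i];
    if (isSkippedActionType(normalizeActionType(node))) continue;
    scanValue(node?.data?.config, 0, `nodes[${i}].data.config`, findings);
  }
  if (findings.length === 0) return { valid: true };
  return {
    valid: false,
    code: "INVALID_TEMPLATE_LITERALS",
    details: { literals: findings.map((f) => f.literal), paths: findings.map((f) => f.path) },
  };
}

module.exports = { validateTemplateLiterals, normalizeActionType, isSkippedActionType, MAX_FINDINGS, MAX_DEPTH };
```

The three caps address three different failure modes: MAX_DEPTH turns a stack overflow (a 500) into a skipped subtree, MAX_FINDINGS keeps the work and the response bounded once the answer is already "invalid", and MAX_STRING_LEN is defense in depth in case a future regex change reintroduces super-linear behaviour.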
Dev43 pushed a commit to Dev43/keeperhub that referenced this pull request on May 2, 2026:
)
- Replace hard border-r with rounded-r-xl + shadow-sm so the aside reads as an elevated card surface, consistent with the rest of the Hub (protocol-card, workflow-template-card idioms)
- Active tag row gains a 2px left accent stripe (border-l-[var(--color-border-accent)]) plus offset pl-2/pr-3 so the selected tag reads as anchored at a glance
- Tag rows clamp to min-h-7 (28px) so short and long tag names share a consistent row height — visual rhythm on the 4px scale
- Section-header trigger gains a subtle hover:bg-hub-icon-bg/40 hint so the click target is telegraphed
- Tags CollapsibleContent gets max-h-96 + overflow-y-auto when more than 12 public tags exist, so a long taxonomy never pushes the page
- All weights stay at 400 / 600 (no font-medium); all colors come from --color-text-accent / --color-border-accent / --color-hub-icon-bg / --color-hub-card; spacing on the 4px scale; A11y preserved (aria-current, role=radio, aria-checked, aria-label).
joelorzet added a commit that referenced this pull request on May 8, 2026:
#1 Legitimate NULL upstream values were treated as unresolved. `extractTemplateParameters` previously called `resolveTemplateToRawValue`, which collapses both "no path" and "leaf is null" to `null`. The strict gate then false-tripped on workflows that legitimately passed NULL through a Database Query parameter (e.g. a SQL column that returned NULL). Add discriminated `*Checked` resolvers and a `resolveStrictPath` helper that uses `'key' in obj` to distinguish "the leaf key exists with a null value" from "the leaf key does not exist." The SQL parameterizer now pushes the real null and leaves the tracker empty in the legitimate case; genuine no-node / no-data / no-path still record the right reason.

#3 Condition expressions accepted display- and legacy-format leftovers silently. Only stored-format `{{@nodeid:Label}}` is substituted in `evaluateConditionExpression`; any other shape that survived the substitution loop fed straight into the JS evaluator and surfaced as a misleading "Unexpected token '{'" syntax error. Add a post-substitution leftover-scan that throws a clear "unresolved template reference(s): {{...}}. Use stored format `{{@nodeid:Label.field}}`" before the evaluator runs.

Tests cover both edge cases plus the discriminator distinction across no-node / no-data / no-path, and confirm a real null in a SQL parameter does not light up the tracker.
joelorzet added a commit that referenced this pull request on May 9, 2026:
#1 Legitimate NULL upstream values were treated as unresolved. `extractTemplateParameters` previously called `resolveTemplateToRawValue`, which collapses both "no path" and "leaf is null" to `null`. The strict gate then false-tripped on workflows that legitimately passed NULL through a Database Query parameter (e.g. a SQL column that returned NULL). Add discriminated `*Checked` resolvers and a `resolveStrictPath` helper that uses `'key' in obj` to distinguish "the leaf key exists with a null value" from "the leaf key does not exist." The SQL parameterizer now pushes the real null and leaves the tracker empty in the legitimate case; genuine no-node / no-data / no-path still record the right reason.

#3 Condition expressions accepted display- and legacy-format leftovers silently. Only stored-format `{{@nodeid:Label}}` is substituted in `evaluateConditionExpression`; any other shape that survived the substitution loop fed straight into the JS evaluator and surfaced as a misleading "Unexpected token '{'" syntax error. Add a post-substitution leftover-scan that throws a clear "unresolved template reference(s): {{...}}. Use stored format `{{@nodeid:Label.field}}`" before the evaluator runs.

Tests cover both edge cases plus the discriminator distinction across no-node / no-data / no-path, and confirm a real null in a SQL parameter does not light up the tracker.
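The two fixes described in the May 8 and May 9 commit messages above, as an added example that is not the project's code. It shows a `resolveStrictPath` that uses `'key' in obj` so a leaf whose value is null is reported as found, a parameterizer that pushes the real null and records no-node / no-data / no-path reasons only for genuinely unresolved references, and a condition substituter that rejects any leftover `{{...}}` before an evaluator would see it. The reference syntax `{{@nodeid:Label.field}}` is the stored format named in the commit; the output map shape, the `$n` placeholder style, the function names and the reason strings are assumptions.

```javascript
// Added example (not KeeperHub's code): null-vs-missing discrimination when resolving
// stored-format template references. The outputsByNode shape ({ nodeId: outputData }),
// placeholder style and reason labels are assumptions.

// Stored format only: {{@nodeid:Label}} or {{@nodeid:Label.path.to.field}}
const STORED_REF_RE = /\{\{@([^:}]+):([^}]*)\}\}/g;

// Walk a dotted path with the `in` operator so "key exists with value null"
// (found, value null) is distinct from "key does not exist" (no-path).
function resolveStrictPath(root, path) {
  let cur = root;
  for (const key of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !(key in cur)) {
      return { found: false, reason: "no-path", value: null };
    }
    cur = cur[key];
  }
  return { found: true, reason: null, value: cur };
}

// Discriminated resolver: every failure carries the reason the tracker should record.
function resolveReference(nodeId, labelAndPath, outputsByNode) {
  if (!(nodeId in outputsByNode)) return { found: false, reason: "no-node", value: null };
  const data = outputsByNode[nodeId];
  if (data === undefined || data === null) return { found: false, reason: "no-data", value: null };
  const dot = labelAndPath.indexOf(".");
  if (dot === -1) return { found: true, reason: null, value: data }; // whole node output
  return resolveStrictPath(data, labelAndPath.slice(dot + 1));
}

// SQL parameterizer: replaces each reference with a positional placeholder, pushes the
// resolved value (a real null included) and tracks only genuinely unresolved references.
function extractTemplateParameters(template, outputsByNode) {
  const values = [];
  const unresolved = [];
  const sql = template.replace(STORED_REF_RE, (whole, nodeId, rest) => {
    const r = resolveReference(nodeId, rest, outputsByNode);
    values.push(r.found ? r.value : null);
    if (!r.found) unresolved.push({ ref: whole, reason: r.reason });
    return `$${values.length}`;
  });
  return { sql, values, unresolved };
}

// Condition substitution: only stored-format references are replaced; anything that
// still looks like a template afterwards is an error, raised before any evaluator runs.
function substituteCondition(expression, outputsByNode) {
  const substituted = expression.replace(STORED_REF_RE, (whole, nodeId, rest) => {
    const r = resolveReference(nodeId, rest, outputsByNode);
    return r.found ? JSON.stringify(r.value) : whole;
  });
  const leftovers = substituted.match(/\{\{[^{}]*\}\}/g);
  if (leftovers) {
    throw new Error(
      `unresolved template reference(s): ${leftovers.join(", ")}. Use stored format {{@nodeid:Label.field}}`
    );
  }
  return substituted;
}

module.exports = { resolveStrictPath, resolveReference, extractTemplateParameters, substituteCondition };
```

The substituted expression is returned rather than evaluated here; the point is that a display-format leftover such as `{{Label.field}}` fails with a message naming the offending reference instead of surfacing as a syntax error from whatever evaluator consumes the string next.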
Bumps better-auth from 1.3.34 to 1.4.2.

Release notes
Sourced from better-auth's releases.
... (truncated)
Commits
- f2c28dd chore: release v1.4.2
- 7e7a4ca chore: release v1.4.2-beta.2
- a2e6a8a Revert "chore: lint (#6290)"
- 5ea36ab fix: signIn/signUp API returns user additional field (#6287)
- 205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
- 201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
- 1c1c913 chore: more join tests for missing data scenarios (#6166)
- 1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
- fc662c5 chore: remove incorrect auth cli (#6242)
- fabf8dc docs: updated og image and add merch link to community section (#6251)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.