fix(ui): scope active-devices cache by user to prevent cross-user leak

[dominic-clerk]

Description

The UserProfile active-devices list was cached in a module-scoped fetch cache keyed only by a constant string, so a session switch or a sign-out/sign-in on a shared device could render the previous user's device activity (IP, location, browser/device). Key the cache by user.id.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[changeset-bot]

🦋 Changeset detected

Latest commit: 2312dcb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@clerk/ui	Patch
@clerk/chrome-extension	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 29, 2026 12:12pm

[github-actions]

Snapi: no API changes detected in @clerk/backend, @clerk/clerk-js, @clerk/nextjs, @clerk/react, @clerk/shared, @clerk/ui.

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8703

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8703

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8703

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8703

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8703

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8703

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8703

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8703

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8703

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8703

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8703

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8703

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8703

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8703

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8703

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8703

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8703

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8703

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8703

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8703

commit: 2312dcb

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e1e9dc1e-b54e-41fe-84c0-88099cf0dbc6

📥 Commits

Reviewing files that changed from the base of the PR and between b9eb19d and 2312dcb.

📒 Files selected for processing (3)

• .changeset/tangy-ducks-end.md
• packages/ui/src/components/UserProfile/ActiveDevicesSection.tsx
• packages/ui/src/components/UserProfile/__tests__/SecurityPage.test.tsx

---

📝 Walkthrough

Walkthrough

This PR fixes a caching issue in the UserProfile component where active-device session data was being shared across users due to module-level cache scoping. The fix updates the useFetch hook invocation in ActiveDevicesSection to include userId as an options parameter, ensuring the cache is keyed per user. A new test verifies that device activity from one user does not appear when rendering for another user. The changeset documents the patch release.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly and concisely summarizes the main change: fixing the active-devices cache by scoping it to user.id to prevent cross-user data leakage.
Description check	✅ Passed	The pull request description is directly related to the changeset, explaining the caching issue and the solution of keying the cache by user.id.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jacekradko]

👍🏼