hexclave · nams1570 · Jan 17, 2026 · Jan 10, 2026 · Jan 10, 2026 · Jan 12, 2026
diff --git a/apps/backend/package.json b/apps/backend/package.json
@@ -83,8 +83,8 @@
     "chokidar-cli": "^3.0.0",
     "dotenv": "^16.4.5",
     "dotenv-cli": "^7.3.0",
-    "freestyle-sandboxes": "^0.1.5",
-    "jose": "^5.2.2",
+    "freestyle-sandboxes": "^0.1.6",
+    "jose": "^6.1.3",
     "json-diff": "^1.0.6",
     "next": "16.1.1",
     "nodemailer": "^6.9.10",
@@ -102,7 +102,7 @@
     "svix": "^1.25.0",
     "vite": "^6.1.0",
     "yaml": "^2.4.5",
-    "yup": "^1.4.0",
+    "yup": "^1.7.1",
     "zod": "^3.23.8"
   },
   "devDependencies": {

diff --git a/apps/backend/src/lib/js-execution.tsx b/apps/backend/src/lib/js-execution.tsx
@@ -38,9 +38,7 @@ function createFreestyleEngine(): JsEngine {
 
       const response = await freestyle.serverless.runs.create({
         code,
-        config: {
-          nodeModules: options.nodeModules ?? {},
-        },
+        nodeModules: options.nodeModules ?? {},
       });
 
       if (response.result === undefined) {

diff --git a/apps/dashboard/package.json b/apps/dashboard/package.json
@@ -77,7 +77,7 @@
     "export-to-csv": "^1.4.0",
     "geist": "^1",
     "input-otp": "^1.4.1",
-    "jose": "^5.2.2",
+    "jose": "^6.1.3",
     "lodash": "^4.17.21",
     "next": "16.1.1",
     "next-themes": "^0.2.1",
@@ -99,7 +99,7 @@
     "tailwindcss-animate": "^1.0.7",
     "three": "^0.169.0",
     "use-debounce": "^10.0.5",
-    "yup": "^1.4.0"
+    "yup": "^1.7.1"
   },
   "devDependencies": {
     "@types/canvas-confetti": "^1.6.4",

diff --git a/docker/dependencies/freestyle-mock/Dockerfile b/docker/dependencies/freestyle-mock/Dockerfile
@@ -39,7 +39,8 @@ serve({
   port: 8080,
   async fetch(req) {
     const url = new URL(req.url);
-    if (!(req.method === "POST" && url.pathname === "/execute/v1/script")) {
+    const isValidEndpoint = req.method === "POST" && (url.pathname === "/execute/v1/script" || url.pathname === "/execute/v2/script");
+    if (!isValidEndpoint) {
       return new Response("Not found", { status: 404 });
     }
 

diff --git a/docs/package.json b/docs/package.json
@@ -41,7 +41,7 @@
     "fumadocs-openapi": "^8.1.12",
     "fumadocs-typescript": "^4.0.5",
     "fumadocs-ui": "15.3.3",
-    "jose": "^6.1.0",
+    "jose": "^6.1.3",
     "js-yaml": "^4.1.0",
     "lucide-react": "^0.511.0",
     "mermaid": "^11.6.0",

diff --git a/packages/js/package.json b/packages/js/package.json
@@ -50,20 +50,20 @@
     "LICENSE"
   ],
   "dependencies": {
-    "@hookform/resolvers": "^3.3.4",
-    "@simplewebauthn/browser": "^11.0.0",
+    "@hookform/resolvers": "^5.2.2",
+    "@simplewebauthn/browser": "^13.2.2",
     "@stackframe/stack-shared": "workspace:*",
-    "@tanstack/react-table": "^8.20.5",
-    "color": "^4.2.3",
-    "cookie": "^0.6.0",
-    "jose": "^5.2.2",
+    "@tanstack/react-table": "^8.21.3",
+    "color": "^5.0.3",
+    "cookie": "^1.1.1",
+    "jose": "^6.1.3",
     "js-cookie": "^3.0.5",
-    "oauth4webapi": "^2.10.3",
+    "oauth4webapi": "^3.8.3",
     "@oslojs/otp": "^1.1.0",
     "qrcode": "^1.5.4",
-    "rimraf": "^5.0.5",
-    "tsx": "^4.7.2",
-    "yup": "^1.4.0"
+    "rimraf": "^6.1.2",
+    "tsx": "^4.21.0",
+    "yup": "^1.7.1"
   },
   "devDependencies": {
     "@quetzallabs/i18n": "^0.1.19",

diff --git a/packages/react/package.json b/packages/react/package.json
@@ -58,28 +58,28 @@
     "LICENSE"
   ],
   "dependencies": {
-    "@hookform/resolvers": "^3.3.4",
+    "@hookform/resolvers": "^5.2.2",
     "@stripe/react-stripe-js": "^3.8.1",
     "@stripe/stripe-js": "^7.7.0",
-    "@simplewebauthn/browser": "^11.0.0",
+    "@simplewebauthn/browser": "^13.2.2",
     "@stackframe/stack-shared": "workspace:*",
     "@stackframe/stack-ui": "workspace:*",
-    "@tanstack/react-table": "^8.20.5",
+    "@tanstack/react-table": "^8.21.3",
     "browser-image-compression": "^2.0.2",
-    "color": "^4.2.3",
-    "cookie": "^0.6.0",
-    "jose": "^5.2.2",
+    "color": "^5.0.3",
+    "cookie": "^1.1.1",
+    "jose": "^6.1.3",
     "js-cookie": "^3.0.5",
     "lucide-react": "^0.378.0",
-    "oauth4webapi": "^2.10.3",
+    "oauth4webapi": "^3.8.3",
     "@oslojs/otp": "^1.1.0",
     "qrcode": "^1.5.4",
-    "react-easy-crop": "^5.4.1",
-    "react-hook-form": "^7.51.4",
-    "rimraf": "^5.0.5",
+    "react-easy-crop": "^5.5.6",
+    "react-hook-form": "^7.70.0",
+    "rimraf": "^6.1.2",
     "tailwindcss-animate": "^1.0.7",
-    "tsx": "^4.7.2",
-    "yup": "^1.4.0"
+    "tsx": "^4.21.0",
+    "yup": "^1.7.1"
   },
   "peerDependencies": {
     "@types/react": ">=18.3.0",

diff --git a/packages/stack-shared/package.json b/packages/stack-shared/package.json
@@ -37,7 +37,7 @@
     "@types/react-dom": ">=19.0.0",
     "react": ">=19.0.0",
     "react-dom": ">=19.0.0",
-    "yup": "^1.4.0"
+    "yup": "^1.7.1"
   },
   "peerDependenciesMeta": {
     "react": {
@@ -64,8 +64,8 @@
     "elliptic": "^6.5.7",
     "esbuild-wasm": "^0.20.2",
     "ip-regex": "^5.0.0",
-    "jose": "^5.2.2",
-    "oauth4webapi": "^2.10.3",
+    "jose": "^6.1.3",
+    "oauth4webapi": "^3.8.3",
     "semver": "^7.6.3",
     "uuid": "^9.0.1"
   },

diff --git a/packages/stack-shared/src/interface/client-interface.ts b/packages/stack-shared/src/interface/client-interface.ts
@@ -5,6 +5,7 @@ import { KnownError, KnownErrors } from '../known-errors';
 import { inlineProductSchema } from '../schema-fields';
 import { AccessToken, InternalSession, RefreshToken } from '../sessions';
 import { generateSecureRandomString } from '../utils/crypto';
+import { getNodeEnvironment } from '../utils/env';
 import { StackAssertionError, throwErr } from '../utils/errors';
 import { globalVar } from '../utils/globals';
 import { HTTP_METHODS, HttpMethod } from '../utils/http';
@@ -153,22 +154,27 @@ export class StackClientInterface {
       throw new Error("Admin session token is currently not supported for fetching new access token. Did you try to log in on a StackApp initiated with the admin session?");
     }
 
+    const tokenEndpoint = this.getApiUrl() + '/auth/oauth/token';
     const as = {
       issuer: this.options.getBaseUrl(),
       algorithm: 'oauth2',
-      token_endpoint: this.getApiUrl() + '/auth/oauth/token',
+      token_endpoint: tokenEndpoint,
     };
     const client: oauth.Client = {
       client_id: this.projectId,
       client_secret: this.options.publishableClientKey,
-      token_endpoint_auth_method: 'client_secret_post',
     };
 
+    const clientAuthentication = oauth.ClientSecretPost(this.options.publishableClientKey);
+    const allowInsecure = getNodeEnvironment() === 'test' && tokenEndpoint.startsWith('http://');
+
     const response = await this._networkRetryException(async () => {
       const rawResponse = await oauth.refreshTokenGrantRequest(
         as,
         client,
+        clientAuthentication,
         refreshToken.token,
+        allowInsecure ? { [oauth.allowInsecureRequests]: true } : undefined,
       );
 
       const response = await this._processResponse(rawResponse);
@@ -190,17 +196,26 @@ export class StackClientInterface {
     });
     if (!response) return null;
 
-    const result = await oauth.processRefreshTokenResponse(as, client, response);
-    if (oauth.isOAuth2Error(result)) {
-      // TODO Handle OAuth 2.0 response body error
-      throw new StackAssertionError("OAuth error", { result });
+    let result: oauth.TokenEndpointResponse;
+    try {
+      result = await oauth.processRefreshTokenResponse(as, client, response);
+    } catch (e){
+      if (e instanceof oauth.ResponseBodyError) {
+        throw new StackAssertionError("ResponseBodyError when processing refresh token response", {
+          cause: e.cause,
+          code: e.code,
+          error: e.error,
+        });
+      }
+      throw new StackAssertionError("Unexpected error when processing refresh token response", { cause: e });
     }
 
     if (!result.access_token) {
       throw new StackAssertionError("Access token not found in token endpoint response, this is weird!");
     }
 
     return AccessToken.createIfValid(result.access_token) ?? throwErr("Access token in fetchNewAccessToken is invalid, looks like the backend is returning an invalid token!", { result });
+
   }
 
   public async sendClientRequest(
@@ -1015,37 +1030,60 @@ export class StackClientInterface {
       // TODO fix
       throw new Error("Admin session token is currently not supported for OAuth");
     }
+    const tokenEndpoint = this.getApiUrl() + '/auth/oauth/token';
     const as = {
       issuer: this.options.getBaseUrl(),
       algorithm: 'oauth2',
-      token_endpoint: this.getApiUrl() + '/auth/oauth/token',
+      token_endpoint: tokenEndpoint,
     };
     const client: oauth.Client = {
       client_id: this.projectId,
       client_secret: this.options.publishableClientKey,
-      token_endpoint_auth_method: 'client_secret_post',
     };
-    const params = await this._networkRetryException(
-      async () => oauth.validateAuthResponse(as, client, options.oauthParams, options.state),
-    );
-    if (oauth.isOAuth2Error(params)) {
-      throw new StackAssertionError("Error validating outer OAuth response", { params }); // Handle OAuth 2.0 redirect error
+    const clientAuthentication = oauth.ClientSecretPost(this.options.publishableClientKey);
+    // Allow insecure HTTP requests only in test environment (for localhost testing)
+    const allowInsecure = getNodeEnvironment() === 'test' && tokenEndpoint.startsWith('http://');
+
+    let params: URLSearchParams;
+    try {
+      params = oauth.validateAuthResponse(as, client, options.oauthParams, options.state);
+    } catch (e) {
+      if (e instanceof oauth.AuthorizationResponseError) {
+        throw new StackAssertionError("Authorization response error when validating outer OAuth response", {
+          //cause is a URLSearchParams object for this error, so we need to serialize it better
+          cause: Object.fromEntries(e.cause),
+          code: e.code,
+          error: e.error,
+        });
+      }
+      throw new StackAssertionError("Unexpected error when validating outer OAuth response", { cause: e });
     }
     const response = await oauth.authorizationCodeGrantRequest(
       as,
       client,
+      clientAuthentication,
       params,
       options.redirectUri,
       options.codeVerifier,
+      allowInsecure ? { [oauth.allowInsecureRequests]: true } : undefined,
     );
 
-    const result = await oauth.processAuthorizationCodeOAuth2Response(as, client, response);
-    if (oauth.isOAuth2Error(result)) {
-      if ("code" in result && result.code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
-        throw new KnownErrors.MultiFactorAuthenticationRequired((result as any).details.attempt_code);
+    let result;
+    try {
+      result = await oauth.processAuthorizationCodeResponse(as, client, response);
+    } catch (e) {
+      if (e instanceof oauth.ResponseBodyError) {
+        if ((e.cause as any).code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
+          throw new KnownErrors.MultiFactorAuthenticationRequired((e.cause as any).details.attempt_code);
+        }
+        // TODO Handle OAuth 2.0 response body error
+        throw new StackAssertionError("Outer OAuth error during authorization code response", {
+          cause: e.cause,
+          code: e.code,
+          error: e.error,
+        });
       }
-      // TODO Handle OAuth 2.0 response body error
-      throw new StackAssertionError("Outer OAuth error during authorization code response", { result });
+      throw new StackAssertionError("Unexpected error when processing authorization code response", { cause: e });
     }
     return {
       newUser: result.is_new_user as boolean,

diff --git a/packages/stack-ui/package.json b/packages/stack-ui/package.json
@@ -29,7 +29,7 @@
     "@types/react-dom": ">=19.0.0",
     "react": ">=19.0.0",
     "react-dom": ">=19.0.0",
-    "yup": "^1.4.0"
+    "yup": "^1.7.1"
   },
   "peerDependenciesMeta": {
     "@types/react": {

diff --git a/packages/stack/package.json b/packages/stack/package.json
@@ -58,29 +58,29 @@
     "LICENSE"
   ],
   "dependencies": {
-    "@hookform/resolvers": "^3.3.4",
+    "@hookform/resolvers": "^5.2.2",
     "@stripe/react-stripe-js": "^3.8.1",
     "@stripe/stripe-js": "^7.7.0",
-    "@simplewebauthn/browser": "^11.0.0",
+    "@simplewebauthn/browser": "^13.2.2",
     "@stackframe/stack-sc": "workspace:*",
     "@stackframe/stack-shared": "workspace:*",
     "@stackframe/stack-ui": "workspace:*",
-    "@tanstack/react-table": "^8.20.5",
+    "@tanstack/react-table": "^8.21.3",
     "browser-image-compression": "^2.0.2",
-    "color": "^4.2.3",
-    "cookie": "^0.6.0",
-    "jose": "^5.2.2",
+    "color": "^5.0.3",
+    "cookie": "^1.1.1",
+    "jose": "^6.1.3",
     "js-cookie": "^3.0.5",
     "lucide-react": "^0.378.0",
-    "oauth4webapi": "^2.10.3",
+    "oauth4webapi": "^3.8.3",
     "@oslojs/otp": "^1.1.0",
     "qrcode": "^1.5.4",
-    "react-easy-crop": "^5.4.1",
-    "react-hook-form": "^7.51.4",
-    "rimraf": "^5.0.5",
+    "react-easy-crop": "^5.5.6",
+    "react-hook-form": "^7.70.0",
+    "rimraf": "^6.1.2",
     "tailwindcss-animate": "^1.0.7",
-    "tsx": "^4.7.2",
-    "yup": "^1.4.0"
+    "tsx": "^4.21.0",
+    "yup": "^1.7.1"
   },
   "peerDependencies": {
     "@types/react": ">=18.3.0",