NextAuth >= v4.23.0 Breaking change: - Package subpath './core' is not defined by "exports"

[sduduzog]

Environment

---

• Operating System: Windows_NT
• Node Version: v18.16.1
• Nuxt Version: 3.6.5
• Nitro Version: 2.5.2
• Package Manager: npm@9.5.1
• Builder: vite
• User Config: experimental, postcss, build, vite, typescript, vue, nitro, modules, googleFonts, ui, htmlValidator, apollo, graphqlServer, content, runtimeConfig, app, devtools
• Runtime Modules: @nuxtjs/google-fonts@3.0.2, @sidebase/nuxt-auth@0.6.0-beta.4, nuxt-icon@0.5.0, @nuxtjs/html-validator@1.5.2, @nuxthq/ui@2.7.0, @nuxt/content@2.7.2
• Build Modules: -

---

Reproduction

n/a

Describe the bug

When doing a clean install with no package-lock.json, the next-auth package installed along with nuxt-auth module seem to have breaking changes in import namespaces used by the nuxtAuthHandler file.

Additional context

A current workaround is pinning next-auth to v4.22.5

Logs

ℹ Vite client warmed up in 8934ms                                                                                                                       01:51:59

[01:52:01]  WARN  (node-resolve plugin) Could not resolve import "next-auth/core" in C:\dev\monorepo\web\node_modules\@sidebase\nuxt-auth\dist\runtime\server\services\authjs\nuxtAuthHandler.mjs using exports defined in C:\dev\monorepo\web\node_modules\next-auth\package.json.


[01:52:01]  WARN  (node-resolve plugin) Could not resolve import "next-auth/core" in C:\dev\monorepo\web\node_modules\@sidebase\nuxt-auth\dist\runtime\server\services\authjs\nuxtAuthHandler.mjs using exports defined in C:\dev\monorepo\web\node_modules\next-auth\package.json.


[01:52:01]  WARN  (node-resolve plugin) Could not resolve import "next-auth/core" in C:\dev\monorepo\web\node_modules\@sidebase\nuxt-auth\dist\runtime\server\services\authjs\nuxtAuthHandler.mjs using exports defined in C:\dev\monorepo\web\node_modules\next-auth\package.json.


[01:52:01]  WARN  (node-resolve plugin) Could not resolve import "next-auth/core" in C:\dev\monorepo\web\node_modules\@sidebase\nuxt-auth\dist\runtime\server\services\authjs\nuxtAuthHandler.mjs using exports defined in C:\dev\monorepo\web\node_modules\next-auth\package.json.


[01:52:01]  WARN  (node-resolve plugin) Could not resolve import "next-auth/core" in C:\dev\monorepo\web\node_modules\@sidebase\nuxt-auth\dist\runtime\server\services\authjs\nuxtAuthHandler.mjs using exports defined in C:\dev\monorepo\web\node_modules\next-auth\package.json.


[01:52:01]  WARN  "next-auth/core" is imported by "node_modules/@sidebase/nuxt-auth/dist/runtime/server/services/authjs/nuxtAuthHandler.mjs", but could not be resolved – treating it as an external dependency.

✔ Nitro built in 5761 ms                                                                                                                          nitro 01:52:03

[01:52:03]  ERROR  [worker reload] [worker init] Package subpath './core' is not defined by "exports" in C:\dev\monorepo\web\node_modules\next-auth\package.json imported from C:\dev\monorepo\web\.nuxt\dev\index.mjs

  at new NodeError (node:internal/errors:399:5)
  at exportsNotFound (node:internal/modules/esm/resolve:361:10)
  at packageExportsResolve (node:internal/modules/esm/resolve:697:9)
  at packageResolve (node:internal/modules/esm/resolve:872:14)
  at moduleResolve (node:internal/modules/esm/resolve:938:20)
  at defaultResolve (node:internal/modules/esm/resolve:1153:11)
  at nextResolve (node:internal/modules/esm/loader:163:28)
  at ESMLoader.resolve (node:internal/modules/esm/loader:838:30)
  at ESMLoader.getModuleJob (node:internal/modules/esm/loader:424:18)
  at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:77:40)

[Sparo]

Exact same problem here. My workaround also was to pin next-auth, but the version I have used is from the nuxt-auth docs: next-auth@4.21.1.

So nuxt-auth docs said that we should use next-auth@4.21.1 I did that... but your solution sounds better.

[Salotronic]

same problem here...

[SherifAugustus]

faced the same problem, reverting to next-auth@4.21.1 fixed it.

[bjornol]

same problem here...

[kennedyngigi4]

@SherifAugustus where exactly should I revert the next-auth version?

[sduduzog]

@kennedyngigi4 just install the specific next-auth version to your project, then nuxt-auth will use that one

[AliBahadori41]

next-auth@4.21.1

I had same issue and next-auth@4.21.1 fixed it.

[JiangShuuu]

same issue exists in next-auth@4.23.1, but it works with next-auth@4.21.1.

[RicLzPt]

Same problem

[RicLzPt]

4.23.2 same issue.

[dingkai031]

Hello,I'm also having this problem. What does pinning mean and how to do that?

Thanks

[sduduzog]

@dingkai031 in the package.json file make sure that the next-auth version number does not have a tilde (^) so it should look like "next-auth": "4.21.1"

After removing it, make sure to run an install command again so that the pinned version is the one installed

[zoey-kaiser]

Hi @sduduzog and everyone else!

I just tested the newest version of NextAuth (4.23.2) and it seems to have resolved the issue! You should be able to use the newest version again, as they undid their change with the exports! Therefore I will be closing this issue!

[greenacresfoundation]

#Hi @sduduzog and everyone else!

I just tested the newest version of NextAuth (4.23.2) and it seems to have resolved the issue! You should be able to use the newest version again, as they undid their change with the exports! Therefore I will be closing this issue!

Hey just tested this with 4.23.2 and the bug is still there. This shouldn't be closed yet.

[RicLzPt]

#Hi @sduduzog and everyone else!

I just tested the newest version of NextAuth (4.23.2) and it seems to have resolved the issue! You should be able to use the newest version again, as they undid their change with the exports! Therefore I will be closing this issue!

Hey just tested this with 4.23.2 and the bug is still there. This shouldn't be closed yet.

Yes. The error remains

[zoey-kaiser]

Too bad, Ill keep this open. Maybe someone wants to open a PR on the offical NextAuth repo or pressure them more into reverting this change! I had mentioned it before in the commit comments, but received no answer...

[RicLzPt]

I upgraded to 4.24.4 and this issue continue

[ReaganM02]

@RicLzPt I am not sure if this will help you, but I have the same issue and it looks like it is fixed by adding npm install next-auth@4.21.1 --save-exact=true

https://stackblitz.com/edit/nuxt-starter-77eysh?file=package.json

[RicLzPt]

@RicLzPt I am not sure if this will help you, but I have the same issue and it looks like it is fixed by adding npm install next-auth@4.21.1 --save-exact=true

https://stackblitz.com/edit/nuxt-starter-77eysh?file=package.json

Thanks for your answer. I did this anteriorly and resolved. My intention is give a feedback that the error continue.

[zoey-kaiser]

Hi everyone.

Thank you for regularly checking into this issue! However, this problem will sadly not be reverted or fixed by itself. After some investigation, @BracketJohn and I have identified how we need to rewrite NuxtAuth to be compatible with NextAuth's new system architecture.
They have done this restructuring in preparation for the release of authjs, meaning that we would need to update how we integrate with their package.

Once we have done this upgrade, we will not be compatible with NextAuth versions under 4.23. We are continuing to look into how we can best integrate the newer versions of NextAuth, without making any major code changes in our module, to ensure for a smooth transfer.

[GoudekettingRM]

@zoey-kaiser is there a timeline for the upgrade? Would the upgrade cause major backwards incompatible changes In the way Nuxt Auth is used?

I.e. I want to implement Nuxt Auth in a new app, but if the fixed version is soon to come out and works mainly differently, I might focus my time elsewhere for the time being.

Also, as a sidenote, when having next-auth@4.21.1 installed, I'm getting the following vulnerability warning:

next-auth  <4.24.5
Severity: moderate
Possible user mocking that bypasses basic authentication - https://github.com/advisories/GHSA-v64w-49xw-qq89
fix available via `npm audit fix --force`
Will install next-auth@4.24.5, which is outside the stated dependency range
node_modules/next-auth

1 moderate severity vulnerability

[andreasvirkus]

I think next-auth@4.22.5 is the latest working version, see if you still have the vulnerability warning with that version?

[zoey-kaiser]

@zoey-kaiser is there a timeline for the upgrade? Would the upgrade cause major backwards incompatible changes In the way Nuxt Auth is used?

Sadly we are kind of stuck between two (non optional) solutions here.

1.) NextAuth was updated to partially use the new authjs infrastructure, which is why the breaking change happened. Rewriting our module to use their new architecture, would be a good amount of work and would need to be repeated once authjs is completely out (as we can then remove NextAuth completely)
2.) Switch to authjs under the hood, removing NextAuth completely. The issue with this, is that authjs, is still in "experimental" and is missing some features, we are still waiting for (see #117)

Also, as a sidenote, when having next-auth@4.21.1 installed, I'm getting the following vulnerability warning:

The good news about this: It does not matter for NuxtAuth. The vulnerability has to do with the middleware provided by NextAuth. As we provide our own middleware and do not use theirs, this vulnerability does not apply to NuxtAuth!

See GHSA-v64w-49xw-qq89

[yuelongh]

just to say other than this issue also when I used next-auth@4.22.5 and the baseURL set in auth object inside nuxt.config.ts I still get the default url which is http://127.0.0.1:3000/api/auth/signin/credentials for signinUrl and callbackURL rather then the baseURL set by myself.

next-auth@4.21.1 works okay!

[davidlemaitre]

@yuelongh Same config here. I resolved by setting NEXTAUTH_URL environment variable.

[agracia-foticos]

Same issue

[SiamGamerAlbion]

same issue

[tukutela]

yep same, what a bummer! thanks nuxt-auth team for your work!

[marwenbk]

this broke our site

[Fexxix]

Hi there, I added these two lines in the next-auth's package.json's export and it fixed the development version at least.

"./core": {
      "types": "./core/index.d.ts",
      "default": "./core/index.js"
    },

I know this won't work in production and even in development it's only a temporary fix. I'm on next-auth's 4.24.5 version, should I revert to an older version?

[AdytZZa22]

Same issue. 4.22.5 works fine, but there is still a warning: Could not resolve import "next-auth/core"

[dandonovan78]

For anyone else wondering how to go about this
Just run this
npm install next-auth@4.21.1 --save-exact=true

It felt a bit weird to have to install next-auth when @sidebase/nuxt-auth includes it, adding the following to my package.json seems to work to pin the version (using npm):

"overrides": {
   "@sidebase/nuxt-auth": {
     "next-auth": "4.21.1"
   }
 },

[phaberest]

Do we have any possible update on this matter?

Locking version to 4.21.1 makes it work but exposes to a security issue reported on GHSA-v64w-49xw-qq89

[zoey-kaiser]

Hi everyone!

We are now beginning this migration, for more information please keep an eye on #673. As this issue will be fixed through this migration, I will now close this issue.

Thank you for all the hard work investigating!

[v0id-4lpz]

❌ Tested today and @sidebase/nuxt-auth@0.7.2 + next-auth@4.22.5 don't work as the doc says.

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR!
npm ERR! While resolving: @sidebase/nuxt-auth@0.7.2
npm ERR! Found: next-auth@4.22.5
npm ERR!   next-auth@"4.22.5" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer next-auth@"~4.21.1" from @sidebase/nuxt-auth@0.7.2
npm ERR! node_modules/@sidebase/nuxt-auth
npm ERR!   @sidebase/nuxt-auth@"^0.7.2" from the root project
npm ERR!
npm ERR! Conflicting peer dependency: next-auth@4.21.1
npm ERR! node_modules/next-auth
npm ERR!   peer next-auth@"~4.21.1" from @sidebase/nuxt-auth@0.7.2
npm ERR!   node_modules/@sidebase/nuxt-auth
npm ERR!     @sidebase/nuxt-auth@"^0.7.2" from the root project
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR!
npm ERR! For a full report see:

✅ Working with @sidebase/nuxt-auth@0.7.2 + next-auth@4.21.1

[zoey-kaiser]

❌ Tested today and @sidebase/nuxt-auth@0.7.2 + next-auth@4.22.5 don't work as the doc says.

Thanks for checking this. We also use next-auth@4.21.1 in our apps, so I will adjust the docs to recommend that version ❤️