Skip to content

fix(deps): upgrade better-auth 1.6.11 -> 1.6.13 (security)#5508

Merged
waleedlatif1 merged 1 commit into
stagingfrom
upgrade-better-auth
Jul 8, 2026
Merged

fix(deps): upgrade better-auth 1.6.11 -> 1.6.13 (security)#5508
waleedlatif1 merged 1 commit into
stagingfrom
upgrade-better-auth

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • Resolves Dependabot alerts #166 and #167: high-severity stored XSS in better-auth's oidc-provider/mcp plugins via javascript:/data: redirect_uri schemes (fixed upstream in 1.6.13)
  • Bumps better-auth 1.6.11 -> 1.6.13 in apps/sim/package.json and packages/auth/package.json, plus matching @better-auth/sso and @better-auth/stripe peers
  • Verified this is a patch-only release train (1.6.11 -> 1.6.12 -> 1.6.13) — reviewed both upstream changelogs, no breaking API changes

Test plan

  • bun install resolves cleanly, lockfile updated
  • type-check passes in both apps/sim and packages/auth
  • Existing auth/OAuth test suites pass (lib/api-key/auth.test.ts, lib/oauth/oauth.test.ts, lib/integrations/oauth-service.test.ts, app/api/files/authorization.test.ts, lib/mcp/oauth/auth.test.ts — 95/95 passing)
  • No source code changes — dependency manifests + lockfile only

…166/#167)

Patches a high-severity stored XSS in the oidc-provider and mcp plugins
via javascript:/data: redirect_uri schemes. Also bumps @better-auth/sso
and @better-auth/stripe to matching 1.6.13 peers. Patch-only release
(1.6.11 -> 1.6.12 -> 1.6.13), no breaking changes in either changelog.
@waleedlatif1 waleedlatif1 requested a review from a team as a code owner July 8, 2026 17:22
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 8, 2026 5:27pm

Request Review

@cursor

cursor Bot commented Jul 8, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Touches authentication and SSO/billing plugins without code changes; risk is mainly regression or subtle behavior changes in auth flows after the security patch.

Overview
Security patch: bumps the better-auth stack from 1.6.11 to 1.6.13 in apps/sim/package.json and packages/auth/package.json, with matching @better-auth/sso and @better-auth/stripe peers and an updated bun.lock.

This addresses upstream fixes for high-severity stored XSS in OIDC/MCP-related flows involving unsafe redirect_uri schemes (javascript: / data:). There are no application source changes—only manifests and the lockfile. Transitive updates include @better-auth/utils 0.4.1, SSO’s samlify 2.13.1, and related adapter/core packages on the same release train.

Reviewed by Cursor Bugbot for commit 09bb064. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR upgrades better-auth from 1.6.11 to 1.6.13 (and its peer packages @better-auth/sso and @better-auth/stripe) to address two high-severity stored XSS vulnerabilities where javascript: and data: URI schemes were accepted as valid redirect_uri values in the oidc-provider and mcp plugins. No application source code is modified — only dependency manifests and the lockfile.

  • Security fix: Resolves Dependabot alerts fix(deps): bump @anthropic-ai/sdk from 0.38.0 to 0.39.0 in /sim #166 and fix(deps): bump the react-ecosystem group in /sim with 4 updates #167 — stored XSS via unsanitized redirect_uri schemes in better-auth's OIDC/MCP plugins, patched upstream in 1.6.13.
  • Indirect dependency changes: samlify (pulled in by @better-auth/sso) jumps from 2.10.2 → 2.13.1, dropping node-forge, camelcase, pako, and uuid as dependencies and upgrading @xmldom/xmldom and xpath; these are all improvements that reduce attack surface.
  • Lockfile consistency: All @better-auth/* sub-packages and @better-auth/utils (0.4.0 → 0.4.1) are updated atomically in bun.lock, consistent with the better-auth 1.6.13 release train.

Confidence Score: 5/5

Safe to merge — purely a dependency version bump with no application source changes, directly addressing known high-severity XSS vulnerabilities.

All three files are dependency manifests and a lockfile. The version jump is a patch-only train (1.6.11 → 1.6.12 → 1.6.13) with no breaking API changes. The upstream fix targets a concrete, well-scoped vulnerability in the OIDC/MCP redirect_uri validation. The lockfile diff is internally consistent — all better-auth sub-packages move together, the samlify upgrade drops historically problematic dependencies (node-forge, uuid), and no unexpected transitive additions appear.

No files require special attention. The bun.lock diff is the most complex artifact but all changes trace directly to the better-auth and samlify version bumps.

Important Files Changed

Filename Overview
apps/sim/package.json Bumps better-auth 1.6.11 → 1.6.13 and @better-auth/sso/@better-auth/stripe from 1.6.11 → 1.6.13; straightforward security patch with no API changes.
packages/auth/package.json Bumps better-auth 1.6.11 → 1.6.13 in the auth workspace package; consistent with the apps/sim change.
bun.lock Lockfile updated to reflect all better-auth 1.6.13 sub-packages, @better-auth/utils 0.4.1, samlify 2.13.1, and xpath 0.0.34; removals of camelcase, node-forge, and pako are expected from samlify's leaner 2.13.x dependency tree.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Client
    participant BetterAuth as better-auth (1.6.13)
    participant OIDCPlugin as oidc-provider / mcp plugin
    participant App as Application

    Note over Client,App: Fixed in 1.6.13 — redirect_uri scheme validation
    Client->>BetterAuth: Authorization request with redirect_uri
    BetterAuth->>OIDCPlugin: Validate redirect_uri
    alt javascript: or data: scheme (BLOCKED in 1.6.13)
        OIDCPlugin-->>BetterAuth: Reject — invalid scheme
        BetterAuth-->>Client: 400 Bad Request
    else https: / http: scheme (ALLOWED)
        OIDCPlugin-->>BetterAuth: Valid redirect_uri
        BetterAuth->>App: Proceed with auth flow
        App-->>Client: Authorization code / token
    end
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Client
    participant BetterAuth as better-auth (1.6.13)
    participant OIDCPlugin as oidc-provider / mcp plugin
    participant App as Application

    Note over Client,App: Fixed in 1.6.13 — redirect_uri scheme validation
    Client->>BetterAuth: Authorization request with redirect_uri
    BetterAuth->>OIDCPlugin: Validate redirect_uri
    alt javascript: or data: scheme (BLOCKED in 1.6.13)
        OIDCPlugin-->>BetterAuth: Reject — invalid scheme
        BetterAuth-->>Client: 400 Bad Request
    else https: / http: scheme (ALLOWED)
        OIDCPlugin-->>BetterAuth: Valid redirect_uri
        BetterAuth->>App: Proceed with auth flow
        App-->>Client: Authorization code / token
    end
Loading

Reviews (1): Last reviewed commit: "fix(deps): upgrade better-auth 1.6.11 ->..." | Re-trigger Greptile

@waleedlatif1 waleedlatif1 merged commit cb6f99d into staging Jul 8, 2026
18 checks passed
@waleedlatif1 waleedlatif1 deleted the upgrade-better-auth branch July 8, 2026 17:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant