fix(deps): upgrade better-auth 1.6.11 -> 1.6.13 (security)#5508
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
PR SummaryMedium Risk Overview This addresses upstream fixes for high-severity stored XSS in OIDC/MCP-related flows involving unsafe Reviewed by Cursor Bugbot for commit 09bb064. Configure here. |
Greptile SummaryThis PR upgrades
Confidence Score: 5/5Safe to merge — purely a dependency version bump with no application source changes, directly addressing known high-severity XSS vulnerabilities. All three files are dependency manifests and a lockfile. The version jump is a patch-only train (1.6.11 → 1.6.12 → 1.6.13) with no breaking API changes. The upstream fix targets a concrete, well-scoped vulnerability in the OIDC/MCP redirect_uri validation. The lockfile diff is internally consistent — all better-auth sub-packages move together, the samlify upgrade drops historically problematic dependencies (node-forge, uuid), and no unexpected transitive additions appear. No files require special attention. The bun.lock diff is the most complex artifact but all changes trace directly to the better-auth and samlify version bumps. Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Client
participant BetterAuth as better-auth (1.6.13)
participant OIDCPlugin as oidc-provider / mcp plugin
participant App as Application
Note over Client,App: Fixed in 1.6.13 — redirect_uri scheme validation
Client->>BetterAuth: Authorization request with redirect_uri
BetterAuth->>OIDCPlugin: Validate redirect_uri
alt javascript: or data: scheme (BLOCKED in 1.6.13)
OIDCPlugin-->>BetterAuth: Reject — invalid scheme
BetterAuth-->>Client: 400 Bad Request
else https: / http: scheme (ALLOWED)
OIDCPlugin-->>BetterAuth: Valid redirect_uri
BetterAuth->>App: Proceed with auth flow
App-->>Client: Authorization code / token
end
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant Client
participant BetterAuth as better-auth (1.6.13)
participant OIDCPlugin as oidc-provider / mcp plugin
participant App as Application
Note over Client,App: Fixed in 1.6.13 — redirect_uri scheme validation
Client->>BetterAuth: Authorization request with redirect_uri
BetterAuth->>OIDCPlugin: Validate redirect_uri
alt javascript: or data: scheme (BLOCKED in 1.6.13)
OIDCPlugin-->>BetterAuth: Reject — invalid scheme
BetterAuth-->>Client: 400 Bad Request
else https: / http: scheme (ALLOWED)
OIDCPlugin-->>BetterAuth: Valid redirect_uri
BetterAuth->>App: Proceed with auth flow
App-->>Client: Authorization code / token
end
Reviews (1): Last reviewed commit: "fix(deps): upgrade better-auth 1.6.11 ->..." | Re-trigger Greptile |
Summary
better-auth'soidc-provider/mcpplugins viajavascript:/data:redirect_urischemes (fixed upstream in 1.6.13)better-auth1.6.11 -> 1.6.13 inapps/sim/package.jsonandpackages/auth/package.json, plus matching@better-auth/ssoand@better-auth/stripepeersTest plan
bun installresolves cleanly, lockfile updatedtype-checkpasses in bothapps/simandpackages/authlib/api-key/auth.test.ts,lib/oauth/oauth.test.ts,lib/integrations/oauth-service.test.ts,app/api/files/authorization.test.ts,lib/mcp/oauth/auth.test.ts— 95/95 passing)