v0.11.0

[nicknisi]

Summary

Cuts a 0.11.0 release for the PKCE / sealed OAuth state work merged in #68.

Per the policy stated in CHANGELOG.md — "While the package is pre-1.0, minor version bumps are used to signal breaking changes" — this is a minor bump despite carrying breaking changes. In strict semver terms it would be major; in this repo's pre-1.0 convention, minor.

Breaking changes shipping in 0.11.0

• getSignInUrl / getSignUpUrl / getAuthorizationUrl now return { url, headers } instead of a bare URL string. Callers must forward the Set-Cookie from headers on the redirect that starts the OAuth flow, or the callback will reject the flow as a CSRF failure. See the migration guide.
• Minimum @workos-inc/node is ^8.9.0; engines.node is >=20.15.0 (was >=20.0.0) to match @workos-inc/node@^8.13.x's declared engine.

What this PR contains

• Bumps package.json version 0.10.0 → 0.11.0.
• Cuts CHANGELOG.md [Unreleased] → [0.11.0] - 2026-04-27 (entries unchanged from Implement PKCE and sealed OAuth state flow #68).
• Refreshes package-lock.json to sync the version bump and the engines.node floor that Implement PKCE and sealed OAuth state flow #68 introduced but had been left dirty in the working tree.

No source code changes — all behavioral changes already shipped in #68.

Test plan

• npm run typecheck clean
• npm test — 146 tests passing
• CI green on this branch
• After merge: tag v0.11.0 and publish to npm

[greptile-apps]

Greptile Summary

This is a pure release-prep PR that bumps package.json / package-lock.json from 0.10.0 → 0.11.0, raises engines.node to >=20.15.0, and cuts the CHANGELOG.md [Unreleased] section into a dated [0.11.0] - 2026-04-27 entry. No source-code changes are included; all behavioral changes (PKCE/CSRF, sealed OAuth state) already shipped in #68.

Confidence Score: 5/5

Safe to merge — only version metadata and changelog updated, no logic changes.

All three changed files contain only release bookkeeping: version strings, the engines floor, and the dated changelog entry. No source code, no new logic, and no custom rules are violated.

No files require special attention.

Important Files Changed

Filename	Overview
CHANGELOG.md	Adds [0.11.0] - 2026-04-27 release block below the empty [Unreleased] section; content unchanged from #68
package.json	Version bumped from 0.10.0 to 0.11.0; engines.node raised from >=20.0.0 to >=20.15.0
package-lock.json	Lock file synced to reflect version 0.11.0 and updated engines.node floor

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["PR #70 — v0.11.0 release prep"] --> B["package.json\nversion: 0.10.0 → 0.11.0\nengines.node: ≥20.0.0 → ≥20.15.0"]
    A --> C["package-lock.json\nsynced to 0.11.0"]
    A --> D["CHANGELOG.md\n[Unreleased] → [0.11.0] - 2026-04-27"]
    B & C & D --> E["npm publish v0.11.0\n(post-merge)"]

Loading

_{Reviews (1): Last reviewed commit: "v0.11.0" | Re-trigger Greptile}

[gjtorikian]

should probably get release-please set up here but that's a different concern