Skip to content

Bump better-auth from 1.6.20 to 1.6.23#78

Merged
exekias merged 1 commit into
mainfrom
dependabot/npm_and_yarn/better-auth-1.6.23
Jul 2, 2026
Merged

Bump better-auth from 1.6.20 to 1.6.23#78
exekias merged 1 commit into
mainfrom
dependabot/npm_and_yarn/better-auth-1.6.23

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps better-auth from 1.6.20 to 1.6.23.

Release notes

Sourced from better-auth's releases.

v1.6.23

better-auth

Features

  • Added Yandex as a social OAuth provider (#9138)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed affected row counting for D1 and postgres-js adapters (#10257)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.

For detailed changes, see CHANGELOG

auth

Bug Fixes

  • Fixed string default values not being properly escaped in the generated Drizzle schema (#10259)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​vladflotsky

Full changelog: v1.6.22...v1.6.23

v1.6.22

better-auth

Bug Fixes

  • Fixed unproven credentials not being revoked during magic link and email OTP sign-in (#10239)
  • Fixed server-side OAuth requests to refuse redirect responses instead of following them (#10241)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.23

Patch Changes

  • #9138 8581f97 Thanks @​vladflotsky! - Add a pre-configured Yandex provider helper for the generic OAuth plugin.

  • Updated dependencies [930b260]:

    • @​better-auth/drizzle-adapter@​1.6.23
    • @​better-auth/core@​1.6.23
    • @​better-auth/kysely-adapter@​1.6.23
    • @​better-auth/memory-adapter@​1.6.23
    • @​better-auth/mongo-adapter@​1.6.23
    • @​better-auth/prisma-adapter@​1.6.23
    • @​better-auth/telemetry@​1.6.23

1.6.22

Patch Changes

  • #10239 c06a56d Thanks @​gustavovalverde! - Magic-link and email-OTP sign-in now reset the credentials on an account whose email had never been confirmed. When verification resolves to such an account, any existing password on it is removed and its sessions are revoked before the user is signed in, so proven control of the mailbox is the source of truth for the account.

    If you signed up with email and password but first signed in through a magic link or email OTP rather than confirming the verification email, your password is cleared and you will need to set a new one through password reset.

  • #10240 3a035e9 Thanks @​gustavovalverde! - Add account-level lockout for two-factor verification. The attempt limit applies per account across sign-in challenges and across factors: TOTP, email-OTP, and backup codes share one counter, and a successful verification resets it.

    Enabled by default: an account locks for 15 minutes after 10 consecutive failed verifications, and locked attempts return 429 with the ACCOUNT_TEMPORARILY_LOCKED error code. Configure it with twoFactor({ accountLockout: { enabled, maxFailedAttempts, durationSeconds } }).

    Run a database migration after upgrading: this adds failedVerificationCount and lockedUntil columns to the twoFactor table.

  • Updated dependencies [8bd43d9]:

    • @​better-auth/core@​1.6.22
    • @​better-auth/drizzle-adapter@​1.6.22
    • @​better-auth/kysely-adapter@​1.6.22
    • @​better-auth/memory-adapter@​1.6.22
    • @​better-auth/mongo-adapter@​1.6.22
    • @​better-auth/prisma-adapter@​1.6.22
    • @​better-auth/telemetry@​1.6.22

1.6.21

Patch Changes

  • #10212 e0762a1 Thanks @​bytaesu! - In root-mounted deployments, requests whose path does not start with the configured basePath now return 404 instead of resolving to an endpoint.

  • #10187 882cf9e Thanks @​ping-maxwell! - Admin permission changes and bans now take effect immediately for admin APIs, even when session cookie cache is enabled. Sensitive session checks also continue to work in stateless apps where signed cookies are the session record.

  • #9939 f52e1ab Thanks @​benpsnyder! - fixes a bug causing deviceAuthorization() throwing a ZodError at construction when called without a schema option

  • #10196 b5bec19 Thanks @​Paola3stefania! - OAuth sign-up and account-link profile sync now ignore provider profile values for user fields marked input: false. Input-allowed additional fields still persist from mapProfileToUser, and schema defaults still apply when OAuth creates a user. Apps that used mapProfileToUser to fill input: false fields should set those fields in server-side provisioning code instead.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) from 1.6.20 to 1.6.23.
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.23/packages/better-auth)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
@vercel

vercel Bot commented Jun 29, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
learn-postgres Ready Ready Preview Jun 29, 2026 11:27pm

@exekias exekias merged commit 54ea09d into main Jul 2, 2026
2 checks passed
@exekias exekias deleted the dependabot/npm_and_yarn/better-auth-1.6.23 branch July 2, 2026 09:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant