deps(deps): bump the minor-updates group across 1 directory with 24 updates

[dependabot]

Bumps the minor-updates group with 24 updates in the / directory:

Package	From	To
@cloudflare/containers	0.3.2	0.3.6
@lucide/svelte	1.8.0	1.17.0
agents	0.11.4	0.13.3
alchemy	0.91.2	0.93.9
better-auth	1.6.5	1.6.13
effect	3.21.1	3.21.2
hono	4.12.14	4.12.23
zod	4.3.6	4.4.3
@cloudflare/vitest-pool-workers	0.14.7	0.16.11
@cloudflare/workers-types	4.20260418.1	4.20260601.1
@internationalized/date	3.12.1	3.12.2
@sveltejs/kit	2.57.1	2.61.1
@sveltejs/vite-plugin-svelte	7.0.0	7.1.2
@tailwindcss/vite	4.2.2	4.3.0
@types/node	25.6.0	25.9.1
bits-ui	2.18.0	2.18.1
svelte	5.55.4	5.56.0
svelte-check	4.4.6	4.5.0
svelte-sonner	1.1.0	1.1.1
tailwind-merge	3.5.0	3.6.0
tailwindcss	4.2.2	4.3.0
vite	8.0.8	8.0.16
vitest	4.1.4	4.1.8
wrangler	4.83.0	4.96.0

Updates @cloudflare/containers from 0.3.2 to 0.3.6

Release notes

Sourced from @​cloudflare/containers's releases.

v0.3.6

Patch Changes

• 9650b2d: Use IdentityTransformStream when proxying deferred HTTP response bodies.
• 5b6eb5f: Remove noisy logs emitted while checking container and port readiness.

v0.3.5

Patch Changes

• a3fe15b: Use the canonical AlarmInvocationInfo type from @cloudflare/workers-types for the alarm() parameter instead of an inline type. This is a no-op for users (the shape is identical), but keeps the override aligned with the Durable Object base class signature.

• ca72a22: Refreshed the examples/ projects:

  • All examples now use the latest TypeScript, Vitest, and Wrangler, and target a current Workers compatibility_date.
  • Worker types are generated by wrangler types, matching current Cloudflare guidance.
  • The examples/timeout/ snippet is now a fully runnable example.
  • Integration tests now run on arm64 hosts (e.g. Apple Silicon) and reliably clean up after themselves.

  No changes to the published library API.

• fc7e7f4: Add return types to exported functions and public methods to satisfy ESLint and improve type checking.

• eabe7ac: Clarify the license for this library matches that of @cloudflare/workers-sdk, which is dual licensed under either MIT OR Apache-2.0.

• df8699a: Tighten the return type of Container#onError from any to unknown. Subclasses that override onError can still return any value. This should be a no-op for most users.

• 45274ea: Preserve original errors as cause when wrapping abort/timeout errors during container startup, making it easier to debug the underlying failure.

• 19c1709: Reset container state after failed startup or terminal monitor errors, avoid stale monitor callbacks updating newer instances, and apply configured constructor startup options.

v0.3.4

Patch Changes

• 8442f40: Fix a race in Container where concurrent container.fetch calls to a cold container could throw "start() cannot be called on a container that is already running.".

• cf01432: Ensure pending stop events are processed when the persisted container lifecycle state is still running but the underlying container has already exited.

  Migrate the root unit test suite from Jest to Vitest and add a test:unit script for running src/tests directly.

• cf41295: Fix subclass sleepAfter overrides being ignored during the initial activity timeout setup. Previously, the base Container constructor called renewActivityTimeout() inside blockConcurrencyWhile() before subclass class-field initializers ran, so the first sleepAfterMs was always computed from the base default ('10m') regardless of whether the subclass declared sleepAfter = '2h'. A container could then be killed by the activity timeout before the subclass's longer window took effect on the next renewActivityTimeout call. Declarations like:

  class BigContainer extends Container {
    sleepAfter = '2h';
  }

  are now honored from the very first alarm check.

• 07fedbb: Preserve Cloudchamber startup rate-limit errors in the Containers helper and return HTTP 429 from containerFetch() when startup is rate limited.

... (truncated)

Changelog

Sourced from @​cloudflare/containers's changelog.

0.3.6

Patch Changes

• 9650b2d: Use IdentityTransformStream when proxying deferred HTTP response bodies.
• 5b6eb5f: Remove noisy logs emitted while checking container and port readiness.

0.3.5

Patch Changes

• a3fe15b: Use the canonical AlarmInvocationInfo type from @cloudflare/workers-types for the alarm() parameter instead of an inline type. This is a no-op for users (the shape is identical), but keeps the override aligned with the Durable Object base class signature.

• ca72a22: Refreshed the examples/ projects:

  • All examples now use the latest TypeScript, Vitest, and Wrangler, and target a current Workers compatibility_date.
  • Worker types are generated by wrangler types, matching current Cloudflare guidance.
  • The examples/timeout/ snippet is now a fully runnable example.
  • Integration tests now run on arm64 hosts (e.g. Apple Silicon) and reliably clean up after themselves.

  No changes to the published library API.

• fc7e7f4: Add return types to exported functions and public methods to satisfy ESLint and improve type checking.

• eabe7ac: Clarify the license for this library matches that of @cloudflare/workers-sdk, which is dual licensed under either MIT OR Apache-2.0.

• df8699a: Tighten the return type of Container#onError from any to unknown. Subclasses that override onError can still return any value. This should be a no-op for most users.

• 45274ea: Preserve original errors as cause when wrapping abort/timeout errors during container startup, making it easier to debug the underlying failure.

• 19c1709: Reset container state after failed startup or terminal monitor errors, avoid stale monitor callbacks updating newer instances, and apply configured constructor startup options.

0.3.4

Patch Changes

• 8442f40: Fix a race in Container where concurrent container.fetch calls to a cold container could throw "start() cannot be called on a container that is already running.".

• cf01432: Ensure pending stop events are processed when the persisted container lifecycle state is still running but the underlying container has already exited.

  Migrate the root unit test suite from Jest to Vitest and add a test:unit script for running src/tests directly.

• cf41295: Fix subclass sleepAfter overrides being ignored during the initial activity timeout setup. Previously, the base Container constructor called renewActivityTimeout() inside blockConcurrencyWhile() before subclass class-field initializers ran, so the first sleepAfterMs was always computed from the base default ('10m') regardless of whether the subclass declared sleepAfter = '2h'. A container could then be killed by the activity timeout before the subclass's longer window took effect on the next renewActivityTimeout call. Declarations like:

  class BigContainer extends Container {
    sleepAfter = '2h';
  }

  are now honored from the very first alarm check.

• 07fedbb: Preserve Cloudchamber startup rate-limit errors in the Containers helper and return HTTP 429 from containerFetch() when startup is rate limited.

0.3.3

Patch Changes

... (truncated)

Commits

• d63074d Merge pull request #215 from cloudflare/changeset-release/main
• 4c24683 Version Packages
• b7dd165 Merge pull request #216 from cloudflare/gv/noisy
• 5b6eb5f containers: Remove noisy logs
• 23a96df Merge pull request #214 from cloudflare/gv/identity
• 9650b2d Switch up TransformStream to IdentityTransformStream for deferred proxying
• 4a50257 Merge pull request #206 from cloudflare/changeset-release/main
• d8cf366 Version Packages
• f38f249 Merge pull request #213 from cloudflare/gv/onstop
• 19c1709 containers: tighten up all catch() paths in main monitor tracking of the cont...
• Additional commits viewable in compare view

Updates @lucide/svelte from 1.8.0 to 1.17.0

Release notes

Sourced from @​lucide/svelte's releases.

Version 1.17.0

What's Changed

• chore(lucide-vue-next|lucide-svelte|lucide-angular): Remove deprecated packages by @​ericfennis in lucide-icons/lucide#4376
• chore(repo): Update issue templates and documentation for package ren… by @​ericfennis in lucide-icons/lucide#4379
• feat(site): Adds survey overlay to website by @​ericfennis in lucide-icons/lucide#4380
• feat(site): Certificate dev links by @​ericfennis in lucide-icons/lucide#4390
• fix(icons): changed martini icon by @​jamiemlaw in lucide-icons/lucide#4335
• chore(deps): bump brace-expansion from 1.1.11 to 5.0.6 by @​dependabot[bot] in lucide-icons/lucide#4386
• chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 by @​dependabot[bot] in lucide-icons/lucide#4404
• chore(deps): bump devalue from 5.8.0 to 5.8.1 by @​dependabot[bot] in lucide-icons/lucide#4391
• chore(deps): bump ws from 8.18.0 to 8.20.1 by @​dependabot[bot] in lucide-icons/lucide#4392
• fix(gh-icon): limit icon size to a maximum of 256 pixels by @​jguddas in lucide-icons/lucide#4398
• chore(dependencies): Update dependencies by @​ericfennis in lucide-icons/lucide#4377
• feat(copilot): Adding copilot instructions by @​ericfennis in lucide-icons/lucide#4407
• feat(icons): add globe-check by @​Barakudum in lucide-icons/lucide#4342
• feat(metadata): Require use-cases in meta json by @​ericfennis in lucide-icons/lucide#4321
• feat(icons): added parasol icon by @​karsa-mistmere in lucide-icons/lucide#4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

Version 1.16.0

What's Changed

• feat(icons): added blender icon by @​rrod497 in lucide-icons/lucide#3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

Version 1.15.0

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in lucide-icons/lucide#4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in lucide-icons/lucide#4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in lucide-icons/lucide#4340
• fix(icons): changed landmark icon by @​jamiemlaw in lucide-icons/lucide#4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in lucide-icons/lucide#4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in lucide-icons/lucide#4349
• fix(icons): changed candy-cane icon by @​jguddas in lucide-icons/lucide#4148
• fix(icons): changed volleyball icon by @​jamiemlaw in lucide-icons/lucide#4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in lucide-icons/lucide#3567
• feat(icon): added broccoli icon by @​swastik7805 in lucide-icons/lucide#4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in lucide-icons/lucide#4359
• feat(icons): added sticky note variants by @​Barakudum in lucide-icons/lucide#4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in lucide-icons/lucide#4361

New Contributors

• @​axtho made their first contribution in lucide-icons/lucide#4339
• @​Barakudum made their first contribution in lucide-icons/lucide#4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

... (truncated)

Commits

• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• 50d8af5 docs(readme): Update readme files (#4320)
• fe0bd9b fix(@​lucide/svelte): proper doc comments for svelte components (#4267)
• See full diff in compare view

Updates agents from 0.11.4 to 0.13.3

Release notes

Sourced from agents's releases.

agents@0.13.3

Patch Changes

• #1580 a1cd51b Thanks @​threepointone! - Improve session auto-compaction estimates by including the Session-managed frozen system prompt, support custom token counters, and expose an auto-compaction error callback.

• #1559 f942ffe Thanks @​cjol! - Stash chat turn recovery metadata before inference starts so interrupted pre-stream turns can be reconciled by chat recovery. Pre-stream interruptions now automatically retry the existing unanswered user message when it is still safe to do so.

• #1579 d0b4d0e Thanks @​threepointone! - Ensure Agent-generated workflow instance IDs always satisfy the Workflows runtime ID validator.

• #1567 3cfa498 Thanks @​cjol! - Return error statuses for in-band stream errors across programmatic chat turns.

• #1578 6fa7fd7 Thanks @​threepointone! - Use path-scoped identities for newly-created sub-agents while preserving legacy bare-name identities for existing registry entries.

• #1578 6fa7fd7 Thanks @​threepointone! - Avoid self-deadlocking facet startup when same-name sub-agents hydrate WebSocket connection state after wake.

agents@0.13.2

Patch Changes

• #1570 4f14b9c Thanks @​threepointone! - Add agents/chat-sdk, a Chat SDK StateAdapter backed by Agents sub-agents.

  This new package entrypoint exports:

  • createChatSdkState(), a convenience factory for Chat SDK state.
  • ChatSdkStateAdapter, the concrete adapter implementation.
  • ChatSdkStateAgent, the default sub-agent used for durable Chat SDK state.
  • defaultThreadShard() and defaultKeyShard(), the default sharding helpers used by the adapter.

  The adapter stores Chat SDK subscriptions, concurrency locks, pending queues, generic cache entries, callback metadata, thread and channel state, persisted message history, and transcript lists in Durable Object SQLite. State is sharded through parent.subAgent() so a messenger ingress Agent can keep Chat SDK infrastructure state inside child facets instead of requiring a separate top-level Durable Object binding for every state shard.

  createChatSdkState() now works with the default ChatSdkStateAgent class when it is re-exported from the Worker entrypoint. It also defaults parent from getCurrentAgent() when called inside an Agent lifecycle method or request handler, so the common setup is:

  export { ChatSdkStateAgent } from "agents/chat-sdk";
  const chat = new Chat({
  adapters,
  state: createChatSdkState(),
  });

  Applications that need custom state behavior can still pass a custom agent subclass and explicit parent.

  This also documents the sub-agent configuration model more clearly: production Workers should export facet classes, but facet-only child classes do not belong in new_sqlite_classes unless they are also used as top-level Durable Objects. Test wrangler configs may still include facet classes as test-only Durable Object bindings for @cloudflare/vitest-pool-workers compatibility, while keeping them out of new_sqlite_classes.

agents@0.13.1

Patch Changes

• #1563 32cde40 Thanks @​threepointone! - Add managed fiber jobs with idempotent acceptance, optional completion waiting, inspection, cancellation, explicit recovery outcomes, and retained terminal status records.

agents@0.13.0

... (truncated)

Changelog

Sourced from agents's changelog.

0.13.3

Patch Changes

• #1580 a1cd51b Thanks @​threepointone! - Improve session auto-compaction estimates by including the Session-managed frozen system prompt, support custom token counters, and expose an auto-compaction error callback.

• #1559 f942ffe Thanks @​cjol! - Stash chat turn recovery metadata before inference starts so interrupted pre-stream turns can be reconciled by chat recovery. Pre-stream interruptions now automatically retry the existing unanswered user message when it is still safe to do so.

• #1579 d0b4d0e Thanks @​threepointone! - Ensure Agent-generated workflow instance IDs always satisfy the Workflows runtime ID validator.

• #1567 3cfa498 Thanks @​cjol! - Return error statuses for in-band stream errors across programmatic chat turns.

• #1578 6fa7fd7 Thanks @​threepointone! - Use path-scoped identities for newly-created sub-agents while preserving legacy bare-name identities for existing registry entries.

• #1578 6fa7fd7 Thanks @​threepointone! - Avoid self-deadlocking facet startup when same-name sub-agents hydrate WebSocket connection state after wake.

0.13.2

Patch Changes

• #1570 4f14b9c Thanks @​threepointone! - Add agents/chat-sdk, a Chat SDK StateAdapter backed by Agents sub-agents.

  This new package entrypoint exports:

  • createChatSdkState(), a convenience factory for Chat SDK state.
  • ChatSdkStateAdapter, the concrete adapter implementation.
  • ChatSdkStateAgent, the default sub-agent used for durable Chat SDK state.
  • defaultThreadShard() and defaultKeyShard(), the default sharding helpers used by the adapter.

  The adapter stores Chat SDK subscriptions, concurrency locks, pending queues, generic cache entries, callback metadata, thread and channel state, persisted message history, and transcript lists in Durable Object SQLite. State is sharded through parent.subAgent() so a messenger ingress Agent can keep Chat SDK infrastructure state inside child facets instead of requiring a separate top-level Durable Object binding for every state shard.

  createChatSdkState() now works with the default ChatSdkStateAgent class when it is re-exported from the Worker entrypoint. It also defaults parent from getCurrentAgent() when called inside an Agent lifecycle method or request handler, so the common setup is:

  export { ChatSdkStateAgent } from "agents/chat-sdk";
  const chat = new Chat({
  adapters,
  state: createChatSdkState(),
  });

  Applications that need custom state behavior can still pass a custom agent subclass and explicit parent.

  This also documents the sub-agent configuration model more clearly: production Workers should export facet classes, but facet-only child classes do not belong in new_sqlite_classes unless they are also used as top-level Durable Objects. Test wrangler configs may still include facet classes as test-only Durable Object bindings for @cloudflare/vitest-pool-workers compatibility, while keeping them out of new_sqlite_classes.

0.13.1

Patch Changes

... (truncated)

Commits

• b504eed Version Packages (#1573)
• a1cd51b Fix session auto-compaction token estimates (#1580)
• 6fa7fd7 Fix facet identity self-deadlocks (#1578)
• d0b4d0e fix: generate valid default workflow IDs (#1579)
• 3cfa498 fix: fire chat responses for errors returned before parts are returned (#1567)
• f942ffe feat: Stash chat metadata for recovery before inference starts (#1559)
• 5beeeb4 Version Packages (#1572)
• 4f14b9c Add Chat SDK state adapter and messenger admin UI (#1570)
• a5bc238 Version Packages (#1562)
• 32cde40 Add Chat SDK messenger example with managed fiber durability (#1563)
• Additional commits viewable in compare view

Updates alchemy from 0.91.2 to 0.93.9

Release notes

Sourced from alchemy's releases.

v0.93.9

   🐞 Bug Fixes

• cloudflare: Preserve original URL through dev tunnel  -  by @​sam-goodwin in alchemy-run/alchemy#1415 (55158)

    View changes on GitHub

v0.93.8

   🐞 Bug Fixes

• stripe: Coerce Price *_decimal fields to string  -  by @​skusez in alchemy-run/alchemy#1401 (97180)

    View changes on GitHub

v0.93.7

   🚀 Features

• cli: Add alchemy state commands (tree, list, get)  -  by @​sam-goodwin in alchemy-run/alchemy#1400 (ec7be)
• cloudflare: Add Zero Trust Access resources  -  by @​G4brym in alchemy-run/alchemy#1399 (e0ad2)

    View changes on GitHub

v0.93.6

No significant changes

    View changes on GitHub

v0.93.5

   🐞 Bug Fixes

• cloudflare: Use container ingress interceptor image  -  by @​john-royal in alchemy-run/alchemy#1398 (e7d68)

    View changes on GitHub

v0.93.4

   🚀 Features

• cloudflare: Enable local explorer  -  by @​john-royal in alchemy-run/alchemy#1397 (b474e)

    View changes on GitHub

v0.93.3

   🐞 Bug Fixes

• cloudflare: Upgrade miniflare/wrangler and move to deps  -  by @​sam-goodwin and John Royal in alchemy-run/alchemy#1396 (74663)

    View changes on GitHub

v0.93.2

   🐞 Bug Fixes

... (truncated)

Changelog

Sourced from alchemy's changelog.

v0.93.9

   🐞 Bug Fixes

• cloudflare: Preserve original URL through dev tunnel  -  by sam in alchemy-run/alchemy#1415 (55158)

    View changes on GitHub

---

v0.93.8

   🐞 Bug Fixes

• stripe: Coerce Price *_decimal fields to string  -  by Jordan in alchemy-run/alchemy#1401 (97180)

    View changes on GitHub

---

v0.93.7

   🚀 Features

• cli: Add alchemy state commands (tree, list, get)  -  by sam in alchemy-run/alchemy#1400 (ec7be)
• cloudflare: Add Zero Trust Access resources  -  by Gabriel Massadas in alchemy-run/alchemy#1399 (e0ad2)

    View changes on GitHub

---

v0.93.6

No significant changes

    View changes on GitHub

---

v0.93.5

   🐞 Bug Fixes

• cloudflare: Use container ingress interceptor image  -  by John Royal in alchemy-run/alchemy#1398 (e7d68)

    View changes on GitHub

---

v0.93.4

... (truncated)

Commits

• 536dce3 chore(release): 0.93.9
• 5515887 fix(cloudflare): preserve original URL through dev tunnel (#1415)
• 3e63ddf chore(release): 0.93.8
• 9718081 fix(stripe): coerce Price *_decimal fields to string (#1401)
• da615c6 chore(release): 0.93.7
• ec7be73 feat(cli): add alchemy state commands (tree, list, get) (#1400)
• e0ad23f feat(cloudflare): add Zero Trust Access resources (#1399)
• 817c99a chore(release): 0.93.6
• c9f5e54 chore(release): 0.93.5
• e7d6800 fix(cloudflare): use container ingress interceptor image (#1398)
• Additional commits viewable in compare view

Updates better-auth from 1.6.5 to 1.6.13

Release notes

Sourced from better-auth's releases.

v1.6.13

better-auth

Features

• Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

• Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
• Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
• Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
• Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
• Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
• Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed SAML Single Logout leaving the user signed in due to session deletion matching on row ID instead of session token
• Fixed ambiguous internalAdapter helper methods that could silently match the wrong account or wipe all sessions for a user (#9818)
• Fixed a high-severity XML injection vulnerability in signed SAML assertions by updating samlify to 2.13.1 (GHSA-34r5-q4jw-r36m) (#9821)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed verifyApiKey rejecting keys created under a non-default configId when the request omitted configId (#9794)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed a silent failure in consumeOne when an adapter's deleteMany returned a non-numeric value, now surfacing a clear error (#9831)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

• Fixed sign-in being lost on Expo when a provider issues large tokens, by splitting oversized account cookies across multiple storage keys (#9815)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.13

Patch Changes

• #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

  auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

  The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

• #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

  Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

  Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

• #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

  /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

• #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

  Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

  The redirect-URI scheme policy now lives in @better-auth/core as a single SafeUrlSchema and an isSafeUrlScheme helper, and the OAuth provider plugins share that one implementation. The client navigation helpers (redirectPlugin, one-tap, and two-factor) also skip navigation when the target uses one of these schemes.

  The change is non-breaking. The http, https, loopback, and custom application schemes still register unchanged. Both oidc-provider and mcp are on the migration path to @better-auth/oauth-provider, which remains the route to its stricter HTTPS-or-loopback policy.

• #9842 87c1a0c Thanks @​bytaesu! - You can now clear an organization's logo by passing logo: null to createOrganization and updateOrganization. Previously only a string was accepted, so an existing logo could not be removed.

• #9822 9c8ded6 Thanks @​gustavovalverde! - Document viewBackupCodes as a server-only function so its API comment no longer reads like an HTTP route.

  The JSDoc above auth.api.viewBackupCodes advertised POST /two-factor/view-backup-codes, but the endpoint is server-only: it is not registered on the HTTP router and has no client method. The comment now states that it is callable only from trusted server code and that the userId should come from an authenticated session.

• #8758 23d7cbf Thanks @​bytaesu! - Apply accountLinking.updateUserInfoOnLink across every OAuth link flow.

  Enabling updateUserInfoOnLink only synced the user's profile when linking through a direct ID token. Linking through the standard OAuth redirect (linkSocial, the generic OAuth oauth2.link endpoint, and implicit linking on social sign-in) ignored the option, so the name and image never changed. Every link path now honors it.

  The synced fields match the sign-up path: name, image, and any fields your mapProfileToUser adds. The local email and emailVerified are never changed on a link, so linking a provider cannot rebind the account's identity.

  Implicit linking on social sign-in also returned the pre-update user, so the freshly issued session served stale profile data from its cookie cache until the cache expired. The new session now carries the updated profile.

• Updated dependencies [43c08a2, 5c3e248]:

  • @​better-auth/core@​1.6.13
  • @​better-auth/drizzle-adapter@​1.6.13
  • @​better-auth/kysely-adapter@​1.6.13
  • @​better-auth/memory-adapter@​1.6.13
  • @​better-auth/mongo-adapter@​1.6.13

... (truncated)

Commits

• a6f38c7 chore: release v1.6.13 (#9804)
• 87c1a0c fix(organization): allow null logo on create and update (#9842)
• be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
• 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
• 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
• 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
• d3919dc feat(account): support server-side accountInfo calls without session header...
• 5f282bd fix(account): default storeStateStrategy to "database" when using `secondar...
• c0c574e chore: release v1.6.12 (#9590)
• c5b9f93 fix(generic-oauth): add accessTokenExpiresIn for providers that omit `expir...
• Additional commits viewable in compare view

Updates effect from 3.21.1 to 3.21.2

Release notes

Sourced from effect's releases.

effect@3.21.2

Patch Changes

• #6194 74f3267 Thanks @​mikearnaldi! - Fix TestClock.unsafeCurrentTimeNanos() to floor fractional millisecond instants before converting them to BigInt.

Changelog

Sourced from effect's changelog.

3.21.2

Patch Changes

• #6194 74f3267 Thanks @​mikearnaldi! - Fix TestClock.unsafeCurrentTimeNanos() to floor fractional millisecond instants before converting them to BigInt.

Commits

• 39c934c Version Packages (#6195)
• 74f3267 fix: floor TestClock nanoseconds before BigInt conversion (#6194)
• See full diff in compare view

Updates hono from 4.12.14 to 4.12.23

Release notes

Sourced from hono's releases.

v4.12.23

What's Changed

• fix(serve-static): normalize all backslashes in file paths, not just the first in honojs/hono#4962
• feat(context): export the Context class publicly by @​BlankParticle in honojs/hono#4543
• docs(contribution): add AI Usage Policy by @​yusukebe in Description has been truncated