Skip to content

Update dependency @clerk/nextjs to v7#279

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/clerk-nextjs-7.x
Open

Update dependency @clerk/nextjs to v7#279
renovate[bot] wants to merge 1 commit intomainfrom
renovate/clerk-nextjs-7.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 4, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@clerk/nextjs (source) ^6.39.0^7.0.4 age confidence

Release Notes

clerk/javascript (@​clerk/nextjs)

v7.0.4

Compare Source

Patch Changes

v7.0.2

Compare Source

Patch Changes

v7.0.1

Compare Source

Patch Changes

v7.0.0

Compare Source

Major Changes

  • Align experimental/unstable prefixes to use consistent naming: (#​7361) by @​brkalow

    • Renamed all __unstable_* methods to __internal_* (for internal APIs)
    • Renamed all experimental__* and experimental_* methods to __experimental_* (for beta features)
    • Removed deprecated billing-related props (__unstable_manageBillingUrl, __unstable_manageBillingLabel, __unstable_manageBillingMembersLimit) and experimental__forceOauthFirst

  • Renamed __unstable_invokeMiddlewareOnAuthStateChange to __internal_invokeMiddlewareOnAuthStateChange. (#​7925) by @​jacekradko

  • useAuth().getToken is no longer undefined during server-side rendering, it is a function and calling it will throw. (#​7730) by @​Ephem

    • If you are only using getToken in useEffect, event handlers or with non-suspenseful data fetching libraries, no change is necessary as these only trigger on the client.
    • If you are using suspenseful data fetching libraries that do trigger during SSR, you likely have strategies in place to avoid calling getToken already, since this has never been possible.
    • If you are using getToken === undefined checks to avoid calling it, know that it will now throw instead and you should catch and handle the error.
    async function doThingWithToken(getToken: GetToken) {
  try {
    const token = await getToken();

    // Use token
  } catch (error) {
    if (isClerkRuntimeError(error) && error.code === 'clerk_runtime_not_browser') {
      // Handle error
    }
  }
}

    To access auth data server-side, see the Auth object reference doc.

  • Refactor React SDK hooks to subscribe to auth state via useSyncExternalStore. This is a mostly internal refactor to unlock future improvements, but includes a few breaking changes and fixes. (#​7411) by @​Ephem

    Breaking changes:

    • Removes ability to pass in initialAuthState to useAuth
      • This was added for internal use and is no longer needed
      • Instead pass in initialState to the <ClerkProvider>, or dynamic if using the Next package
      • See your specific SDK documentation for more information on Server Rendering

    Fixes:

    • A bug where useAuth would sometimes briefly return the initialState rather than undefined
      • This could in certain situations incorrectly lead to a brief user: null on the first page after signing in, indicating a signed out state
    • Hydration mismatches in certain rare scenarios where subtrees would suspend and hydrate only after clerk-js had loaded fully

  • Updating minimum version of Node to v20.9.0 (#​6936) by @​jacekradko

  • Throw an error when an encryption key is missing when passing a secret key at runtime clerkMiddleware(). To migrate, ensure your application specifies a CLERK_ENCRYPTION_KEY environment variable when passing secretKey as a runtime option. (#​7360) by @​brkalow

  • Return 401 instead of 404 for unauthenticated server action requests in auth.protect() (#​7820) by @​jacekradko

  • Remove clerkJSUrl, clerkJSVersion, clerkUIUrl, and clerkUIVersion props from all SDKs. To pin a specific version of @clerk/clerk-js, import the Clerk constructor from @clerk/clerk-js and pass it to ClerkProvider via the Clerk prop. To pin a specific version of @clerk/ui, import ui from @clerk/ui and pass it via the ui prop. This bundles the modules directly with your application instead of loading them from the CDN. (#​7879) by @​jacekradko

  • Remove all previously deprecated UI props across the Next.js, React and clerk-js SDKs. The legacy afterSign(In|Up)Url/redirectUrl props, UserButton sign-out overrides, organization hideSlug flags, OrganizationSwitcher's afterSwitchOrganizationUrl, Client.activeSessions, setActive({ beforeEmit }), and the ClerkMiddlewareAuthObject type alias are no longer exported. Components now rely solely on the new redirect options and server-side configuration. (#​7243) by @​jacekradko

  • Introduce <Show when={...}> as the cross-framework authorization control component and remove <Protect>, <SignedIn>, and <SignedOut> in favor of <Show>. (#​7373) by @​jacekradko

  • getToken() now throws ClerkOfflineError instead of returning null when the client is offline. (#​7598) by @​bratsos

    This makes it explicit that a token fetch failure was due to network conditions, not authentication state. Previously, returning null could be misinterpreted as "user is signed out," potentially causing the cached token to be cleared.

    To handle this change, catch ClerkOfflineError from getToken() calls:

    import { ClerkOfflineError } from '@&#8203;clerk/react/errors';

try {
  const token = await session.getToken();
} catch (error) {
  if (ClerkOfflineError.is(error)) {
    // Handle offline scenario - show offline UI, retry later, etc.
  }
  throw error;
}

  • Drop support for next@13 and next@14 since they have reached EOL. Now >= [email protected] is required. (#​7197) by @​panteliselef

Minor Changes

  • Add unsafe_disableDevelopmentModeConsoleWarning option to disable the development mode warning that's emitted to the console when Clerk is first loaded. (#​7505) by @​dstaley

  • Add Frontend API proxy support via frontendApiProxy option in clerkMiddleware (#​7602) by @​brkalow

  • Introducing setup_mfa session task (#​7626) by @​octoper

  • Remove clerkJSVariant option and headless bundle. Use prefetchUI={false} instead. (#​7629) by @​jacekradko

  • Add ui prop to ClerkProvider for passing @clerk/ui (#​7664) by @​jacekradko

  • Add standalone getToken() function for retrieving session tokens outside of framework component trees. (#​7325) by @​bratsos

    This function is safe to call from anywhere in the browser, such as API interceptors, data fetching layers (e.g., React Query, SWR), or vanilla JavaScript code. It automatically waits for Clerk to initialize before returning the token.

    import { getToken } from '@​clerk/nextjs'; // or any framework package

    // Example: Axios interceptor
    axios.interceptors.request.use(async (config) => {
    const token = await getToken();
    if (token) {
    config.headers.Authorization = Bearer ${token};
    }
    return config;
    });

  • Export useOrganizationCreationDefaults hook to fetch suggested organization name and logo from default naming rules (#​7694) by @​LauraBeatris

  • Add /types subpath export to re-export types from @clerk/shared/types along with SDK-specific types. This allows importing Clerk types directly from the SDK package (e.g., import type { UserResource } from '@&#8203;clerk/react/types') without needing to install @clerk/types as a separate dependency. (#​7644) by @​nikosdouvlis

  • Add HandleSSOCallback component which handles the SSO callback during custom flows, including support for sign-in-or-up. (#​7678) by @​dstaley

  • Introduce <UNSAFE_PortalProvider> component which allows you to specify a custom container for Clerk floating UI elements (popovers, modals, tooltips, etc.) that use portals. Only Clerk components within the provider will be affected, components outside the provider will continue to use the default document.body for portals. (#​7310) by @​alexcarpenter

    This is particularly useful when using Clerk components inside external UI libraries like Radix Dialog or React Aria Components, where portaled elements need to render within the dialog's container to remain interact-able.

    'use client';

import { useRef } from 'react';
import * as Dialog from '@&#8203;radix-ui/react-dialog';
import { UNSAFE_PortalProvider, UserButton } from '@&#8203;clerk/nextjs';

export function UserDialog() {
  const containerRef = useRef<HTMLDivElement>(null);

  return (
    <Dialog.Root>
      <Dialog.Trigger>Open Dialog</Dialog.Trigger>
      <Dialog.Portal>
        <Dialog.Overlay />
        <Dialog.Content ref={containerRef}>
          <UNSAFE_PortalProvider getContainer={() => containerRef.current}>
            <UserButton />
          </UNSAFE_PortalProvider>
        </Dialog.Content>
      </Dialog.Portal>
    </Dialog.Root>
  );
}
Patch Changes

  • Fix an App Router navigation edge case where duplicate in-flight redirects to the same destination could leave Clerk's awaitable navigation pending indefinitely. (#​7865) by @​bratsos

  • Rename dev browser APIs to remove JWT terminology. The dev browser identifier is now a generic ID, so internal naming has been updated to reflect this. No runtime behavior changes. (#​7930) by @​brkalow

  • Wire clerkUIVersion option through all framework packages (#​7740) by @​nikosdouvlis

  • Fixed an issue where the CSP nonce generated by clerkMiddleware({ contentSecurityPolicy: { strict: true } }) was not forwarded as a request header. Server components can now access the nonce via headers(), allowing ClerkProvider and Next.js to apply it to <script> tags. (#​7828) by @​jacekradko

  • Fix Turbopack compatibility for ui prop by adding turbopackIgnore magic comment alongside webpackIgnore on the dynamic @clerk/ui/entry import. This prevents both bundlers from statically resolving the optional dependency at build time. (#​7805) by @​jacekradko

  • Fix @clerk/ui/entry bare specifier failing in browser when using ui prop with RSC (#​7809) by @​jacekradko

  • Add exports for useWaitlist hook. (#​7609) by @​alexcarpenter

  • Updating peerDependency for CVE-2025-55182 (#​7423) by @​dominic-clerk

  • Fix race condition that could cause __clerkSharedModules is not defined error when using the shared React UI variant. (#​7685) by @​bratsos

  • Add support for Next.js 16 cache components by improving error detection and providing helpful error messages when auth() or currentUser() are called inside a "use cache" function. (#​7595) by @​jacekradko

  • Add image CDNs to the connect-src Content Security Policy directive (#​7610) by @​LauraBeatris

  • fix: Update getAuthData to use isMachineToken (#​7755) by @​jeremy-clerk

  • Add satelliteAutoSync option to optimize satellite app handshake behavior (#​7597) by @​nikosdouvlis

    Satellite apps currently trigger a handshake redirect on every first page load, even when no cookies exist. This creates unnecessary redirects to the primary domain for apps where most users aren't authenticated.

    New option: satelliteAutoSync (default: false)

    • When false (default): Skip automatic handshake if no session cookies exist, only trigger after explicit sign-in action
    • When true: Satellite apps automatically trigger handshake on first load (previous behavior)

    New query parameter: __clerk_sync

    • __clerk_sync=1 (NeedsSync): Triggers handshake after returning from primary sign-in
    • __clerk_sync=2 (Completed): Prevents re-sync loop after handshake completes

    Backwards compatible: Still reads legacy __clerk_synced=true parameter.

    SSR redirect fix: Server-side redirects (e.g., redirectToSignIn() from middleware) now correctly add __clerk_sync=1 to the return URL for satellite apps. This ensures the handshake is triggered when the user returns from sign-in on the primary domain.

    CSR redirect fix: Client-side redirects now add __clerk_sync=1 to all redirect URL variants (forceRedirectUrl, fallbackRedirectUrl) for satellite apps, not just the default redirectUrl.

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 04:59 AM, Monday through Friday ( * 0-4 * * 1-5 ) in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/clerk-nextjs-7.x branch 2 times, most recently from 1fe7d3d to bc9155d Compare March 9, 2026 21:44
@renovate renovate bot force-pushed the renovate/clerk-nextjs-7.x branch from bc9155d to bc42437 Compare March 11, 2026 04:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants