Skip to content

Bump @better-auth/sso from 1.6.9 to 1.6.11#3447

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/better-auth/sso-1.6.11
Open

Bump @better-auth/sso from 1.6.9 to 1.6.11#3447
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/better-auth/sso-1.6.11

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps @better-auth/sso from 1.6.9 to 1.6.11.

Release notes

Sourced from @​better-auth/sso's releases.

v1.6.11

better-auth

Bug Fixes

  • Added an error code to the change-email-disabled response to help clients identify the rejection reason (#8948)
  • Fixed access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript (#9507)
  • Fixed the anonymous plugin to correctly call onLinkAccount when email verification triggers auto sign-in (#9548)
  • Fixed device authorization to bind pending codes to the verifying session, preventing any authenticated user from approving or denying another user's device code (#9573)
  • Fixed a race condition in the magic-link plugin that allowed concurrent requests to mint multiple sessions from the same single-use token (#9572)
  • Fixed the oidc-provider and mcp plugins to require client_secret for confidential clients on refresh token grants and use constant-time secret comparison (#9576)
  • Hardened oidc-provider and mcp plugins to follow OAuth 2.1: removed "none" from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters (#9575)
  • Fixed an invitation takeover vulnerability by enabling requireEmailVerificationOnInvitation by default and extending the verification gate to getInvitation and listUserInvitations (#9577)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed a race condition in the OAuth authorization-code grant that allowed concurrent token-exchange requests to mint multiple token sets from the same authorization code
  • Fixed a race condition in OAuth refresh-token rotation that allowed concurrent requests to fork refresh token families, and added a unique constraint on oauthRefreshToken.token
  • Fixed OAuth account linking to require a verified local email before linking an OAuth identity to a local account (#9578)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

  • Fixed an invalid import list in the instrumentation module (#9582)
  • Widened advanced.ipAddress.ipv6Subnet to accept any valid IPv6 prefix length (0-128) instead of a narrow set of values (#9545)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed session cleanup to run when admin, anonymous, or SCIM operations delete a user (#9162)
  • Fixed generateSCIMToken to reject providerId values that collide with built-in account providers, preventing tokens from authenticating against unintended accounts (#9579)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SSO provider registration to require an org admin or owner role, preventing any organization member from registering providers (#9220)
  • Fixed an SSRF vulnerability by validating user-supplied OIDC endpoint URLs against a public-routable host allowlist at provider registration and update (#9574)

... (truncated)

Changelog

Sourced from @​better-auth/sso's changelog.

1.6.11

Patch Changes

  • #9220 86765f1 Thanks @​stewartjarod! - fix(sso): require org admin role to register SSO providers

    POST /sso/register previously allowed any organization member to register an SSO provider for the organization when organizationId was supplied, only checking membership and not role. This brings it in line with the other provider endpoints (get/update/delete), which go through checkProviderAccessisOrgAdmin and restrict access to owner or admin roles.

    Closes #9133.

  • #9574 37f60cb Thanks @​gustavovalverde! - fix(sso): validate user-supplied OIDC endpoint URLs at provider registration and update

    When skipDiscovery: true was passed to POST /sso/register, or any oidcConfig URL was passed to POST /sso/update-provider, the supplied authorizationEndpoint, tokenEndpoint, userInfoEndpoint, jwksEndpoint, and discoveryEndpoint values were persisted on the provider row without origin validation, then fetched server-side at OIDC callback time. An authenticated user could register or update an SSO provider with internal URLs (RFC 1918, link-local, cloud-metadata FQDNs like 169.254.169.254, loopback) and use the callback handler to coerce the server into making requests to those hosts.

    Both endpoints now run user-supplied OIDC URLs through a layered gate:

    1. URL parsing + http(s) scheme requirement
    2. isPublicRoutableHost from @better-auth/core/utils/host (rejects loopback, RFC 1918, link-local, ULA, cloud-metadata FQDNs, multicast, broadcast, and reserved ranges per RFC 6890)
    3. trustedOrigins allowlist as the documented escape hatch for customers running internal IdPs on private networks

    A request that fails the gate is rejected with BAD_REQUEST and the new discovery_private_host error code (or discovery_invalid_url for malformed URLs / non-http(s) schemes).

  • Updated dependencies [0cbddb8, a26333b, 99a254a, ee93485, 5f09d56, b4bc65a, da7e50b, a1c9f3c, 23094a6, 142b86c, 1f2ff42, b0ef96f, 699b09a, e21d744]:

    • @​better-auth/core@​1.6.11
    • better-auth@1.6.11

1.6.10

Patch Changes

  • #9398 006e809 Thanks @​Craga89! - fix(sso): use findSAMLProvider in spMetadata so defaultSSO providers resolve

    /sso/saml2/sp/metadata was the only SAML endpoint that called adapter.findOne

... (truncated)

Commits
  • f41514e chore: release v1.6.11 (#9532)
  • 37f60cb fix(sso): validate user-supplied OIDC endpoint URLs at registration and updat...
  • 86765f1 fix(sso): require org admin role to register SSO providers (#9220)
  • cbb5014 chore: release v1.6.10 (#9350)
  • 006e809 fix(sso): use findSAMLProvider in spMetadata so defaultSSO works (#9398)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [@better-auth/sso](https://github.com/better-auth/better-auth/tree/HEAD/packages/sso) from 1.6.9 to 1.6.11.
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/sso/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/@better-auth/sso@1.6.11/packages/sso)

---
updated-dependencies:
- dependency-name: "@better-auth/sso"
  dependency-version: 1.6.11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 8, 2026
@dependabot dependabot Bot had a problem deploying to sync-to-agents-private July 8, 2026 17:01 Failure
@changeset-bot

changeset-bot Bot commented Jul 8, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 4181c5a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants