deps(deps): bump the minor-updates group across 1 directory with 24 updates

[dependabot]

Bumps the minor-updates group with 24 updates in the / directory:

Package	From	To
@cloudflare/containers	0.3.2	0.3.7
@lucide/svelte	1.8.0	1.21.0
agents	0.11.4	0.16.2
alchemy	0.91.2	0.93.12
better-auth	1.6.5	1.6.20
effect	3.21.1	3.21.4
hono	4.12.14	4.12.26
zod	4.3.6	4.4.3
@cloudflare/vitest-pool-workers	0.14.7	0.16.18
@cloudflare/workers-types	4.20260418.1	4.20260621.1
@internationalized/date	3.12.1	3.12.2
@sveltejs/adapter-cloudflare	7.2.8	7.2.9
@sveltejs/kit	2.57.1	2.66.0
@sveltejs/vite-plugin-svelte	7.0.0	7.1.2
@tailwindcss/vite	4.2.2	4.3.1
bits-ui	2.18.0	2.18.1
svelte	5.55.4	5.56.3
svelte-check	4.4.6	4.6.0
svelte-sonner	1.1.0	1.1.1
tailwind-merge	3.5.0	3.6.0
tailwindcss	4.2.2	4.3.1
vite	8.0.8	8.0.16
vitest	4.1.4	4.1.9
wrangler	4.83.0	4.103.0

Updates @cloudflare/containers from 0.3.2 to 0.3.7

Release notes

Sourced from @​cloudflare/containers's releases.

v0.3.7

Patch Changes

• a5fd50a: Prevent startup and stop handling races from persisting a stopped state for a running container.

v0.3.6

Patch Changes

• 9650b2d: Use IdentityTransformStream when proxying deferred HTTP response bodies.
• 5b6eb5f: Remove noisy logs emitted while checking container and port readiness.

v0.3.5

Patch Changes

• a3fe15b: Use the canonical AlarmInvocationInfo type from @cloudflare/workers-types for the alarm() parameter instead of an inline type. This is a no-op for users (the shape is identical), but keeps the override aligned with the Durable Object base class signature.

• ca72a22: Refreshed the examples/ projects:

  • All examples now use the latest TypeScript, Vitest, and Wrangler, and target a current Workers compatibility_date.
  • Worker types are generated by wrangler types, matching current Cloudflare guidance.
  • The examples/timeout/ snippet is now a fully runnable example.
  • Integration tests now run on arm64 hosts (e.g. Apple Silicon) and reliably clean up after themselves.

  No changes to the published library API.

• fc7e7f4: Add return types to exported functions and public methods to satisfy ESLint and improve type checking.

• eabe7ac: Clarify the license for this library matches that of @cloudflare/workers-sdk, which is dual licensed under either MIT OR Apache-2.0.

• df8699a: Tighten the return type of Container#onError from any to unknown. Subclasses that override onError can still return any value. This should be a no-op for most users.

• 45274ea: Preserve original errors as cause when wrapping abort/timeout errors during container startup, making it easier to debug the underlying failure.

• 19c1709: Reset container state after failed startup or terminal monitor errors, avoid stale monitor callbacks updating newer instances, and apply configured constructor startup options.

v0.3.4

Patch Changes

• 8442f40: Fix a race in Container where concurrent container.fetch calls to a cold container could throw "start() cannot be called on a container that is already running.".

• cf01432: Ensure pending stop events are processed when the persisted container lifecycle state is still running but the underlying container has already exited.

  Migrate the root unit test suite from Jest to Vitest and add a test:unit script for running src/tests directly.

• cf41295: Fix subclass sleepAfter overrides being ignored during the initial activity timeout setup. Previously, the base Container constructor called renewActivityTimeout() inside blockConcurrencyWhile() before subclass class-field initializers ran, so the first sleepAfterMs was always computed from the base default ('10m') regardless of whether the subclass declared sleepAfter = '2h'. A container could then be killed by the activity timeout before the subclass's longer window took effect on the next renewActivityTimeout call. Declarations like:

  class BigContainer extends Container {
    sleepAfter = '2h';
  }

... (truncated)

Changelog

Sourced from @​cloudflare/containers's changelog.

0.3.7

Patch Changes

• a5fd50a: Prevent startup and stop handling races from persisting a stopped state for a running container.

0.3.6

Patch Changes

• 9650b2d: Use IdentityTransformStream when proxying deferred HTTP response bodies.
• 5b6eb5f: Remove noisy logs emitted while checking container and port readiness.

0.3.5

Patch Changes

• a3fe15b: Use the canonical AlarmInvocationInfo type from @cloudflare/workers-types for the alarm() parameter instead of an inline type. This is a no-op for users (the shape is identical), but keeps the override aligned with the Durable Object base class signature.

• ca72a22: Refreshed the examples/ projects:

  • All examples now use the latest TypeScript, Vitest, and Wrangler, and target a current Workers compatibility_date.
  • Worker types are generated by wrangler types, matching current Cloudflare guidance.
  • The examples/timeout/ snippet is now a fully runnable example.
  • Integration tests now run on arm64 hosts (e.g. Apple Silicon) and reliably clean up after themselves.

  No changes to the published library API.

• fc7e7f4: Add return types to exported functions and public methods to satisfy ESLint and improve type checking.

• eabe7ac: Clarify the license for this library matches that of @cloudflare/workers-sdk, which is dual licensed under either MIT OR Apache-2.0.

• df8699a: Tighten the return type of Container#onError from any to unknown. Subclasses that override onError can still return any value. This should be a no-op for most users.

• 45274ea: Preserve original errors as cause when wrapping abort/timeout errors during container startup, making it easier to debug the underlying failure.

• 19c1709: Reset container state after failed startup or terminal monitor errors, avoid stale monitor callbacks updating newer instances, and apply configured constructor startup options.

0.3.4

Patch Changes

• 8442f40: Fix a race in Container where concurrent container.fetch calls to a cold container could throw "start() cannot be called on a container that is already running.".

• cf01432: Ensure pending stop events are processed when the persisted container lifecycle state is still running but the underlying container has already exited.

  Migrate the root unit test suite from Jest to Vitest and add a test:unit script for running src/tests directly.

• cf41295: Fix subclass sleepAfter overrides being ignored during the initial activity timeout setup. Previously, the base Container constructor called renewActivityTimeout() inside blockConcurrencyWhile() before subclass class-field initializers ran, so the first sleepAfterMs was always computed from the base default ('10m') regardless of whether the subclass declared sleepAfter = '2h'. A container could then be killed by the activity timeout before the subclass's longer window took effect on the next renewActivityTimeout call. Declarations like:

  class BigContainer extends Container {
    sleepAfter = '2h';
  }

  are now honored from the very first alarm check.

... (truncated)

Commits

• 298169f Merge pull request #219 from cloudflare/changeset-release/main
• 5ee33ce Version Packages
• 84da034 Merge pull request #218 from cloudflare/gv/on-exit-improvements
• a5fd50a fix: Make sure an alarm can't call onStop in the middle of a start()
• d63074d Merge pull request #215 from cloudflare/changeset-release/main
• 4c24683 Version Packages
• b7dd165 Merge pull request #216 from cloudflare/gv/noisy
• 5b6eb5f containers: Remove noisy logs
• 23a96df Merge pull request #214 from cloudflare/gv/identity
• 9650b2d Switch up TransformStream to IdentityTransformStream for deferred proxying
• Additional commits viewable in compare view

Updates @lucide/svelte from 1.8.0 to 1.21.0

Release notes

Sourced from @​lucide/svelte's releases.

Version 1.21.0

What's Changed

• ci(release.yml): Remove new-version in release flow by @​ericfennis in lucide-icons/lucide#4478
• ci(release.yml): Fix workflow and remove version scripts in package scripts by @​ericfennis in lucide-icons/lucide#4479
• fix(docs): rename navigation category label by @​Hsiii in lucide-icons/lucide#4483
• feat(icons): added broken-bone icon by @​Patolord in lucide-icons/lucide#4131

New Contributors

• @​Hsiii made their first contribution in lucide-icons/lucide#4483
• @​Patolord made their first contribution in lucide-icons/lucide#4131

Full Changelog: lucide-icons/lucide@1.20.0...1.21.0

Version 1.20.0

What's Changed

• fix(icons): decreased size of arrows inside square-arrow-* icons by @​jguddas in lucide-icons/lucide#3926
• chore(tags): Add tags to search- icons by @​jamiemlaw in lucide-icons/lucide#4099
• feat(icons): added save-check icon by @​Konixy in lucide-icons/lucide#3120
• feat(icons): added tag-plus and tag-x icons by @​adam-kov in lucide-icons/lucide#3980
• feat(icons): added banknote-check icon by @​mfjramirezf in lucide-icons/lucide#3956
• feat(icons): added clock-arrow-in icon by @​jguddas in lucide-icons/lucide#2403
• feat(icons): added summary icon by @​jpjacobpadilla in lucide-icons/lucide#3114
• feat(icons): added user-round-arrow-in icon by @​jguddas in lucide-icons/lucide#2283
• feat(icons): added clock-arrow-out icon by @​jguddas in lucide-icons/lucide#2404
• docs(docs): fix broken Svelte package source link in README by @​SRKrukowski in lucide-icons/lucide#4468
• chore(deps-dev): bump @​angular/compiler from 21.2.5 to 21.2.17 by @​dependabot[bot] in lucide-icons/lucide#4474
• chore(deps-dev): bump @​angular/core from 21.2.5 to 21.2.17 by @​dependabot[bot] in lucide-icons/lucide#4470
• chore(deps-dev): bump vitest from 4.0.12 to 4.1.0 by @​dependabot[bot] in lucide-icons/lucide#4429
• chore(deps-dev): bump markdown-it from 14.1.1 to 14.2.0 by @​dependabot[bot] in lucide-icons/lucide#4475
• chore(deps-dev): bump @​angular/common from 21.2.5 to 21.2.17 by @​dependabot[bot] in lucide-icons/lucide#4471
• feat(icons): added pencil-sparkles icon by @​jennieboops in lucide-icons/lucide#4445

New Contributors

• @​Konixy made their first contribution in lucide-icons/lucide#3120
• @​adam-kov made their first contribution in lucide-icons/lucide#3980
• @​mfjramirezf made their first contribution in lucide-icons/lucide#3956
• @​SRKrukowski made their first contribution in lucide-icons/lucide#4468
• @​jennieboops made their first contribution in lucide-icons/lucide#4445

Full Changelog: lucide-icons/lucide@1.19.0...1.20.0

Version 1.19.0

What's Changed

• chore(deps): upgrade pnpm to version 11.6.0 by @​ericfennis in lucide-icons/lucide#4458
• feat(icons): added star-* icons by @​RajnishKMehta in lucide-icons/lucide#3918
• chore(suggest-tags): Update metadata suggestion script by @​ericfennis in lucide-icons/lucide#4462
• feat(icons): added save-pen icon by @​vaporvee in lucide-icons/lucide#4179
• feat(icons): added wrench-off icon by @​nilsjonsson in lucide-icons/lucide#4434
• feat(icons): added ad icon by @​jamiemlaw in lucide-icons/lucide#4323
• feat(icons): added eye-dashed icon by @​karsa-mistmere in lucide-icons/lucide#4415

... (truncated)

Commits

• 5ff536e ci(release.yml): Fix workflow and remove version scripts in package scripts...
• 07c885e fix(docs): fix zephyr-cloud URL in readmes
• 50d8af5 docs(readme): Update readme files (#4320)
• fe0bd9b fix(@​lucide/svelte): proper doc comments for svelte components (#4267)
• See full diff in compare view

Updates agents from 0.11.4 to 0.16.2

Release notes

Sourced from agents's releases.

agents@0.16.2

Patch Changes

• #1767 f03dee6 Thanks @​threepointone! - Reduce Think Durable Object SQLite reads during normal wakes and text-only turns.

  Think now avoids automatic media-eviction scans until hydration has been windowed or an oversized appended message has been observed. The shared resumable stream buffer also avoids per-wake metadata-column introspection by creating new tables with the current columns and lazily migrating legacy tables only when a stream write needs it.

• #1722 9f8e14b Thanks @​mattzcarey! - Fix two MCP client OAuth bugs found by the new conformance suite, and add MCP conformance testing.

  • MCPClientConnection now finishes OAuth on the transport that received the 401. A fresh transport loses the resource metadata URL from the WWW-Authenticate header, so token exchange fell back to the default /token path and failed against authorization servers at non-default locations.
  • MCPClientConnection.init() detaches the previous transport before reconnecting. Re-authorizing after a mid-session 401 (scope step-up, token revocation) previously failed permanently with "Already connected to a transport".
  • Added the official @modelcontextprotocol/conformance suite (as used by the MCP TypeScript SDK) running against the MCP client (Agent + MCPClientManager), McpAgent, and createMcpHandler + WorkerTransport — all hosted in workerd via wrangler dev. See packages/agents/conformance/README.md.

• #1767 f03dee6 Thanks @​threepointone! - Cache the active branch tip in AgentSessionProvider so finding the latest leaf no longer scans the whole session on every read and append.

  latestLeafRow() previously ran an anti-join over every message row (O(rows)) to locate the branch tip — on each hydration AND each auto-parent append, so on long transcripts it dominated a wake's read cost. The tip is now maintained in place on append/delete/clear; a cached tip is re-validated on read with an O(1) existence + still-childless check (so it self-heals if another writer deletes the tip or gives it a child), and the full scan only runs when that check fails or the cache is cold. Per-hydration and per-append tip lookups drop from O(rows) to O(1), and the full scan never runs more often than before.

agents@0.16.1

Patch Changes

• #1757 92a5ba1 Thanks @​threepointone! - Bump the partyserver dependency to ^0.5.8, which base64-encodes the x-partykit-props header so props containing non-ASCII characters (e.g. accented names) no longer trigger workerd's "header value contains non-ASCII characters" warning (which throws a TypeError in browser fetch implementations). The header is decoded back to the original Unicode payload on the server, and raw-JSON values from older callers are still accepted for backwards compatibility.

• #1754 151d457 Thanks @​threepointone! - Pin accepted WebSocket connections to binaryType = "arraybuffer". On Worker compatibility_dates >= 2026-03-17 the runtime defaults a server WebSocket's binaryType to "blob" (the websocket_standard_binary_type flag), so binary frames arrive as Blob instead of ArrayBuffer. The Agent protocol and every downstream consumer (e.g. @cloudflare/voice audio frames, user onMessage handlers that check message instanceof ArrayBuffer) have always relied on ArrayBuffer. The Agent now sets connection.binaryType = "arraybuffer" when a connection is established, restoring the historical contract regardless of compatibility date without requiring the no_websocket_standard_binary_type flag. (The hibernatable webSocketMessage handler always delivers ArrayBuffer, so this only affects non-hibernating agents.)

  Also bumps the partyserver dependency to ^0.5.7, which pins binaryType at the connection layer (accept()), accepts non-hibernating connections in half-open mode, and suppresses retryable transport-teardown errors on already-closing/closed connections. With partyserver now pinning binaryType itself, the Agent's own pin becomes defense-in-depth (kept for older partyserver versions and custom connections) and runs once per connection per isolate lifetime instead of on every state access.

• #1754 151d457 Thanks @​threepointone! - Add Browser Run Live View support to the browser tools. The cdp connector gains a getLiveViewUrl({ targetId?, mode? }) tool that returns a link a human

... (truncated)

Changelog

Sourced from agents's changelog.

0.16.2

Patch Changes

• #1767 f03dee6 Thanks @​threepointone! - Reduce Think Durable Object SQLite reads during normal wakes and text-only turns.

  Think now avoids automatic media-eviction scans until hydration has been windowed or an oversized appended message has been observed. The shared resumable stream buffer also avoids per-wake metadata-column introspection by creating new tables with the current columns and lazily migrating legacy tables only when a stream write needs it.

• #1722 9f8e14b Thanks @​mattzcarey! - Fix two MCP client OAuth bugs found by the new conformance suite, and add MCP conformance testing.

  • MCPClientConnection now finishes OAuth on the transport that received the 401. A fresh transport loses the resource metadata URL from the WWW-Authenticate header, so token exchange fell back to the default /token path and failed against authorization servers at non-default locations.
  • MCPClientConnection.init() detaches the previous transport before reconnecting. Re-authorizing after a mid-session 401 (scope step-up, token revocation) previously failed permanently with "Already connected to a transport".
  • Added the official @modelcontextprotocol/conformance suite (as used by the MCP TypeScript SDK) running against the MCP client (Agent + MCPClientManager), McpAgent, and createMcpHandler + WorkerTransport — all hosted in workerd via wrangler dev. See packages/agents/conformance/README.md.

• #1767 f03dee6 Thanks @​threepointone! - Cache the active branch tip in AgentSessionProvider so finding the latest leaf no longer scans the whole session on every read and append.

  latestLeafRow() previously ran an anti-join over every message row (O(rows)) to locate the branch tip — on each hydration AND each auto-parent append, so on long transcripts it dominated a wake's read cost. The tip is now maintained in place on append/delete/clear; a cached tip is re-validated on read with an O(1) existence + still-childless check (so it self-heals if another writer deletes the tip or gives it a child), and the full scan only runs when that check fails or the cache is cold. Per-hydration and per-append tip lookups drop from O(rows) to O(1), and the full scan never runs more often than before.

0.16.1

Patch Changes

• #1757 92a5ba1 Thanks @​threepointone! - Bump the partyserver dependency to ^0.5.8, which base64-encodes the x-partykit-props header so props containing non-ASCII characters (e.g. accented names) no longer trigger workerd's "header value contains non-ASCII characters" warning (which throws a TypeError in browser fetch implementations). The header is decoded back to the original Unicode payload on the server, and raw-JSON values from older callers are still accepted for backwards compatibility.

• #1754 151d457 Thanks @​threepointone! - Pin accepted WebSocket connections to binaryType = "arraybuffer". On Worker compatibility_dates >= 2026-03-17 the runtime defaults a server WebSocket's binaryType to "blob" (the websocket_standard_binary_type flag), so binary frames arrive as Blob instead of ArrayBuffer. The Agent protocol and every downstream consumer (e.g. @cloudflare/voice audio frames, user onMessage handlers that check message instanceof ArrayBuffer) have always relied on ArrayBuffer. The Agent now sets connection.binaryType = "arraybuffer" when a connection is established, restoring the historical contract regardless of compatibility date without requiring the no_websocket_standard_binary_type flag. (The hibernatable webSocketMessage handler always delivers ArrayBuffer, so this only affects non-hibernating agents.)

  Also bumps the partyserver dependency to ^0.5.7, which pins binaryType at the connection layer (accept()), accepts non-hibernating connections in half-open mode, and suppresses retryable transport-teardown errors on already-closing/closed connections. With partyserver now pinning binaryType itself, the Agent's own pin becomes defense-in-depth (kept for older partyserver versions and custom connections) and runs once per connection per isolate lifetime instead of on every state access.

... (truncated)

Commits

• 8019e61 Version Packages (#1768)
• 9f8e14b feat(mcp): MCP conformance test suites + two OAuth client fixes (#1722)
• f03dee6 fix: reduce Think SQLite read amplification (#1767)
• 6f1f71a Version Packages (#1756)
• 92a5ba1 Update Kimi model references to kimi-k2.7-code and bump partyserver to 0.5.8 ...
• 151d457 Browser Run: Live View, Session Recording & Quick Actions + WebSocket/compat ...
• ef85f0a Version Packages (#1708)
• 99c9326 fix(agents): defer agent teardown to its own alarm invocation so canceled req...
• c18a446 fix: stop oversized sessions from bricking the DO with SQLITE_NOMEM on wake (...
• 4ec3b07 fix(agents): ignore RPC responses after socket close (#1748)
• Additional commits viewable in compare view

Updates alchemy from 0.91.2 to 0.93.12

Release notes

Sourced from alchemy's releases.

v0.93.12

   🐞 Bug Fixes

• cloudflare:
  • Update edge preview api for remote bindings  -  by @​john-royal in alchemy-run/alchemy#1434 (2dc9c)
  • Handle domain exists  -  by @​Mkassabov in alchemy-run/alchemy#1436 (a202e)

    View changes on GitHub

v0.93.11

   🚀 Features

• cloudflare: Update Container constraints schema  -  by @​julienroubieu in alchemy-run/alchemy#1432 (bd9d6)

    View changes on GitHub

v0.93.10

   🐞 Bug Fixes

• cloudflare:
  • Defer R2Bucket api client until non-local path  -  by @​sam-goodwin in alchemy-run/alchemy#1429 (e58de)
  • Bind BrowserRendering to BrowserRun runtime type  -  by @​sam-goodwin in alchemy-run/alchemy#1431 (08873)
  • Forward jurisdiction header for R2 object operations  -  by @​sam-goodwin in alchemy-run/alchemy#1426 (41744)

    View changes on GitHub

v0.93.9

   🐞 Bug Fixes

• cloudflare: Preserve original URL through dev tunnel  -  by @​sam-goodwin in alchemy-run/alchemy#1415 (55158)

    View changes on GitHub

v0.93.8

   🐞 Bug Fixes

• stripe: Coerce Price *_decimal fields to string  -  by @​skusez in alchemy-run/alchemy#1401 (97180)

    View changes on GitHub

v0.93.7

   🚀 Features

• cli: Add alchemy state commands (tree, list, get)  -  by @​sam-goodwin in alchemy-run/alchemy#1400 (ec7be)
• cloudflare: Add Zero Trust Access resources  -  by @​G4brym in alchemy-run/alchemy#1399 (e0ad2)

    View changes on GitHub

v0.93.6

No significant changes

... (truncated)

Changelog

Sourced from alchemy's changelog.

v0.93.12

   🐞 Bug Fixes

• cloudflare:
  • Update edge preview api for remote bindings  -  by John Royal in alchemy-run/alchemy#1434 (2dc9c)
  • Handle domain exists  -  by Michael K in alchemy-run/alchemy#1436 (a202e)

    View changes on GitHub

---

v0.93.11

   🚀 Features

• cloudflare: Update Container constraints schema  -  by Julien Roubieu in alchemy-run/alchemy#1432 (bd9d6)

    View changes on GitHub

---

v0.93.10

   🐞 Bug Fixes

• cloudflare:
  • Defer R2Bucket api client until non-local path  -  by sam in alchemy-run/alchemy#1429 (e58de)
  • Bind BrowserRendering to BrowserRun runtime type  -  by sam in alchemy-run/alchemy#1431 (08873)
  • Forward jurisdiction header for R2 object operations  -  by sam in alchemy-run/alchemy#1426 (41744)

    View changes on GitHub

---

v0.93.9

   🐞 Bug Fixes

• cloudflare: Preserve original URL through dev tunnel  -  by sam in alchemy-run/alchemy#1415 (55158)

    View changes on GitHub

---

v0.93.8

   🐞 Bug Fixes

• stripe: Coerce Price *_decimal fields to string  -  by Jordan in alchemy-run/alchemy#1401 (97180)

... (truncated)

Commits

• d58304f chore(release): 0.93.12
• a202eb0 fix(cloudflare): handle domain exists (#1436)
• 2dc9ca1 fix(cloudflare): update edge preview api for remote bindings (#1434)
• 842ae22 chore(release): 0.93.11
• bd9d60e feat(cloudflare): update Container constraints schema (#1432)
• a56c9b0 chore(release): 0.93.10
• 41744d6 fix(cloudflare): forward jurisdiction header for R2 object operations (#1426)
• 088735e fix(cloudflare): bind BrowserRendering to BrowserRun runtime type (#1431)
• e58deb0 fix(cloudflare): defer R2Bucket api client until non-local path (#1429)
• 536dce3 chore(release): 0.93.9
• Additional commits viewable in compare view

Updates better-auth from 1.6.5 to 1.6.20

Release notes

Sourced from better-auth's releases.

v1.6.20

better-auth

Bug Fixes

• Fixed account-linking logs to route through the configured logger (#10121)
• Fixed TypeScript inference errors by declaring inherited APIError properties (#8734)
• Fixed refresh cookie Max-Age to be capped at expiresIn (#9621)

For detailed changes, see CHANGELOG

@better-auth/i18n

Bug Fixes

• Fixed English language fallback behavior and improved i18n documentation (#9872)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​adityachaudhary99, @​dipan-ck, @​sleepe229, @​WilsonnnTan

Full changelog: v1.6.19...v1.6.20

v1.6.19

better-auth

Features

• Added support for pre-binding device codes to a specific user in the device authorization plugin (#9995)

Bug Fixes

• Fixed headerless session checks (#10053)
• Fixed cookie cache fallback lookup (#9348)
• Fixed sendVerificationEmail errors not being surfaced to the client (#8863)
• Fixed auth client return types not being emitted correctly in TypeScript declaration builds (#10071)
• Fixed session and account cache cookies being silently dropped when near the browser's per-cookie size limit by splitting them into chunks (#10088)
• Fixed single-use verification flows (such as magic-link) hanging on connection-limited database adapters by reusing active transactions (#10070)
• Fixed the domain not being included when clearing cross-subdomain cookies in the last-login-method plugin (#9319)
• Fixed the oauth-popup plugin leaking internal OAuth state keys into additionalData (#10067)
• Reverted the headerless session check fix (#10074)

For detailed changes, see CHANGELOG

auth

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.20

Patch Changes

• #10121 21448b1 Thanks @​adityachaudhary99! - OAuth account-linking and create-user error logs now respect a custom logger configured in betterAuth(), instead of always being written to the default console logger.

• #9621 8ecf238 Thanks @​dipan-ck! - Session refresh no longer emits a cookie Max-Age above the browser's 400-day ceiling when using a database without fractional-second precision.

• #8734 930f534 Thanks @​sleepe229! - declare inherited APIError properties to fix TypeScript inference errors

• Updated dependencies []:

  • @​better-auth/core@​1.6.20
  • @​better-auth/drizzle-adapter@​1.6.20
  • @​better-auth/kysely-adapter@​1.6.20
  • @​better-auth/memory-adapter@​1.6.20
  • @​better-auth/mongo-adapter@​1.6.20
  • @​better-auth/prisma-adapter@​1.6.20
  • @​better-auth/telemetry@​1.6.20

1.6.19

Patch Changes

• #10088 de4aa52 Thanks @​bytaesu! - Session and account cache cookies near the browser's per-cookie size limit (for example with a long cookiePrefix or many cached fields) are now split into chunks instead of being silently dropped by the browser. A cache too large to fit even when chunked is skipped with a warning rather than failing the request, so reads fall back to the database.

• #9995 b4b0266 Thanks @​ElGauchooooo! - The device authorization plugin now accepts an optional user_id when issuing a device code via /device/code, pre-binding the code to that user. Only the bound user can approve or deny the code, so a publicly visible user code can no longer be claimed by someone else.

• #10086 5bd5e1c Thanks @​gustavovalverde! - Refresh-token rotation and token revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance now work on Prisma. Concurrent or repeat requests in these flows could previously return an error on Prisma instead of the expected result.

  On MongoDB servers older than 5.0, these flows and other guarded value updates (rate-limit window resets, API-key refills) no longer fail with an empty-update error.

  @better-auth/core: incrementOne now reports a clear error when called with no increment and no set.

• #9319 581f827 Thanks @​ping-maxwell! - fix(last-login-method): include domain when clearing cross-subdomain cookies

• #10067 8407885 Thanks @​bytaesu! - The oauth-popup plugin now ignores internal OAuth state fields passed through its additionalData parameter, so additionalData only ever carries your own custom values.

• #9555 c1a8a64 Thanks @​ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.

• #10071 635f190 Thanks @​gustavovalverde! - Auth clients exported from wrapper packages can now be emitted in TypeScript declaration builds without extra type annotations.

• #10070 a787e0b Thanks @​gustavovalverde! - Single-use verification flows no longer hang on database adapters that use a one-connection pool. This fixes magic-link verification and similar token checks in connection-limited serverless database setups.

• #9348 c2f718f Thanks @​ping-maxwell! - fix: cookie cache fallback lookup

• #8863 7d18175 Thanks @​ping-maxwell! - sendVerificationEmail was invoked via runInBackgroundOrAwait, which could defer work when advanced.backgroundTasks.handler is configured (so the handler could return 200 before the email callback finished) and, in the default path, caught and logged errors without rethrowing. User callbacks that throw APIError (e.g. 429 from a rate limiter) were therefore not reliably reflected in the HTTP response (better-auth/better-auth#8757).

  Now we await sendVerificationEmailFn so failures surface to the client with the correct status. The unauthenticated /send-verification-email path enforces a constant-time floor (500 ms) so that the response duration does not reveal whether the email belongs to a real unverified user.

• Updated dependencies [0895993, 5bd5e1c, a787e0b]:

... (truncated)

Commits

• c342f42 chore: release v1.6.20 (#10108)
• 21448b1 fix: route account-linking logs through the configured logger (#10121)
• 8ecf238 fix(session): cap refresh cookie Max-Age at expiresIn (#9621)
• ac4d81d chore: release v1.6.19 (#10034)
• 1e69725 docs: clarify stateless Cognito token refresh (#10092)
• de4aa52 fix(cookies): chunk session and account cookies near the browser size limit (...
• 5bd5e1c fix: make guarded state transitions portable on Prisma (#10086)
• 36f345b revert: fix: allow headerless get session checks (#10053) (#10074)Description has been truncated