chore(deps): update dependency better-auth to ^1.3.4 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
better-auth (source)	^1.4.18 → ^1.3.4

GitHub Vulnerability Alerts

CVE-2025-61928

Summary

A critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. Due to a flaw in how the authenticated user was derived, the endpoints could treat attacker-controlled input as an authenticated user object under certain conditions.

Details

The vulnerability originated from fallback logic used when determining the current user. When no session was present, the handler incorrectly allowed request-body data to populate the user context used for authorization decisions. Because server-side validation only executed when authentication was required, privileged fields were not properly protected. As a result, the API accepted unauthenticated requests that targeted other users.

This same pattern affected both the API key creation and update routes.

Impact

Unauthenticated attackers could generate or modify API keys belonging to any user. This granted full authenticated access as the targeted user and, depending on the user’s privileges, could lead to account compromise, access to sensitive data, or broader application takeover.

GHSA-569q-mpph-wgww

Summary

Affected versions of Better Auth allow an external request to configure baseURL when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users.

This issue is only exploitable when baseURL is not explicitly configured (e.g., BETTER_AUTH_URL is missing) and the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached.

Details

A combination of X-Forwarded-Host and X-Forwarded-Proto is implicitly trusted. This allows the first request to configure baseURL whenever it is not explicitly configured.

Here's the code that reads the headers:

Here's the call to getBaseURL(), the result is assigned to ctx.baseURL.

Here's the router receiving the poisoned basePath:

X-Forwarded-Host and X-Forwarded-Proto can be used to modify the pathname of a parsed URL object which forms baseURL. basePath is then derived from the pathname of baseURL. Once the router basePath is poisoned it fails to match & route incoming requests.

Repro

Start a better-auth server with no baseURL configuration.

Send the following request as the first request to the server:

curl -i --location 'https://example.com/api/auth/ok' \
--header 'X-Forwarded-Proto: some:' \
--header 'X-Forwarded-Host: junk'

The better-auth API check endpoint returns 404.

Now send a regular request without the X-Forwarded-Proto and X-Forwarded-Host headers.

curl -i --location 'https://example.com/api/auth/ok'

The better-auth API check endpoint still returns 404.

Example result

We have modified the basePath for the router until the server is restarted. An attacker can repeatedly send these attack requests aiming to persistently exploit the vulnerability.

GHSA-x732-6j76-qmhm

Summary

An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of disabledPaths and path-based rate limits.

Details

Better Auth uses better-call, which internally relies on rou3 for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result:

• /sign-in/email
• //sign-in/email
• ///sign-in/email

…all resolve to the same route.

Some production setups automatically collapse multiple slashes. This includes:

• Vercel with Nextjs (default)
• Cloudflare - when normalize to urls origin is enabled (https://developers.cloudflare.com/rules/normalization/settings/#normalize-urls-to-origin)

In these environments and other configurations where //path reach Better Auth as /path, the issue does not apply.

Fix

Updating rou3 to the latest version resolves the issue:

• better-call previously depended on "rou3": "^0.5.1"
• The fix was introduced after that version
  (commit: https://github.com/h3js/rou3/commit/f60b43fa648399534507c9ac7db36d705b8874c3)

Better Auth recommends:

1. Upgrading to Better Auth v1.4.5 or later, which includes the updated rou3.
2. Ensuring the proxy normalizes URLs.
3. If project maintainers cannot upgrade yet, they can protect their app by normalizing url before it reaches better-auth handler. See example below:

const req = new Request(...) // this would be the actual request object
const url = new URL(req.url);
const normalizedPath = url.pathname.replace(/\/+/g, "/");

if (url.pathname !== normalizedPath) {
  url.pathname = normalizedPath;
  // Update the raw request pathname
  Object.defineProperty(req, "url", {
    value: url.toString(),
    writable: true,
    configurable: true,
  });
}

Impact

• Bypass disabledPaths
• Bypass path-based rate limits

The impact of bypassing disabled paths could vary based on a project's configuration.

---

Release Notes

better-auth/better-auth (better-auth)

v1.4.5

Compare Source

v1.4.4

Compare Source

   🚀 Features

• cli: Better-auth-command  -  by @​Ridhim-RR in #​6362 (5e06f)
• scim: Add support to parse custom scim+json media type  -  by @​jonathansamines in #​6365 (6e9ec)

   🐞 Bug Fixes

• Customizing fields should be optional for rate limit options  -  by @​ceolinwill in #​6398 (115c9)
• Chunk account data cookie when exceeding limit  -  by @​jslno in #​6393 (c9eca)
• Remove applying user-agent by default  -  by @​Bekacru in #​6417 (34d7d)
• Additional fields default values should apply when creating session  -  by @​Bekacru in #​5763 (d5713)
• Return null early if userid isn't defined  -  by @​Bekacru in #​6418 (e4508)
• logger: Log level priority  -  by @​danielfinke in #​6411 (4c25b)
• mcp: Return origin url as authorization server  -  by @​jslno in #​6397 (594bb)
• multi-session: Endpoints breaks with invalid signatures  -  by @​ping-maxwell in #​6342 (9433e)
• oidc-provider: Resolve getSignedCookie return type  -  by @​bytaesu in #​6346 (425dd)

    View changes on GitHub

v1.4.3

Compare Source

   🚀 Features

• Add Vercel as OAuth provider  -  by @​anatrajkovska in #​6316 (6fd02)
• Add support for trusted proxy headers in base URL inference  -  by @​Bekacru and Copilot in #​6285 (c4c0b)

   🐞 Bug Fixes

• Support @​tanstack/solid-start in tanstackStartCookies plugin "  -  by @​Bekacru in #​6235 (781d7)
• open-api: Clean up incorrect null type in OpenAPI  -  by @​bytaesu in #​6293 (f9cba)
• two-factor: Remove incorrect blocking logic in OTP setup and verification  -  by @​isaacriehm in #​6322 (e75d2)

    View changes on GitHub

v1.4.2

Compare Source

   🚀 Features

• cli: Check /auth for auth.ts  -  by @​ping-maxwell in #​6273 (53a74)
• github: Add PKCE support for Github  -  by @​Shridhad in #​6276 (deb62)
• jwt: Allow custom jwks endpoint  -  by @​luist18 in #​6269 (1c45f)

   🐞 Bug Fixes

• Support @​tanstack/solid-start in tanstackStartCookies plugin  -  by @​jakst in #​6235 (c69b3)
• SignIn/signUp API returns user additional field  -  by @​himself65 in #​6287 (5ea36)
• cli:
  • Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder  -  by @​ping-maxwell in #​6214 (b8a73)
  • Prevent duplicate index creation in Prisma schema generation  -  by @​rovertrack in #​6234 (0bbd8)
• client:
  • Get-session gets triggered twice on foucs  -  by @​Bekacru in #​6186 (54852)
• email-otp:
  • Sign-in email-otp bugs with capitalized emails  -  by @​ping-maxwell in #​6237 (fd010)
• oidc-provider:
  • Session shouldn't be required  -  by @​Bekacru in #​6282 (201a7)
• organization:
  • Have deleteOrganization use adapter.deleteMany instead of delete  -  by @​kefimoto in #​6226 (32d3f)

    View changes on GitHub

v1.4.1

Compare Source

   🚀 Features

• api-key: Support secondary storage  -  by @​ping-maxwell and @​Bekacru in #​6014 (44308)

   🐞 Bug Fixes

• Custom fn field default values should be properly evaluted  -  by @​Bekacru and Copilot in #​6212 (590a2)
• jwt: Retrieve latest keys from storage properly  -  by @​Bekacru in #​6208 (6aca4)
• passkey: Change generate-authenticate-options from POST to GET  -  by @​mburumaxwell in #​6199 (f922c)

    View changes on GitHub

v1.4.0

Compare Source

   🚀 Features

• Bypass transaction with async local storage  -  by @​himself65 in #​4711 (52af6)
• Add returnHeaders to getSession  -  by @​frectonz in #​3983 (19d4b)
• Waku integration guide  -  by @​rmarscher in #​3990 (3e75a)
• Add support for custom callback for authorization url  -  by @​Bekacru in #​4919 (78506)
• Additional fields on account  -  by @​dvanmali in #​4935 (bf0ac)
• Add support for custom callback for token url  -  by @​acusti in #​5027 (6bb94)
• Enum support for drizzle schema  -  by @​himself65 in #​5287 (fd780)
• Nextjs 16 guide  -  by @​Kinfe123 and @​himself65 in #​5296 (8db97)
• Add storeStateStrategy  -  by @​himself65 and Copilot in #​5470 (b5f3b)
• Enhance PostgreSQL support for non-public schema by respecting search_path configuration  -  by @​okisdev in #​5449 (bef33)
• Add polar oauth provider  -  by @​ephraimduncan in #​5506 (4b075)
• Session store chunking  -  by @​himself65 and Copilot in #​5645 (0aa6d)
• Stateless session management  -  by @​Bekacru, Copilot, @​ping-maxwell and @​himself65 in #​5601 (afce9)
• Esm only  -  by @​himself65 in #​5703 (b6977)
• Implement automatic server-side IP detection  -  by @​GautamBytes in #​5695 (06e8c)
• Async import in getAdapter  -  by @​himself65 in #​5722 (10249)
• Improved API error page  -  by @​ping-maxwell and @​Bekacru in #​5272 (f9964)
• Add request state  -  by @​himself65 in #​5742 (cea5b)
• Add support for uuids  -  by @​Bekacru in #​5809 (4ac34)
• Auto-index CLI  -  by @​ping-maxwell and @​Bekacru in #​5357 (af6eb)
• Expose additional http methods  -  by @​jonathansamines and @​Bekacru in #​5754 (956e2)
• better-auth/minimal  -  by @​bytaesu and @​Bekacru in #​5704 (1ebc6)
• Add support for custom response status codes  -  by @​jonathansamines and @​Bekacru in #​5806 (fa595)
• Support pass raw function as middleware  -  by @​himself65 in #​5888 (48a20)
• Support pass raw function as middleware "  -  by @​himself65 in #​5888 (a391a)
• Adapter join support  -  by @​ping-maxwell in #​5730 (f5bbb)
• Refactor fetch plugins config disableDefaultFetchPlugins to include userAgentPlugin  -  by @​kaandok and @​himself65 in #​6020 (8e754)
• Utilize database joins across better-auth  -  by @​ping-maxwell in #​6004 (e9f5b)
• Support storing account data in a cookie  -  by @​Bekacru in #​6013 (06606)
• Adding support for SCIM provisioning  -  by @​jonathansamines in #​5685 (ffa29)
• Add support for organization slug on list members  -  by @​Bekacru in #​5862 (31a81)
• anonymous:
  • Support phone number verification for account linking  -  by @​Bekacru in #​5294 (07654)
  • Allow customizing random email generator  -  by @​bytaesu in #​5922 (5d168)
• captcha:
  • Add support for CaptchaFox  -  by @​tgrassl in #​4944 (e03e5)
• cli:
  • Add mcp client configs from cli  -  by @​Kinfe123 and @​himself65 in #​4872 (70cb4)
  • Support Cloudflare Workers virtual module imports  -  by @​chhoumann in #​5559 (cf050)
• client:
  • Refetch session when browser state changes  -  by @​himself65 and Copilot in #​5630 (522cf)
  • Add type helper AuthClient  -  by @​himself65 in #​5815 (7caa2)
  • Introduce disableSignal client option  -  by @​ping-maxwell in #​6108 (f4c43)
• core:
  • Replace ZodType with @standard-schema/spec  -  by @​himself65 in #​5629 (36315)
• db:
  • Delete hooks  -  by @​Kinfe123 and @​himself65 in #​4792 (eb76a)
• device-authorization:
  • Add verification uri  -  by @​bytaesu and @​himself65 in #​5451 (8b2b6)
• discord:
  • Allow specification of permissions  -  by @​TheUntraceable and @​Bekacru in #​4717 (69c9b)
• docs:
  • Adding missing auth & colour in builder  -  by @​okisdev in #​5982 (63518)
• email-otp:
  • Allow returning undefined in generateOTP  -  by @​ping-maxwell in #​4723 (8ac4f)
• expo:
  • Support multiple cookie prefixes for better-auth detection  -  by @​himself65 in #​6080 (f5285)
• generic-oauth:
  • Provide pre configured provider helpers  -  by @​Paola3stefania in #​6085 (07b7e)
  • Add custom token exchange support for non-standard providers  -  by @​bytaesu in #​6179 (0ac6a)
• jwt:
  • Support custom adapter option for jwt  -  by @​Bekacru in #​5812 (10cee)
  • Add JWT verification endpoint and refactor verification logic  -  by @​himself65 in #​6122 (18cf7)
  • Add key rotation  -  by @​Bekacru, Copilot and @​Paola3stefania in #​6147 (0bd9b)
• last-login-method:
  • Update OAuth login method tracking for multiple auth type  -  by @​Kinfe123 in #​4693 (5e7b5)
  • Add support for 'siwe' as a last login method and added tests  -  by @​rovertrack in #​6027 (08316)
• mongodb:
  • Support string IDs over ObjectIDs  -  by @​ping-maxwell and @​ahmedriad1 in #​5384 (0dfe6)
• oauth-proxy:
  • Stateless mode compatibility  -  by @​bytaesu and Copilot in #​6131 (05fa1)
• oidc-provider:
  • Add RP-Initiated Logout endpoint  -  by @​himself65 and Copilot in #​6094 (c9085)
• organization:
  • Support createdAt on invitations  -  by @​iRoachie and @​himself65 in #​2346 (fc321)
  • Refactor organization schema to use BetterAuth types  -  by @​himself65 in #​5515 (a58f1)
• passkey:
  • Allow multiple passkey origins  -  by @​kevcube in #​4800 (3783b)
• paybin:
  • Add Paybin OAuth provider  -  by @​redoh and Copilot in #​5626 (b5813)
• phone-number:
  • Allow custom verifyOTP implementation  -  by @​bytaesu and @​zain in #​5926 (b855a)
• plugin-openapi:
  • Allow passing nonce for CSP  -  by @​GautamBytes in #​5751 (fa147)
• prisma:
  • Enhance JSON default value handling for arrays and objects in schema generation  -  by @​rovertrack in #​5904 (09162)
• session:
  • Use JWE for cookie cache by default  -  by @​himself65 in #​5510 (f654b)
• sso:
  • DefaultSSO options and ACS endpoint  -  by @​Kinfe123 and @​Bekacru in #​3660 (b3ead)
  • Provide default service provider metadata  -  by @​dvanmali in #​4866 (e892a)
  • Add option to provide login hint  -  by @​tnkuehne and Copilot in #​5283 (6f231)
  • Add domain verification for SSO providers  -  by @​jonathansamines and @​ping-maxwell in #​5910 (da965)
• stripe:
  • Upgrade stripe support to v19.1.0  -  by @​okisdev in #​5346 (3a8f4)
  • Add StripePlugin type  -  by @​himself65 in #​5509 (34431)
  • Allow any scheme  -  by @​hyoban, @​Bekacru and Copilot in #​5725 (2451c)
  • Allow flexible types in plan limits  -  by @​bytaesu and @​Bekacru in #​5821 (4011c)

   🐞 Bug Fixes

• Device authorization plugin  -  by @​bytaesu in #​4695 (b9cbd)
• Device authorization plugin  -  by @​bytaesu in #​4695 (c3001)
• Reduce any type in generator.ts  -  by @​himself65 in #​4710 (0770c)
• Refresh secondary storage sessions on user update  -  by @​frectonz in #​4522 (ea89d)
• Allow disable database transaction  -  by @​himself65 in #​4733 (a8776)
• Wrap Math.floor around the division when calculating TTL  -  by @​DevDuki, Dusan Misic, ping-maxwell and @​himself65 in #​4768 (14b9e)
• Ttl sessions list expiration  -  by @​dvanmali in #​3836 (57e04)
• Tests failing due to clock drift  -  by @​dvanmali in #​4915 (63ca1)
• Refresh secondary storage sessions on user update  -  by @​frectonz in #​4522 (ccc7c)
• Refresh secondary storage sessions on user update  -  by @​frectonz in #​4522 (f1b0a)
• Support compressed ipv6 format  -  by @​Velka-DEV in #​4982 (d8f11)
• Add required constraint to slug filed in org plugin  -  by @​bytaesu in #​4989 (0581a)
• Use consistent messaging on requestPasswordReset  -  by @​Eazash in #​5014 (2f94b)
• Cookie size limit shouldn't throw error  -  by @​Bekacru and @​himself65 in #​5031 (72ecc)
• Handle symbols in proxy get trap to prevent TypeError  -  by @​zbeyens and @​himself65 in #​4924 (8d46c)
• Ttl for rate limited secondary storage  -  by @​dvanmali in #​4961 (f246d)
• Properly encode callback url for email verificaiton  -  by @​Bekacru in #​5052 (41d2e)
• Session update database hook should expect partial session type  -  by @​Bekacru in #​5056 (ade06)
• Deprecate options.advanced.generateId type  -  by @​himself65 (48249)
• Api keys should properly check if a request is from client or server  -  by @​Bekacru (2e236)
• Refactor account deletion functions to trigger database hooks  -  by @​xuchenhao001 in #​5114 (dade3)
• Improve username transformation logic  -  by @​ping-maxwell in #​5115 (b2a9e)
• Ensure falsy values are valid default values  -  by @​ocherry341 in #​5182 (03d62)
• Import node:async_hooks directly  -  by @​himself65 in #​5198 (0717e)
• Undeclared variable reference on docs  -  by @​Kinfe123 in #​5235 (6d6df)
• Argument where of type TwoFactorWhereUniqueInput needs at least one of id arguments  -  by @​AlexStrNik in #​5180 (2dab4)
• Mobile ai search responsiveness  -  by @​Kinfe123 in #​5269 (08d95)
• Type compatibility with exactOptionalPropertyTypes  -  by @​Kinfe123 and @​himself65 in #​5236 (f2723)
• Remove deprecated ssoClient export from client plugin  -  by @​Kinfe123 in #​5307 (ee229)
• GetAcccessToken refresh should properly refresh when oauth tokens are encrypted  -  by @​bsklaroff in #​5094 (16236)
• Resolve custom URL scheme origin matching with wildcards  -  by @​AntonVishal and antonvishal in #​5248 (82de6)
• Respect additionalFields returned config for user data when setting cookie cache  -  by @​ahmed-abdat and @​Bekacru in #​5327 (a048f)
• Correct type HookEndpointContext and InternalContext  -  by @​himself65 in #​5359 (89475)
• Add optional chaining for process.platform  -  by @​bytaesu in #​5390 (f547d)
• User-agent requirement when fetching from clients  -  by @​dvanmali in #​5420 (5deb8)
• Unused peer dependency  -  by @​himself65 in #​5465 (3a343)
• Rename sha to branch and made it canary by default  -  by @​max-programming in #​5491 (5bc26)
• Remove deprecated forgetPassword endpoints  -  by @​bytaesu in #​5455 (7b62d)
• Respect onAPIError.errorURL in OAuth callback flow  -  by @​GautamBytes and @​ping-maxwell in #​5523 (9c51f)
• Call db hooks when calling deleteUser  -  by @​ping-maxwell in #​5553 (216dc)
• Allow user update to handle additional fields and validation  -  by @​Bekacru (9c508)
• Missing email validation  -  by @​ahmedriad1 and @​ping-maxwell in #​5593 (bf8e9)
• Urls without protocol shouldn't be able to satisfy a wildcard origin  -  by @​Bekacru in #​5624 (8b355)
• Use standard validator  -  by @​himself65 in #​5627 (285e3)
• Add undefined type for optional property types  -  by @​himself65 in #​5654 (b6d40)
• Type mismatch for 'banned' on UserWithRole  -  by @​GautamBytes in #​5701 (6d7e3)
• Delete duplicate email existence check in changeEmail endpoint  -  by @​DevDuki and Dusan Misic in #​5699 (c6241)
• Add missing userId in listAccounts response  -  by @​bytaesu in #​5731 (9d4ef)
• Trigger use session on revoke sessions  -  by @​Bekacru in #​5761 (e62d3)
• string[] inference for additionalFields  -  by @​GautamBytes in #​5778 (414d0)
• Unsanitized endpoints provided dates will cause DB insert failure  -  by @​ping-maxwell and @​Bekacru in #​5042 (5c8dd)
• Update hooks return should merge with original data  -  by @​Bekacru in #​5852 (0d41f)
• Dont trigger session refresh on magic-link sign-in  -  by @​ping-maxwell in #​5221 (e843e)
• Treat generateId "serial" as numeric ID and correct UUID column types across adapters  -  by @​ping-maxwell in #​5823 (705f7)
• Validate baseURL protocol and improve error messages  -  by @​dmmulroy in #​5902 (1c0ac)
• Use ctx over request in plugin options  -  by @​ping-maxwell in #​5944 (448d7)
• Use identity instead of serial for pg schema  -  by [@​ping-maxwell](https://redirect.github.com/p

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2a227fa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5dbd0da5-6e14-4b25-bf32-9fc7599eda41

📥 Commits

Reviewing files that changed from the base of the PR and between 0b5a3ef and 6cf20e9.

📒 Files selected for processing (1)

• examples/react/projects/package.json

---

📝 Walkthrough

Walkthrough

A single dependency version change: better-auth in examples/react/projects/package.json was changed from ^1.4.18 to ^1.3.4.

Changes

Cohort / File(s)	Summary
Dependency Version Update examples/react/projects/package.json	Downgraded better-auth from ^1.4.18 to ^1.3.4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I nibble on commits beneath moonlight,
A gentle hop, a version slight,
Better-auth steps back in time,
1.3.4 — a snug little rhyme. 🐰✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	PR description is incomplete; required sections from template (Changes, Checklist, Release Impact) are missing or not filled out properly.	Complete the PR template by adding a 'Changes' section describing the update, checking relevant checklist items, and indicating release impact (e.g., whether a changeset is needed).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly describes the main change: updating better-auth dependency to ^1.3.4 and notes security impact.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/npm-better-auth-vulnerability

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@examples/react/projects/package.json`:
- Line 29: Update the better-auth dependency in the manifest from "^1.3.4" to
"^1.4.5" so the package.json floor addresses GHSA-x732-6j76-qmhm and the other
advisories, then regenerate the lockfile (npm/yarn/pnpm lock) so the lock
reflects a single resolved version (remove/replace the 1.3.4 entry and ensure
only the 1.4.x entry, e.g., 1.4.18, is present); target the package.json
"better-auth" entry and the repo lockfile(s) to keep them consistent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c4eedec-9564-4ff0-aba8-2d4712748df8

📥 Commits

Reviewing files that changed from the base of the PR and between c3e6a96 and 52e2e3a.

📒 Files selected for processing (1)

• examples/react/projects/package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify manifest vs lockfile spec and resolved entries for better-auth
rg -n '"better-auth"\s*:' examples/react/projects/package.json
fd pnpm-lock.yaml --exec rg -n 'better-auth(@|:)' {}

Repository: TanStack/db

Length of output: 318

---

🌐 Web query:

What are the patched version ranges for better-auth for CVE-2025-61928, GHSA-569q-mpph-wgww, and GHSA-x732-6j76-qmhm, and do they require >=1.4.5?

💡 Result:

Vulnerability	Vulnerable (affected) better-auth versions	Patched / fixed better-auth versions	Requires >= 1.4.5?
CVE-2025-61928	< 1.3.26	>= 1.3.26	No (1.3.26 is sufficient) [1]
GHSA-569q-mpph-wgww	< 1.4.2	>= 1.4.2	No (1.4.2 is sufficient) [2]
GHSA-x732-6j76-qmhm	< 1.4.5	>= 1.4.5	Yes [3]

If you upgrade to better-auth >= 1.4.5, you’ll be patched for all three. [3]

Sources: [1] [2] [3]

---

Keep better-auth ≥ 1.4.5 to fix all three advisories; resolve lockfile mismatch.

At Line 29, the change to ^1.3.4 introduces a regression. While this floor fixes CVE-2025-61928 (patched ≥ 1.3.26) and GHSA-569q-mpph-wgww (patched ≥ 1.4.2), it leaves GHSA-x732-6j76-qmhm vulnerable (requires ≥ 1.4.5). Given the PR explicitly references these advisories, the version floor should be at least ^1.4.5.

Additionally, the lockfile currently contains both 1.4.18 and 1.3.4 entries but the manifest specifies ^1.3.4, causing misalignment that must be resolved.

Proposed fix

-    "better-auth": "^1.3.4",
+    "better-auth": "^1.4.5",

Then regenerate the lockfile to match.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"better-auth": "^1.3.4",
	"better-auth": "^1.4.5",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/react/projects/package.json` at line 29, Update the better-auth
dependency in the manifest from "^1.3.4" to "^1.4.5" so the package.json floor
addresses GHSA-x732-6j76-qmhm and the other advisories, then regenerate the
lockfile (npm/yarn/pnpm lock) so the lock reflects a single resolved version
(remove/replace the 1.3.4 entry and ensure only the 1.4.x entry, e.g., 1.4.18,
is present); target the package.json "better-auth" entry and the repo
lockfile(s) to keep them consistent.

[coderabbitai]

♻️ Duplicate comments (1)

examples/react/projects/package.json (1)

29-29: ⚠️ Potential issue | 🔴 Critical

Block this security-floor downgrade for better-auth.

At Line 29, changing to ^1.3.4 weakens the minimum version in a security PR and leaves CI broken due to manifest/lockfile mismatch (^1.3.4 vs ^1.4.18). Keep the floor at ^1.4.5 or higher and regenerate the lockfile so both are aligned.

Proposed fix

-    "better-auth": "^1.3.4",
+    "better-auth": "^1.4.5",

#!/bin/bash
# Verify manifest value + lockfile alignment for better-auth (read-only).
rg -n '"better-auth"\s*:' examples/react/projects/package.json
fd 'pnpm-lock.yaml|package-lock.json|yarn.lock' -t f --exec rg -n 'better-auth(@|:)|"better-auth"\s*:'

What are the patched version ranges for better-auth advisories CVE-2025-61928, GHSA-569q-mpph-wgww, and GHSA-x732-6j76-qmhm, and which minimum version fixes all three?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/react/projects/package.json` at line 29, The PR lowered the minimum
allowed version for the dependency "better-auth" from the security floor ^1.4.5
to ^1.3.4, causing a manifest/lockfile mismatch and weakening security; revert
the package.json entry for "better-auth" to ^1.4.5 (or a higher patched minimum)
and regenerate the repository lockfile for the project's package manager
(pnpm/yarn/npm) so the lockfile and manifest match, then run an install to
update the lockfile and commit both updated package.json and the regenerated
lockfile to the branch so CI is consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@examples/react/projects/package.json`:
- Line 29: The PR lowered the minimum allowed version for the dependency
"better-auth" from the security floor ^1.4.5 to ^1.3.4, causing a
manifest/lockfile mismatch and weakening security; revert the package.json entry
for "better-auth" to ^1.4.5 (or a higher patched minimum) and regenerate the
repository lockfile for the project's package manager (pnpm/yarn/npm) so the
lockfile and manifest match, then run an install to update the lockfile and
commit both updated package.json and the regenerated lockfile to the branch so
CI is consistent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 23adf980-1538-43ce-8237-b1825d890257

📥 Commits

Reviewing files that changed from the base of the PR and between 52e2e3a and 0b5a3ef.

📒 Files selected for processing (1)

• examples/react/projects/package.json