
Update Routine updates#376

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/routine-updates

@renovate renovate Bot commented May 12, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@better-auth/core (source) 1.6.15 → 1.6.18 age confidence devDependencies patch 1.6.19
@better-auth/test-utils (source) 1.6.15 → 1.6.18 age confidence devDependencies patch 1.6.19
@better-fetch/fetch (source) 1.1.21 → 1.3.0 age confidence dependencies minor 1.3.1
@tailwindcss/postcss (source) 4.3.0 → 4.3.1 age confidence devDependencies patch
@tanstack/react-start (source) 1.167.65 → 1.168.25 age confidence devDependencies minor 1.168.26
@types/mdx (source) 2.0.13 → 2.0.14 age confidence devDependencies patch
@types/node (source) 24.12.3 → 24.13.2 age confidence devDependencies minor
@types/react (source) 19.2.14 → 19.2.17 age confidence devDependencies patch
actions/checkout (changelog) de0fac2 → df4cb1c action digest
better-auth (source) 1.6.15 → 1.6.18 age confidence devDependencies patch 1.6.19
convex-helpers (source) 0.1.116 → 0.1.119 age confidence dependencies patch
convex-test (source) 0.0.51 → 0.0.53 age confidence devDependencies patch
eslint (source) 10.3.0 → 10.5.0 age confidence devDependencies minor
eslint-config-next (source) 16.2.6 → 16.2.9 age confidence devDependencies patch
eslint-plugin-react-refresh 0.5.2 → 0.5.3 age confidence devDependencies patch
fumadocs-core 16.8.8 → 16.10.2 age confidence dependencies minor 16.10.4 (+1)
fumadocs-ui 16.8.8 → 16.10.2 age confidence dependencies minor 16.10.4 (+1)
next (source) 16.2.6 → 16.2.9 age confidence devDependencies patch
next (source) 16.2.6 → 16.2.9 age confidence dependencies patch
pkg-pr-new (source) 0.0.71 → 0.0.75 age confidence devDependencies patch
postcss (source) 8.5.14 → 8.5.15 age confidence devDependencies patch
prettier (source) 3.8.3 → 3.8.4 age confidence devDependencies patch
react (source) 19.2.6 → 19.2.7 age confidence devDependencies patch
react (source) 19.2.6 → 19.2.7 age confidence dependencies patch
react-dom (source) 19.2.6 → 19.2.7 age confidence devDependencies patch
react-dom (source) 19.2.6 → 19.2.7 age confidence dependencies patch
remeda (source) 2.34.0 → 2.39.0 age confidence dependencies minor
semver 7.8.0 → 7.8.4 age confidence dependencies patch
tailwindcss (source) 4.3.0 → 4.3.1 age confidence devDependencies patch
type-fest 5.6.0 → 5.7.0 age confidence dependencies minor
typescript-eslint (source) 8.59.2 → 8.61.0 age confidence devDependencies minor 8.61.1
vitest (source) 4.1.5 → 4.1.8 age confidence devDependencies patch 4.1.9

Release Notes

better-auth/better-auth (@​better-auth/core)

v1.6.18

Compare Source

Patch Changes
  • #​9583 b21a5f7 Thanks @​GautamBytes! - Fix plugin-provided client methods and additional session fields not being inferred in composite monorepos.

v1.6.17

Compare Source

Patch Changes
  • #​9993 baeaa00 Thanks @​gustavovalverde! - Add the optional incrementOne adapter method and the optional SecondaryStorage.increment method. incrementOne atomically applies signed numeric deltas to a single row under a where-clause guard (for example, decrementing a remaining-uses counter only while it is still positive) and returns the updated row, or null when the guard matched no row. Adapters that do not implement it natively keep working through a transaction-based fallback. SecondaryStorage.increment atomically increments a counter and sets its time-to-live only when the key is first created.

  • #​9987 7343284 Thanks @​bytaesu! - Fixed a memory leak where the JWKS cache could grow on every access token verification.

  • #​10003 fdef997 Thanks @​gustavovalverde! - Microsoft Entra ID sign-in now honors the configured tenant restriction. tenantId: "organizations" rejects personal Microsoft accounts, and tenantId: "consumers" rejects work and school accounts. Both were accepted before.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Concurrent requests can no longer slip past the configured rate limit. The in-memory rate-limit store no longer grows without bound, and the database backend removes expired entries on its own. A custom rate-limit storage may implement a new optional consume method for strict enforcement; without it, the previous behavior is kept and a one-time warning is logged.

  • #10003 fdef997 Thanks @gustavovalverde! - A Reddit user with no email now receives a non-routable placeholder address (<id>@reddit.invalid) instead of one on the real reddit.com domain, so it cannot match a deliverable mailbox. The address stays unverified, and mapProfileToUser can supply a real email.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Add internalAdapter.reserveVerificationValue. It atomically records a single-use marker (such as a replay tombstone) so that exactly one of several concurrent callers succeeds and the rest observe that the marker is already taken. Database-backed verification storage is atomic; secondary-storage-only verification is best-effort.

  • #​9990 1dbf5bb Thanks @​gustavovalverde! - Hardens how requests are trusted across several flows. Rate limiting is now enforced even when a client IP cannot be determined, instead of being skipped. When baseURL is not configured, password-reset and verification links use the current request's host rather than the host of the first request the server handled, and a request-scoped trustedOrigins callback no longer affects other concurrent requests. The OAuth proxy, Google One Tap, and the Expo authorization proxy reject redirect and callback targets that are not in trustedOrigins. Google reCAPTCHA and Cloudflare Turnstile accept optional expectedAction and allowedHostnames to reject tokens minted for a different action or hostname. Server-side fetches reject additional reserved IPv6 ranges, and malformed redirect parameters return a 400 instead of a 500.

  • #​10003 fdef997 Thanks @​gustavovalverde! - WeChat sign-in now succeeds with the documented default setup, which previously failed because WeChat returns no email address. The created user receives a stable, unverified placeholder email; supply a real one with mapProfileToUser.

v1.6.16

Compare Source

Patch Changes
  • #​9974 cb1cbfa Thanks @​Bekacru! - Validate Facebook opaque access tokens against the configured app. Previously verifyIdToken returned true for any non-JWT token and getUserInfo called Graph /me with the caller-supplied token without checking which app issued it, so tokens issued for other Facebook apps were not distinguished on the direct sign-in path. Facebook tokens are now inspected via the debug_token endpoint, requiring is_valid, an app_id that matches one of the configured client ids, and a user_id that matches the returned profile, before the token is accepted. A client secret must be configured for access-token sign-in to work.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Enforce the Google hd (hosted domain) option against the id token. Previously hd was only sent to Google as an authorization hint, which does not by itself restrict sign-in to the configured Workspace domain. When hd is set, the hd claim on the verified id token (verifyIdToken) and the decoded callback profile (getUserInfo) must be present and match, otherwise sign-in is rejected.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Scope the JWKS cache per source. Access-token verification previously kept a single global key set and reused it whenever it contained a key matching the token's kid, without considering which JWKS source the verification was for. When verifying tokens against more than one source, a token could end up matched against keys fetched for a different source if the two shared a kid. The cache is now keyed per JWKS source and honors a TTL, so each verification uses the keys for its own source and rotated or removed keys are no longer used after the TTL elapses.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Cryptographically verify PayPal ID tokens on direct sign-in. Previously verifyIdToken only decoded the JWT and checked that a sub claim was present, performing no signature, issuer, audience, or expiration checks, so any well-formed token paired with a valid access token would be accepted. The token is now verified against PayPal's issuer and published JWKS (RS256) or the client secret (HS256), with the aud pinned to the configured clientId, a maxTokenAge bound, and the nonce checked when supplied.

  • #9974 cb1cbfa Thanks @Bekacru! - Stop mapping the Reddit oauth_client_id to the user's email. Reddit's identity scope does not return an email address, and the provider previously stored oauth_client_id (which identifies the OAuth application and is the same for every user of the app) as user.email with has_verified_email as emailVerified. This collapsed all Reddit users of the same app onto a single "verified" email, which could enable implicit account linking/takeover. The Reddit provider now uses the email returned from mapProfileToUser when provided, otherwise falls back to a unique per-user synthetic address (<reddit-user-id>@reddit.com), and no longer marks it as verified. Provide a real email via mapProfileToUser if you need the actual address.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Fix verifyAccessToken silently dropping the configured audience check during remote introspection. Previously, when a required audience was set in verifyOptions but the introspection response omitted the aud claim, audience validation was skipped and any active token from the issuer was accepted — so a token issued for a different resource or client on the same issuer could also pass verification. Verification now requires the claim: a missing or mismatching aud is rejected. Authorization servers that legitimately omit aud from introspection responses (it is OPTIONAL per RFC 7662) can opt back into the old behavior with the new remoteVerify.allowMissingAudience: true flag, which still rejects mismatching audiences.

better-auth/better-auth (@​better-auth/test-utils)

v1.6.18

Compare Source

Patch Changes

v1.6.17

Compare Source

Patch Changes

v1.6.16

Compare Source

Patch Changes
better-auth/better-fetch (@​better-fetch/fetch)

v1.3.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v1.2.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.2.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.2.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
tailwindlabs/tailwindcss (@​tailwindcss/postcss)

v4.3.1

Compare Source

Added
  • Add --silent option to suppress output in @tailwindcss/cli (#​20100)
Fixed
  • Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#​20028)
  • Canonicalization: don't crash when plugin utilities throw for unsupported values (#​20052)
  • Allow @apply to be used with CSS mixins (#​19427)
  • Ensure not-* correctly negates @container queries, including style(…) queries (#​20059)
  • Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#​20080)
  • Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#​20103)
  • Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#​20027)
  • Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#20127)
  • Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
  • Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#​20137)
  • Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#​20139)
  • Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#​20198)
  • Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#​19588)
  • Allow @variant to be used inside addBase (#​19480)
  • Ensure @source globs with symlinks are preserved (#​20203)
  • Ensure later @source rules can re-include files excluded by earlier @source not rules (#​20203)
  • Upgrade: don't migrate empty class rules to invalid @utility rules (#​20205)
  • Ensure transitions between inset-shadow-none and other inset shadows work correctly (#​20208)
  • Ensure explicitly referenced @source directories are scanned even when ignored by git (#​20214)
  • Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#​20217)
  • Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
  • Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#​20228)
Changed
  • Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#​20196)
  • Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#​20196)
TanStack/router (@​tanstack/react-start)

v1.168.25

Compare Source

Patch Changes

v1.168.24

Compare Source

Patch Changes

v1.168.23

Compare Source

Patch Changes

v1.168.22

Compare Source

Patch Changes

v1.168.21

Compare Source

Patch Changes

v1.168.20

Compare Source

Patch Changes

v1.168.19

Compare Source

Patch Changes

v1.168.18

Compare Source

Patch Changes

v1.168.17

Compare Source

Patch Changes

v1.168.16

Compare Source

Patch Changes

v1.168.15

Compare Source

Patch Changes

v1.168.14

Compare Source

Patch Changes
  • #​7492 71fb329 - Avoid pulling the client hydration entry into root @tanstack/react-start and @tanstack/solid-start imports by re-exporting Hydrate from framework client Hydrate-only subpaths.

  • Updated dependencies [71fb329]:

v1.168.13

Compare Source

Patch Changes

v1.168.12

Compare Source

Patch Changes
  • Add Vite bundled dev mode support for TanStack Start. Start now recognizes Vite's experimental.bundledDev opt-in, uses the bundled dev client entry in the dev manifest, keeps server requests pointed at the latest client build output, and preserves import-pro

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • Monday through Friday (* * * * 1-5)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
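
The per-source JWKS cache described in the better-auth v1.6.16 notes above, as an added example that is not part of this PR and is not better-auth's code. The cache functions, source URLs and key values are hypothetical and constructed for illustration; it shows how a single global key set hands back a key fetched for a different source when two sources share a kid, and how keying by source with a TTL avoids that.

```javascript
// Added illustration, not better-auth source. All names here are hypothetical.

// Constructed sample data: two JWKS sources that both publish a key with kid "k1".
const SOURCES = {
  "https://idp-a.example/jwks": [{ kid: "k1", material: "key-of-idp-a" }],
  "https://idp-b.example/jwks": [{ kid: "k1", material: "key-of-idp-b" }],
};

// Stand-in for the HTTP fetch of a JWKS document, so the example runs offline.
function fetchJwks(source) {
  return SOURCES[source] || [];
}

// "Before": one global key set, reused whenever it contains the token's kid.
function makeGlobalCache() {
  let keys = null;
  return {
    getKey(source, kid) {
      const hit = keys && keys.find((k) => k.kid === kid);
      if (hit) return hit; // never asks which source these keys came from
      keys = fetchJwks(source);
      return keys.find((k) => k.kid === kid) || null;
    },
  };
}

// "After": one entry per source, each with its own expiry time.
// `now` is injectable so the TTL behaviour can be exercised deterministically.
function makeScopedCache(ttlMs, now = () => Date.now()) {
  const bySource = new Map();
  return {
    getKey(source, kid) {
      let entry = bySource.get(source);
      if (!entry || now() >= entry.expiresAt) {
        // Missing or expired: refetch, so rotated or removed keys drop out.
        entry = { keys: fetchJwks(source), expiresAt: now() + ttlMs };
        bySource.set(source, entry);
      }
      return entry.keys.find((k) => k.kid === kid) || null;
    },
  };
}
```

A verifier built on the scoped form checks a token's signature only against keys fetched for the source that verification was configured with.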


vercel Bot commented May 12, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
better-auth Ready Ready Preview, Comment Jun 17, 2026 7:13pm


pkg-pr-new Bot commented May 12, 2026


npm i https://pkg.pr.new/@convex-dev/better-auth@376

commit: 5fab04d

@renovate renovate Bot force-pushed the renovate/routine-updates branch from 63dc237 to 87fb859 Compare May 13, 2026 09:38
@renovate renovate Bot changed the title Update Routine updates to v1.6.10 Update Routine updates May 13, 2026
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 87fb859 to 8e9ad8a Compare May 14, 2026 18:34
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 8e9ad8a to 4d7b750 Compare May 14, 2026 20:25
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 4d7b750 to 1787003 Compare May 15, 2026 01:29
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 1787003 to 931f226 Compare May 15, 2026 17:14
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 931f226 to 267cd41 Compare May 16, 2026 12:42
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 267cd41 to e56c97b Compare May 16, 2026 17:23
@renovate renovate Bot force-pushed the renovate/routine-updates branch from e56c97b to 0351eb0 Compare May 16, 2026 21:10
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 0351eb0 to 1c30557 Compare May 17, 2026 09:36
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 1c30557 to fe7ffe2 Compare May 18, 2026 01:28
@renovate renovate Bot force-pushed the renovate/routine-updates branch from fe7ffe2 to 8545fd6 Compare May 18, 2026 11:11
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 8545fd6 to 541d1b4 Compare May 18, 2026 20:39
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 541d1b4 to 470bc50 Compare May 19, 2026 01:42
@renovate renovate Bot force-pushed the renovate/routine-updates branch from f63f20d to 2d561dd Compare May 22, 2026 09:53
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 2d561dd to 8ebc2c3 Compare May 22, 2026 15:47
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 8ebc2c3 to c85954d Compare May 22, 2026 17:57
@renovate renovate Bot force-pushed the renovate/routine-updates branch from c85954d to 1540bb6 Compare May 22, 2026 23:08
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 1540bb6 to bc74f48 Compare May 22, 2026 23:23
@renovate renovate Bot force-pushed the renovate/routine-updates branch from bc74f48 to 6fea059 Compare May 23, 2026 09:56
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 6fea059 to 6c27629 Compare May 23, 2026 12:24
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 6c27629 to 8a95d30 Compare May 23, 2026 21:41
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 8a95d30 to 7ac7b81 Compare May 24, 2026 00:48
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 7ac7b81 to 2f2291a Compare May 24, 2026 08:41
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 2f2291a to 9da4dbe Compare May 24, 2026 20:35
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 9da4dbe to 21066f2 Compare May 25, 2026 01:58
@renovate renovate Bot force-pushed the renovate/routine-updates branch from 21066f2 to e4a7540 Compare May 26, 2026 15:43
@renovate renovate Bot force-pushed the renovate/routine-updates branch from e4a7540 to 940f01b Compare May 27, 2026 01:41