deps: update dependency better-auth to v1.4.18

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
better-auth (source)	1.4.6 → 1.4.18

---

Release Notes

better-auth/better-auth (better-auth)

v1.4.18

Compare Source

   🚀 Features

• Add disableImplicitLinking to accountLinking  -  by @​Paola3stefania and @​himself65 in #​7270 (a7740)
• Mark /forget-password/email-otp as deprecation  -  by @​bytaesu in #​7645 (8f333)
• device-authorization:
  • Add user id checks  -  by @​himself65 in #​7632 (4d79c)
• one-tap:
  • Add button mode for Google sign-in  -  by @​himself65 and Alex Yang in #​7482 (aeb92)
• sso:
  • Support multi-domain providers  -  by @​Paola3stefania in #​7541 (5be34)
  • Add provider list and detail endpoints  -  by @​Paola3stefania and @​himself65 in #​6967 (d0ed1)

   🐞 Bug Fixes

• Correctly handle OAuth callback and Apple email field  -  by @​bytaesu in #​7181 (c918e)
• Centralize cookie parsing and handle Expires dates correctly  -  by @​bytaesu, @​cursoragent, taesu and @​himself65 in #​7556 (d598b)
• Refresh account_data cookie when session is refreshed  -  by @​bytaesu and @​himself65 in #​7576 (5d3f7)
• Remove duplicate secondary storage writes from setSessionCookie  -  by @​bytaesu in #​7592 (7a4bc)
• Set default logger level to "warn"  -  by @​bytaesu, @​cursoragent and taesu in #​7597 (5d0e7)
• Respect the explicitly set sendOnSignUp option  -  by @​bytaesu in #​7593 (33619)
• Handle serial and false cases in generateId  -  by @​bytaesu in #​7474 (949cd)
• Log error when misconfigured  -  by @​himself65 in #​7584 (16201)
• Update google oauth endpoints  -  by @​bytaesu in #​7442 (d401b)
• Consistent api version for facebook provider  -  by @​bytaesu in #​7445 (cf619)
• Check jsconfig.json in getPathAliases  -  by @​jycouet in #​7650 (9cb45)
• 2fa:
  • Server-side trust device expiration and configurable maxAge  -  by @​Paola3stefania and @​himself65 in #​7644 (5d15b)
• anonymous:
  • Export types  -  by @​CalLavicka and @​himself65 in #​7661 (133a2)
• cli:
  • Use inkeep remote mcp url  -  by @​Bekacru in #​7543 (27af8)
  • Update MCP URL from Chonkie to Inkeep  -  by @​Paola3stefania in #​7585 (79621)
• core:
  • Consolidate rateLimit table schema definition  -  by @​bytaesu in #​7551 (ea589)
• email-otp:
  • Add stricter default rate limits for password reset endpoints  -  by @​bytaesu in #​7658 (dcc28)
• expo:
  • Prevent null cookie key when redirect URL has no cookie param  -  by @​bytaesu in #​7555 (d2ca0)
  • Prevent duplicate listener notifications in FocusManager and OnlineManager  -  by @​kimchi-developer and @​himself65 in #​7552 (a3ffb)
• github:
  • Surface OAuth token exchange errors  -  by @​Paola3stefania in #​7186 (94b75)
• mcp:
  • Remove local mpc  -  by @​Paola3stefania in #​7574 (d6d62)
• multi-session:
  • Prevent duplicate cookies when same user signs in multiple times  -  by @​Paola3stefania and @​himself65 in #​7256 (9db76)
• oauth-provider:
  • Properly handle metadata field in client registration  -  by @​Paola3stefania in #​7232 (33015)
• okta:
  • Userinfo route mismatch  -  by @​psigen in #​7602 (acf77)
• organization:
  • Filter returned: false fields from API responses  -  by @​Paola3stefania and @​himself65 in #​7531 (57f1e)
• saml:
  • IdP-Initiated Callback Routing  -  by @​Paola3stefania and Alex Yang in #​6675 (c6f8f)
• session:
  • Skip invalid sessions in list  -  by @​Paola3stefania and @​himself65 in #​7182 (b6986)
• stripe:
  • Allow billing interval change for same plan  -  by @​bytaesu in #​7542 (1cfcc)
  • Find active subscription correctly when upgrading  -  by @​bytaesu in #​7547 (663d4)

   🏎 Performance

• Fix infinite typecheck  -  by @​himself65 in #​7563 (12f4c)

    View changes on GitHub

v1.4.17

Compare Source

   🚀 Features

• two-factor: Add twoFactorCookieMaxAge as a separate option  -  by @​Bekacru (c6e4f)

   🐞 Bug Fixes

• Set default ipv6 subnet to 64  -  by @​himself65 in #​7509 (6ef60)
• cookies: Fallback to isProduction when baseURL is not set  -  by @​bytaesu in #​7159 (f7cbb)
• db: Only exclude returned: false fields from output schemas  -  by @​Paola3stefania in #​7504 (86db4)
• stripe: Allow re-subscribing to the same plan when subscription has expired  -  by @​DIYgod, Claude Opus 4.5, Taesu and @​bytaesu in #​7459 (a1b09)
• two-factor: Improve OTP comparision during hashed and encrypted values  -  by @​Bekacru (22534)

    View changes on GitHub

v1.4.16

Compare Source

   🚀 Features

• admin: Make password field optional on create user  -  by @​Bekacru and @​cursoragent in #​7441 (01bd8)

   🐞 Bug Fixes

• oauth: Set account cookie on re-login when updateAccountOnSignIn is false  -  by @​bytaesu in #​7217 (56bc0)
• organization: Missing activeTeamId field when dynamic access control is enabled  -  by @​longnguyen2004, @​himself65, ping-maxwell and @​ping-maxwell in #​7385 (b7ff1)
• rate-limit: Support IPv6 address normalization and subnet  -  by @​himself65 in #​7470 (1ba5a)

    View changes on GitHub

v1.4.15

Compare Source

   🐞 Bug Fixes

• Update TanStack imports to use server subpath  -  by @​himself65 in #​7446 (a02b3)
• client: Deep merge plugin actions to preserve all methods  -  by @​gustavovalverde in #​7407 (1988c)

    View changes on GitHub

v1.4.14

Compare Source

   🚀 Features

• Add skipTrailingSlashes option to advanced config  -  by @​bytaesu in #​7404 (88e92)
• stripe: Add support for locale option to upgradeSubscription  -  by @​bytaesu in #​7421 (b636b)

   🐞 Bug Fixes

• TanStack Start cookie plugins for React and Solid.js  -  by @​himself65 and Copilot in #​7389 (be37c)
• Centralize schema parsing for API responses  -  by @​bytaesu in #​7414 (a9e44)
• Update Figma provider default scope and oauth endpoints  -  by @​bytaesu in #​7422 (12330)
• Allow empty name on email sign-up  -  by @​jslno in #​7409 (dfcbe)

    View changes on GitHub

v1.4.13

Compare Source

   🚀 Features

• core: Add version in AuthContext  -  by @​himself65 in #​7362 (39fcf)
• integrations: Support both react and solid flavors of tanstack-start  -  by @​asterikx and Erik Müller in #​7340 (3fa5e)
• mcp: Add setup_auth tool  -  by @​Paola3stefania in #​7307 (33aaa)
• organization: Allow rejecting expired invites and filter pending invitations  -  by @​Bekacru, Claude and Copilot in #​7322 (f5bb8)
• scim: Add Microsoft Entra ID SCIM Compatibility  -  by @​cemcevik, Cem Cevik and @​himself65 in #​6589 (d8a1a)

   🐞 Bug Fixes

• Should return dates for expiration fields  -  by @​ping-maxwell and @​himself65 in #​7351 (0dda7)
• Preserve attributes when expiring cookies  -  by @​bytaesu and @​himself65 in #​7363 (f812e)
• expo: Fix cookie-based OAuth state with expo-authorization-proxy  -  by @​ruff-exec and @​bytaesu in #​6933 (fb72a)
• organization: Infer endpoints when dynamic ac and teams enabled  -  by @​jslno in #​7359 (2e83f)
• stripe: Add generic return type to getSchema for proper field inference  -  by @​bytaesu in #​7353 (a043b)

    View changes on GitHub

v1.4.12

Compare Source

   🚀 Features

• oauth: Add custom authorizationEndpoint option  -  by @​bytaesu and Copilot in #​6962 (19db7)

   🐞 Bug Fixes

• anonymous: Define delete-anonymous-user path method  -  by @​ping-maxwell in #​7296 (2012a)
• client: Add refetch to useSession for all clients  -  by @​Paola3stefania in #​7255 (fd4e5)
• core: Remove dual module warning  -  by @​himself65 in #​7308 (7ece1)
• session: Prevent duplicate tokens in active sessions list  -  by @​theonlypal, Taesu, @​bytaesu and @​himself65 in #​7285 (e7221)

    View changes on GitHub

v1.4.11

Compare Source

   🚀 Features

• Add auth.api.verifyPassword  -  by @​SaviruFr and @​himself65 in #​6934 (c0414)
• anonymous: Delete anonymous user endpoint  -  by @​ping-maxwell in #​6377 (cf2b3)
• generic-oauth: Add Gumroad login support  -  by @​ptaberg and @​himself65 in #​7100 (3c5d5)
• saml: Reject SAML responses containing multiple assertions  -  by @​Paola3stefania and Alexander Asomba in #​6836 (40a82)
• stripe: Enhance stripe plugin with organization customer support  -  by @​bytaesu and Cmion in #​7142 (6937f)

   🐞 Bug Fixes

• Filter null values from dynamic trusted origins  -  by @​bytaesu and @​himself65 in #​7080 (0e7a5)
• Call hooks on change-email-verification flow  -  by @​bytaesu in #​7160 (740b2)
• Clean up expired rate-limit entries on memory storage  -  by @​ping-maxwell in #​7161 (89567)
• Set Location header on redirected responses  -  by @​GautamBytes and @​ping-maxwell in #​6232 (59643)
• anonymous:
  • Prevent Convex cleanup from deleting fresh sessions  -  by @​RodrigoRafaelSantos7 and @​ping-maxwell in #​5825 (5630b)
• api-key:
  • Remove strict length pre-check in verifyApiKey  -  by @​GautamBytes and @​ping-maxwell in #​6259 (06db3)
  • Remove double stringify/parse of metadata field  -  by @​xiaoyu2er, @​ping-maxwell and @​himself65 in #​7076 (4d769)
  • Log key verification errors  -  by @​ping-maxwell and @​himself65 in #​7174 (65ea3)
• core:
  • Detect dual module error  -  by @​himself65 in #​7097 (1baaa)
  • Separate CSRF and origin checks  -  by @​Paola3stefania and @​himself65 in #​7204 (35caa)
• docs:
  • Correct tos and policy types in oauth-provider  -  by @​GautamBytes, Gautam Manchandani and @​ping-maxwell in #​7194 (8ec99)
• email-otp:
  • Call afterEmailVerification hook on verification  -  by @​GautamBytes and Gautam Manchandani in #​7121 (396d7)
• email-verification:
  • Sending email verification of another user fails with EMAIL_ALREADY_VERIFIED  -  by @​ping-maxwell in #​7215 (bb5d0)
• mcp:
  • Restore ctx.query from cookie in OAuth flow  -  by @​bytaesu in #​6974 (7bd13)
• one-tap:
  • Respect user dismiss actions in prompt retry logic  -  by @​bytaesu in #​7211 (eb8a5)
• open-api:
  • Correctly infer type for ZodDefault fields  -  by @​MuzzaiyyanHussain and Taesu in #​7150 (6fa91)
• organization:
  • Use opts pattern to enable hook injection  -  by @​bytaesu in #​7130 (53776)
• passkey:
  • Add error logs during client verification error  -  by @​ping-maxwell in #​7193 (28329)
• prisma-adapter:
  • Lift eq AND conditions to root so update detects unique where field  -  by @​ping-maxwell in #​7096 (b3241)
• stripe:
  • Improve error handling and subscriptionSuccess route  -  by @​bytaesu in #​7087 (14fc9)
  • Pass metadata to subscription object in upgrade method  -  by @​bytaesu in #​7090 (d1c3a)
  • Prevent duplicate subscription creation when a subscription already exists  -  by @​bytaesu in #​7104 (46ac1)
• two-factor:
  • Prisma issue  -  by @​okisdev, @​Bekacru, @​ping-maxwell and ping-maxwell in #​5347 (e4d72)
  • Add missing POST endpoints to client pathMethods  -  by @​theonlypal in #​7284 (63d67)

    View changes on GitHub

v1.4.10

Compare Source

   🚀 Features

• Support form data for email sign-in/sign-up and fallback to checking fetch Metadata for first login  -  by @​Paola3stefania, @​bytaesu, Bereket Engida and @​jonathansamines in #​6314 (3f06d)
• expo:
  • Add webBrowserOptions to openAuthSessionAsync  -  by @​himself65 and Copilot in #​7054 (d1184)
• saml:
  • Add XML parser hardening with configurable size limits  -  by @​Paola3stefania in #​6805 (6e1f4)
• stripe:
  • Flexible subscription cancellation and termination management  -  by @​bytaesu and @​GautamBytes in #​6961 (c128d)
  • Handle customer.subscription.created webhook event  -  by @​bytaesu, Copilot and @​himself65 in #​6924 (cf64f)
  • Add disableRedirect option for subscription and billing  -  by @​himself65 and Valerii Strilets in #​7068 (11493)

   🐞 Bug Fixes

• Correct accountLinking default to true  -  by @​bytaesu and @​himself65 in #​6963 (0ccdf)
• Add supportsArrays to memory and mongodb adapters  -  by @​bytaesu in #​6984 (855db)
• Sync updateSession changes to secondary storage and active-sessions list  -  by @​Ridhim-RR, @​bytaesu and Taesu in #​6988 (13dbf)
• admin:
  • Custom role type inference  -  by @​bytaesu in #​6997 (63438)
  • UserId check in /has-permission  -  by @​himself65 and Copilot in #​7016 (adc88)
• anonymous:
  • Missing path breaks anonymous hooks  -  by @​ping-maxwell and @​himself65 in #​6794 (8e85b)
• api:
  • Chain plugin onRequest hooks properly  -  by @​bytaesu in #​7070 (1ee6d)
• client:
  • Prevent duplicate signal processing in atom listeners  -  by @​himself65 in #​7018 (016ba)
  • Apply rate limit focus refetch regardless of session state  -  by @​bytaesu and @​himself65 in #​7048 (bf423)
• expo:
  • Improve parseSetCookieHeader  -  by @​bytaesu in #​6990 (66a61)
• oauth-provider:
  • Support jwksPath  -  by @​dvanmali in #​6989 (54847)
  • Only session db store currently supported  -  by @​dvanmali in #​7000 (49821)
• oauth-proxy:
  • Point provider requests to production and fix cookie handling in non-HTTPS environments  -  by @​bytaesu and Bereket Engida in #​6472 (8e6ad)
• organization:
  • Remove unnecessary type re-export  -  by @​bytaesu in #​7011 (40df9)
• passkey:
  • Use data.id instead of challengeId in deleteVerificationValue  -  by @​GautamBytes in #​6826 (8b4cd)
• stripe:
  • Add 'subscription/restore' to pathMethods  -  by @​bytaesu in #​6959 (9acb7)
  • Prevent trial abuse by checking all user subscriptions  -  by @​GautamBytes, Taesu and @​himself65 in #​6950 (08895)

    View changes on GitHub

v1.4.9

Compare Source

   🚀 Features

• Add ctx.isTrustedDomain helper  -  by @​jonathansamines in #​6462 (d09c5)
• Drizzle pg supports JSON  -  by @​dvanmali in #​6518 (7d5f1)
• Add Refresh Token Support to Kick OAuth Provider  -  by @​CesarRodrigu in #​6263 (b1102)
• Add additionalFields option in verification table schema  -  by @​noctarius in #​6747 (eab5b)
• Add patreon social provider  -  by @​Spuffynism, benkingcode and Kinfe123 in #​6245 (07cdd)
• Add a global backgroundTasks config option to defer actions like sending email and updates to run after response is sent  -  by @​nexxeln and @​Bekacru in #​6713 (d544b)
• admin:
  • Prevent impersonating admins by default [breaking]  -  by @​jslno and @​Bekacru in #​6454 (5fb83)
  • Add support role with permissions for user updates and enforce role change validation  -  by @​Bekacru and Copilot in #​6699 (a0a16)
• expo:
  • Last-login-method client plugin  -  by @​jslno and @​himself65 in #​6413 (381f2)
• multi-session:
  • Allow to infer additional fields  -  by @​jslno in #​6585 (13786)
  • Allow to infer additional fields "  -  by @​Bekacru in #​6585 (e26fc)
• oauth-provider:
  • An oauth 2.1 compliant plugin  -  by @​dvanmali in #​4163 (686fb)
• oauth-proxy:
  • Add expirty timestamp for encrypted tokens  -  by @​Bekacru and Copilot in #​6538 (9f6b8)
• one-time-token:
  • Support setting session cookie on ott verify  -  by @​Bekacru in #​3659 (08e05)
• organization:
  • Allow invited users to see organization name  -  by @​GautamBytes and Copilot in #​6602 (a2476)
• phone-number:
  • Add password length validation for reset functionality  -  by @​Bekacru in #​6674 (4cdf8)
• saml:
  • Assertion timestamp validation with per-provider clock skew  -  by @​Paola3stefania in #​6706 (90c59)
  • Validate SAML crypto algorithms during initial phase  -  by @​Paola3stefania in #​6785 (b56d7)
  • Enforce one-time use of SAML assertions  -  by @​Paola3stefania in #​6719 (2053f)
  • Reject deprecated SAML signature and digest algorithms  -  by @​Paola3stefania in #​6784 (1f171)
  • Reject deprecated SAML signature and digest algorithms  -  by @​Paola3stefania in #​6784 (5bab6)
• sso:
  • Use domain verified flag to trust providers automatically  -  by @​Paola3stefania (6f283)
  • Add InResponseTo validation  -  by @​Paola3stefania in #​6557 (50ffe)
  • Add OIDC discovery  -  by @​Paola3stefania and @​Bekacru in #​6395 (57400)
  • Add URL normalization and validation to all discovery URLs  -  by @​jonathansamines, Paola Estefanía de Campos, @​Paola3stefania and @​Bekacru in #​6503 (17ff1)

   🐞 Bug Fixes

• Add helper types to exports  -  by @​himself65 in #​6479 (9b556)
• Avoid throwing on client side  -  by @​landoncolburn and @​Bekacru in #​6361 (b4f45)
• Export organization plugin types  -  by @​pffigueiredo in #​6490 (8efd5)
• Pathname should be normalized when basePath is set to root  -  by @​Bekacru (9228c)
• Prematurely deleting active sessions in secondary storage  -  by @​DevDuki in #​3885 (45cf4)
• Make sure non-chunked session data cookie is cleared  -  by @​Bekacru (26b2b)
• Array field handling across adapters and schema generation  -  by @​ping-maxwell and @​Bekacru in #​6601 (9d3d1)
• StoreStateStrategy default to database if provided  -  by @​himself65 in #​6619 (880e7)
• Should always remove 2FA verification token after successful verification  -  by @​delfortrie in #​6604 (13efb)
• Prevent stateless refresh with database configured  -  by @​Bekacru in #​6700 (a5e7c)
• Revert token masking in listSessions route  -  by @​bytaesu in #​6749 (f659c)
• Compatible with openapi 3.1  -  by @​himself65 and Copilot in #​6705 (81eec)
• Properly merge updated data in account cookie  -  by @​jslno in #​6758 (5d303)
• Preserve = padding in parsed cookies  -  by @​Shridhad in #​6789 (47884)
• Unify SSO/OAuth account linking and add domain-based org assignment to all sign-in flows  -  by @​Paola3stefania in #​6652 (dd8a5)
• Respect BETTER_AUTH_TRUSTED_ORIGINS env variable  -  by @​Paola3stefania in #​6809 (47682)
• Delete verifications with hooks  -  by @​jonathansamines in #​6803 (059b5)
• Respect IP headers in dev/test environments  -  by @​bytaesu in #​6854 (d3ebf)
• Trusted origins resolving  -  by @​Bekacru in #​6887 (94697)
• Update-user breaking during stateles

---

Configuration

📅 Schedule: Branch creation - "after 10:00 before 18:00 every weekday" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🗑️ Preview Environment Cleaned Up

✅ プレビュー環境をクリーンアップしました！

Database Name: next-lift-preview-pr418-auth

PRがクローズされたため、関連するデータベースとVercel環境変数を自動的に削除しました。

[github-actions]

🚀 Preview Environment Ready

✅ プレビュー環境のセットアップが完了しました！

🗄️ Database

Name: next-lift-preview-pr418-auth
URL: libsql://next-lift-preview-pr418-auth-gn-t-k.aws-ap-northeast-1.turso.io

🌐 Deployment

Preview URL: https://next-lift-olz9hh4xf-gntks-projects.vercel.app

⚠️ このデータベースとデプロイメントはPRがクローズされると自動的に削除されます。