fix(deps): update dependency better-auth to v1.3.26 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
better-auth (source)	1.1.10 -> 1.3.26

GitHub Vulnerability Alerts

GHSA-9x4v-xfq5-m8x5

Summary

The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.

Details

The value of error URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81

PoC

https://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E

Impact

An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser.

Because better-auth is a dependency of web applications, the impact of such a vulnerability is unknowable; it depends on the functionality of the application/site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an administrator with elevated permissions and access.

CVE-2025-27143

Summary

The application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs (e.g., https://evil.com), it incorrectly allows scheme-less URLs (e.g., //malicious-site.com). This results in the browser interpreting the URL as https://malicious-site.com, leading to unintended redirection.

bypass for : GHSA-8jhw-6pjj-8723

Affected Versions

All versions prior to 1.1.19

Details

The application’s email verification endpoint (/auth/verify-email) accepts a callbackURL parameter intended to redirect users after successful email verification. While the server correctly blocks fully qualified external URLs (e.g., https://evil.com), it improperly allows scheme-less URLs (e.g., //malicious-site.com). This issue occurs because browsers interpret //malicious-site.com as https://malicious-site.com, leading to an open redirect vulnerability.

An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens.

Impact

Phishing & Credential Theft – Attackers can redirect users to a fake login page, tricking them into entering sensitive credentials, which can then be stolen.

Session Hijacking & Token Theft – If used in OAuth flows, an attacker could redirect authentication tokens to their own domain, leading to account takeover.

GHSA-vp58-j275-797x

Summary

A bypass was found for wildcard or absolute URLs trustedOrigins configurations and opens the victims website to a Open Redirect vulnerability, where it can be used to steal the reset password token of a victims account by changing the "callbackURL" parameter value to a website owned by the attacker.

Details

Absolute URLs

The issue here appears in the middleware, specifically. This protection is not sufficiente and it allows attackers to exploit a open redirect vulnerability, by using the payload /\/example.com. We can check this is a valid URL ( or it will be a valid URL because the URL parser fix it for us ), by checking the image bellow:

// trustedOrigins = [ "https://example.com" ]
validateURL("https://attacker.com", "callbackURL") // ❌ APIError, No Redirect
validateURL("/\/attacker.com", "callbackURL")       // ✅ Redirect to http://attacker.com

Regex

The issue here is because the regex is not strong enough [^/\\]*?\.example\.com[/\\]*? ( this is the regex it will be created if we have a wildcard as the trustedOrigins config ), but we can bypass by using a payload like:

// trustedOrigins = [ "*.example.com" ]
  ┌──────────────────┐       ┌────────────────┐       ┌─────────────────┐
  │ None of [ "/\" ] │ ────▶ │ ".example.com" │ ────▶ │ One of [ "/\" ] │
  └──────────────────┘       └────────────────┘       └─────────────────┘
          demo                  .example.com                    /               ✅ Redirect to https://example.com
          demo                  .attacker.com                   /               ❌ APIError, no redirect
   http:attacker.com?           .example.com                    /               ✅ Redirect to http://attacker.com

This works because : and ? are special chars in a URL, so when the URL parser sees, http: it will fix our happily fix our URL to http://attacker.com? and make .example.com as parameter, thus, bypassing this check.

PoC

We can PoC the open redirect by using the demo.better-auth.com.
If we access the URL bellow, we are redirected to example.com:

• https://demo.better-auth.com/api/auth/reset-password/x?callbackURL=/\/example.com

Impact

Every single website using the better-auth library, is vulnerable to un-auth open redirect and more importantilly, vulnerable to potential one click account take over vulnerability, as the attacker can send the victim a email to reset their account while changing the "redirectTo" parameter here, and when the victim clicks on the link, the reset token is sent to the attackers website, which then a attacker could use that token to reset the password of the victims account.

CVE-2025-53535

Summary

An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback.

Details

In the matchesPattern function, url.startsWith( can be deceived with a url that starts with one of the trustedOrigins.

		const matchesPattern = (url: string, pattern: string): boolean => {
			if (url.startsWith("/")) {
				return false;
			}
			if (pattern.includes("*")) {
				return wildcardMatch(pattern)(getHost(url));
			}
			return url.startsWith(pattern);
		};

Open Redirect PoCs

export const auth = betterAuth({
	baseURL: 'http://localhost:3000',
	trustedOrigins: [
		"http://trusted.com"
	],
	emailAndPassword: {
		...
	},
})

/reset-password/:token

/verify-email

/delete-user/callback

/magic-link/verify

/oauth-proxy-callback

Impact

Untrusted open redirects in various routes.

CVE-2025-61928

Summary

Unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route.

Details

The vulnerability exists in the authentication logic at when checking for user authentication then derives the user as session?.user ?? (authRequired ? null : { id: ctx.body.userId }). When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when authRequired is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint.

PoC

curl -X POST http://localhost:3000/api/auth/api-key/create \
   -H 'Content-Type: application/json' \
   -d '{
         "userId": "victim-user-id",
         "name": "zeropath"
       }'

Response contains the new API key whose userId matches the victim, confirming the bypass.

Impact

This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges.

This issue was found by ZeroPath.

---

Release Notes

better-auth/better-auth (better-auth)

v1.3.26

Compare Source

   🐞 Bug Fixes

• [security] api keys should properly check if a request is from client or server  -  by @​Bekacru (55608)
• api-key: Shouldn't issue api key a mock session by default  -  by @​Bekacru (a49e5)

    View changes on GitHub

v1.3.25

Compare Source

   🚀 Features

• Additional fields on account  -  by @​dvanmali in #​4935 (f148f)
• Add support for custom callback for token url  -  by @​acusti in #​5027 (3f668)
• captcha: Add support for CaptchaFox  -  by @​tgrassl in #​4944 (b6119)
• cli: Add mcp client configs from cli  -  by @​Kinfe123 and @​himself65 in #​4872 (e1082)

   🐞 Bug Fixes

• Support compressed ipv6 format  -  by @​Velka-DEV in #​4982 (c2f27)
• Add required constraint to slug filed in org plugin  -  by @​bytaesu in #​4989 (39189)
• Use consistent messaging on requestPasswordReset  -  by @​Eazash in #​5014 (d6224)
• Cookie size limit shouldn't throw error  -  by @​Bekacru and @​himself65 in #​5031 (dece5)
• Handle symbols in proxy get trap to prevent TypeError  -  by @​zbeyens and @​himself65 in #​4924 (85f3b)
• Ttl for rate limited secondary storage  -  by @​dvanmali in #​4961 (45cd3)
• adapter:
  • Use updated field values in WHERE clause during update  -  by @​QuintenStr and @​ping-maxwell in #​5004 (3e298)
  • Foreign keys that are nullable on number ids can return string of null  -  by @​ping-maxwell in #​5036 (84e99)
• api-key:
  • Correct refill interval time calculation  -  by @​Pankaj3112 and @​himself65 in #​4871 (64ac8)
• client:
  • Add lynx client exports  -  by @​JagritGumber in #​4950 (70202)
• device-authorization:
  • Fix client error type for deny device  -  by @​3ddelano in #​5022 (ec788)
• last-login-method:
  • Custom resolver method default logic  -  by @​ThibautCuchet in #​4821 (2616e)
• oauth-proxy:
  • Should skip state check for oauth proxy  -  by @​Bekacru in #​4991 (a3c1d)
• oidc:
  • Properly enforce consent requirements per OIDC spec  -  by @​himself65 in #​4974 (20704)
• org:
  • Update type to include undefined  -  by @​himself65 in #​5003 (cce9e)
• sso:
  • Safe json parsing for saml/oidc configs  -  by @​natetewelde and @​himself65 in #​4858 (d09c7)
  • Prevent duplicate SSO provider creation with same providerId  -  by @​xiaoyu2er in #​5033 (cfe64)
• stripe:
  • Update with an existing subscription  -  by @​himself65 in #​4988 (6a288)
  • Sync customer email on db change  -  by @​himself65 in #​4995 (cdd7b)
  • getCustomerCreateParams not actually being called  -  by @​ebalo55 and @​himself65 in #​5019 (cdd6f)

   🏎 Performance

• Lazy load create telemetry  -  by @​himself65 in #​5007 (e05ce)

    View changes on GitHub

v1.3.24

Compare Source

   🚀 Features

• Add support for custom callback for authorization url  -  by @​Bekacru in #​4919 (458cb)

   🐞 Bug Fixes

• Refresh secondary storage sessions on user update  -  by @​frectonz in #​4522 (80b8c)
• cli: Timestamp in schema for Drizzle with SQLite  -  by @​zy1p in #​4622 (cee5a)
• db: onDelete is ignored  -  by @​himself65 in #​4973 (aba9a)
• deps: Update dependency @​nanostores/react to v1  -  in #​4963 (483f6)

   🏎 Performance

• Improve type Auth  -  by @​himself65 in #​4930 (574b9)

    View changes on GitHub

v1.3.23

Compare Source

v1.3.22

Compare Source

v1.3.21

Compare Source

v1.3.20

Compare Source

v1.3.19

Compare Source

   🐞 Bug Fixes

• getSession shouldn't expose options and path types  -  by @​Bekacru in #​4947 (633a7)

    View changes on GitHub

v1.3.18

Compare Source

   🐞 Bug Fixes

• Ttl sessions list expiration  -  by @​dvanmali in #​3836 (71129)
• Tests failing due to clock drift  -  by @​dvanmali in #​4915 (8351c)
• Moved email verification check after password check  -  by @​QuintenStr in #​4835 (0088c)
• cli: DefaultNow is deprecated in schema for Drizzle with SQLite  -  by @​himself65 in #​4889 (e979f)
• custom-session: Don't overwrite the Set-Cookie header  -  by @​frectonz in #​4388 (15b00)
• email-otp: Call reset password callback  -  by @​HoshangDEV in #​4818 (45101)

    View changes on GitHub

v1.3.17

Compare Source

   🚀 Features

• sso: Provide default service provider metadata  -  by @​dvanmali in #​4866 (4a9d1)

   🐞 Bug Fixes

• nuxt: Avoid load env base url for SSR  -  by @​himself65 in #​4887 (15cc7)

    View changes on GitHub

v1.3.16

Compare Source

No significant changes

    View changes on GitHub

v1.3.15

Compare Source

   🐞 Bug Fixes

• types: Include null in getSession return type  -  by @​jcajuab in #​4812 (d447c)

    View changes on GitHub

v1.3.14

Compare Source

   🚀 Features

• passkey: Allow multiple passkey origins  -  by @​kevcube in #​4800 (d9601)
• sso: DefaultSSO options and ACS endpoint  -  by @​Kinfe123 and Bereket Engida in #​3660 (348f3)

   🐞 Bug Fixes

• Wrap Math.floor around the division when calculating TTL  -  by @​DevDuki, Dusan Misic, ping-maxwell and @​himself65 in #​4768 (08da9)
• api-key:
  • Calling client on server side  -  by @​himself65 in #​4777 (d384e)
• mcp:
  • Missing Content-Type header for mcp DCR  -  by @​Berndwl in #​4763 (a6b2e)
• organization:
  • Pass ctx to DB hooks  -  by @​ping-maxwell in #​4769 (39c21)
  • Allow passing id through beforeCreateOrganization  -  by @​ping-maxwell in #​4765 (25a43)
• username:
  • Username should respect send on sign config  -  by @​QuintenStr in #​4799 (ac49e)

    View changes on GitHub

v1.3.13

Compare Source

   🚀 Features

• Add returnHeaders to getSession  -  by @​frectonz in #​3983 (8a4b3)
• last-login-method: Update OAuth login method tracking for multiple auth type  -  by @​Kinfe123 in #​4693 (c03fd)

   🐞 Bug Fixes

• client: BaseURL is undefined for SSR  -  by @​himself65 in #​4760 (c1514)
• organization: Remove autoCreateOnSignUp option as it's not implemented yet  -  by @​Bekacru in #​4755 (21bd4)
• passkey: Remove email from query  -  by @​himself65 in #​4740 (8709a)

    View changes on GitHub

v1.3.12

Compare Source

   🚀 Features

• discord: Allow specification of permissions  -  by @​TheUntraceable and @​Bekacru in #​4717 (c6e33)
• email-otp: Allow returning undefined in generateOTP  -  by @​ping-maxwell in #​4723 (11dbf)

   🐞 Bug Fixes

• Device authorization plugin  -  by @​bytaesu in #​4695 (578a6)
• Reduce any type in generator.ts  -  by @​himself65 in #​4710 (fd29b)
• Refresh secondary storage sessions on user update  -  by @​frectonz in #​4522 (c3354)
• Allow disable database transaction  -  by @​himself65 in #​4733 (7efd1)
• adapter:
  • Returning null as string for optional id references  -  by @​jslno in #​4713 (c6e5d)
• api-key:
  • Cascade api keys on user deletion  -  by @​ping-maxwell in #​4703 (62b50)
• create-adapter:
  • Disable transaction by default  -  by @​ping-maxwell in #​4750 (4a434)
• organization:
  • Decouple client and server permission checks  -  by @​Bekacru in #​4707 (adfc4)
  • Membership check for organizations with large member counts  -  by @​Badbird5907 and @​himself65 in #​4724 (97b02)
• stripe:
  • OnCustomerCreate should be called even if update user isn't returned  -  by @​Bekacru in #​4716 (d3509)

    View changes on GitHub

v1.3.11

Compare Source

   🚀 Features

• Flip emailVerified when link the account  -  by @​himself65 in #​4621 (cf2ca)

   🐞 Bug Fixes

• Check if user exists before banning the user  -  by @​anmol-fzr, KinfeMichael Tariku and @​himself65 in #​4649 (283c2)
• Timestamp issues in kysely  -  by @​frectonz and @​himself65 in #​4542 (e5874)
• Respect errorCallbackURL in failed oauth flows  -  by @​frectonz in #​4650 (43545)
• plugins: Asynchronous init  -  by @​LightTab2 and @​himself65 in #​4680 (9d216)

    View changes on GitHub

v1.3.10

Compare Source

   Maintenance update: We fixed lots of issues from the community. Thanks to everyone for contributing to better-auth.

   🚀 Features

• Add getActiveRoleMember  -  by @​fathisiddiqi, @​Kinfe123 and @​himself65 in #​4484 (f6f19)
• Database transaction support  -  by @​himself65 and Joel Solano in #​4414 (22c39)
• logger: Option to disable colors  -  by @​martiinii and @​himself65 in #​4402 (53076)
• passkey: Error codes in passkey client  -  by @​frectonz, @​Kinfe123 and @​Bekacru in #​3966 (4b2f5)
• sqlite: Remove autoincrement for SQLite  -  by @​pspeter3 in #​4466 (f2c9d)

   🐞 Bug Fixes

• Ignore cookiecache on auth sensitive functions  -  by @​Kinfe123 in #​4530 (e2a95)
• Custom field for refreshTokenExpiresAt  -  by @​himself65 in #​4569 (cc007)
• Return local IP in development mode  -  by @​DiiiaZoTe and @​himself65 in #​2511 (b4ad6)
• Make cookie cache respect dontRememberMe mode  -  by @​frectonz in #​4558 (acb28)
• Normalize zod imports  -  by @​gabrielmar in #​4593 (adbfc)
• Check endpoint conflicts respect method  -  by @​himself65 in #​4595 (60930)
• Respect username validator  -  by @​azaek and @​himself65 in #​3669 (b8bed)
• Set clientId in ProviderOptions to unknown by default  -  by @​himself65 in #​4596 (78250)
• Pick the first clientId for oauth provider  -  by @​himself65 in #​4598 (8df46)
• Remove use of global.crypto  -  by @​himself65 in #​4606 (ef450)
• Should infer types correctly when empty list of plugins is provided  -  by @​frectonz in #​4612 (08fa1)
• Correct MongoDB adapter import path in CLI  -  by @​aajeeth-m in #​4602 (58963)
• Make sure fetch function doesn't get called repeatedly on onMount  -  by @​frectonz in #​4669 (9d6e4)
• Prevent lastLoginMethod plugin from setting cookie on failed auth  -  by @​Kinfe123 in #​4673 (e297c)
• admin:
  • Change the order of role and user id check when both are provider on userHasPermission  -  by @​Bekacru in #​4653 (29c57)
• anonymous:
  • Prevent false positive error on first anonymous sign-in  -  by @​ajanraj and @​himself65 in #​3662 (96804)
• cli:
  • info shows the correct version  -  by @​himself65 in #​4547 (7faae)
  • Add missing JSON type to schema generation  -  by @​TheGB0077 and @​Kinfe123 in #​4494 (20e87)
• demo:
  • Update forgot password link to /forget-password  -  by @​GivenBY in #​4567 (94450)
• docs:
  • Remove duplicated RFC compliance mention  -  by @​TheUntraceable in #​4581 (5f80c)
• expo:
  • window.crypto is undefined  -  by @​himself65 in #​4620 (7dbc5)
  • Missing peer deps  -  by @​himself65 in #​4617 (16160)
• lastLoginMethod:
  • Inherit cross-subdomain cookie settings in lastLoginMethod plugin  -  by @​lumpinif in #​4572 (78424)
• memory-adapter:
  • Should respect where connector  -  by @​jslno in #​4549 (784db)
• multi-session:
  • Multi-session cookie name preface preventing multiple accounts signed in  -  by @​PacifismPostMortem in #​4505 (8eb64)
• one-time-token:
  • Typo and clean  -  by @​gabrielmar in #​4579 (01365)
• organization:
  • checkRolePermission shouldn't be a promise  -  by @​ping-maxwell in #​4533 (abfc4)
  • Member and team hooks should apply on create organization  -  by @​Bekacru in #​4600 (7fc23)
  • Before org create hooks not applying customized data  -  by @​Bekacru in #​4623 (da9b8)
  • [security] updateOrgRole should check for userId properly  -  by @​Bekacru (12a9d)
  • Restrict role check by user id  -  by @​himself65 in #​4641 (f5fd8)
• prisma:
  • Handle optional field relation types correctly  -  by @​LiYulin-s in #​4630 (80b73)
• stripe:
  • Properly resolve plans by lookup keys  -  by @​AlexProgrammerDE in #​4499 (b531d)
  • Subscription is created without completing payment  -  by @​himself65 in #​4548 (e663f)
  • Prevent multiple free trials for same user  -  by @​RikhiSingh in #​4562 (1bb12)
  • Use correct request method for billing-portal  -  by @​danielepintore in #​4613 (9f23e)
• tiktok:
  • Remove client_secrect from authorizationUrl  -  by @​arslan2012 in #​4511 (71aeb)
• username:
  • Add missing normalization  -  by @​bortoz and @​himself65 in #​3636 (9d316)
  • Sign in should work with post normalization  -  by @​Bekacru and @​himself65 in #​4599 (b2dfb)
• vue:
  • Correct baseURL  -  by @​himself65 in #​4578 (90ea9)

    View changes on GitHub

v1.3.9

Compare Source

   🚀 Features

• Add support for not in operator  -  by @​Bekacru in #​4449 (1651f)
• Lynx integration  -  by @​himself65 in #​4470 (9589c)
• mcp: Customize resource in protected resource metadata  -  by @​frectonz in #​4419 (d4459)
• rate-limiter: Allow disabling custom paths to not be rate limited  -  by @​Bekacru in #​4502 (693c8)

   🐞 Bug Fixes

• Cloudflare build warning with node:sqlite  -  by @​himself65 in #​4415 (14ad4)
• Shouldn't update personal sub when upgrading with org ref id  -  by @​Bekacru in #​4435 (9d8f7)
• Properly generate OpenAPI schema for nested ZodObject and ZodOptional  -  by @​Kinfe123 in #​4489 (5f996)
• Respect allow different email linking option on callbacks  -  by @​Bekacru in #​4504 (6c35a)
• expo: Handle link social  -  by @​frectonz in #​4420 (d42cc)
• jwt: Revert set default iat for /token endpoint  -  by @​dvanmali in #​4501 (8f80a)
• mcp: Remove duplicate /api/auth from wwwAuthenticateValue and properly format the header  -  by @​paoloricciuti in #​4462 (4b364)
• org: List user teams had incorrect path method in jsdoc  -  by @​ping-maxwell in #​4446 (ad28a)
• paypal: Use base64.encode  -  by @​himself65 in #​4527 (4ebc6)
• stripe: Prevent multiple free trials  -  by @​hendrik-krebs in #​4432 (32546)
• tiktok: Refresh token flow uses client_key  -  by @​Manokii in #​4437 (d8145)

    View changes on GitHub

v1.3.8

Compare Source

   🚀 Features

• Support to infer error types fr

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[safedep]

SafeDep Report Summary

⚠ 1 packages are identified as suspicious, human review is recommended.

Package Details

Package	Malware	Vulnerability	Risky License	Report
better-auth @ 1.3.26 pnpm-lock.yaml				🔗
@better-auth/core @ 1.3.26 pnpm-lock.yaml				🔗
@better-auth/utils @ 0.3.0 pnpm-lock.yaml				🔗
@better-fetch/fetch @ 1.1.18 pnpm-lock.yaml				🔗
@noble/ciphers @ 2.0.1 pnpm-lock.yaml				🔗
@noble/hashes @ 2.0.1 pnpm-lock.yaml				🔗
@peculiar/asn1-cms @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-csr @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-ecc @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-pfx @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-pkcs8 @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-pkcs9 @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-rsa @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-schema @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-x509 @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/asn1-x509-attr @ 2.6.0 pnpm-lock.yaml				🔗
@peculiar/x509 @ 1.14.2 pnpm-lock.yaml				🔗
@simplewebauthn/browser @ 13.2.2 pnpm-lock.yaml				🔗
@simplewebauthn/server @ 13.2.2 pnpm-lock.yaml				🔗
asn1js @ 3.0.6 pnpm-lock.yaml				🔗
better-call @ 1.0.19 pnpm-lock.yaml				🔗
jose @ 6.1.2 pnpm-lock.yaml				🔗
kysely @ 0.28.8 pnpm-lock.yaml				🔗
nanostores @ 1.0.1 pnpm-lock.yaml				🔗
set-cookie-parser @ 2.7.2 pnpm-lock.yaml				🔗
tsyringe @ 4.10.0 pnpm-lock.yaml				🔗
zod @ 4.1.12 pnpm-lock.yaml				🔗

_{This report is generated by SafeDep Github App}