the namespace export is renamed OTPFieldPreview → OTPField and should be imported as: { OTPField } from '@base-ui/react/otp-field' (#5029) by @atomiks
Avoid password manager bubbles after first input (#4868) by @atomiks
#10203 5953157 Thanks @bytaesu! - Rate limiting no longer trusts multi-hop X-Forwarded-For chains, preventing a client behind an appending proxy from spoofing the leftmost hop to bypass the per-IP rate limit. Single-value IP headers continue to work. To key the real client behind a proxy chain, set advanced.ipAddress.trustedProxies to your reverse-proxy IPs or CIDR ranges (the chain is walked right to left, skipping trusted hops), or point advanced.ipAddress.ipAddressHeaders at a single trusted client-IP header.
#9555 c1a8a64 Thanks @ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.
#10224 7a7a7b3 Thanks @Bekacru! - Deleting an SSO provider no longer leaves linked accounts that a later provider with the same provider ID can reuse.
SSO and SCIM provider setup now rejects provider IDs already used by another account provider.
SSO provider updates now reject identity-defining changes, such as issuer, login endpoints, client ID, SAML metadata, or user ID mappings, after accounts are linked. Secret rotation and same-value updates still work.
#10226 fa1e036 Thanks @Bekacru! - SAML SSO now rejects responses whose audience, bearer recipient, or response destination does not match the configured Service Provider before creating a session.
#10225 1a8b7cc Thanks @Bekacru! - SAML single logout now rejects IdP SLO POST URLs that use non-http(s) schemes, such as javascript: or data:.
#10227 fcabaaf Thanks @Bekacru! - SSO domain verification now requires proof for every domain a provider lists. When a provider's domain has multiple comma-separated domains, each listed domain must publish the verification TXT record before the provider is marked verified. The verifier accepts TXT records that exactly match the raw verification token, matching the documented setup flow, or the existing identifier=value format.
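The right-to-left walk described in the rate-limiting note above, written out as an added example; it is not better-auth's implementation. It assumes IPv4 only, hypothetical function names, and that the socket peer address is treated as the rightmost hop of the chain.

```javascript
// Added example (IPv4 only, hypothetical names). Parse a dotted quad, or null.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip matches a trusted entry: a bare address or a CIDR range.
function isTrusted(ip, trustedProxies) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return trustedProxies.some((entry) => {
    const [base, prefix] = entry.split("/");
    const baseInt = ipv4ToInt(base);
    if (baseInt === null) return false;
    if (prefix !== undefined && !/^\d{1,2}$/.test(prefix)) return false;
    const bits = prefix === undefined ? 32 : Number(prefix);
    if (bits > 32) return false;
    const size = 2 ** (32 - bits); // addresses per block; avoids 32-bit shift pitfalls
    return Math.floor(addr / size) === Math.floor(baseInt / size);
  });
}

// Walk the chain right to left and return the first hop that is not a trusted
// proxy. The socket peer is appended as the rightmost hop because it is the
// only address the server observed itself.
function resolveClientIp(peerIp, xffHeader, trustedProxies) {
  const hops = (xffHeader || "").split(",").map((h) => h.trim()).filter(Boolean);
  const chain = [...hops, peerIp];
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!isTrusted(chain[i], trustedProxies)) return chain[i];
  }
  return chain[0]; // every hop, including the peer, is a trusted proxy
}

// The weak keying the release note retires: the leftmost hop is client-supplied.
function leftmostHop(xffHeader) {
  return xffHeader.split(",")[0].trim();
}

// Constructed sample: the client sent "X-Forwarded-For: 1.2.3.4" and the
// appending proxy 10.0.0.5 added the address it actually saw, 203.0.113.7.
const SAMPLE = { peer: "10.0.0.5", xff: "1.2.3.4, 203.0.113.7", trusted: ["10.0.0.0/8"] };
```

With the sample, the leftmost hop yields the client-chosen 1.2.3.4, while the walk keys the limiter on 203.0.113.7; a peer outside the trusted list is returned as-is, so its header is never consulted.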
renovateBot changed the title from "fix(deps): update bun minor and patch dependencies to ^7.79.0" to "fix(deps): update bun minor and patch dependencies" on Jun 18, 2026
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm effect is 90.0% likely obfuscated
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/effect@3.21.4. You can
also ignore all packages with @SocketSecurity ignore-all.
Warn
Obfuscated code: npm happy-dom is 90.0% likely obfuscated
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/happy-dom@20.10.6. You can
also ignore all packages with @SocketSecurity ignore-all.
Warn
Obfuscated code: npm oxfmt is 90.0% likely obfuscated
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/oxfmt@0.56.0. You can
also ignore all packages with @SocketSecurity ignore-all.
Warn
Obfuscated code: npm recharts is 62.0% likely obfuscated
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/recharts@3.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
This PR contains the following updates:
^1.5.0→^1.6.0, 1.6.18→1.6.22, ^1.6.18→^1.6.22, ^1.6.18→^1.6.22, 0.4.1→0.4.2, ^1.40.2→^1.42.3, ^10.4.0→^10.5.0, ^0.98.2→^0.99.0, ^0.17.3→^0.17.4, ^1.60.0→^1.61.1, ^1.1.16→^1.1.17, ^1.3.4→^1.3.5, ^1.1.16→^1.1.17, ^2.1.17→^2.1.18, ^1.1.16→^1.1.17, ^2.1.9→^2.1.10, ^1.1.9→^1.1.10, ^1.2.11→^1.2.12, ^2.3.0→^2.3.1, ^1.1.9→^1.1.10, ^1.2.5→^1.3.0, ^1.3.0→^1.3.1, ^1.1.14→^1.1.15, ^1.2.9→^1.2.10, ^0.11.3→^0.11.6, ^0.7.0→^0.8.1, ^0.10.5→^0.10.8, ^5.101.0→^5.101.2, ^5.101.0→^5.101.2, ^1.170.15→^1.170.16, ^1.168.25→^1.168.26, ^25.9.3→^25.9.4, ^6.0.2→^6.0.3, ^1.6.18→^1.6.22, ^5.5.0→^5.6.1, ^3.21.3→^3.21.4, ^39.2.7→^39.8.10, ^1.47.1→^1.49.0, ^16.10.2→^16.10.6, ^15.0.12→^15.0.13, ^16.10.2→^16.10.6, ^20.10.3→^20.10.6, ^4.12.25→^4.12.27, ^1.18.0→^1.21.0, 0.54.0→0.56.0, ^7.78.0→^7.80.0, 3.8.1→3.9.0, ^7.8.4→^7.8.5, ^4.11.0→^4.12.0, ^8.0.16→^8.1.0, ^0.1.24→^0.2.1, ^4.1.8→^4.1.9, ^4.100.0→^4.105.0
Release Notes
mui/base-ui (@base-ui/react)
v1.6.0
Jun 18, 2026
General changes
Accordion
Accordion.Root (#4961) by @chuganzy
Alert Dialog
Autocomplete
open requirement for the inline prop (#5069) by @atomiks
Avatar
Checkbox
data-focused Field attribute when disabled (#4998) by @atomiks
validate fn calls (#4911) by @mj12albert
Checkbox Group
validate fn (#4912) by @mj12albert
Collapsible
Combobox
open requirement for the inline prop (#5069) by @atomiks
Dialog
Drawer
Field
Field.Item state in Field.Label (#4916) by @chuganzy
Field.Item state in Field.Description (#4960) by @chuganzy
Fieldset
Form
Menu
Menubar
Meter
Navigation Menu
Number Field
OTP Field
the namespace export is renamed OTPFieldPreview → OTPField and should be imported as: { OTPField } from '@base-ui/react/otp-field' (#5029) by @atomiks
Popover
Preview Card
Radio Group
Scroll Area
Select
Slider
validate fn calls (#4911) by @mj12albert
Switch
validate fn calls (#4911) by @mj12albert
Tabs
Toast
Toggle
Toggle Group
aria-orientation from role="group" element (#4628) by @sernstberger
Toolbar
disabled to default toolbar button (#4967) by @mj12albert
Tooltip
All contributors of this release in alphabetical order: @aarongarciah, @atomiks, @chuganzy, @flaviendelangle, @lyzno1, @mattrothenberg, @michaldudak, @mj12albert, @sernstberger, @spokodev
better-auth/better-auth (@better-auth/api-key)
v1.6.22
Patch Changes
Updated dependencies [c06a56d, 8bd43d9, 3a035e9]:
v1.6.21
Patch Changes
#10203 5953157 Thanks @bytaesu! - Rate limiting no longer trusts multi-hop X-Forwarded-For chains, preventing a client behind an appending proxy from spoofing the leftmost hop to bypass the per-IP rate limit. Single-value IP headers continue to work. To key the real client behind a proxy chain, set advanced.ipAddress.trustedProxies to your reverse-proxy IPs or CIDR ranges (the chain is walked right to left, skipping trusted hops), or point advanced.ipAddress.ipAddressHeaders at a single trusted client-IP header.
Updated dependencies [e0762a1, 882cf9e, f52e1ab, 90d509e, b5bec19, 816d7f9, 239bcc8, 1bc370a, 570267c, 461ca6f, 88409b0, 5953157, b046f9e, ae647b4]:
v1.6.20
Patch Changes
Updated dependencies [21448b1, 8ecf238, 930f534]:
v1.6.19
Patch Changes
Updated dependencies [de4aa52, b4b0266, 5bd5e1c, 581f827, 8407885, c1a8a64, 635f190, a787e0b, c2f718f, 7d18175]:
better-auth/better-auth (@better-auth/passkey)
v1.6.22
Patch Changes
Updated dependencies [c06a56d, 8bd43d9, 3a035e9]:
v1.6.21
Patch Changes
Updated dependencies [e0762a1, 882cf9e, f52e1ab, 90d509e, b5bec19, 816d7f9, 239bcc8, 1bc370a, 570267c, 461ca6f, 88409b0, 5953157, b046f9e, ae647b4]:
v1.6.20
Patch Changes
Updated dependencies [21448b1, 8ecf238, 930f534]:
v1.6.19
Patch Changes
#9555 c1a8a64 Thanks @ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.
Updated dependencies [de4aa52, b4b0266, 5bd5e1c, 581f827, 8407885, c1a8a64, 635f190, a787e0b, c2f718f, 7d18175]:
better-auth/better-auth (@better-auth/sso)
v1.6.22
Patch Changes
Updated dependencies [c06a56d, 8bd43d9, 3a035e9]:
v1.6.21
Patch Changes
#10224 7a7a7b3 Thanks @Bekacru! - Deleting an SSO provider no longer leaves linked accounts that a later provider with the same provider ID can reuse.
SSO and SCIM provider setup now rejects provider IDs already used by another account provider.
SSO provider updates now reject identity-defining changes, such as issuer, login endpoints, client ID, SAML metadata, or user ID mappings, after accounts are linked. Secret rotation and same-value updates still work.
#10226 fa1e036 Thanks @Bekacru! - SAML SSO now rejects responses whose audience, bearer recipient, or response destination does not match the configured Service Provider before creating a session.
#10225 1a8b7cc Thanks @Bekacru! - SAML single logout now rejects IdP SLO POST URLs that use non-http(s) schemes, such as javascript: or data:.
#10227 fcabaaf Thanks @Bekacru! - SSO domain verification now requires proof for every domain a provider lists. When a provider's domain has multiple comma-separated domains, each listed domain must publish the verification TXT record before the provider is marked verified. The verifier accepts TXT records that exactly match the raw verification token, matching the documented setup flow, or the existing identifier=value format.
Updated dependencies [e0762a1, 882cf9e, f52e1ab, 90d509e, b5bec19, 816d7f9, 239bcc8, 1bc370a, 570267c, 461ca6f, 88409b0, 5953157, b046f9e, ae647b4]:
v1.6.20
Patch Changes
Updated dependencies [21448b1, 8ecf238, 930f534]:
v1.6.19
Patch Changes
Updated dependencies [de4aa52, b4b0266, 5bd5e1c, 581f827,