Authentication for the Web.
Corrected return type annotations in the Neon and PostgreSQL adapters to properly indicate that `useVerificationToken` can return `null` when no matching row is found, matching the Adapter contract. Also pinned the TypeScript version in docs to 5.6.3 to ensure typedoc builds deterministically with a supported compiler version.
Added a vercel.json configuration to prevent Vercel from auto-detecting and running Turbo builds on the proxy package, which was causing deployment failures. The proxy deploys as Vercel Functions and doesn't need a build step.
Resolved 167 Dependabot security alerts by upgrading major versions of critical dependencies including Next.js (15.5.18), Svelte (5.55.7), Vitest (3.2.6), Vite (6.4.2), and numerous other libraries across docs, apps, and core packages. This includes security fixes for packages like jsonwebtoken, socks, and micromatch that were blocking previous dependency updates.
Fixed a security vulnerability where invalid provider configurations (missing issuer/authorization endpoints) caused auth checks to fail open, exposing protected routes. The fix adds a helper that treats non-OK responses as "no session" so all auth entry points properly reject requests during misconfiguration, with a new regression test covering the InvalidEndpoints scenario.
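The fail-open bug above is worth seeing side by side with the fail-closed helper that replaced it. The following is an added illustration, not Auth.js's own code: `AuthResponse` is a constructed stand-in for the internal auth handler's response, and `failOpenCheck` models the flawed logic only to show why a misconfigured provider (which surfaces as a 500, not a 401) slipped through.

```typescript
// Added example, not Auth.js code. Shows the difference between a check that
// fails open on unexpected responses and one that treats anything but an OK
// session payload as "no session".

export interface Session { user: { email: string } }

// Constructed stand-in for the internal auth handler's response.
export interface AuthResponse { ok: boolean; status: number; body: unknown }

// Fail-closed: only an OK response carrying a session payload yields a session.
// A 500 caused by a missing issuer/authorization endpoint becomes null here.
export function sessionFromResponse(res: AuthResponse): Session | null {
  if (!res.ok) return null;
  const body = res.body as { user?: { email?: string } } | null;
  if (!body || typeof body.user?.email !== "string") return null;
  return { user: { email: body.user.email } };
}

// Every entry point (proxy/middleware, route handler, server component) should
// derive its decision from the fail-closed helper, never from the raw status.
export function isAuthorized(res: AuthResponse): boolean {
  return sessionFromResponse(res) !== null;
}

// The anti-pattern the fix removed (illustrative only): treating "not explicitly
// unauthenticated" as authorized, so a misconfiguration error passes the gate.
export function failOpenCheck(res: AuthResponse): boolean {
  return res.status !== 401;
}
```

The regression scenario is a provider with invalid endpoints: the handler answers with a 500 and an empty body, `failOpenCheck` says yes, `isAuthorized` says no.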
Linting rules were run across the codebase to improve code consistency and maintainability.
The `getToken()` function now safely handles malformed percent-encoded Bearer tokens by returning null instead of throwing an uncaught error. This fixes a security vulnerability (GHSA-xmf8-cvqr-rfgj) where requests with invalid token encodings (like `Authorization: Bearer %`) would crash the application.
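The crash described above comes from `decodeURIComponent` throwing `URIError` on an incomplete percent-escape. The following added example (not the Auth.js `getToken()` implementation; `getBearerToken` is a hypothetical helper) shows the pattern the fix applies: parse the `Authorization` header, decode inside a `try`, and map a `URIError` to `null` rather than letting it propagate as an unhandled exception.

```typescript
// Added example, not Auth.js code. Extracts a Bearer token from an
// Authorization header value and returns null for anything malformed,
// including percent-encodings that decodeURIComponent rejects.

export function getBearerToken(
  authorization: string | null | undefined
): string | null {
  if (!authorization) return null;

  // Scheme must be "Bearer" (case-insensitive), followed by one token.
  const match = /^Bearer\s+(\S+)$/i.exec(authorization.trim());
  if (!match) return null;

  try {
    // Throws URIError on inputs such as "%" or a truncated "%E0%A4%A".
    return decodeURIComponent(match[1]);
  } catch (err) {
    if (err instanceof URIError) return null; // malformed token -> no token
    throw err; // anything else is a genuine bug, do not hide it
  }
}
```

The `throw err` branch is deliberate: only the error class the decoder is documented to raise is converted to "no token", so unrelated failures still surface in logs.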
Patched multiple Dependabot security advisories by adding pnpm dependency overrides across the monorepo and upgrading vulnerable transitive dependencies. Critical CVE fixes include updating Qwik to 1.19.1 (RCE vulnerability), Qwik-City to 1.19.2 (prototype pollution and DoS), and MikroORM to 6.6.14 (SQL injection), along with updating the MikroORM adapter to use v6 API while maintaining backward compatibility.
Pinned @auth/core to a specific version (^0.41.2) instead of "latest" to prevent proxy deployments from failing due to dist-tag inconsistencies, and reformatted test file code styling with Prettier.
OAuth security cookies (state, nonce, PKCE) now store the provider ID that created them and validate that the same provider is handling the callback, preventing cross-provider cookie misuse. This adds provider-specific validation to the cookie parsing logic with corresponding test coverage.
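To make the provider-binding check concrete, here is an added example that is not Auth.js's cookie code. Auth.js encrypts these cookies; this example leaves encryption out and uses a constructed `<providerId>.<state>` plaintext layout so the binding and comparison logic are visible. `createStateCookie`, `parseStateCookie` and `verifyCallbackState` are hypothetical names.

```typescript
// Added example, not Auth.js code. Binds an OAuth state cookie to the provider
// that minted it, so a callback handled by provider B cannot consume a state
// value that was created while starting a sign-in with provider A.

export interface StateCookie { providerId: string; state: string }

// Constructed layout: "<providerId>.<state>". Provider IDs in Auth.js are
// simple slugs, so '.' is a safe separator here.
export function createStateCookie(providerId: string, state: string): string {
  if (providerId === "" || /[.\s]/.test(providerId)) {
    throw new Error("providerId must be non-empty and free of '.' and whitespace");
  }
  return `${providerId}.${state}`;
}

export function parseStateCookie(value: string | undefined): StateCookie | null {
  if (!value) return null;
  const dot = value.indexOf(".");
  if (dot <= 0 || dot === value.length - 1) return null;
  return { providerId: value.slice(0, dot), state: value.slice(dot + 1) };
}

// Constant-time string comparison so the state check does not leak by timing.
export function timingSafeEqualStr(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Callback check: the cookie must have been issued for the provider handling
// this callback, and its state must equal the ?state= query parameter.
export function verifyCallbackState(
  cookieValue: string | undefined,
  callbackProviderId: string,
  stateParam: string | undefined
): boolean {
  const cookie = parseStateCookie(cookieValue);
  if (!cookie || stateParam === undefined) return false;
  if (cookie.providerId !== callbackProviderId) return false;
  return timingSafeEqualStr(cookie.state, stateParam);
}
```

The same binding applies unchanged to the nonce and PKCE verifier cookies; only the payload field differs.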
Email addresses are now normalized using Unicode NFKC before validation to prevent homoglyph characters (like U+FF20 FULLWIDTH COMMERCIAL AT) from bypassing the single @ symbol check. This closes a security issue where special characters could be converted to @ symbols later in processing, potentially splitting one email into multiple recipients.
Released next-auth version 5.0.0-beta.31, a routine version increment for the authentication library.
Bumped patch versions for all 29 packages including adapters, core, and framework integrations (e.g., 1.11.1 → 1.11.2, 0.41.1 → 0.41.2). This is an automated release preparation that increments versions in package.json files across the monorepo.
Updated all @auth package versions across adapters and frameworks from *.11.0 to *.11.1 to sync with a prior npm release that wasn't reflected in the main branch, preventing version collisions in the next release cycle.
Updated the Kysely database query library from version 0.27.5 to 0.28.16, which includes dependency updates and raises the minimum Node.js requirement from 14.0.0 to 20.0.0.
Updated the refresh token rotation code example to properly handle optional access_token and expires_at fields from the Account type by adding a type guard check. This prevents TypeScript errors when these fields might be undefined.
Updated the Kysely database adapter dependency from version 0.27.5 to 0.28.15 to patch a SQL injection vulnerability (CVE-2026-33468). This security update applies to both peer dependencies and dev dependencies.
Added issuer configuration to the GitHub OAuth provider to comply with RFC 9207 standards, which GitHub now enforces by returning an 'iss' parameter in OAuth callbacks. This ensures authentication works correctly for both standard GitHub and GitHub Enterprise Server.
Documentation updated to reflect Next.js 16's renaming of middleware.ts to proxy.ts. All installation, session protection, edge compatibility, migration, RBAC, passkey, and Prisma adapter guides now show proxy.ts examples while noting legacy middleware.ts support for older Next.js versions.
The migration guide for Better Auth has been significantly expanded and updated with more comprehensive instructions and examples to help users transition to Better Auth.
next-auth version was incremented from 5.0.0-beta.29 to 5.0.0-beta.30 as part of the release process.
Updated next-auth to support Next.js 16 alongside existing versions 14 and 15, and relaxed React peer dependency constraints to include stable React 19 releases.
Updated nodemailer dependency to version 7.0.7 across all packages and added stricter email validation in the sign-in token endpoint to prevent security vulnerabilities. The validation now rejects emails containing quotes and ensures proper email format with exactly one @ symbol.
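The NFKC normalization change above and the stricter sign-in validation (exactly one `@`, no quotes) fit together in one validator. The following is an added example, not the Auth.js endpoint code; `validateSignInEmail` is a hypothetical name. The order matters: normalize first, then count `@`, so a fullwidth U+FF20 that a later mail-library step would fold to ASCII `@` is caught here rather than downstream.

```typescript
// Added example, not Auth.js code. Normalizes an email with Unicode NFKC before
// checking it, so compatibility characters such as U+FF20 (FULLWIDTH COMMERCIAL
// AT) cannot pass a "single @" check and later become a second '@'.

export function countAt(s: string): number {
  let n = 0;
  for (const ch of s) if (ch === "@") n++;
  return n;
}

// Returns the normalized address on success, or null when the input is rejected.
export function validateSignInEmail(raw: string): string | null {
  const email = raw.trim().normalize("NFKC");

  // Quoted local parts and separators are rejected outright: they are the
  // characters a mail library may interpret as multiple recipients.
  if (/["'\s,;<>]/.test(email)) return null;

  // Exactly one '@' after normalization, with a non-empty local part and domain.
  if (countAt(email) !== 1) return null;
  const [local, domain] = email.split("@");
  if (local.length === 0 || domain.length === 0) return null;
  if (!domain.includes(".") || domain.startsWith(".") || domain.endsWith(".")) return null;

  return email;
}
```

The interesting case is `attacker＠evil.com@victim.com` (the first separator is U+FF20): before normalization it contains a single ASCII `@` and passes a naive check; after NFKC it contains two and is rejected.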
The Prisma adapter documentation now includes instructions for Prisma Postgres with Accelerate extension, updated installation commands, initialization steps, and configuration examples across all database adapter patterns. The guide also clarifies setup differences between Prisma Postgres and other databases.
Documentation examples for Drizzle SQLite table definitions were updated to use the newer array API syntax instead of object syntax for primary key constraints. This reflects current best practices in the Drizzle adapter documentation.
The release workflow now runs on merge queue events, allowing the CI pipeline to validate changes during GitHub's merge queue process for better protection against race conditions in the release branch.
Deleted the Carbon Ads widget and related styling from the documentation sidebar footer. This removes the advertising component that was previously displayed to users browsing the docs.
Deleted the version-pr npm script from package.json as it was no longer being used in the project.
Updated two documentation links for credentials-based authentication to point to the new getting-started guide instead of the concepts page.
All Auth.js adapter and framework packages have been bumped to their next minor versions across 29 package.json files, including core (0.40.0→0.41.0), adapters (e.g., Prisma 2.10.0→2.11.0), and frameworks (e.g., Express 0.11.0→0.12.0).
Resolved unit test failures in the Firebase adapter by removing a hardcoded database URL, adjusting the Firestore emulator startup sequence to wait longer (10s instead of 5s), using the correct emulator host configuration, and adding a dedicated vitest config with extended timeouts.