chore(deps): bump the npm-deps group across 1 directory with 4 updates #17

Open
dependabot[bot] wants to merge 1 commit into main from
dependabot/npm_and_yarn/npm-deps-bbbd8ac4e6

@dependabot dependabot Bot commented on behalf of github Apr 30, 2026

Bumps the npm-deps group with 4 updates in the / directory: better-auth, eslint, fallow and tap.

Updates better-auth from 1.6.5 to 1.6.8

Release notes

Sourced from better-auth's releases.

v1.6.8

better-auth

Bug Fixes

  • Fixed mapProfileToUser fallback for OAuth providers that may omit email from their profile response (#9331)
  • Fixed support for passing id through beforeCreateTeam and beforeCreateInvitation hooks (#9253)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed authorization flows that do not include a state parameter (#9328)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed incompatibility with TypeScript's exactOptionalPropertyTypes compiler option (#9270)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​baptisteArno, @​gustavovalverde, @​ping-maxwell

Full changelog: v1.6.7...v1.6.8

v1.6.7

better-auth

Features

  • Added support for an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

  • Fixed response headers being lost when an APIError is thrown (#9211)
  • Fixed browser and edge runtime errors by serving a no-op ./instrumentation module in those environments (#9281)
  • Fixed a crash when parsing OAuth2 state with an undefined request body (#9293)
  • Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)

For detailed changes, see CHANGELOG

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.8

Patch Changes

  • #9253 856ab24 Thanks @​baptisteArno! - fix(organization): allow passing id through beforeCreateTeam and beforeCreateInvitation

    Mirrors #4765 for teams and invitations: adapter.createTeam and adapter.createInvitation now pass forceAllowId: true, so ids returned from the respective hooks survive the DB insert.

  • #9331 9aa8e63 Thanks @​gustavovalverde! - fix(oauth): support mapProfileToUser fallback for providers that may omit email

    Social sign-in with OAuth providers that may return no email address (Discord phone-only accounts, Apple subsequent sign-ins, GitHub private emails, Facebook, LinkedIn, and Microsoft Entra ID managed users) can now be unblocked by synthesizing an email inside mapProfileToUser. Rejection logger messages now point at this workaround and at the new "Handling Providers Without Email" docs section.

    Provider profile types now reflect where email can be null or absent:

    • DiscordProfile.email is string | null and optional (absent when the email scope is not granted)
    • AppleProfile.email is optional
    • GithubProfile.email is string | null
    • FacebookProfile.email is optional
    • FacebookProfile.email_verified is optional (Meta's Graph API does not include this field)
    • LinkedInProfile.email is optional
    • LinkedInProfile.email_verified is optional
    • MicrosoftEntraIDProfile.email is optional

    TypeScript consumers who previously dereferenced profile.email directly inside mapProfileToUser will see a compile error that matches the runtime reality; use a nullish-coalescing fallback (profile.email ?? ...) or null-check the field.

    Sign-in still rejects with error=email_not_found (social callback) or error=email_is_missing (Generic OAuth plugin) when neither the provider nor mapProfileToUser produces an email. First-class support for users without an email, keyed on (providerId, accountId) per OpenID Connect Core §5.7, is tracked in #9124.

  • Updated dependencies [9aa8e63]:

    • @​better-auth/core@​1.6.8
    • @​better-auth/drizzle-adapter@​1.6.8
    • @​better-auth/kysely-adapter@​1.6.8
    • @​better-auth/memory-adapter@​1.6.8
    • @​better-auth/mongo-adapter@​1.6.8
    • @​better-auth/prisma-adapter@​1.6.8
    • @​better-auth/telemetry@​1.6.8

1.6.7

Patch Changes

  • #9211 307196a Thanks @​stewartjarod! - Preserve Set-Cookie headers accumulated on ctx.responseHeaders when an endpoint throws APIError. Cookie side-effects from deleteSessionCookie (and any ctx.setCookie / ctx.setHeader calls before the throw) are no longer silently discarded on the error path.

  • #9292 4f373ee Thanks @​gustavovalverde! - Accept an array of Client IDs on providers that verify ID tokens by audience (Google, Apple, Microsoft Entra, Facebook, Cognito). The first entry is used for the authorization code flow; all entries are accepted when verifying an ID token's aud claim, so a single backend can serve Web, iOS, and Android clients with their platform-specific Client IDs.

    socialProviders: {
      google: {
        clientId: [
          process.env.GOOGLE_WEB_CLIENT_ID!,
          process.env.GOOGLE_IOS_CLIENT_ID!,
          process.env.GOOGLE_ANDROID_CLIENT_ID!,

... (truncated)

Commits
  • b289ac6 chore: release v1.6.8 (#9316)
  • 9aa8e63 fix(oauth): support mapProfileToUser fallback for providers that may omit e...
  • 856ab24 fix(organization): allow passing id through beforeCreateTeam and `beforeCre...
  • f8076d1 chore: release v1.6.7 (#9289)
  • 4f373ee feat(social-providers): accept array of Client IDs for ID token audience (#9292)
  • e1b1cfc fix(oauth2): guard against undefined body when parsing state (#9293)
  • d053a45 fix(phone-number): call callbackOnVerification when updatePhoneNumber is enab...
  • 307196a fix(api): preserve response headers when APIError is thrown (#9211)
  • 0290077 chore: release v1.6.6 (#9222)
  • 9ea7eb1 fix(cookies): preserve partitioned attribute on set-cookie round-trip (#9235)
  • Additional commits viewable in compare view

Updates eslint from 10.2.0 to 10.2.1

Release notes

Sourced from eslint's releases.

v10.2.1

Bug Fixes

  • 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
  • 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
  • af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
  • e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

  • ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
  • 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
  • c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
  • 1418d52 docs: Update README (GitHub Actions Bot)
  • 39771e6 docs: Update README (GitHub Actions Bot)
  • 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
  • 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
  • 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

  • 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
  • fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
  • 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
  • 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])
  • 51080eb test: processor service (#20731) (kuldeep kumar)
  • e7e1889 chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)
  • 4e1a87c test: remove redundant async/await in flat config array tests (#20722) (Pixel998)
  • 066eabb test: add rule metadata coverage for languages and docs.dialects (#20717) (Pixel998)
Commits

Updates fallow from 2.40.3 to 2.46.0

Release notes

Sourced from fallow's releases.

v2.46.0 — Block Claude Code commits on fallow audit + Zed extension

Headlines

Block Claude Code commits and pushes on fallow audit

fallow setup-hooks generates a Claude Code PreToolUse gate that intercepts the agent's git commit / git push Bash calls, runs fallow audit --format json --quiet --explain, and blocks with exit 2 + the audit JSON on stderr whenever the verdict is fail. Claude reads the _meta.docs links and actions arrays attached to every finding, fixes the code, and retries the command.

# Install the project-level gate
fallow setup-hooks
# Or install once under ~/ so every repo Claude opens is gated
fallow setup-hooks --user
# Remove the gate
fallow setup-hooks --uninstall

Features:

  • Merges into existing .claude/settings.json: non-fallow handlers in the same Bash matcher group are preserved; only the fallow entry is replaced on upgrade.
  • Idempotent: repeat runs print unchanged and exit 0. Second install is a no-op; second uninstall reports "not present."
  • Self-healing upgrade path: detects and cleans up handler commands from older manual setups (absolute paths, ~/-based paths, Windows drive paths, quoted or unquoted variants) so re-running the installer converges on the canonical form without duplicates.
  • Fails open with one stderr line: missing jq, missing fallow, runtime audit errors, and non-zero exits all print a fallow-gate: notice to stderr and let the command through, so agents never silently trust a missing gate.
  • Codex fallback: when AGENTS.md or .codex/ is present, maintains a managed block between <!-- fallow:setup-hooks:start/end --> markers with Codex-readable instructions. Idempotent across runs.
  • --dry-run, --force, --user, --gitignore-claude flags.
  • Structured summary output: per-path action descriptions with handler counts (updated (1 handler added, 1 preserved)).

Full recipe and manual setup steps at https://docs.fallow.tools/integrations/claude-hooks.

Zed editor extension

Fallow is now available for Zed alongside the existing VS Code extension. Thanks @​M-Hassan-Raza (#164).

Bug fixes

  • Health baselines survive line-number churn. Previously keyed on file + function + line_start; any refactor that shifted lines invalidated every entry and re-reported the same findings as "new." Now keyed on file + function + qualified_name, matching the dead-code and duplication baselines. Closes #169. Thanks @​M-Hassan-Raza.
  • fallow --save-baseline <path> auto-creates the parent directory. Copy-pasting the fallow-baselines/dead-code.json example into a fresh repo used to error; now it does mkdir -p first. Applies to dead-code, health, and dupes save-baseline paths.
  • Shallow nested package scripts are discovered again. The package-script walker stopped descending into workspaces/*/package.json entries one directory below the root. Now follows shallow nesting the same way it follows deep nesting.

Get it

npx fallow@2.46.0
# or
npm install -g fallow@2.46.0

Full Changelog: fallow-rs/fallow@v2.45.1...v2.46.0

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.46.0] - 2026-04-23

Added

  • fallow setup-hooks generates a Claude Code PreToolUse gate that intercepts Claude's git commit / git push Bash tool calls, runs fallow audit --format json --quiet --explain, and blocks with exit 2 + JSON-to-stderr on verdict: "fail". The agent reads the full audit envelope (including _meta.docs links and actions arrays on every finding), fixes the code, and retries. Runtime errors fail open with a single stderr notice so skips stay visible rather than silently trusting a missing gate. Writes project-level .claude/settings.json + .claude/hooks/fallow-gate.sh (chmod 755 on Unix), and optionally maintains an idempotent managed block in AGENTS.md between <!-- fallow:setup-hooks:start/end --> markers as a Codex fallback while Codex hooks stabilise. Flags: --agent claude|codex, --dry-run, --force, --user (installs globally under ~/.claude/ with a $HOME-based handler command), --gitignore-claude, --uninstall. The uninstall path removes the fallow handler while preserving any non-fallow handlers in the same matcher group, deletes the hook script if it still carries the generator marker, and strips the managed AGENTS.md block; idempotent on repeat runs. Re-running the installer upgrades handlers written by earlier manual setups (absolute paths, ~/-based paths, Windows drive paths) to the canonical "$CLAUDE_PROJECT_DIR" form without leaving duplicates. See https://docs.fallow.tools/integrations/claude-hooks.
  • Zed editor extension. Thanks @​M-Hassan-Raza (#164).

Fixed

  • Health baselines survive line-number churn. The health baseline keyed on file + function + line_start, so any refactor that shifted lines invalidated every entry and reported the same findings as "new." The key now uses file + function + qualified_name (line-stable), mirroring the dead-code and duplication baselines. Closes #169. Thanks @​M-Hassan-Raza.
  • fallow --save-baseline <path> auto-creates the parent directory. Copy-pasting the fallow-baselines/dead-code.json example into a fresh repo used to error with "No such file or directory" because the baseline writer never ran mkdir -p. Applies to dead-code, health, and dupes save-baseline paths.
  • Shallow nested package scripts are discovered again. The package-script walker stopped descending into workspaces/*/package.json entries that lived one directory below the root, silently dropping nested script declarations from the entry-point graph. The walker now follows shallow nesting the same way it follows deep nesting.

[2.45.1] - 2026-04-22

Fixed

  • Istanbul --coverage now matches functions produced by standard Istanbul tooling (Jest, nyc, c8, babel-plugin-istanbul). Standard Istanbul producers omit the non-standard FnEntry.line field that oxc-coverage-instrument writes, so fallow's load_istanbul_coverage silently defaulted the line to 0 and every lookup failed — istanbul_matched: 0 out of N, all CRAP scores fell back to binary estimation, and --max-crap ran against estimates instead of real coverage. The loader now falls back to FnEntry.decl.start.line when FnEntry.line is missing, restoring the anonymous-by-line and fuzzy lookup paths for Jest/nyc/c8-produced coverage while preserving the fast path for oxc-coverage-instrument output. Closes #166.
  • Repeated "entry point outside project root" warnings collapse into a single diagnostic. Monorepos with shared entry points (e.g. workspace package.json pointing at a sibling build output) used to emit the same warning once per analysis target, spamming stderr with dozens of identical lines. The warnings are now deduplicated with a counted summary so the signal stays visible without drowning out other diagnostics.
  • fallow dupes tuning flags (--min-lines, --min-tokens, --mode, --cross-language) are forwarded correctly in combined GitLab CI mode. The wrapper's combined-mode ARGS=() block built the dupes invocation without reading the FALLOW_DUPES_* env vars, so user overrides set in .gitlab-ci.yml silently became defaults. Fix pairs with the same GitHub Action fix from v2.44.x so both CI integrations honor the same tuning surface.
  • Entry point discovery and VS Code extension downloads are hardened. The entry-point walker now tolerates package manifests with missing / non-object bin or exports fields instead of aborting discovery, and the VS Code extension's binary-download path validates content-length + checksum against the expected artifact before unpacking (no more silent half-downloads that fail the first fallow invocation with an opaque error).
  • CLI stderr noise reduced on normal runs. Incidental tracing / println! lines that leaked into stderr during analysis (progress prints, one-off debug lines) are gone; FALLOW_QUIET=1 runs are byte-clean on stdout/stderr for scripting integrations.
  • --changed-since now includes untracked files that were added in the working tree but not yet committed. Changed-scope filtering based on git diff missed brand-new files until they were staged, so a PR-style run (--changed-since origin/main) could falsely report zero issues on new code. Untracked-and-added paths are now folded into the changed set.
  • Production coverage signal alignment in CI reporting. fallow health --production-coverage output now consistently reports the same matched / unmatched / stale counts across human, JSON, markdown, and the GitHub Action / GitLab CI summary + annotation pipelines. Prior releases could show different subtotals depending on whether combined mode or the standalone command ran.

[2.45.0] - 2026-04-22

Added

  • Static inventory extractor (fallow-extract). New extraction phase that produces a per-file list of exported functions keyed by (path, name, line). Feeds the line-aware production-coverage matcher so runtime samples can be joined against the AST view of "every function that exists" without collisions on overloaded names.
  • fallow coverage upload-inventory. Uploads the static function inventory to fallow cloud so the Production Coverage dashboard can filter untracked functions (the AST side of the join: functions that exist in the code but were never observed at runtime). Requires a valid license. See https://docs.fallow.tools/analysis/production-coverage.

Fixed

  • External CSS packages imported from Vue SFC <style> blocks are credited as used. CSS-only design-system packages imported only through <style src="pkg/dist/style.css"> or an @import "pkg/..." inside a Vue SFC <style> block used to be reported as unused-dependencies because the Vue plugin only walked script imports. A new external-style scanner now recognizes style-side package imports declared in .vue SFCs and credits the npm package, eliminating the false positive for Vue + Vite design-system codebases.
  • compilerOptions.paths aliases in tsconfig.json are honored. Path aliases like "@/*": ["src/*"] declared in compilerOptions.paths are now extracted by the TypeScript plugin and registered as resolver path aliases, so @/foo imports resolve to src/foo in projects that rely on alias-only paths without a matching vite.config / webpack.config rewrite.
  • tsconfig.references entries pointing at a .json file directly are followed. References of the form { "path": "./tsconfig.app.json" } are now resolved to the literal file rather than getting tsconfig.json concatenated onto them, fixing reference-chain walking for the common "one tsconfig per build" pattern.
  • Coverage inventory upload aligned with line-aware function identity. fallow coverage upload-inventory now emits records keyed by (file, name, line) to match the line-aware sidecar protocol introduced alongside v2.44.x, replacing the older line-less identity that could collide on overloaded / re-declared names. Upload integration hardened against CI-only path normalization regressions that surfaced on Linux runners.

[2.44.2] - 2026-04-21

Fixed

  • Class members used only through interface-typed bindings are no longer flagged unused. When a class method was called only via an interface-typed variable or parameter (e.g. const strategy: VirtualScrollStrategy = ...; strategy.attach(); where FixedSizeScrollStrategy implements VirtualScrollStrategy), the method appeared as an unused class member because the access resolved to the interface name, not the implementer. The extractor now tracks type-annotated bindings (locals, parameters, class fields, parameter properties) alongside new ClassName() bindings, and the member-usage analysis propagates interface member accesses to every class that implements the interface. Same-named interface exports in separate files stay isolated by ExportKey, so unrelated implementers do not silently credit each other. Cache version bumped to 44 so warm caches pick up the new extraction records on upgrade. Closes #132. Thanks @​M-Hassan-Raza.
  • react-router.config.ts route modules with a routesFn are honored. Config-driven route modules (import { flatRoutes } from "@react-router/fs-routes"; export default { routes: flatRoutes() }) are now extracted the same way as static routes: [...] arrays, so route files referenced only through the filesystem convention are no longer reported as unused files in React Router 7 apps.
  • rand 0.8 re-pinned in fallow-license dev-dependencies. A Dependabot bump to rand 0.9 broke the OsRng + SignatureEncoding wiring used by test key generation; the release build never exercised that path so CI missed the regression. Dev-deps now stay on 0.8 until the signing path is ported to 0.9's new TryRngCore trait set.

[2.44.1] - 2026-04-21

Fixed

... (truncated)

Commits
  • b4b497d chore: release v2.46.0
  • 5b18367 fix: harden setup-hooks upgrades
  • 17c4ba5 fix: harden setup-hooks and baseline defaults
  • 942df31 feat(setup-hooks): add --uninstall, structured summary, init cross-ref
  • f05ae9a fix: make health baselines resilient to line churn (#169)
  • 0c1dfb2 fix(setup-hooks): tighten install based on live-test feedback
  • 9974825 docs: clarify compliance baselines and audit gate
  • 5298468 feat(cli): add setup-hooks for Claude Code PreToolUse gate
  • a0e9ba4 feat: add a Zed extension (#164)
  • 742df71 fix: discover shallow nested package scripts
  • Additional commits viewable in compare view

Updates tap from 21.7.0 to 21.7.1

Commits

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 30, 2026

Bumps the npm-deps group with 4 updates in the / directory: [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth), [eslint](https://github.com/eslint/eslint), [fallow](https://github.com/fallow-rs/fallow) and [tap](https://github.com/tapjs/tapjs).


Updates `better-auth` from 1.6.5 to 1.6.8
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.8/packages/better-auth)

Updates `eslint` from 10.2.0 to 10.2.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.2.0...v10.2.1)

Updates `fallow` from 2.40.3 to 2.46.0
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.40.3...v2.46.0)

Updates `tap` from 21.7.0 to 21.7.1
- [Release notes](https://github.com/tapjs/tapjs/releases)
- [Commits](https://github.com/tapjs/tapjs/commits)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.45.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: tap
  dependency-version: 21.7.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot changed the title from "chore(deps): bump the npm-deps group with 4 updates" to "chore(deps): bump the npm-deps group across 1 directory with 4 updates" Apr 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-deps-bbbd8ac4e6 branch from 382ee30 to d7145b8 Compare April 30, 2026 11:06
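
The #9292 entry in the better-auth 1.6.7 changelog above says the first client ID drives the authorization code flow while every entry is accepted when verifying an ID token's aud claim. That check, as an added example (not better-auth's code and not part of this pull request); the function names, the constructed client IDs and the azp rule taken from OpenID Connect Core §3.1.3.7 are assumptions of the example.

```javascript
// Added example, not better-auth's implementation. Client IDs are constructed.

// Normalise the configured clientId (string or array) and fail closed on unset
// entries: an `undefined` from a missing env var must never reach the comparison.
function configuredClientIds(clientId) {
  const ids = Array.isArray(clientId) ? clientId : [clientId];
  if (ids.length === 0 || ids.some((id) => typeof id !== "string" || id === "")) {
    throw new Error("clientId must be a non-empty string or an array of them");
  }
  return ids;
}

// Per the changelog entry, the first entry drives the authorization code flow.
function authorizationCodeClientId(clientId) {
  return configuredClientIds(clientId)[0];
}

// Decode the payload of a compact JWT. This does NOT verify the signature;
// signature, iss and exp checks must pass before the claims are trusted.
function decodeClaims(idToken) {
  const parts = String(idToken).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Accept the token only if one of its audiences is one of our client IDs.
// The azp handling follows OpenID Connect Core 3.1.3.7 and is applied strictly
// here (the specification words both azp checks as SHOULD).
function checkAudience(claims, clientId) {
  const accepted = configuredClientIds(clientId);
  const aud = claims?.aud;
  const azp = claims?.azp;
  const audList = Array.isArray(aud) ? aud : [aud];
  // Only string audiences can match, so a missing aud claim is always rejected.
  const matched = audList.find((a) => typeof a === "string" && accepted.includes(a));
  if (matched === undefined) return { ok: false, reason: "aud_mismatch" };
  if (audList.length > 1 && azp === undefined) {
    return { ok: false, reason: "azp_missing" };
  }
  if (azp !== undefined && !accepted.includes(azp)) {
    return { ok: false, reason: "azp_mismatch" };
  }
  return { ok: true, matchedClientId: matched };
}

// Constructed sample token (placeholder signature) so the example runs offline.
function makeUnsignedToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}.constructed-signature`;
}

const CLIENT_IDS = ["web.apps.example", "ios.apps.example", "android.apps.example"];
const iosToken = makeUnsignedToken({ iss: "https://idp.example", aud: "ios.apps.example" });

console.log(authorizationCodeClientId(CLIENT_IDS));
console.log(checkAudience(decodeClaims(iosToken), CLIENT_IDS));
console.log(checkAudience({ aud: "someone-else.example" }, CLIENT_IDS));
```
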