chore(deps): bump the production-minor-patch group with 2 updates

[dependabot]

Bumps the production-minor-patch group with 2 updates: @clerk/backend and @clerk/vue.

Updates @clerk/backend from 3.4.14 to 3.5.0

Release notes

Sourced from @​clerk/backend's releases.

@​clerk/backend@​3.5.0

Minor Changes

• Add support for new Backend API user endpoints: (#8694) by @​dmoerner
  • users.replaceUserEmailAddress(userId, { emailAddress }) replaces all of a user's email addresses with a single verified, primary email address (PUT /users/{user_id}/email_address).
  • users.replaceUserPhoneNumber(userId, { phoneNumber }) replaces all of a user's phone numbers with a single verified, primary phone number (PUT /users/{user_id}/phone_number).
  • users.createUser now accepts banned and locked parameters to create a user that is already banned or locked.

Patch Changes

• Emit the "session token from cookie is missing the azp claim" warning once per process instead of on every authenticated request. An azp-less cookie token is reused across requests, so the previous unguarded console.warn could flood production logs. (#8698) by @​jacekradko

• Stop authenticateRequest from consuming the incoming request body, which previously left downstream handlers unable to read it (for example a Hono POST route calling c.req.json()). (#8708) by @​jacekradko

• Prevent keyless mode from activating in CI and other automated environments in framework SDKs. (#8676) by @​mwickett

• Preserve custom claims when verifying JWT-format M2M tokens. M2MToken.fromJwtPayload previously hardcoded claims to null, so client.m2m.verify() (and request-level auth()) dropped any custom claims embedded in the token. Custom claims are now reconstructed from the verified payload by stripping only the structural claims the backend adds when minting the token (iss, sub, exp, nbf, iat, jti). User-supplied claims such as aud are preserved. Tokens without custom claims still return claims: null, consistent with the opaque-token path. (#8697) by @​jacekradko

• Strip private_metadata from the backend resource _raw payload in stripPrivateDataFromObject, preventing it from leaking into __clerk_ssr_state when a User/Organization resource is passed to buildClerkProps. (#8702) by @​dominic-clerk

• Updated dependencies [afb75e6, c3df67a, 86fd38f, 8d6bb56, 43dfefa, 5fc7b21, c2ba134]:

  • @​clerk/shared@​4.15.0

Changelog

Sourced from @​clerk/backend's changelog.

3.5.0

Minor Changes

• Add support for new Backend API user endpoints: (#8694) by @​dmoerner
  • users.replaceUserEmailAddress(userId, { emailAddress }) replaces all of a user's email addresses with a single verified, primary email address (PUT /users/{user_id}/email_address).
  • users.replaceUserPhoneNumber(userId, { phoneNumber }) replaces all of a user's phone numbers with a single verified, primary phone number (PUT /users/{user_id}/phone_number).
  • users.createUser now accepts banned and locked parameters to create a user that is already banned or locked.

Patch Changes

• Emit the "session token from cookie is missing the azp claim" warning once per process instead of on every authenticated request. An azp-less cookie token is reused across requests, so the previous unguarded console.warn could flood production logs. (#8698) by @​jacekradko

• Stop authenticateRequest from consuming the incoming request body, which previously left downstream handlers unable to read it (for example a Hono POST route calling c.req.json()). (#8708) by @​jacekradko

• Prevent keyless mode from activating in CI and other automated environments in framework SDKs. (#8676) by @​mwickett

• Preserve custom claims when verifying JWT-format M2M tokens. M2MToken.fromJwtPayload previously hardcoded claims to null, so client.m2m.verify() (and request-level auth()) dropped any custom claims embedded in the token. Custom claims are now reconstructed from the verified payload by stripping only the structural claims the backend adds when minting the token (iss, sub, exp, nbf, iat, jti). User-supplied claims such as aud are preserved. Tokens without custom claims still return claims: null, consistent with the opaque-token path. (#8697) by @​jacekradko

• Strip private_metadata from the backend resource _raw payload in stripPrivateDataFromObject, preventing it from leaking into __clerk_ssr_state when a User/Organization resource is passed to buildClerkProps. (#8702) by @​dominic-clerk

• Updated dependencies [afb75e6, c3df67a, 86fd38f, 8d6bb56, 43dfefa, 5fc7b21, c2ba134]:

  • @​clerk/shared@​4.15.0

Commits

• c9d9e6a ci(repo): Version packages (#8679)
• 86fd38f fix(repo): harden keyless accountless requests (#8676)
• fb184de fix(backend): strip private_metadata from resource _raw in SSR sanitizer (#8702)
• ff0cfef fix(backend): stop authenticateRequest from consuming the request body (#8708)
• be55c4e fix(backend): preserve custom claims when verifying JWT M2M tokens (#8697)
• 1701e0f feat(backend): Support recent BAPI users and email/phone features (#8694)
• 1c42351 fix(backend): warn once for azp-less cookie token instead of per request (#8698)
• See full diff in compare view

Updates @clerk/vue from 2.3.2 to 2.3.3

Release notes

Sourced from @​clerk/vue's releases.

@​clerk/vue@​2.3.3

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 86fd38f, 8d6bb56, 43dfefa, 5fc7b21, c2ba134]:
  • @​clerk/shared@​4.15.0

Changelog

Sourced from @​clerk/vue's changelog.

2.3.3

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 86fd38f, 8d6bb56, 43dfefa, 5fc7b21, c2ba134]:
  • @​clerk/shared@​4.15.0

Commits

• c9d9e6a ci(repo): Version packages (#8679)
• cfb9394 ci(repo): extend break-check coverage to all SDK packages (#8691)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Security audit status (production deps only): unknown

The full-tree audit (including dev tooling like vitepress/wrangler) is now non-blocking to avoid brittleness from known build-dep CVEs.
Only high-severity issues affecting production/runtime will block auto-merge.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[github-actions]

Cloudflare Pages preview: https://dependabot-npm-and-yarn-prod.autovault-website.pages.dev

Commit: 83d346593690056164332ea9436d20d6056c706b