fix(deps): update dependency better-auth to v1.1.16 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
better-auth (source)	1.1.10 -> 1.1.16

GitHub Vulnerability Alerts

GHSA-9x4v-xfq5-m8x5

Summary

The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.

Details

The value of error URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81

PoC

https://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E

Impact

An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser.

Because better-auth is a dependency of web applications, the impact of such a vulnerability is unknowable; it depends on the functionality of the application/site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an administrator with elevated permissions and access.

---

Release Notes

better-auth/better-auth (better-auth)

v1.1.16

Compare Source

   🚀 Features

• Add cookie helper for middlewares  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1275 (2eca1)
• Add refetch function for all client hooks  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1206 (05afc)

   🐞 Bug Fixes

• Trigger session update on delete user  -  by @​Bekacru (0df2b)
• Handle converting date on session parsing from cookie cache  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1342 (90064)
• Google IdToken auth issuer mismatch  -  by @​abegehr in https://github.com/better-auth/better-auth/issues/1351 (e83c0)
• Make session table optional when secondary storage is provided  -  by @​Bekacru (4c2ef)
• anonymous:
  • Add sign-up route to linking matcher  -  by @​Bekacru (6e659)
  • Link account user and session type should be less strict  -  by @​Bekacru (2cb80)
• drizzle:
  • Incorrect call to getModelName  -  by @​chrnorm in https://github.com/better-auth/better-auth/issues/1329 (9a3e2)
  • Drizzle adapter failing to return data on create and update when using mysql  -  by @​Kinfe123 in https://github.com/better-auth/better-auth/issues/1358 (4748b)
• oidc:
  • Missing content type header on openId configuration endpoint  -  by @​Bekacru (cb91d)
• passkey:
  • Use options base url for rpID  -  by @​Bekacru (2da63)
• security:
  • Santize query param on error page  -  by @​Bekacru (7ae34)

    View changes on GitHub

v1.1.15

Compare Source

   🚀 Features

• Allow manually linking account with different email address than user  -  by @​D3visionNL in https://github.com/better-auth/better-auth/issues/1238 (14377)
• Support .js config  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1256 (db4b4)
• Support mssql directly  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1255 (d7b4d)

   🐞 Bug Fixes

• Allow plugins to set email and password values  -  by @​kzlar in https://github.com/better-auth/better-auth/issues/1212 (f61d8)
• Improve additional fields inference ts server performance  -  by @​Bekacru (fe066)
• Ensure correct status code for unverified email in sign-in  -  by @​DilbertRV in https://github.com/better-auth/better-auth/issues/1262 (1e6b2)
• Expo client with cookie-cache overwrites the original token  -  by @​kzlar in https://github.com/better-auth/better-auth/issues/1269 (1280c)
• Make plugin options type exports consistent  -  by @​hongkongkiwi in https://github.com/better-auth/better-auth/issues/1270 (13d24)
• Allow custom body properties  -  by @​Bekacru (ab325)
• Mssql returning should use outputAll  -  by @​Bekacru (a8bfe)
• Use redirect URI from options rather than manually overriding  -  by @​arlyon in https://github.com/better-auth/better-auth/issues/1289 (cff6a)
• sendInvitationEmail use lowercase email  -  by @​ping-maxwell in https://github.com/better-auth/better-auth/issues/1283 (5f34c)
• expo: Make expo origin override optional  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1236 (18e9e)
• oauth-proxy: Add production url param for oauth proxy  -  by @​Bekacru (66bff)
• organization: Update list organization atom on update organization  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1235 (4f456)
• passkey: GetRpID did not trim path when baseURL has no port  -  by @​canstand in https://github.com/better-auth/better-auth/issues/1250 (dfcce)
• rate-limiter: Convert bigint lastRequest to number  -  by @​ammarmbe in https://github.com/better-auth/better-auth/issues/1232 (12c7d)

    View changes on GitHub

v1.1.14

Compare Source

   🚀 Features

• Support Microsoft Entra ID select_account prompt  -  by @​t3duk in https://github.com/better-auth/better-auth/issues/1219 (e57b1)
• Add organization deletion config  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1227 (0046e)

   🐞 Bug Fixes

• generic-oauth: Remove code verifier on verification request if pkce isn't enabled  -  by @​Bekacru (6dc84)

    View changes on GitHub

v1.1.13

Compare Source

   🐞 Bug Fixes

• Mark nanostore and better fetch as direct dependencies  -  by @​Bekacru (4a89f)

    View changes on GitHub

v1.1.12

Compare Source

   🚀 Features

• Custom schema options for username plugin  -  by @​ping-maxwell in https://github.com/better-auth/better-auth/issues/1129 (6c64a)
• Add IdToken login support for facebook  -  by @​reslear in https://github.com/better-auth/better-auth/issues/1078 (f5db2)
• SecondaryStorage and storeSessionInDatabase behavior  -  by @​wh5938316 in https://github.com/better-auth/better-auth/issues/1172 (b27b5)
• New user callback url for sso and generic oauth  -  by @​kzlar in https://github.com/better-auth/better-auth/issues/1176 (1a97e)
• magic-link: Support passing name for registration through magic link  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1205 (68c4d)

   🐞 Bug Fixes

• Remove current url from requests  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1187 (3aa95)
• Number mapping for rate limit migration  -  by @​iqorex in https://github.com/better-auth/better-auth/issues/1191 (b8c46)
• Remove current url from requests "  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1187 (fd457)
• Remove current url from requests  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1193 (35df4)
• Database hooks merge issue with plugin  -  by @​kzlar in https://github.com/better-auth/better-auth/issues/1177 (f3090)
• Update scope on oauth re-login  -  by @​Bekacru (2161e)
• vue: Failing hook type  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1207 (b42fa)

    View changes on GitHub

v1.1.11

Compare Source

   🐞 Bug Fixes

• Check new user callback url  -  by @​Bekacru (e97e2)
• Stricter origin check  -  by @​hyoban in https://github.com/better-auth/better-auth/issues/1158 (0816e)
• Validate org membership to get organization details  -  by @​msywulak (e2bde)
• Remove trailing slashes from base url  -  by @​snelusha in https://github.com/better-auth/better-auth/issues/1182 (db4f9)
• anonymous: Filter specefic endpoints for linking  -  by @​Bekacru (a1db4)
• expo: Support linking for new user and error callbacks  -  by @​kzlar in https://github.com/better-auth/better-auth/issues/1181 (52c06)
• jwt: Add required alg parameter to importJWK  -  by @​9j in https://github.com/better-auth/better-auth/issues/1161 (e06c9)
• two-factor: Set updated userinfo in cookie cache on 2fa disable  -  by @​Scooter1337 in https://github.com/better-auth/better-auth/issues/1140 (42503)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.