feat: remove react from next-auth, move to vue#1
Open
phoenix-ru wants to merge 23 commits into
Open
Conversation
commit: |
The inline email normalizer validated the address on the ASCII `@` before any
Unicode normalization. A character that is a homoglyph of `@` — e.g. U+FF20
FULLWIDTH COMMERCIAL AT — passed the single-`@` (atCount) check, but can be
canonicalized to an ASCII `@` by a downstream address parser (NFKC), splitting
the address into multiple recipients (CWE-180: validate before canonicalize).
Apply `String.prototype.normalize("NFKC")` before validation so any such
homoglyph becomes a real `@` and is rejected by the existing atCount check.
Behaviour on legitimate addresses is unchanged. Adds a regression test.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
(cherry picked from commit 19d2feb)
`detectOrigin` returned the auto-detected forwarded host whenever `VERCEL`/`AUTH_TRUST_HOST` was set, ignoring an explicitly configured `NEXTAUTH_URL`. A configured canonical URL should always win; only fall back to the forwarded host when no `NEXTAUTH_URL` is set. Adds unit tests for detectOrigin precedence. (cherry picked from commit 2a39465)
fix(github): add issuer to github (cherry picked from commit 0497da4)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
☕️ Reasoning
This PR removes
react,preactandnextdependencies from thenext-authpackage, replacing the functionality withvueinstead, for better integration with NuxtAuth.nodemailerpeer support to allow newer patched releases and avoid known audit findings from older 7.x versions. Consumers using advanced Nodemailer options should review the breaking changes in 8.0 and 9.0, especially auth error codes and stricter TLS validation for remote content/OAuth/proxy requests.🧢 Checklist
🎫 Affected issues
📌 Resources