
chore(deps): bump the npm-deps group across 1 directory with 4 updates #27

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-deps-25f8a3c6d2

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Contributor

Bumps the npm-deps group with 4 updates in the / directory: better-auth, date-fns, eslint and fallow.

Updates better-auth from 1.6.11 to 1.6.14

Release notes

Sourced from better-auth's releases.

v1.6.14

better-auth

Bug Fixes

  • Fixed Google One Tap authenticating the wrong user when the presented Google account was already linked to a different local user.
  • Fixed null values being rejected for optional fields in the generated database schema (#9841)
  • Fixed getSessionCookie to prefer the __Secure- prefixed cookie over a non-secure leftover, preventing a stale cookie from shadowing the current session (#9806)
  • Fixed redirect URI validation to work on all supported runtimes and to reject URIs containing a fragment component per RFC 6749 §3.1.2 (#9845)
  • Fixed organization invitation verification to restore the normal emailed-invitation flow while enforcing stricter email verification for externally controlled or predictable invitation IDs (#9877)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML Single Logout leaving the user signed in due to the logout handlers matching the session by ID instead of token.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​bytaesu, @​gustavovalverde

Full changelog: v1.6.13...v1.6.14

v1.6.13

better-auth

Features

  • Added support for server-side accountInfo calls with an optional userId parameter, allowing trusted callers to read provider profiles without constructing session headers (#9813)

Bug Fixes

  • Clarified that viewBackupCodes is a server-only function not accessible via HTTP in its API documentation (#9822)
  • Fixed Google One Tap authenticating the wrong user when the presented Google account is already linked to a different local user, by resolving identity through the shared OAuth path
  • Fixed storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, preventing oversized-cookie errors on platforms like AWS Lambda (#9591)
  • Fixed updateUserInfoOnLink not being applied when linking accounts through the standard OAuth redirect flow (#8758)
  • Fixed oidc-provider and mcp plugins accepting invalid redirect_uri schemes such as javascript: and data: (#9838)
  • Fixed organization logo not accepting null, preventing users from clearing an existing logo on create and update (#9842)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.14

Patch Changes

  • #9877 2d9781a Thanks @​gustavovalverde! - Restore the normal emailed-invitation flow while documenting the stricter verification posture for organization invitations.

    Client-side listUserInvitations now always requires a verified session email because it enumerates invitation IDs from session.user.email. The requireEmailVerificationOnInvitation option now controls recipient calls that carry an invitation ID (acceptInvitation, rejectInvitation, getInvitation). When unset, Better Auth keeps the emailed-invitation sign-up flow for built-in opaque invitation IDs, including the default generator or advanced.database.generateId: "uuid", and requires verified email when invitation IDs are externally controlled or predictable, such as advanced.database.generateId: "serial" / false or custom ID generation. Apps that expose invitation IDs outside the invited user's mailbox, expose organization invitation lists to members, or require stricter ownership proof should set requireEmailVerificationOnInvitation: true or require verified email before sign-in.

  • #9841 5a2d642 Thanks @​bytaesu! - Optional fields (required: false) now accept null, not just omission. The generated input validation previously rejected null even though the column is nullable, so a nullable field could not be cleared by passing null.

  • #9845 13abc79 Thanks @​gustavovalverde! - Harden redirect-URI validation across the OAuth provider plugins. isSafeUrlScheme and SafeUrlSchema no longer call URL.canParse, which is absent on some supported runtimes and could throw or silently disable the dangerous-scheme check. They now parse with a try/catch fallback. SafeUrlSchema also rejects redirect URIs that contain a fragment component, per RFC 6749 §3.1.2.

  • #9806 9d3450a Thanks @​bytaesu! - getSessionCookie now prefers the __Secure- cookie when both it and a non-secure cookie are present, so the non-secure cookie no longer shadows the current session cookie.

  • Updated dependencies [13abc79]:

    • @​better-auth/core@​1.6.14
    • @​better-auth/drizzle-adapter@​1.6.14
    • @​better-auth/kysely-adapter@​1.6.14
    • @​better-auth/memory-adapter@​1.6.14
    • @​better-auth/mongo-adapter@​1.6.14
    • @​better-auth/prisma-adapter@​1.6.14
    • @​better-auth/telemetry@​1.6.14

1.6.13

Patch Changes

  • #9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

    auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

    The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

  • #9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

    Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

    Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

  • #9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

    /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

  • #9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

    Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

... (truncated)

Commits
  • 5038d41 chore: release v1.6.14 (#9846)
  • 2d9781a fix(organization): split invitation verification gates (#9877)
  • 5a2d642 fix: accept null for optional fields in generated schema (#9841)
  • 9d3450a fix(cookies): prefer __Secure- cookie in getSessionCookie (#9806)
  • a6f38c7 chore: release v1.6.13 (#9804)
  • 87c1a0c fix(organization): allow null logo on create and update (#9842)
  • be32012 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838)
  • 9c8ded6 docs(two-factor): mark viewBackupCodes as server-only in its API comment (#...
  • 43c08a2 fix(account): scope OAuth account identity and fix buggy internalAdapter help...
  • 23d7cbf fix(oauth): apply updateUserInfoOnLink in OAuth callback link flow (#8758)
  • Additional commits viewable in compare view

Updates date-fns from 4.3.0 to 4.4.0

Release notes

Sourced from date-fns's releases.

v4.4.0

This release revisits the approach to CDN usage, introduces a new package, @date-fns/cdn, and deprecates the date-fns CDN scripts. This allowed reducing the zipped package size from 5.83 MB down to 3.96 MB without introducing any breaking changes.

In v5.0.0-alpha.0, where CDN scripts are completely removed from date-fns, the change is more significant and brings the zipped package size down to 2.89 MB.

It is just the first step in optimizing the package size. Expect further size reduction in the future v4 and v5 versions.

Changed

  • DEPRECATED: The date-fns CDN scripts are now deprecated and will be removed in the next major release. Please switch to the new @date-fns/cdn package for CDN usage.

  • Removed CDN source maps to reduce the package size. If you rely on them, please switch to the new @date-fns/cdn package that still includes them.

Commits
  • cd53d25 Promote to v4.4.0
  • d948ec1 Preserve but deprecate CDN versions for v4, set up v5 with polyfills
  • ee65753 Add root mise :format task
  • 9f5bdf5 Add positional argument to test/smoke.sh script
  • 651ead6 Split CDN bundles into separate @​date-fns/cdn package
  • 224c1a2 Deprecate type tests as attw hangs on date-fns package
  • 7bb2842 Switch PACKAGE_OUTPUT_PATH to --dist flag in the package build script
  • b6ad5ac Add flags to control package build script
  • 424a783 Fix docs release after moving to monorepo setup
  • See full diff in compare view

Updates eslint from 10.4.0 to 10.4.1

Release notes

Sourced from eslint's releases.

v10.4.1

Bug Fixes

  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930) (Francesco Trotta)
  • d4ce898 fix: propagate failures from delegated commands (#20917) (Minh Vu)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916) (kuldeep kumar)
  • c5bc78b fix: false positive for reference in finally block (#20655) (Tanuj Kanti)
  • 27538c0 fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)

Documentation

  • 61b0add docs: remove deprecated rule from related rules of max-params (#20921) (Tanuj Kanti)
  • 305d5b9 docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)
  • 49b0202 docs: fix display: none of ad (#20901) (Tanuj Kanti)
  • 9067f94 docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)
  • c91b041 docs: Update README (GitHub Actions Bot)
  • e349265 docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)

Chores

  • b0e466b test: add data property to invalid tests cases for rules (#20924) (Tanuj Kanti)
  • f78838b test: add CodePath type coverage (#20904) (Pixel998)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20922) (Francesco Trotta)
  • 002942c ci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)
  • 64bca24 chore: update ecosystem plugins (#20912) (ESLint Bot)
  • 6d7c832 chore: ignore fflate updates in renovate (#20908) (Pixel998)
  • b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#20889) (dependabot[bot])
  • a9b8d7f chore: increase maxBuffer for ecosystem tests (#20881) (sethamus)
  • b702ead chore: update ecosystem update PR settings (#20884) (Pixel998)
  • 507f60e chore: update ecosystem plugins (#20882) (ESLint Bot)
  • 92f5c5b test: add unit test for message-count (#20878) (kuldeep kumar)
  • df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#20837) (sethamus)
  • 327f91d chore: use includeIgnoreFile internally (#20876) (Kirk Waiblinger)
  • f0dc4bd chore: pin fflate@0.8.2 (#20877) (Milos Djermanovic)
  • 0f4bd25 ci: run Discord alert for ecosystem test failures (#20873) (Copilot)
Commits
  • 4a3d15a 10.4.1
  • 43e7e2b Build: changelog update for 10.4.1
  • e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#20930)
  • b0e466b test: add data property to invalid tests cases for rules (#20924)
  • d4ce898 fix: propagate failures from delegated commands (#20917)
  • f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#20916)
  • f78838b test: add CodePath type coverage (#20904)
  • 61b0add docs: remove deprecated rule from related rules of max-params (#20921)
  • 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#20...
  • 002942c ci: declare contents:read on update-readme workflow (#20919)
  • Additional commits viewable in compare view

Updates fallow from 2.83.0 to 2.88.3

Release notes

Sourced from fallow's releases.

v2.88.3: signed-tarball release gate and version-aware verification errors

Highlights

This release hardens binary distribution and makes signature-verification failures self-explanatory.

Release integrity gate for platform packages

A published @fallow-cli/<platform> package could ship without its fallow.sig signature siblings: npm silently drops a files whitelist entry that has no matching file on disk, and the release packing step only checked that a tarball was produced, not that its contents satisfied the declared contract. The GitHub Action installer then hard-failed every install resolving to such a package with sig-missing.

A release-time gate now inspects every packed tarball against its own package.json files, and independently requires every binary in a CLI platform package to have a .sig sibling, so a future regression that drops signatures from both the files list and disk cannot pass silently.

Version-aware verification errors

Signed platform binaries ship from fallow 2.77.0 onward. When the verifier (the GitHub Action installer or the npm wrapper) runs against an older resolved CLI, the missing-signature error now distinguishes the two causes:

  • Resolved version below 2.77.0 (predates signed binaries): bump the fallow dependency in your project's package.json to >=2.77.0 (npm install fallow@latest).
  • Resolved version 2.77.0 or newer with an absent signature: treated as a possible tampering or incomplete-install signal; reinstall.

The bypass escape hatch is no longer surfaced inline (it stays documented in SECURITY.md), so a possible-tampering case never nudges you to bypass. Verification still fails closed in both cases.

The Action installer also names which version knob to turn on failure (the Action ref selects the Action code, not the CLI version, which comes from your project pin or the version: input), and fallow --version now reports the resolved version's signing status (signed / unsigned (predates 2.77.0)), useful for confirming whether a pinned version is signable when running with FALLOW_SKIP_BINARY_VERIFY. SECURITY.md documents the 2.77.0 signing epoch.

Bug fixes

  • fallow -v through the npm package now prints the verified: integrity line like --version and -V.
  • The VS Code extension self-heals when the resolved fallow CLI on PATH predates the extension, switching to the managed download (when auto-download is enabled) so version-gated settings stop becoming silent no-ops. It never downgrades.

Thanks @​hc-12 for reporting the sig-missing packaging issue.

Full Changelog: fallow-rs/fallow@v2.88.2...v2.88.3

v2.88.2: fix bogus VS Code version-mismatch warning

Bug fixes

  • The VS Code extension's "binary in PATH is vX" version-mismatch warning no longer reports a bogus version. fallow-lsp (and fallow-mcp) did not handle --version: they started their stdio server, hit end-of-input, and exited with no output, so the extension's version probe got nothing back from the language server and its parser then accepted any number-shaped token from the surrounding output. An unrelated value (a Node banner such as Node.js v22.22.1, a digit in a sentinel path, or the npm launcher's appended verified: line) could surface as a warning like "binary in PATH is v22.22.1". The language server and MCP server now answer --version / -V / -v with their real version, and the extension only accepts a version in fallow's own <binary> <version> format (otherwise it treats the version as unknown rather than guessing). Thanks @​melroy89 for the screenshot that surfaced it.

Full Changelog: fallow-rs/fallow@v2.88.1...v2.88.2

v2.88.1: VS Code CLI compatibility and Angular injection-token template fixes

Bug fixes

  • The VS Code extension no longer fails its analysis against an older resolved fallow CLI. The extension and the CLI it runs are versioned and resolved independently (PATH, node_modules/.bin, the managed download, or a deliberately pinned binary), so a freshly updated extension could drive an older CLI. The sidebar passed --dupes-min-occurrences unconditionally, which only exists in CLI v2.88.0+, so an older binary aborted the whole run with an "unexpected argument" error. The extension default for that setting (2) is also the CLI default, so it was a no-op that broke older binaries for no benefit. The extension now omits the flag at the default, probes the resolved CLI version once and drops version-gated flags an older CLI cannot accept, and as a backstop strips a rejected known flag and retries instead of failing. A single warning per session (shared with the existing language-server version-mismatch notice) points at the skew, with per-run detail in the Fallow output channel. Thanks @​melroy89 for the report. (Regression from #894.)

  • Angular external templates now credit members reached through inject(InjectionToken<Interface>) fields. A component field readonly greeter = inject(GREETER), where GREETER is a new InjectionToken<Greeter>(...) and a project class implements Greeter, previously left that class's methods reported as unused when their only reference was a template call like {{ greeter.greet() }}. The earlier fix only covered injecting a concrete class. Fallow now records the token's interface type argument and credits the accessed member on every class implementing that interface, covering both the untyped (inject(GREETER)) and interface-typed (greeter: Greeter = inject(GREETER)) field forms. Thanks @​OmerGronich for the report. (Closes #920.)

Full Changelog: fallow-rs/fallow@v2.88.0...v2.88.1

v2.88.0: lowercase -v, combined-mode dupes minOccurrences, public/ HTML assets

Features

... (truncated)

Changelog

Sourced from fallow's changelog.

[2.88.3] - 2026-06-04

Fixed

  • fallow -v through the npm package now prints the verified: integrity line like --version and -V. The native binaries answer -v (added in 2.88.0), but the npm launcher's version-query detection only matched --version and -V, so fallow -v skipped the appended verified: status line. All three version flags now behave identically.
  • The VS Code extension self-heals when the resolved fallow CLI predates the extension. The extension and the CLI are versioned and distributed independently, so a stale global fallow on PATH (npm, Homebrew, cargo) could predate flags the extension emits, turning settings like duplication.minOccurrences into silent no-ops. Analysis and fix runs now resolve the CLI through a path that switches a too-old resolved binary to the managed download (pinned to the extension version, reused from disk when present) when auto-download is enabled, and the probed version belongs to the binary actually spawned. It never downgrades; with auto-download off the stale binary is kept and the run degrades loudly as before. (Follow-up to #894.)
  • Angular inline templates now credit members reached through inject(InjectionToken<Interface>) fields. The #920 token bridge covered external templateUrl files, but inline template: strings still kept calls such as {{ greeter.inlineGreet() }} on the component module's extraction path and left the implementing class member reported as unused. Inline template chains now feed the same token to interface to implementer bridge as external templates, while genuinely unused members on the same implementing class still report. (Closes #923.)
  • Binary verification now gives a version-aware error instead of a bare signature not found. Signed platform binaries ship in fallow 2.77.0 and later, so the GitHub Action installer and the npm wrapper can hard-fail when they verify an older resolved CLI (for example a project pinned to 2.76.0 or earlier) that has no signature and never will. The missing-signature error now distinguishes the two cases: for a version below 2.77.0 it explains the version predates signed binaries and tells you to bump the fallow dependency in your project's package.json to >=2.77.0 (npm install fallow@latest); for a 2.77.0-or-newer package whose signature is unexpectedly absent it flags possible tampering and advises reinstalling. The bypass escape hatch is no longer surfaced inline (it stays documented in SECURITY.md) so a possible-tampering case never nudges you to bypass. Verification still fails closed in both cases. Thanks @​hc-12 for the report. (Closes #944.)
  • The GitHub Action's verification failure now names which version knob to turn. A common confusion is conflating the Action ref (uses: fallow-rs/fallow@v2.83.0) with the resolved CLI version, which actually comes from your project's fallow pin, the action version: input, or the latest release. On a verification failure the installer now reports the installed CLI version and exactly where that version was resolved from, clarifying that the Action ref selects the Action code, not the CLI version. Refs #944.
  • fallow --version now reports the resolved version's signing status. The trailing verified: line gains a fallow <version> signed / fallow <version> unsigned (predates 2.77.0) annotation. This is most useful when verification is skipped (FALLOW_SKIP_BINARY_VERIFY): a fleet can confirm in one command whether a pinned version is even signable, without triggering a failure. Refs #944.

Changed

  • The release now fails if any platform npm tarball is missing a file it declares, or ships an unsigned binary. npm silently drops a files whitelist entry that has no matching file on disk, so a broken signature-staging step could publish a @fallow-cli/<platform> package without its fallow.sig siblings (the exact shape that breaks the Action installer). A new release-time gate inspects each packed tarball against its own declared files, and independently requires every binary in a CLI platform package to have a .sig sibling, aborting the publish if either check fails. Refs #944.

[2.88.2] - 2026-06-03

Fixed

  • The VS Code extension's "binary in PATH is vX" version-mismatch warning no longer reports a bogus version. fallow-lsp (and fallow-mcp) did not handle --version: they started their stdio server, hit end-of-input, and exited with no output. The extension's version probe therefore got nothing back from the language server, and its parser then accepted any number-shaped token from the surrounding output, so an unrelated value (a Node banner such as Node.js v22.22.1, a digit in a sentinel path, or the npm launcher's appended verified: line) could surface as a warning like "binary in PATH is v22.22.1". The language server and MCP server now answer --version / -V / -v with their real version, and the extension only accepts a version in fallow's own <binary> <version> format (otherwise it treats the version as unknown rather than guessing). Thanks @​melroy89 for the screenshot that surfaced it.

[2.88.1] - 2026-06-03

Fixed

  • Angular external templates now credit members reached through inject(InjectionToken<Interface>) fields. A component field readonly greeter = inject(GREETER), where GREETER is a new InjectionToken<Greeter>(...) and a project class implements Greeter, previously left that class's methods reported as unused when their only reference was a template call like {{ greeter.greet() }}. The previous fix only covered injecting a concrete class. Fallow now records the token's interface type argument and credits the accessed member on every class implementing that interface, covering both the untyped (inject(GREETER)) and interface-typed (greeter: Greeter = inject(GREETER)) field forms. The extraction cache version is bumped so warm caches re-extract affected files once. Thanks @​OmerGronich for the report. (Closes #920.)
  • The VS Code extension no longer fails its analysis against an older resolved fallow CLI. The extension and the CLI it runs are versioned and resolved independently (PATH, node_modules/.bin, the managed download, or a deliberately pinned binary), so a freshly updated extension could drive an older CLI. The sidebar passed --dupes-min-occurrences unconditionally, which only exists in CLI v2.88.0+, so an older binary aborted the whole run with an "unexpected argument" error. The extension default for that setting (2) is also the CLI default, so it was a no-op that broke older binaries for no benefit. The extension now omits the flag at the default, probes the resolved CLI version once and drops version-gated flags an older CLI cannot accept, and as a backstop strips a rejected known flag and retries instead of failing. A single warning per session (shared with the existing language-server version-mismatch notice) points at the skew, with per-run detail in the Fallow output channel. Thanks @​melroy89 for the report. (Regression from #894.)

[2.88.0] - 2026-06-03

Added

  • The duplication minOccurrences threshold is now reachable from the bare fallow command and the VS Code extension. Raising the rule-of-three threshold previously required editing the config file or running the standalone fallow dupes subcommand. A new global --dupes-min-occurrences N flag now applies in combined mode (validated >= 2, falling back to the config value), and the VS Code extension gains a fallow.duplication.minOccurrences setting that forwards it. The neighbouring fallow.duplication.threshold extension setting was also mislabeled: it is a duplication-percentage failure cap where 0 means no limit, not a minimum line count, and it defaulted to 5. Its description is corrected and its default aligned to 0 to match the CLI. (Closes #894. Thanks @​rbalet for the report.)
  • Lowercase -v now prints the version. fallow -v, fallow -V, and fallow --version all print the version string. Previously only -V and --version worked (clap's default). Lowercase -v is what the TS/JS toolchain uses for the version (node, npm, pnpm, yarn, bun, tsc), so it is now the primary short form, with -V kept for back-compat. (Closes #916. Thanks @​rbalet for the report.)

Fixed

  • Root-relative HTML assets under public/ no longer report as unresolved or unused. When a real HTML entry references browser-root assets such as /js/key.pressed.js or /style/index.css, resolution now tries the existing document-root candidates first, then falls back to <root>/public/... for HTML importers only. JS/TS root-relative imports keep their existing behavior, and genuinely missing public assets still report as unresolved. Thanks @​cope for the report. (Closes #915.)
  • The VS Code extension now backfills its managed fallow CLI binary. First-run binary acquisition now targets the GitHub release tag matching the extension version, downloads both fallow-lsp and fallow when needed, and lets sidebar analysis or fix commands download only the missing CLI if an LSP binary is already available. Failed managed downloads offer retry, settings, and output-channel actions, and changing fallow.autoDownload restarts binary resolution. Thanks @​rbalet for the report. (Closes #917.)
  • Angular external templates now credit service members reached through untyped inject() component fields. Exported Angular component classes now carry ClassHeritageInfo.instance_bindings for properties initialized with named-import inject(Service) or an alias such as inject as ngInject, so external templates like {{ exampleService.onValueChange() }} mark the target service member as used. Same-named inject functions from non-Angular modules stay ignored. Thanks @​OmerGronich for the report. (Closes #911.)
  • Bare pnpm <binary> script invocations now credit declared dependencies. Scripts and CI commands such as pnpm envinfo --system now mark the matching declared package as used, while local script shorthands (pnpm build) and pnpm built-ins (pnpm install, pnpm audit, pnpm add, pnpm test, pnpm start) remain ignored. Thanks @​cope for the report. (Closes #914.)
  • Class members used through local structurally typed function parameters are no longer reported as unused. When a concrete class instance is passed directly as new Class() or via a constructor-bound local into a same-file function whose typed parameter reads specific members, fallow now credits only those concrete class members. The fix stays scoped to local callees and exact argument positions, so unrelated class members still report. The extraction cache version is bumped so warm caches re-extract affected files once. Thanks @​palisarbaro for the report. (Closes #910.)

[2.87.0] - 2026-06-03

Added

  • fallow security now models untrusted sources to sharpen tainted-sink candidates. Beyond the non-literal-argument trigger, the analyzer recognizes a catalogue of untrusted sources (req.query / req.params / req.body, route parameters, process.argv, message-event / WebSocket / worker payloads via event.data, and fetch() responses) and performs a lightweight backward walk from a sink argument to a source within the same function. A candidate whose sink argument traces back to an untrusted source is a stronger candidate, while values derived only from constants or config no longer fire on the source axis. This approximates taint without a full inter-procedural data-flow engine: detection stays deterministic and syntactic, and findings remain candidates for downstream verification, not proven exploits. (Closes #859.)
  • Security candidates are now ranked by reachability from entry points. fallow security reuses the module graph to weight candidates that sit on a path reachable from an entry point (HTTP route handlers, request entry points) above candidates in one-off scripts or isolated helpers, turning a flat list into a prioritized one. Dependency / advisory concerns and authorization-logic reasoning stay out of scope. (Closes #860.)
  • Framework-aware security sinks now feed the catalogue via the plugin system. Per-framework sink idioms are recognized with higher precision: React dangerouslySetInnerHTML, Angular bypassSecurityTrust* (Html, Script, Style, Url, ResourceUrl), and DOM sinks such as document.write and jQuery-style .html(). The active framework plugin contributes its sink rows, so framework-specific shapes are covered without over-firing generic patterns. Framework authorization logic remains out of scope. (Closes #861.)

... (truncated)

Commits
  • 6e1a3db chore: release v2.88.3
  • 7d70933 fix(release): verify packed tarballs are complete and signed (#946)
  • 1538abc Merge pull request #934 from fallow-rs/dependabot/github_actions/crate-ci/typ...
  • 56b0a0d fix(npm): treat -v as a version query in the launcher shim
  • d1521c2 test(core): cover Vite array aliases
  • c335da2 fix(vscode): self-heal when the resolved CLI predates the extension
  • a45a326 chore(deps-dev): bump oxfmt from 0.51.0 to 0.52.0 (#939)
  • f1d60ff chore(deps-dev): bump rolldown from 1.0.1 to 1.0.3 in /editors/vscode (#943)
  • 406abbc chore(deps): bump http from 1.4.0 to 1.4.1 (#937)
  • 66bea11 chore(deps): bump serde_json from 1.0.149 to 1.0.150 (#935)
  • Additional commits viewable in compare view
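
Added example, not code from the Dependabot comment, from better-auth or from this repository: a redirect_uri check in the spirit of the 1.6.13 and 1.6.14 notes above (parse with try/catch instead of URL.canParse, reject the javascript:, data: and vbscript: schemes, reject any fragment component per RFC 6749 §3.1.2) followed by the exact string comparison against registered URIs that RFC 6749 §3.1.2.3 prescribes. The function names, the scheme list and the sample inputs are this example's own assumptions.

```javascript
// Added example; names below are this example's own, not better-auth's API.
const DANGEROUS_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

// Parse without URL.canParse: some supported runtimes lack it, so a guard such as
// `URL.canParse?.(v)` would either throw or silently skip the scheme check.
function tryParseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Returns { ok: true, url } or { ok: false, reason } so callers can log why
// a registration or authorization request was refused.
function validateRedirectUri(value) {
  if (typeof value !== "string" || value.length === 0) {
    return { ok: false, reason: "empty" };
  }
  const url = tryParseUrl(value);
  if (url === null) {
    return { ok: false, reason: "unparseable" };
  }
  // URL lower-cases the scheme, so "JavaScript:alert(1)" is caught as well.
  if (DANGEROUS_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `dangerous scheme ${url.protocol}` };
  }
  // RFC 6749 §3.1.2: the redirection endpoint URI MUST NOT include a fragment.
  // Test the raw string: url.hash is "" for both "https://a/cb" and "https://a/cb#",
  // yet the second still carries a (empty) fragment component.
  if (value.includes("#")) {
    return { ok: false, reason: "fragment component" };
  }
  return { ok: true, url };
}

// Authorization-time check: the candidate must be well formed AND equal to a
// registered URI by simple string comparison (RFC 6749 §3.1.2.3, RFC 3986 §6.2.1).
// No prefix, wildcard or normalized-path matching: "https://a/cb/../evil" is not
// the registered "https://a/cb" even though a URL parser would fold the path.
function isRegisteredRedirectUri(candidate, registered) {
  if (!validateRedirectUri(candidate).ok) return false;
  return registered.includes(candidate);
}
```

Custom schemes such as myapp://callback still pass the scheme check, which is intended for native-app clients; the registration step is what pins them to a known value.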
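
Added example, not better-auth's getSessionCookie and not code from this repository: a Cookie-header parser plus the preference rule from the 1.6.14 note above, where a `__Secure-` prefixed session cookie wins over a bare-name leftover regardless of the order the client sent them. The cookie names and sample headers are constructed for the example.

```javascript
// Added example; parseCookieHeader and pickSessionCookie are this example's names.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name.length === 0) continue;
    // A browser may send the same name twice (different Path/Domain); keep the
    // first one, which RFC 6265 §5.4 orders by longest path.
    if (!jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Browsers only accept a __Secure- cookie when it is set from a secure origin with
// the Secure attribute, so it cannot be planted or refreshed over plain HTTP. A
// bare-name cookie left over from an earlier deployment (or injected over HTTP)
// must therefore not shadow it, whatever position it has in the header.
function pickSessionCookie(header, baseName = "session_token") {
  const jar = parseCookieHeader(header);
  const secureName = `__Secure-${baseName}`;
  if (jar.has(secureName)) return { name: secureName, value: jar.get(secureName) };
  if (jar.has(baseName)) return { name: baseName, value: jar.get(baseName) };
  return null;
}
```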
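
Added example, not better-auth's code: the Google One Tap identity bug from the 1.6.13 notes (#9818) shown as an in-memory lookup, with the email-keyed resolution that signs in the wrong user beside a subject-keyed resolution that signs in the owner of the Google account. The store, the constructed ID-token claims and the email_verified gate on first-time linking are this example's own assumptions, not a description of better-auth's implementation.

```javascript
// Added example. Constructed store: u1 registered with a password using
// alice@example.com; u2 is a different person whose Google account (sub 111)
// happens to carry the same email address.
function makeStore() {
  return {
    users: [
      { id: "u1", email: "alice@example.com" },
      { id: "u2", email: "alice.work@example.com" },
    ],
    accounts: [{ userId: "u2", providerId: "google", accountId: "111" }],
  };
}

// Constructed claims from an ID token whose signature was already verified upstream.
const oneTapClaims = { sub: "111", email: "alice@example.com", email_verified: true };

// Vulnerable shape: match the local user by the token's email and use `sub`
// only to decide whether to link. u2's Google credential logs in u1.
function resolveUserByEmail(store, claims) {
  return store.users.find((u) => u.email === claims.email) ?? null;
}

// Hardened shape: (providerId, sub) is the identity. Email is consulted only for a
// first-time link, only when the provider marks it verified, and only when it maps
// to exactly one local user. A real flow would create a new user when there is no
// match; this example returns null to keep the decision visible.
function resolveUserBySubject(store, claims) {
  const linked = store.accounts.find(
    (a) => a.providerId === "google" && a.accountId === claims.sub,
  );
  if (linked) return store.users.find((u) => u.id === linked.userId) ?? null;
  if (claims.email_verified !== true) return null;
  const candidates = store.users.filter((u) => u.email === claims.email);
  if (candidates.length !== 1) return null; // none or ambiguous: refuse rather than guess
  store.accounts.push({ userId: candidates[0].id, providerId: "google", accountId: claims.sub });
  return candidates[0];
}
```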
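
Added example, not fallow's release tooling and not code from this repository: the two release-time checks the fallow 2.88.3 notes describe (every path declared in package.json `files` must actually be in the packed tarball, and every binary in a CLI platform package must ship with a `.sig` sibling, checked independently of `files`), modelled over an in-memory list of tarball entries as `npm pack` would name them. The package shapes, the `@fallow-cli/` name test and the glob handling are this example's assumptions; it does not expand npm `files` globs.

```javascript
// Added example; gateTarball and its helpers are this example's names.

// npm pack prefixes every entry with "package/"; strip it to compare with package.json.
function packedPaths(entries) {
  return new Set(entries.map((e) => e.replace(/^package\//, "")));
}

// Check 1: each declared `files` entry (literal file or directory) exists in the
// tarball. npm drops a `files` entry with no file on disk without complaint, so
// this is where a broken signature-staging step first becomes visible.
function checkDeclaredFiles(pkg, packed) {
  const problems = [];
  for (const spec of pkg.files ?? []) {
    if (/[*?[\]{}]/.test(spec)) {
      problems.push(`files entry "${spec}" is a glob; this example does not expand globs`);
      continue;
    }
    const norm = spec.replace(/^\.\//, "").replace(/\/+$/, "");
    const present = [...packed].some((p) => p === norm || p.startsWith(norm + "/"));
    if (!present) problems.push(`declared file missing from tarball: ${spec}`);
  }
  return problems;
}

function binaryPaths(pkg) {
  if (!pkg.bin) return [];
  return typeof pkg.bin === "string" ? [pkg.bin] : Object.values(pkg.bin);
}

// Check 2: in a CLI platform package (assumed here: name under @fallow-cli/),
// every binary needs a `<binary>.sig` sibling. Deliberately independent of
// `files`, so a regression that drops the .sig from both the list and disk
// still fails the release.
function checkSignatures(pkg, packed) {
  const problems = [];
  if (!(pkg.name ?? "").startsWith("@fallow-cli/")) return problems;
  for (const bin of binaryPaths(pkg)) {
    const rel = bin.replace(/^\.\//, "");
    if (!packed.has(rel)) problems.push(`binary missing from tarball: ${rel}`);
    else if (!packed.has(rel + ".sig")) problems.push(`unsigned binary: ${rel} (no ${rel}.sig)`);
  }
  return problems;
}

function gateTarball(pkg, entries) {
  const packed = packedPaths(entries);
  const problems = [...checkDeclaredFiles(pkg, packed), ...checkSignatures(pkg, packed)];
  return { ok: problems.length === 0, problems };
}
```

In a real pipeline the entry list comes from `tar -tzf` over the packed tarball and the publish step runs only when `ok` is true for every platform package.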

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Jun 11, 2026
dependabot[bot] changed the title from "chore(deps): bump the npm-deps group with 4 updates" to "chore(deps): bump the npm-deps group across 1 directory with 4 updates" on Jun 11, 2026
dependabot[bot] force-pushed the dependabot/npm_and_yarn/npm-deps-25f8a3c6d2 branch from 32698cb to bddcb25 on June 11, 2026 at 15:57
Bumps the npm-deps group with 4 updates in the / directory: [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth), [date-fns](https://github.com/date-fns/date-fns), [eslint](https://github.com/eslint/eslint) and [fallow](https://github.com/fallow-rs/fallow).


Updates `better-auth` from 1.6.11 to 1.6.14
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.14/packages/better-auth)

Updates `date-fns` from 4.3.0 to 4.4.0
- [Release notes](https://github.com/date-fns/date-fns/releases)
- [Commits](date-fns/date-fns@v4.3.0...v4.4.0)

Updates `eslint` from 10.4.0 to 10.4.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.0...v10.4.1)

Updates `fallow` from 2.83.0 to 2.88.3
- [Release notes](https://github.com/fallow-rs/fallow/releases)
- [Changelog](https://github.com/fallow-rs/fallow/blob/main/CHANGELOG.md)
- [Commits](fallow-rs/fallow@v2.83.0...v2.88.3)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: date-fns
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: eslint
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: fallow
  dependency-version: 2.88.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/npm_and_yarn/npm-deps-25f8a3c6d2 branch from bddcb25 to 5a50695 on June 11, 2026 at 17:09