
chore(deps): bump better-auth from 1.6.14 to 1.6.18 in the better-auth group across 1 directory #1369

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/better-auth-271a52e8c9

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 8, 2026

Bumps the better-auth group with 1 update in the / directory: better-auth.

Updates better-auth from 1.6.14 to 1.6.18

Release notes

Sourced from better-auth's releases.

v1.6.18

better-auth

Bug Fixes

  • Fixed getCookieCache to return null for expired sessions instead of treating stale signed cookies as live sessions.
  • Fixed the delete-account confirmation link to prevent duplicate account deletions from concurrent callback requests.
  • Fixed one-time tokens from being redeemable multiple times under concurrent requests.
  • Fixed password reset tokens from changing a password more than once under concurrent requests.
  • Fixed Reddit sign-in to assign a non-routable placeholder address (<id>@reddit.invalid) to users with no email, preventing accidental matches with real mailboxes.
  • Fixed Sign-In with Ethereum nonces from being accepted multiple times under concurrent sign-in requests.
  • Added internalAdapter.reserveVerificationValue to atomically record single-use markers, ensuring only one concurrent caller succeeds for replay-protected operations.
  • Added the incrementOne adapter method and SecondaryStorage.increment for atomic counter updates, enabling strict rate-limit and usage-counter enforcement under concurrent load.
  • Fixed expired two-factor challenges from completing login and prevented duplicate session creation from concurrent verifications.
  • Fixed captcha verification to time out after 10 seconds, preventing slow or unreachable captcha providers from hanging requests indefinitely.
  • Fixed /delete-user/callback to reject account deletion when the session has been revoked server-side (cookie-only session deployments are unaffected).
  • Fixed rate limiting to prevent concurrent requests from slipping past configured limits, with a new optional consume method for custom storage backends to opt into strict enforcement.
  • Fixed team deletion to preserve pending invitations by removing only the deleted team's reference rather than invalidating the invitations entirely.
  • Fixed expected authentication validation failures to log as warnings instead of errors.
  • Fixed MCP bearer token validation to reject expired access tokens and require the offline_access scope for refresh token usage.
  • Fixed plugin API inference in composite monorepo setups where the core package resolved through multiple paths (#9583)
  • Fixed OpenAPI generation to accurately serialize Zod request schemas, including optional, nullable, intersected, and record-shaped types (#9315)
  • Fixed a memory leak where the JWKS cache could grow on every access token verification.
  • Fixed Google One Tap to require a configured client ID (set via the oneTap plugin or socialProviders.google) and reject tokens issued for other applications.
  • Fixed device-authorization token polling to prevent the same approved device code from being redeemed multiple times under concurrent polls.
  • Fixed account cookie preservation when switching users in the same browser session.
  • Fixed email OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed phone-number OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed two-factor OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed the Have I Been Pwned plugin to check breached passwords on additional endpoints, including email-OTP and phone-number reset-password routes and admin password-setting routes.
  • Fixed the multi-session set-active and revoke endpoints to only act on sessions the caller holds a signed cookie for, preventing unauthorized session manipulation.
  • Fixed the OIDC /oauth2/endsession endpoint to reject cross-site logout requests that carry only a session cookie without a valid id_token_hint.
  • Fixed WeChat sign-in to work without an email address by assigning a stable placeholder email, with mapProfileToUser available to supply a real one.

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML assertion replay protection to hold under concurrent requests, preventing a duplicate submission from being accepted more than once.
  • Fixed organization admins and owners to verify domain ownership for SSO providers their organization owns, not just the member who originally registered the provider.
  • Fixed trustEmailVerified to treat only a boolean true or the string "true" as a verified email, rejecting the string "false" as unverified.

For detailed changes, see CHANGELOG

@better-auth/memory-adapter

Bug Fixes

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.18

Patch Changes

  • #9315 9ef7240 Thanks @GautamBytes! - fix OpenAPI requestBody generation for intersected and default-wrapped body schemas

  • #9583 b21a5f7 Thanks @GautamBytes! - Fix plugin-provided client methods and additional session fields not being inferred in composite monorepos.

  • Updated dependencies [b21a5f7]:

    • @better-auth/core@1.6.18
    • @better-auth/drizzle-adapter@1.6.18
    • @better-auth/kysely-adapter@1.6.18
    • @better-auth/memory-adapter@1.6.18
    • @better-auth/mongo-adapter@1.6.18
    • @better-auth/prisma-adapter@1.6.18
    • @better-auth/telemetry@1.6.18

1.6.17

Patch Changes

  • #9993 baeaa00 Thanks @gustavovalverde! - When a team had a single open slot, accepting an invitation into it was wrongly rejected as over the member limit and left a dangling membership record. Two invitations accepted into a nearly-full team at the same time could also push it past its limit. Both are fixed.

  • #9482 3e99e6c Thanks @bytaesu! - admin.setUserPassword now creates a credential account when the target user does not have one, matching the behavior of resetPassword. Previously the call returned status: true without doing anything for users without an existing credential account (e.g., social-only or magic-link signups), so admins migrating users from another auth system or assigning an initial password to a social-only user can now do so directly without poking the account table.

  • 96c78c3 Thanks @GautamBytes! - Downgrade expected auth validation failures from error logs to warnings.

  • #9993 baeaa00 Thanks @gustavovalverde! - Captcha provider verification requests now time out after 10 seconds and fail closed, so a slow or unreachable captcha provider can no longer tie up a request indefinitely.

  • #9993 baeaa00 Thanks @gustavovalverde! - A delete-account confirmation link can no longer delete the account more than once when its callback is opened concurrently.

  • #9991 0c3856f Thanks @gustavovalverde! - Completing account deletion through /delete-user/callback now fails when the session has been revoked server-side, instead of proceeding within the cookie-cache window. Deployments that keep sessions only in the cookie are unaffected.

  • #9993 baeaa00 Thanks @gustavovalverde! - Polling for a device-authorization token can no longer redeem the same approved device code more than once when several polls arrive together.

  • #9993 baeaa00 Thanks @gustavovalverde! - Submitting the same email OTP from several requests at once can no longer sign in more than once or gain extra tries beyond the attempt limit.

  • #10002 ed7b6c9 Thanks @gustavovalverde! - Adding a member to a team that is already at its maximumMembersPerTeam limit is now rejected on every path. addMember with a teamId and add-team-member previously skipped the limit that invitation acceptance enforced, so they could push a team over its cap. A rejected addMember no longer creates the organization member.

  • #9677 e0a768c Thanks @GautamBytes! - Refactor role.authorize control flow while preserving existing authorization behavior.

  • #9987 7343284 Thanks @bytaesu! - Generic OAuth sign-in works again for providers whose userinfo response has no sub or id field when mapProfileToUser derives the account id. An empty id field now falls back to sub.

  • #9991 0c3856f Thanks @gustavovalverde! - getCookieCache now returns null for an expired session instead of the stale session data. Middleware that calls it to gate access no longer treats an expired signed cookie as a live session.

  • #9993 baeaa00 Thanks @gustavovalverde! - The Have I Been Pwned plugin now checks submitted passwords against the breach database on more password-setting endpoints by default, including the email-OTP and phone-number reset-password routes and the admin create-user and set-user-password routes. A breached password can no longer be set through those routes when the plugin is enabled with its default paths.

  • #9987 7343284 Thanks @bytaesu! - Preserve the fresh account cookie issued while switching users in the same browser instead of expiring it from stale request cookie state.

  • #9991 0c3856f Thanks @gustavovalverde! - Expired MCP access tokens are no longer accepted. A protected MCP resource now rejects a bearer token once it has expired, both on the server and through the remote client. A refresh token is accepted only when the original authorization included the offline_access scope.

... (truncated)

Commits
  • 04debbf chore: release v1.6.18 (#10026)
  • 9ef7240 fix(open-api): serialize zod request schemas accurately (#9315)
  • b21a5f7 fix(client): preserve plugin inference in composite monorepos (#9583)
  • 0d8b238 chore: release v1.6.17 (#9984)
  • eff3c99 test(next-js): verify nextCookies forwards all set-cookie headers (#10013)
  • e0a768c refactor(access): flatten access plugin role authorization logic (#9677)
  • 3310ebc fix(open-api): mark model ids as required (#9704)
  • 59e0ccb fix(client): updateSession should infer session additional fields (#9777)
  • 96c78c3 fix(logger): downgrade validation logs level to warn
  • 5c289b5 fix(account): resolve stateless account cookies across instances (#9979)
  • Additional commits viewable in compare view
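
The release notes quoted above describe one defect class many times over (one-time tokens, device codes, OTPs, SIWE nonces and rate limits honoured more than once under concurrent requests) and one remedy (atomic single-use markers such as reserveVerificationValue, and atomic counters such as incrementOne/consume). The following Node.js snippet is an added illustration of that race and its fix; it is not code from better-auth or from this pull request. AsyncStore, redeemNaive, redeemAtomic and consumeRateLimit are constructed names, the store is an in-memory stand-in for a database in which every call awaits once to mimic a round trip, and the token and rate-limit key are constructed sample values.

```javascript
// Constructed in-memory "database": each method awaits once so that two
// concurrent callers can interleave between a read and a later write.
const tick = () => new Promise((resolve) => setTimeout(resolve, 0));

class AsyncStore {
  constructor() {
    this.map = new Map();      // token -> { userId, expiresAt }
    this.counters = new Map(); // rate-limit key -> count
  }
  // Non-atomic primitives: read and delete are separate round trips.
  async get(key) { await tick(); return this.map.get(key); }
  async delete(key) { await tick(); return this.map.delete(key); }
  // Atomic take: read and delete happen in one step with no await between
  // them, modelling a single DELETE ... RETURNING / findOneAndDelete.
  async take(key) {
    const record = this.map.get(key);
    this.map.delete(key);
    await tick();
    return record;
  }
  // Atomic increment that returns the new count (the "incrementOne" idea).
  async incrementOne(key) {
    const next = (this.counters.get(key) ?? 0) + 1;
    this.counters.set(key, next);
    await tick();
    return next;
  }
}

// Vulnerable pattern: check-then-act across two round trips. Every request
// that passes the check before the first delete lands is honoured.
async function redeemNaive(store, token) {
  const record = await store.get(token);
  if (!record || record.expiresAt <= Date.now()) return false;
  await store.delete(token); // too late: others may already have passed the check
  return true;
}

// Hardened pattern: claim the marker atomically first, then validate what
// was claimed. An expired token is consumed but not honoured.
async function redeemAtomic(store, token) {
  const record = await store.take(token);
  if (!record) return false;                        // already consumed or unknown
  if (record.expiresAt <= Date.now()) return false; // expired
  return true;
}

// Strict rate limiting: the increment is the check, so N concurrent callers
// can never all observe "count < limit".
async function consumeRateLimit(store, key, limit) {
  const count = await store.incrementOne(key);
  return count <= limit;
}

// Redeem one fresh constructed token from `parallel` concurrent requests.
async function race(redeem, parallel = 2) {
  const store = new AsyncStore();
  store.map.set("tok-123", { userId: "u1", expiresAt: Date.now() + 60_000 });
  return Promise.all(Array.from({ length: parallel }, () => redeem(store, "tok-123")));
}

// Number of concurrent requests admitted under a limit of `limit`.
async function rateLimitRace(limit, parallel) {
  const store = new AsyncStore();
  const results = await Promise.all(
    Array.from({ length: parallel }, () => consumeRateLimit(store, "ip:203.0.113.7", limit)),
  );
  return results.filter(Boolean).length;
}

// An expired token must be rejected and still removed from the store.
async function expiredTokenIsRejected() {
  const store = new AsyncStore();
  store.map.set("tok-old", { userId: "u1", expiresAt: Date.now() - 1 });
  const honoured = await redeemAtomic(store, "tok-old");
  return !honoured && !store.map.has("tok-old");
}

async function main() {
  console.log("naive  :", await race(redeemNaive));    // [ true, true ]  both honoured
  console.log("atomic :", await race(redeemAtomic));   // [ true, false ] exactly one
  console.log("allowed:", await rateLimitRace(3, 10)); // 3
  console.log("expired:", await expiredTokenIsRejected()); // true
}
main();
```

The point carried by `take` and `incrementOne` is that the write which invalidates the marker must be the same operation that reads it; in a real backend that is a conditional delete or update whose affected-row count tells the caller whether it won, not a SELECT followed by a DELETE.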

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Jun 8, 2026
dependabot[bot] changed the title from "chore(deps): bump better-auth from 1.6.14 to 1.6.15 in the better-auth group" to "chore(deps): bump better-auth from 1.6.14 to 1.6.15 in the better-auth group across 1 directory" on Jun 9, 2026
dependabot[bot] force-pushed the dependabot/npm_and_yarn/better-auth-271a52e8c9 branch 3 times, most recently from b882fb4 to 62dac34 on June 10, 2026 04:39
Bumps the better-auth group with 1 update in the / directory: [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth).


Updates `better-auth` from 1.6.14 to 1.6.18
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.6.18/packages/better-auth)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: better-auth
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] changed the title from "chore(deps): bump better-auth from 1.6.14 to 1.6.15 in the better-auth group across 1 directory" to "chore(deps): bump better-auth from 1.6.14 to 1.6.18 in the better-auth group across 1 directory" on Jun 12, 2026
dependabot[bot] force-pushed the dependabot/npm_and_yarn/better-auth-271a52e8c9 branch from 62dac34 to 81db07a on June 12, 2026 23:23
Labels: dependencies, javascript