build(deps): bump @clerk/nextjs from 6.33.7 to 6.39.3

[dependabot]

Bumps @clerk/nextjs from 6.33.7 to 6.39.3.

Changelog

Sourced from @​clerk/nextjs's changelog.

Change Log

7.2.8

Patch Changes

• Use a constant-time comparison when validating the integrity signature on the middleware-to-origin auth header handoff (assertTokenSignature). The previous !== compare was timing-variable; the new helper is synchronous and runtime-agnostic so it works in both Node and Edge Runtime. (#8411) by @​jacekradko

• Auto-proxy FAPI requests for .vercel.app subdomains. When deployed to a .vercel.app domain without explicit proxy or domain configuration, the SDK automatically routes Frontend API requests through /__clerk on the app's own origin. This enables Clerk production mode on Vercel deployments without manual proxy setup. (#8035) by @​brkalow

• Updated dependencies [9b57986, a9f9b29, e0a63f9]:

  • @​clerk/shared@​4.8.6
  • @​clerk/backend@​3.4.2
  • @​clerk/react@​6.4.6

7.2.7

Patch Changes

• Updated dependencies [da76490]:
  • @​clerk/shared@​4.8.5
  • @​clerk/backend@​3.4.1
  • @​clerk/react@​6.4.5

7.2.6

Patch Changes

• Updated dependencies [083c4c5, dcaf694, d9011b4]:
  • @​clerk/shared@​4.8.4
  • @​clerk/react@​6.4.4
  • @​clerk/backend@​3.4.0

7.2.5

Patch Changes

• Refactor clerkMiddleware internals to factor the post-authentication pipeline (handler invocation, CSP, redirects, response decoration) into a private runHandlerWithRequestState helper. Pure refactor — no behavioral change. (#8368) by @​jacekradko

• Updated dependencies [93855c2]:

  • @​clerk/backend@​3.3.0

7.2.4

Patch Changes

• Add helpful TypeScript error for incorrect auth import path (#8358) by @​jacekradko

• Fix an authorization bypass in has(), auth.protect(), and related predicates when a single call combined conditions from more than one dimension (for example, { permission, reverification } or { feature, permission }). A dimension that should have denied the request was treated as indeterminate and ignored by the combining logic, allowing other passing dimensions to carry the result and authorize the call when it should have failed closed. (#8372) by @​nikosdouvlis

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​clerk/nextjs since your current version.

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nextstep.io	Error		Apr 30, 2026 6:36pm

[netlify]

❌ Deploy Preview for classy-dusk-d3d3f5 failed.

Name	Link
🔨 Latest commit	ad17fd5
🔍 Latest deploy log	https://app.netlify.com/projects/classy-dusk-d3d3f5/deploys/69f3a1132da99d0008e7f506

[netlify]

❌ Deploy Preview for nextstepio failed.

Name	Link
🔨 Latest commit	ad17fd5
🔍 Latest deploy log	https://app.netlify.com/projects/nextstepio/deploys/69f3a115ea277f0008128b52