Skip to content

fix(deps): update dependency @clerk/nextjs to v7#266

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/clerk-nextjs-7.x
Open

fix(deps): update dependency @clerk/nextjs to v7#266
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/clerk-nextjs-7.x

Conversation

@renovate

@renovate renovate Bot commented Mar 4, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@clerk/nextjs (source) 6.39.37.5.13 age confidence

Release Notes

clerk/javascript (@​clerk/nextjs)

v7.5.13

Compare Source

Patch Changes
  • createPathMatcher() and createRouteMatcher() route suggestions now use the :path* subtree form (e.g. /dashboard/:path*) instead of (.*). Unlike /dashboard(.*), which also matches sibling routes such as /dashboardxyz, /dashboard/:path* matches only /dashboard and its path-segment subtree. The new suggestion type is exported as WithPathSegmentWildcard; the existing WithPathPatternWildcard type is unchanged (now deprecated), and (.*) patterns keep working. This only changes the type-level autocomplete suggestion. (#​9057) by @​jacekradko

  • Updated dependencies [1efc7e5, 5028b54, 2e1fec7]:

v7.5.12

Compare Source

Patch Changes

v7.5.11

Patch Changes

v7.5.10

Patch Changes

v7.5.9

Compare Source

Patch Changes

v7.5.8

Compare Source

Patch Changes

v7.5.7

Compare Source

Patch Changes

v7.5.6

Compare Source

Patch Changes

v7.5.5

Patch Changes

v7.5.4

Patch Changes

v7.5.3

Compare Source

Patch Changes

v7.5.2

Compare Source

Patch Changes

v7.5.1

Compare Source

Patch Changes

v7.5.0

Compare Source

Minor Changes
  • Remove the <ConfigureSSO /> component from the public API in favor of usage within OrganizationProfile (#​8779) by @​LauraBeatris

    Removing these exports has no breaking changes impact on production applications, as was never released as a GA component

Patch Changes

v7.4.3

Compare Source

Patch Changes

v7.4.2

Compare Source

Patch Changes

v7.4.1

Compare Source

Patch Changes

v7.4.0

Compare Source

Minor Changes
Patch Changes

v7.3.7

Patch Changes

v7.3.6

Patch Changes

v7.3.5

Compare Source

Patch Changes

v7.3.4

Compare Source

Patch Changes

v7.3.3

Compare Source

Patch Changes

v7.3.2

Compare Source

Patch Changes

v7.3.1

Compare Source

Patch Changes

v7.3.0

Compare Source

Minor Changes
  • Expose OAuthConsent as a public component export across React-based SDKs. (#​8381) by @​wobsoriano

    Example:

    import { OAuthConsent } from '@&#8203;clerk/react';
    
    export default function Page() {
      return <OAuthConsent />;
    }
Patch Changes

v7.2.9

Compare Source

Patch Changes

v7.2.8

Compare Source

Patch Changes
  • Use a constant-time comparison when validating the integrity signature on the middleware-to-origin auth header handoff (assertTokenSignature). The previous !== compare was timing-variable; the new helper is synchronous and runtime-agnostic so it works in both Node and Edge Runtime. (#​8411) by @​jacekradko

  • Auto-proxy FAPI requests for .vercel.app subdomains. When deployed to a .vercel.app domain without explicit proxy or domain configuration, the SDK automatically routes Frontend API requests through /__clerk on the app's own origin. This enables Clerk production mode on Vercel deployments without manual proxy setup. (#​8035) by @​brkalow

  • Updated dependencies [9b57986, a9f9b29, e0a63f9]:

v7.2.7

Compare Source

Patch Changes

v7.2.6

Patch Changes

v7.2.5

Patch Changes
  • Refactor clerkMiddleware internals to factor the post-authentication pipeline (handler invocation, CSP, redirects, response decoration) into a private runHandlerWithRequestState helper. Pure refactor — no behavioral change. (#​8368) by @​jacekradko

  • Updated dependencies [93855c2]:

v7.2.4

Patch Changes
  • Add helpful TypeScript error for incorrect auth import path (#​8358) by @​jacekradko

  • Fix an authorization bypass in has(), auth.protect(), and related predicates when a single call combined conditions from more than one dimension (for example, { permission, reverification } or { feature, permission }). A dimension that should have denied the request was treated as indeterminate and ignored by the combining logic, allowing other passing dimensions to carry the result and authorize the call when it should have failed closed. (#​8372) by @​nikosdouvlis

    Behavior is now:

    • When a requested dimension cannot be satisfied because the underlying session data is missing, malformed, or invalid, the call denies. Previously these cases were treated as indeterminate and ignored, which could let another passing dimension carry the call.
    • Fixed a minor bug where session.checkAuthorization() was building authorization options from the membership row id instead of the organization id.

    Single-condition role, permission, feature, and plan checks (has({ permission }), etc.) are unchanged. Single-condition reverification checks are unchanged on well-formed session data; calls with a missing or malformed factorVerificationAge payload now deny where they previously returned indeterminate. Callback-form auth.protect(has => ...) is unaffected unless the callback itself invokes the affected shapes.

    Separately, auth.protect() in @clerk/nextjs previously discarded authorization params (role, permission, feature, plan, reverification) whenever the same argument object also contained unauthenticatedUrl, unauthorizedUrl, or token. TypeScript's excess-property check caught this for inline object literals but did not apply once the argument was assigned to a variable, spread, or used from JavaScript. Mixed-shape calls like auth.protect({ role: 'org:admin', unauthorizedUrl: '/denied' }) or auth.protect({ permission: 'org:X', token: 'session_token' }) now correctly enforce the authorization check instead of silently letting every authenticated caller through.

  • Updated dependencies [d52b311, abaa339]:

v7.2.3

Compare Source

Patch Changes

v7.2.2

Compare Source

Patch Changes

v7.2.1

Patch Changes

v7.2.0

Minor Changes
  • Introduce internal <OAuthConsent /> component for rendering a zero-config OAuth consent screen on an OAuth authorize redirect page. (#​8289) by @​wobsoriano

    Usage example:

    import { OAuthConsent } from '@&#8203;clerk/nextjs';
    
    export default function OAuthConsentPage() {
      return <OAuthConsent />;
    }
Patch Changes

v7.1.0

Compare Source

Minor Changes
  • Introduce internal useOAuthConsent() hook for fetching OAuth consent screen metadata for the signed-in user. (#​8286) by @​jfoshee
Patch Changes

v7.0.12

Compare Source

Patch Changes
  • Re-exports useAPIKeys() hook. (#​8269) by @​wobsoriano

    Usage example:

    'use client';
    
    import { useAPIKeys } from '@&#8203;clerk/nextjs';
    
    export default function CustomAPIKeys() {
      const { data, isLoading, page, pageCount, fetchNext, fetchPrevious } = useAPIKeys({
        pageSize: 10,
        initialPage: 1,
      });
    
      if (isLoading) return <div>Loading...</div>;
    
      return (
        <ul>
          {data?.map(key => (
            <li key={key.id}>{key.name}</li>
          ))}
        </ul>
      );
    }
  • Updated dependencies [fdac10e, 4e3cb0a, aa32bbc]:

v7.0.11

Compare Source

Patch Changes

v7.0.8

Compare Source

Patch Changes

v7.0.7

Compare Source

Patch Changes

v7.0.6

Compare Source

Patch Changes

v7.0.5

Compare Source

Patch Changes

v7.0.4

Compare Source

Patch Changes

v7.0.2

Compare Source

Patch Changes

v7.0.1

Compare Source

Patch Changes

v7.0.0

Compare Source

Major Changes
  • Align experimental/unstable prefixes to use consistent naming: (#​7361) by @​brkalow

    • Renamed all __unstable_* methods to __internal_* (for internal APIs)
    • Renamed all experimental__* and experimental_* methods to __experimental_* (for beta features)
    • Removed deprecated billing-related props (__unstable_manageBillingUrl, __unstable_manageBillingLabel, __unstable_manageBillingMembersLimit) and experimental__forceOauthFirst
  • Renamed __unstable_invokeMiddlewareOnAuthStateChange to __internal_invokeMiddlewareOnAuthStateChange. (#​7925) by @​jacekradko

  • useAuth().getToken is no longer undefined during server-side rendering, it is a function and calling it will throw. (#​7730) by @​Ephem

    • If you are only using getToken in useEffect, event handlers or with non-suspenseful data fetching libraries, no change is necessary as these only trigger on the client.
    • If you are using suspenseful data fetching libraries that do trigger during SSR, you likely have strategies in place to avoid calling getToken already, since this has never been possible.
    • If you are using getToken === undefined checks to avoid calling it, know that it will now throw instead and you should catch and handle the error.
    async function doThingWithToken(getToken: GetToken) {
      try {
        const token = await getToken();
    
        // Use token
      } catch (error) {
        if (isClerkRuntimeError(error) && error.code === 'clerk_runtime_not_browser') {
          // Handle error
        }
      }
    }

    To access auth data server-side, see the Auth object reference doc.

  • Refactor React SDK hooks to subscribe to auth state via useSyncExternalStore. This is a mostly internal refactor to unlock future improvements, but includes a few breaking changes and fixes. (#​7411) by @​Ephem

    Breaking changes:

    • Removes ability to pass in initialAuthState to useAuth
      • This was added for internal use and is no longer needed
      • Instead pass in initialState to the <ClerkProvider>, or dynamic if using the Next package
      • See your specific SDK documentation for more information on Server Rendering

    Fixes:

    • A bug where useAuth would sometimes briefly return the initialState rather than undefined
      • This could in certain situations incorrectly lead to a brief user: null on the first page after signing in, indicating a signed out state
    • Hydration mismatches in certain rare scenarios where subtrees would suspend and hydrate only after clerk-js had loaded fully
  • Updating minimum version of Node to v20.9.0 (#​6936) by @​jacekradko

  • Throw an error when an encryption key is missing when passing a secret key at runtime clerkMiddleware(). To migrate, ensure your application specifies a CLERK_ENCRYPTION_KEY environment variable when passing secretKey as a runtime option. (#​7360) by @​brkalow

  • Return 401 instead of 404 for unauthenticated server action requests in auth.protect() (#​7820) by @​jacekradko

  • Remove clerkJSUrl, clerkJSVersion, clerkUIUrl, and clerkUIVersion props from all SDKs. To pin a specific version of @clerk/clerk-js, import the Clerk constructor from @clerk/clerk-js and pass it to ClerkProvider via the Clerk prop. To pin a specific version of @clerk/ui, import ui from @clerk/ui and pass it via the ui prop. This bundles the modules directly with your application instead of loading them from the CDN. (#​7879) by @​jacekradko

  • Remove all previously deprecated UI props across the Next.js, React and clerk-js SDKs. The legacy afterSign(In|Up)Url/redirectUrl props, UserButton sign-out overrides, organization hideSlug flags, OrganizationSwitcher's afterSwitchOrganizationUrl, Client.activeSessions, setActive({ beforeEmit }), and the ClerkMiddlewareAuthObject type alias are no longer exported. Components now rely solely on the new redirect options and server-side configuration. (#​7243) by @​jacekradko

  • Introduce <Show when={...}> as the cross-framework authorization control component and remove <Protect>, <SignedIn>, and <SignedOut> in favor of <Show>. (#​7373) by @​jacekradko

  • getToken() now throws ClerkOfflineError instead of returning null when the client is offline. (#​7598) by @​bratsos

    This makes it explicit that a token fetch failure was due to network conditions, not authentication state. Previously, returning null could be misinterpreted as "user is signed out," potentially causing the cached token to be cleared.

    To handle this change, catch ClerkOfflineError from getToken() calls:

    import { ClerkOfflineError } from '@&#8203;clerk/react/errors';
    
    try {
      const token = await session.getToken();
    } catch (error) {
      if (ClerkOfflineError.is(error)) {
        // Handle offline scenario - show offline UI, retry later, etc.
      }
      throw error;
    }
  • Drop support for next@13 and next@14 since they have reached EOL. Now >= next@15.2.3 is required. (#​7197) by @​panteliselef

Minor Changes
  • Add unsafe_disableDevelopmentModeConsoleWarning option to disable the development mode warning that's emitted to the console when Clerk is first loaded. (#​7505) by @​dstaley

  • Add Frontend API proxy support via frontendApiProxy option in clerkMiddleware (#​7602) by @​brkalow

  • Introducing setup_mfa session task (#​7626) by @​octoper

  • Remove clerkJSVariant option and headless bundle. Use prefetchUI={false} instead. (#​7629) by @​jacekradko

  • Add ui prop to ClerkProvider for passing @clerk/ui (#​7664) by @​jacekradko

  • Add standalone getToken() function for retrieving session tokens outside of framework component trees. (#​7325) by @​bratsos

    This function is safe to call from anywhere in the browser, such as API interceptors, data fetching layers (e.g., React Query, SWR), or vanilla JavaScript code. It a

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 5 times, most recently from 1d7368b to 80c3339 Compare March 11, 2026 02:45
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 4 times, most recently from a3ce101 to 3b949ec Compare March 20, 2026 17:49
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 3 times, most recently from 402c781 to 7284400 Compare April 7, 2026 04:25
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 3 times, most recently from f7623f6 to 9d5df31 Compare April 15, 2026 00:55
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch from 9d5df31 to f69f6d2 Compare April 16, 2026 09:05
@renovate renovate Bot changed the title fix(deps): update dependency @clerk/nextjs to v7 fix(deps): update dependency @clerk/nextjs to v7 - autoclosed Apr 16, 2026
@renovate renovate Bot closed this Apr 16, 2026
@renovate renovate Bot deleted the renovate/clerk-nextjs-7.x branch April 16, 2026 23:16
@renovate renovate Bot changed the title fix(deps): update dependency @clerk/nextjs to v7 - autoclosed fix(deps): update dependency @clerk/nextjs to v7 Apr 18, 2026
@renovate renovate Bot reopened this Apr 18, 2026
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 6 times, most recently from 34d6939 to e0beb70 Compare April 25, 2026 04:44
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch from e0beb70 to c124414 Compare April 29, 2026 19:43
@renovate renovate Bot changed the title fix(deps): update dependency @clerk/nextjs to v7 fix(deps): update dependency @clerk/nextjs to v7 - autoclosed Apr 30, 2026
@renovate renovate Bot closed this Apr 30, 2026
@renovate renovate Bot changed the title fix(deps): update dependency @clerk/nextjs to v7 - autoclosed fix(deps): update dependency @clerk/nextjs to v7 May 1, 2026
@renovate renovate Bot reopened this May 1, 2026
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 4 times, most recently from cbc12bb to 34a054a Compare May 7, 2026 05:17
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 3 times, most recently from 9a96f79 to a026cda Compare May 14, 2026 17:59
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 4 times, most recently from d3fabfd to cd575a5 Compare May 22, 2026 23:07
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 2 times, most recently from 03fd3c9 to 8b5596b Compare June 3, 2026 18:40
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 3 times, most recently from 749aa31 to 9241838 Compare June 15, 2026 23:07
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 5 times, most recently from 684460b to 58089d2 Compare June 23, 2026 21:53
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch 4 times, most recently from 9a473ee to 5a22818 Compare July 1, 2026 22:11
@renovate renovate Bot force-pushed the renovate/clerk-nextjs-7.x branch from 5a22818 to 505eee7 Compare July 6, 2026 12:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants