chore(deps): bump better-auth from 1.4.7 to 1.6.0 #22

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/better-auth-1.6.0

@dependabot dependabot bot commented on behalf of github Apr 8, 2026

Bumps better-auth from 1.4.7 to 1.6.0.

Release notes

Sourced from better-auth's releases.

v1.6.0

Blog post: Better Auth 1.6

better-auth

⚠️ Breaking Changes

Session freshAge aligned with creation time: session.freshAge now calculates from createdAt instead of updatedAt. Previously, any session activity extended the freshness window. (#8762)

// to disable the check entirely:
{ session: { freshAge: 0 } }

oidc-provider deprecated — The oidc-provider plugin emits a one-time deprecation warning. It still works in 1.6 but will be removed in the next major release. (#8985)

- import { oidcProvider } from "better-auth/plugins";
+ import { oauthProvider } from "@better-auth/oauth-provider";

Migration guide →

Features

  • Experimental OpenTelemetry instrumentation for endpoints, hooks, middleware, and database operations (#8027)
  • Non-blocking password hashing via node:crypto.scrypt on Node.js, Bun, and Deno (#8685)
  • Allow passwordless users (magic link, passkey, OAuth) to manage 2FA (#7243)
  • Case-insensitive query support (mode: "insensitive") across all adapters (#8556)
  • Expose plugin version field on all built-in plugins (#8750)
  • Dedicated secret option for OAuth proxy, separate from BETTER_AUTH_SECRET (#8699)
  • FedCM opt-in to suppress Google GSI deprecation warnings (#8720)
  • Read callback params from body for form_post response mode (#8895)
  • enable option for HaveIBeenPwned plugin (#8728)
  • Migrate MCP server URL to mcp.better-auth.com (#8747)
  • Treat omitted required as true in Drizzle and Prisma generators (#8614)
  • Reduce published package sizes (56% for better-auth, 64% for @better-auth/core) (#8884)

Bug Fixes

  • Compare account cookie by provider accountId instead of internal id (#8786)
  • Don't mark redirect APIErrors as span errors (#8850)
  • Prevent any from collapsing base type and client inference (#8981)
  • Set stateless cookieCache maxAge to match session.expiresIn (#8648)
  • Normalize missing resolver path (#8589)
  • Prevent revoked sessions from being restored via database fallback (#8708)
  • Handle throw: true in client session refresh (#8610)
  • Prevent double-hashing of state when storeIdentifier is hashed (#8980)
  • Drizzle adapter failing date transformation (#8289)
  • Generate session id when using secondary storage without database (#8927)
  • Remove deprecated numUpdatedOrDeletedRows from D1 dialect (#8798)
  • Use IS NULL / IS NOT NULL for null value comparisons (#8660)
  • Don't set other username prop in updateUser (#7570)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.0

Minor Changes

Patch Changes

1.6.0-beta.0

... (truncated)

Commits
  • d9b16d2 chore: sync main to next
  • 141781d fix: generate session id when using secondary storage without database (#8927)
  • d666a03 chore: exit pre-release mode for v1.6.0
  • 29d197e chore: sync main to next (#8976)
  • bd9bd58 fix(security): enforce authorization on SCIM management endpoints and normali...
  • 560230f fix(types): prevent any from collapsing base type and client inference (#8981)
  • dd537cb chore(oidc-provider): deprecate plugin in favor of @better-auth/oauth-provide...
  • 469eee6 fix(oauth): prevent double-hashing of state when storeIdentifier is hashed (#...
  • 475d512 chore: revert better-call v2 migration, downgrade to v1.3.5 (#8973)
  • 73beda2 chore: version packages (beta) (#8945)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for better-auth since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) from 1.4.7 to 1.6.0.
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Changelog](https://github.com/better-auth/better-auth/blob/main/packages/better-auth/CHANGELOG.md)
- [Commits](https://github.com/better-auth/better-auth/commits/better-auth@1.6.0/packages/better-auth)

---
updated-dependencies:
- dependency-name: better-auth
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 8, 2026