chore(deps): update dependency @clerk/nextjs to v6.23.3 [security] #161

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-clerk-nextjs-vulnerability

Conversation


@renovate renovate bot commented Jul 9, 2025

This PR contains the following updates:

Package: @clerk/nextjs (source)
Change: 6.12.7 → 6.23.3

GitHub Vulnerability Alerts

CVE-2025-53548

Impact

Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

Patches

  • @clerk/backend: the helper has been patched as of 2.4.0
  • @clerk/astro: the helper has been patched as of 2.10.2
  • @clerk/express: the helper has been patched as of 1.7.4
  • @clerk/fastify: the helper has been patched as of 2.4.4
  • @clerk/nextjs: the helper has been patched as of 6.23.3
  • @clerk/nuxt: the helper has been patched as of 1.7.5
  • @clerk/react-router: the helper has been patched as of 1.6.4
  • @clerk/remix: the helper has been patched as of 4.8.5
  • @clerk/tanstack-react-start: the helper has been patched as of 0.18.3

Resolution

The issue was resolved in @clerk/backend 2.4.0 by:

  • Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

Workarounds

If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.


Release Notes

clerk/javascript (@clerk/nextjs)

v6.23.3

Compare Source

Patch Changes

v6.23.2

Compare Source

Patch Changes

v6.23.1

Compare Source

Patch Changes

v6.23.0

Compare Source

Minor Changes
  • Fix auth.protect() unauthorized error propagation within middleware (#6169) by @wobsoriano

  • Optimize auth() calls to avoid unnecessary verification calls when the provided token type is not in the acceptsToken array. (#6123) by @wobsoriano

    • Add handling for invalid token types when acceptsToken is an array in authenticateRequest(): now returns a clear unauthenticated state (tokenType: null) if the token is not in the accepted list.

Patch Changes

v6.22.0

Compare Source

Minor Changes
  • Add <APIKeys /> component. This component will initially be in early access and not recommended for production usage just yet. (#5858) by @wobsoriano

  • Respect acceptsToken when returning unauthenticated session or machine object. (#6112) by @wobsoriano

Patch Changes

v6.21.0

Compare Source

Minor Changes
  • Introduces machine authentication, supporting four token types: api_key, oauth_token, machine_token, and session_token. For backwards compatibility, session_token remains the default when no token type is specified. This enables machine-to-machine authentication and use cases such as API keys and OAuth integrations. Existing applications continue to work without modification. (#5689) by @wobsoriano

    You can specify which token types are allowed for a given route or handler using the acceptsToken property in the auth() helper, or the token property in the auth.protect() helper. Each can be set to a specific type, an array of types, or 'any' to accept all supported tokens.

    Example usage in Nextjs middleware:

    import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
    
    const isOAuthAccessible = createRouteMatcher(['/oauth(.*)']);
    const isApiKeyAccessible = createRouteMatcher(['/api(.*)']);
    const isMachineTokenAccessible = createRouteMatcher(['/m2m(.*)']);
    const isUserAccessible = createRouteMatcher(['/user(.*)']);
    const isAccessibleToAnyValidToken = createRouteMatcher(['/any(.*)']);
    
    export default clerkMiddleware(async (auth, req) => {
      if (isOAuthAccessible(req)) await auth.protect({ token: 'oauth_token' });
      if (isApiKeyAccessible(req)) await auth.protect({ token: 'api_key' });
      if (isMachineTokenAccessible(req)) await auth.protect({ token: 'machine_token' });
      if (isUserAccessible(req)) await auth.protect({ token: 'session_token' });
    
      if (isAccessibleToAnyValidToken(req)) await auth.protect({ token: 'any' });
    });
    
    export const config = {
      matcher: [
        '/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
        '/(api|trpc)(.*)',
      ],
    };

    Leaf node route protection:

    import { auth } from '@clerk/nextjs/server';
    
    // In this example, we allow users and oauth tokens with the "profile" scope
    // to access the data. Other types of tokens are rejected.
    // `db`, `user` and `eq` stand for the app's own database client, schema table
    // and query helper; they are not part of the Clerk SDK and are not defined here.
    export async function POST(req) {
      const authObject = await auth({ acceptsToken: ['session_token', 'oauth_token'] });
    
      if (authObject.tokenType === 'oauth_token' && !authObject.scopes?.includes('profile')) {
        throw new Error('Unauthorized: OAuth token missing the "profile" scope');
      }
    
      // get data from db using userId
      const data = db.select().from(user).where(eq(user.id, authObject.userId));
    
      return { data };
    }
  • The svix dependency is no longer needed when using the verifyWebhook() function. verifyWebhook() was refactored to not rely on svix anymore while keeping the same functionality and behavior. (#6059) by @royanger

    If you previously installed svix to use verifyWebhook() you can uninstall it now:

    npm uninstall svix
Patch Changes

v6.20.2

Compare Source

Patch Changes

v6.20.1

Compare Source

Patch Changes

v6.20.0

Compare Source

Minor Changes
  • Introduce treatPendingAsSignedOut option to getAuth and auth from clerkMiddleware (#5756) by @LauraBeatris

    By default, treatPendingAsSignedOut is set to true, which means pending sessions are treated as signed-out. You can set this option to false to treat pending sessions as authenticated.

    const { userId } = auth({ treatPendingAsSignedOut: false });
    const { userId } = getAuth(req, { treatPendingAsSignedOut: false });
    <SignedIn treatPendingAsSignedOut={false}>
      User has a session that is either pending (requires tasks resolution) or active
    </SignedIn>
Patch Changes

v6.19.5

Compare Source

Patch Changes

v6.19.4

Compare Source

Patch Changes

v6.19.3

Compare Source

Patch Changes

v6.19.2

Compare Source

Patch Changes

v6.19.1

Compare Source

Patch Changes

v6.19.0

Compare Source

Minor Changes
  • Export a new <PricingTable /> component. This component renders plans for user or organizations and upon selection the end-user is prompted with a checkout form. (#5833) by @nikosdouvlis

  • Mark commerce apis as stable (#5833) by @nikosdouvlis

Patch Changes

v6.18.5

Compare Source

Patch Changes

v6.18.4

Compare Source

Patch Changes

v6.18.3

Compare Source

Patch Changes

v6.18.2

Compare Source

Patch Changes

v6.18.1

Compare Source

Patch Changes

v6.18.0

Compare Source

Minor Changes
Patch Changes

v6.17.0

Compare Source

Minor Changes
  • useClerk().status

    Possible values for useClerk().status are:

      • "loading": Set during initialization
      • "error": Set when hotloading clerk-js failed or Clerk.load() failed
      • "ready": Set when Clerk is fully operational
      • "degraded": Set when Clerk is partially operational

    The computed value of useClerk().loaded is:

      • true when useClerk().status is either "ready" or "degraded".
      • false when useClerk().status is "loading" or "error".

    <ClerkFailed />

    <ClerkLoaded>
      <MyCustomSignInForm/>
    </ClerkLoaded>
    <ClerkFailed>
      <ContactSupportBanner/>
    </ClerkFailed>

    <ClerkDegraded />

    <ClerkLoaded>
      <MyCustomPasskeyRegistration />
      <ClerkDegraded>We are experiencing issues, registering a passkey might fail.</ClerkDegraded>
    </ClerkLoaded>
Patch Changes

v6.16.0

Compare Source

Minor Changes
  • Adjust the CSP configuration option from mode to boolean strict to make it more intuitive (#5648) by @jacekradko
Patch Changes

v6.15.1

Compare Source

Patch Changes
  • Add support for webhook verification with Next.js Pages Router. (#5618) by @wobsoriano

    // Next.js Pages Router
    import type { NextApiRequest, NextApiResponse } from 'next';
    import { verifyWebhook } from '@clerk/nextjs/webhooks';
    
    export const config = {
      api: {
        bodyParser: false,
      },
    };
    
    export default async function handler(req: NextApiRequest, res: NextApiResponse) {
      try {
        const evt = await verifyWebhook(req);
        // Handle webhook event
        res.status(200).json({ received: true });
      } catch (err) {
        res.status(400).json({ error: 'Webhook verification failed' });
      }
    }
    
    // tRPC
    import { verifyWebhook } from '@clerk/nextjs/webhooks';
    
    const webhookRouter = router({
      webhook: publicProcedure.input(/** schema */).mutation(async ({ ctx }) => {
        const evt = await verifyWebhook(ctx.req);
        // Handle webhook event
        return { received: true };
      }),
    });
  • Updated dependencies [ab939fd, 03284da, 7389ba3, 00f16e4, bb35660, efb5d8c, c2712e7, aa93f7f, a7f3ebc, d3fa403, f6ef841, 6cba4e2, fb6aa20, e634830, f8887b2]:

v6.15.0

Compare Source

Minor Changes

v6.14.3

Compare Source

Patch Changes

v6.14.2

Compare Source

Patch Changes

v6.14.1

Compare Source

Patch Changes

v6.14.0

Compare Source

Minor Changes
  • Update useAuth to handle pending sessions as signed-out by default, with opt-out via useAuth({ treatPendingAsSignedOut: false }) or <ClerkProvider treatPendingAsSignedOut={false} /> (#5507) by @LauraBeatris

  • import { clerkMiddleware } from '@clerk/nextjs/server';
    
    export default clerkMiddleware(async auth => {
      const { userId, redirectToSignUp } = await auth();
    
      if (!userId) {
        return redirectToSignUp();
      }
    });
  • Added Content Security Policy (CSP) header generation functionality to clerkMiddleware with support for both standard and strict-dynamic modes. Key features: (#5493) by @jacekradko

    • Automatic generation of CSP headers with default security policies compatible with Clerk requirements
    • Support for both standard and strict-dynamic CSP modes
    • Automatic nonce generation for strict-dynamic mode
    • Ability to add custom directives to match project requirements

    Example

    import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
    
    // Assumed route matcher: the original snippet used isPublicRoute without defining it.
    const isPublicRoute = createRouteMatcher(['/', '/sign-in(.*)', '/sign-up(.*)']);
    
    export default clerkMiddleware(
      async (auth, request) => {
        if (!isPublicRoute(request)) {
          await auth.protect();
        }
      },
      {
        contentSecurityPolicy: {
          mode: "strict-dynamic",
          directives: {
            "connect-src": ["external.api.com"],
            "script-src": ["external.scripts.com"]
          }
        }
      }
    );
    
Patch Changes

v6.13.0

Compare Source

Minor Changes
  • Introduce a verifyWebhook() function to verify incoming Clerk webhook requests and process the payload. This function handles webhook signature verification using Svix and is now available across all backend and fullstack SDKs. (#5468) by @wobsoriano

    To get started, install svix, which Clerk uses to verify its webhooks:

    npm install svix

    Then in your webhook route handler, import verifyWebhook() from the Next.js SDK:

    // app/api/webhooks/route.ts
    import { verifyWebhook } from '@clerk/nextjs/webhooks';
    
    export async function POST(req: Request) {
      try {
        // Throws if the signature headers do not verify against the raw body
        const evt = await verifyWebhook(req);
    
        // Do something with payload
        const { id } = evt.data;
        const eventType = evt.type;
        console.log(`Received webhook with ID ${id} and event type of ${eventType}`);
        console.log('Webhook payload:', evt.data);
    
        return new Response('Webhook received', { status: 200 });
      } catch (err) {
        console.error('Error: Could not verify webhook:', err);
        return new Response('Error: Verification error', {
          status: 400,
        });
      }
    }

    For more information on how to sync Clerk data to your app with webhooks, see our guide.

  • Redirect to tasks on auth.protect and auth.redirectToSignIn (#5440) by @LauraBeatris

Patch Changes

v6.12.12

Compare Source

Patch Changes

v6.12.11

Compare Source

Patch Changes

v6.12.10

Compare Source

Patch Changes

v6.12.9

Compare Source

Patch Changes
  • The majority of Clerk applications are not impacted by the NextJS vulnerability disclosed on 22 MAR 2025. Your application might be impacted if you're not using the latest NextJS release and you do not call auth() in your routes or pages. We still recommend upgrading to the latest NextJS version as soon as possible. (#5426) by @nikosdouvlis

    For more details, please see https://clerk.com/blog/cve-2025-29927

v6.12.8

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud bot commented Jul 9, 2025

@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch 2 times, most recently from ce1fe4a to dcdd2bc Compare August 13, 2025 17:46
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from dcdd2bc to c177d77 Compare August 19, 2025 18:39
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from c177d77 to 0f65653 Compare August 31, 2025 10:20
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 0f65653 to 9930d0c Compare September 25, 2025 15:33
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 9930d0c to 009ec18 Compare October 22, 2025 01:11
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 009ec18 to 56e4f1c Compare November 10, 2025 18:13
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 56e4f1c to 882b0b6 Compare November 18, 2025 20:08
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 882b0b6 to 497bc27 Compare December 3, 2025 16:58
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 497bc27 to 0efa976 Compare December 31, 2025 16:07
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 0efa976 to ccb0316 Compare January 8, 2026 19:59
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch 2 times, most recently from 5f6c171 to a54366a Compare January 23, 2026 17:08
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from a54366a to 6c4ca4e Compare February 2, 2026 18:33
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch 2 times, most recently from 4541f87 to 07d59d9 Compare February 17, 2026 20:28
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 07d59d9 to 296ca2a Compare March 5, 2026 15:07
@renovate renovate bot force-pushed the renovate/npm-clerk-nextjs-vulnerability branch from 296ca2a to 5790c5d Compare March 13, 2026 16:45