Update dependency @auth0/nextjs-auth0 to v4.18.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@auth0/nextjs-auth0	4.14.0 → 4.18.0

---

Release Notes

auth0/nextjs-auth0 (@​auth0/nextjs-auth0)

v4.18.0

Compare Source

Full Changelog

Added

• Reapply feat: add optional update() to SessionDataStore (#​2590) #​2616 (Piyush-85)

Fixed

• fix: DPoP nonce retry race issue #​2580 (nandan-bhat)

v4.17.1

Compare Source

Full Changelog

Fixed

• fix: defer AuthClientProvider construction when AUTH0_DOMAIN not set at build time #​2604 (sleitor)
• fix: Next.js edge runtime build error for crypto module #​2564 (Piyush-85)

v4.17.0

Compare Source

Full Changelog

Added

• feat: MCD (Multiple Custom Domains) Support #​2545 (tusharpandey13)

Fixed

• fix: prevent rolling session from re-creating a deleted session on concurrent logout #​2530 (sleitor)

v4.16.2

Compare Source

Full Changelog

Fixed

• fix: Middleware should not throw ERR_JWE_INVALID #​2546 (crob)
• fix: preserve error details from HTTP 5xx OAuth responses #​2533 (sleitor)

Security

• chore(deps): update eslint to fix flatted vulnerability #​2575 (Piyush-85)

v4.16.1

Compare Source

Full Changelog

Fixed

• fix: make withPageAuthRequired generic to support PageProps/LayoutProps types #​2529 (sleitor)
• fix: enable full generic type inference for withPageAuthRequired to correctly propagate PageProps and LayoutProps #​2550 (Piyush-85)

v4.16.0

Compare Source

Full Changelog

Added

• feat: added tokenRefreshBuffer for early access‑token refreshes #​2508 (nandan-bhat)
• feat: support allow list for dynamic APP_BASE_URL configuration #​2538 (frederikprijck)
• feat: Add dynamic app base URL handling #​2528 (nandan-bhat)

Fixed

• fix: do not strip falsey values from authorization params #​2526 (frederikprijck)

v4.15.0

Compare Source

Full Changelog

Added

• feat: MFA APIs #​2502 (tusharpandey13)
• feat: Base MFA support #​2480 (tusharpandey13)
• Add TTL to /auth/access-token and optional full client response #​2505 (nandan-bhat)

v4.14.1

Compare Source

Full Changelog

Fixed

• fix: do not throw ERR_JWE_DECRYPTION_FAILED, but catch it and ignore the cookie. #​2487 (frederikprijck)
• fix: avoid headers.append error when using getAccessToken with refresh in Next.js 16 proxy #​2495 (nandan-bhat)
• fix: removed un-intended class/type exports from the SDK #​2475 (nandan-bhat)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
tns-web	Ready	Preview, Comment	Apr 17, 2026 2:11pm