chore(deps): bump the npm-deps group with 6 updates

[dependabot]

Bumps the npm-deps group with 6 updates:

Package	From	To
@hono/node-server	1.19.13	1.19.14
better-auth	1.6.2	1.6.5
better-sqlite3	12.8.0	12.9.0
globals	17.4.0	17.5.0
prettier	3.8.1	3.8.3
tap	21.6.3	21.7.0

Updates @hono/node-server from 1.19.13 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• See full diff in compare view

Updates better-auth from 1.6.2 to 1.6.5

Release notes

Sourced from better-auth's releases.

v1.6.5

better-auth

Bug Fixes

• Clarified recommended production usage for the test utils plugin (#9119)
• Fixed session not refreshing after /change-password and /revoke-other-sessions (#9087)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Security

• Fixed GHSA-xr8f-h2gw-9xh6, a high-severity authorization bypass in @better-auth/oauth-provider where unprivileged authenticated users could create OAuth clients when deployments relied on clientPrivileges to restrict client creation.
• First patched stable version: @better-auth/[email protected].
• Note: the published beta line (1.7.0-beta.0 and 1.7.0-beta.1) remains affected until a fixed beta release is published.

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​GautamBytes, @​ramonclaudio

Full changelog: v1.6.4...v1.6.5

v1.6.4

better-auth

Bug Fixes

• Fixed forceAllowId UUIDs set in database hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
• Reverted 2FA enforcement scope to credential sign-in paths only, so magic link, email OTP, OAuth, SSO, passkey, and other non-credential sign-in flows no longer trigger a 2FA challenge (#9205)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@​GautamBytes, @​gustavovalverde

Full changelog: v1.6.3...v1.6.4

v1.6.3

better-auth

Features

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.5

Patch Changes

• #9119 938dd80 Thanks @​GautamBytes! - clarify recommended production usage for the test utils plugin

• #9087 0538627 Thanks @​ramonclaudio! - fix(client): refetch session after /change-password and /revoke-other-sessions

• Updated dependencies []:

  • @​better-auth/core@​1.6.5
  • @​better-auth/drizzle-adapter@​1.6.5
  • @​better-auth/kysely-adapter@​1.6.5
  • @​better-auth/memory-adapter@​1.6.5
  • @​better-auth/mongo-adapter@​1.6.5
  • @​better-auth/prisma-adapter@​1.6.5
  • @​better-auth/telemetry@​1.6.5

1.6.4

Patch Changes

• #9205 9aed910 Thanks @​gustavovalverde! - fix(two-factor): revert enforcement broadening from #9122

  Restores the pre-#9122 enforcement scope. 2FA is challenged only on /sign-in/email, /sign-in/username, and /sign-in/phone-number, matching the behavior that shipped through v1.6.2. Non-credential sign-in flows (magic link, email OTP, OAuth, SSO, passkey, SIWE, one-tap, phone-number OTP, device authorization, email-verification auto-sign-in) are no longer gated by a 2FA challenge by default.

  A broader enforcement scope with per-method opt-outs and alignment to NIST SP 800-63B-4 authenticator assurance levels is planned for a future minor release.

• #9068 acbd6ef Thanks @​GautamBytes! - Fix forced UUID user IDs from create hooks being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid".

• #9165 39d6af2 Thanks @​gustavovalverde! - chore(adapters): require patched drizzle-orm and kysely peer versions

  Narrows the drizzle-orm peer to ^0.45.2 and the kysely peer to ^0.28.14. Both new ranges track the minor line that carries the vulnerability fix and nothing newer, so the adapters only advertise support for versions that have actually been tested against. Consumers on older ORM releases see an install-time warning and can upgrade alongside the adapter; the peer is marked optional, so installs do not hard-fail.

• Updated dependencies [39d6af2]:

  • @​better-auth/drizzle-adapter@​1.6.4
  • @​better-auth/kysely-adapter@​1.6.4
  • @​better-auth/core@​1.6.4
  • @​better-auth/memory-adapter@​1.6.4
  • @​better-auth/mongo-adapter@​1.6.4
  • @​better-auth/prisma-adapter@​1.6.4
  • @​better-auth/telemetry@​1.6.4

1.6.3

Patch Changes

• #9131 5142e9c Thanks @​gustavovalverde! - harden dynamic baseURL handling for direct auth.api.* calls and plugin metadata helpers

  Direct auth.api.* calls

  • Throw APIError with a clear message when the baseURL can't be resolved (no source and no fallback), instead of leaving ctx.context.baseURL = "" for downstream plugins to crash on.

... (truncated)

Commits

• c8a91f4 chore: release v1.6.5 (#9209)
• 938dd80 docs(test-utils): clarify production usage (#9119)
• 0538627 fix(client): trigger $sessionSignal for session-rotating endpoints (#9087)
• 9ec849f chore: release v1.6.4 (#9175)
• 39d6af2 chore(adapters): require patched drizzle-orm and kysely peer versions (#9165)
• ba03fb5 chore(deps): bump electron and next devDependencies to patched versions (#9166)
• 9aed910 fix(two-factor): revert enforcement broadening from #9122 (#9205)
• acbd6ef fix: honor forceAllowId UUIDs on postgres adapters (#9068)
• 6f17bb3 chore: release v1.6.3 (#9081)
• 9a6d475 fix(client): prevent isMounted race condition causing many rps (#9078)
• Additional commits viewable in compare view

Updates better-sqlite3 from 12.8.0 to 12.9.0

Release notes

Sourced from better-sqlite3's releases.

v12.9.0

What's Changed

• Update SQLite to version 3.53.0 in WiseLibs/better-sqlite3#1464

Full Changelog: WiseLibs/better-sqlite3@v12.8.0...v12.9.0

Commits

• 4058d24 12.9.0
• f653513 Update SQLite to version 3.53.0 (#1464)
• See full diff in compare view

Updates globals from 17.4.0 to 17.5.0

Release notes

Sourced from globals's releases.

v17.5.0

• Update globals (2026-04-12) (#342) 5d84602

---

sindresorhus/globals@v17.4.0...v17.5.0

Commits

• b8170c8 17.5.0
• 5d84602 Update globals (2026-04-12) (#342)
• 1b727e5 Fix build script for ES globals (#341)
• See full diff in compare view

Updates prettier from 3.8.1 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

</tr></table> 

... (truncated)

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• Additional commits viewable in compare view

Updates tap from 21.6.3 to 21.7.0

Commits

• d8dc6ad update versions
• 0109318 changelog 21.7
• f821b85 docs: add configuration guidance
• b594bbf update several dependencies
• 61edb39 config: look in config/taprc, warn about ignored rc files
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions