ci(repo): Version packages

[clerk-cookie]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@clerk/backend@3.5.0

Minor Changes

• Add support for new Backend API user endpoints: (#8694) by @dmoerner
  • users.replaceUserEmailAddress(userId, { emailAddress }) replaces all of a user's email addresses with a single verified, primary email address (PUT /users/{user_id}/email_address).
  • users.replaceUserPhoneNumber(userId, { phoneNumber }) replaces all of a user's phone numbers with a single verified, primary phone number (PUT /users/{user_id}/phone_number).
  • users.createUser now accepts banned and locked parameters to create a user that is already banned or locked.

Patch Changes

• Emit the "session token from cookie is missing the azp claim" warning once per process instead of on every authenticated request. An azp-less cookie token is reused across requests, so the previous unguarded console.warn could flood production logs. (#8698) by @jacekradko

• Stop authenticateRequest from consuming the incoming request body, which previously left downstream handlers unable to read it (for example a Hono POST route calling c.req.json()). (#8708) by @jacekradko

• Preserve custom claims when verifying JWT-format M2M tokens. M2MToken.fromJwtPayload previously hardcoded claims to null, so client.m2m.verify() (and request-level auth()) dropped any custom claims embedded in the token. Custom claims are now reconstructed from the verified payload by stripping only the structural claims the backend adds when minting the token (iss, sub, exp, nbf, iat, jti). User-supplied claims such as aud are preserved. Tokens without custom claims still return claims: null, consistent with the opaque-token path. (#8697) by @jacekradko

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:

  • @clerk/shared@4.14.1

@clerk/astro@3.3.3

Patch Changes

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:
  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1

@clerk/chrome-extension@3.1.32

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 4dd97bd, 152c255, 846a145, da93ece, b09788e, 8d6bb56, b07afc4, a1d96f1]:
  • @clerk/shared@4.14.1
  • @clerk/ui@1.14.1
  • @clerk/react@6.7.3
  • @clerk/clerk-js@6.13.1

@clerk/clerk-js@6.13.1

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:
  • @clerk/shared@4.14.1

@clerk/expo@3.3.1

Patch Changes

• Preserve custom token cache method context when initializing the native Clerk singleton. (#8713) by @mikepitre

• Bump the bundled clerk-android SDK (clerk-android-api and clerk-android-ui) from 1.0.16 to 1.0.18. This pulls in the fix from clerk-android #671, which sets the correct IME actions on the prebuilt auth input fields so pressing Enter/Return submits the form (e.g. "Continue") instead of inserting a newline. (#8716) by @wobsoriano

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:

  • @clerk/shared@4.14.1
  • @clerk/react@6.7.3
  • @clerk/clerk-js@6.13.1

@clerk/expo-passkeys@1.1.1

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:
  • @clerk/shared@4.14.1

@clerk/express@2.1.23

Patch Changes

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:
  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1

@clerk/fastify@3.1.33

Patch Changes

• Fixed clerkPlugin() to honor publishableKey and secretKey passed in plugin options when authenticating Fastify requests. The plugin now also exposes request.clerk, which uses the same plugin keys and resolves the correct Clerk API host for non-production publishable keys. (#8640) by @wobsoriano

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:

  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1

@clerk/hono@0.1.33

Patch Changes

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:
  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1

@clerk/localizations@4.7.1

Patch Changes

• Add support for Google Workspace SAML provider to self-serve SSO (#8690) by @LauraBeatris

• Layer architecture for configure steps per IdP and protocol on <ConfigureSSO /> (#8651) by @LauraBeatris

• Add support for Microsoft Entra SAML provider to self-serve SSO (#8695) by @LauraBeatris

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:

  • @clerk/shared@4.14.1

@clerk/nextjs@7.4.3

Patch Changes

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:
  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1
  • @clerk/react@6.7.3

@clerk/nuxt@2.5.3

Patch Changes

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:
  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1
  • @clerk/vue@2.3.3

@clerk/react@6.7.3

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:
  • @clerk/shared@4.14.1

@clerk/react-router@3.3.3

Patch Changes

• Read VITE_CLERK_UNSAFE_DISABLE_DEVELOPMENT_MODE_CONSOLE_WARNING on the client when React Router is used in SPA mode (or as a library). Previously the env-var shortcut only took effect through the SSR rootAuthLoader, so client-only setups had no way to suppress the development-keys warning without passing unsafe_disableDevelopmentModeConsoleWarning to <ClerkProvider> directly. (#8682) by @jacekradko

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:

  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1
  • @clerk/react@6.7.3

@clerk/shared@4.14.1

Patch Changes

• Add support for Google Workspace SAML provider to self-serve SSO (#8690) by @LauraBeatris

• Layer architecture for configure steps per IdP and protocol on <ConfigureSSO /> (#8651) by @LauraBeatris

• Add support for Microsoft Entra SAML provider to self-serve SSO (#8695) by @LauraBeatris

@clerk/tanstack-react-start@1.3.3

Patch Changes

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:
  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1
  • @clerk/react@6.7.3

@clerk/testing@2.0.35

Patch Changes

• Updated dependencies [1c42351, 1701e0f, afb75e6, c3df67a, ff0cfef, be55c4e, 8d6bb56]:
  • @clerk/backend@3.5.0
  • @clerk/shared@4.14.1

@clerk/ui@1.14.1

Patch Changes

• Add support for Google Workspace SAML provider to self-serve SSO (#8690) by @LauraBeatris

• Layer architecture for configure steps per IdP and protocol on <ConfigureSSO /> (#8651) by @LauraBeatris

• Reworks the <ConfigureSSO /> confirmation step and adds a dedicated reset connection dialog: (#8706) by @iagodahlem

  • Introduces <ResetConnectionDialog /> — a modal-based, type-to-confirm dialog scoped to the wizard container that replaces the inline reset confirmation card. Wraps the destructive delete behind useReverification, clears the local provider selection, and rewinds the wizard to provider selection on success.
  • Restyles the confirmation step body: unified status header with an inline Active / Inactive badge, grouped Enable SSO and Domain rows, two-column configuration details rendered through ProfileSection.ItemList, outlined Configure again, destructive Reset connection, and an inactive-state banner inside the step footer.
  • Step.Header now accepts a badge prop so a step can render an inline status pill next to its title without crowding the right-aligned children slot.
  • OrganizationProfile forwards the shared content ref to <ConfigureSSO /> so the new dialog portals into the wizard chrome when the component is embedded inside the organization profile.

• Fix the legal consent checkbox growing in size when its label wraps to a second line while using the simple theme. The checkbox is now aligned to the start of the row so it no longer stretches to match the label height. (#8705) by @dmoerner

• Avoid sending duplicate verification codes when persisted email or phone code verifications are already pending. (#8548) by @jacekradko

• Adds a wizard-wide reset connection entry on the <ConfigureSSO /> step footers: (#8711) by @iagodahlem

  • New Step.Footer.Reset compound part that renders a destructive ghost button on the leading edge of the footer and opens the existing ResetConnectionDialog. The slot owns its own open state and gates itself on the current enterprise connection, so it stays hidden on the provider selection step.
  • Wires the reset entry into the Verify Domain, Configure (Okta and Custom SAML), and Test steps so the reset action is reachable from anywhere in the wizard. The confirmation step keeps its in-body destructive button.
  • Exposes a configureSSOFooterResetButton element descriptor so the new button surface can be themed via appearance customizations.

• Fix stepper chevron wrapping in <ConfigureSSO /> (#8693) by @alexcarpenter

• Add support for Microsoft Entra SAML provider to self-serve SSO (#8695) by @LauraBeatris

• Add mobile support for <ConfigureSSO /> navbar to display application name, logo and organization name (#8675) by @LauraBeatris

• Scope the UserProfile active-devices fetch cache by user.id so a session switch or sign-out/sign-in on a shared device no longer renders the previous user's device activity (IP, location, browser/device) from the module-scoped cache. (#8703) by @dominic-clerk

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:

  • @clerk/localizations@4.7.1
  • @clerk/shared@4.14.1

@clerk/upgrade@2.0.3

Patch Changes

• Removed unused generate-changelog script (#8686) by @dominic-clerk

@clerk/vue@2.3.3

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:
  • @clerk/shared@4.14.1

@clerk/msw@0.0.31

Patch Changes

• Updated dependencies [afb75e6, c3df67a, 8d6bb56]:
  • @clerk/shared@4.14.1

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 2, 2026 2:32am

[github-actions]

Snapi: no API changes detected in @clerk/backend, @clerk/clerk-js, @clerk/nextjs, @clerk/react, @clerk/shared, @clerk/ui.

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8679

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8679

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8679

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8679

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8679

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8679

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8679

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8679

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8679

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8679

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8679

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8679

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8679

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8679

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8679

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8679

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8679

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8679

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8679

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8679

commit: a39b71e

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-02T02:35:41.062Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	1
🔴 Breaking changes	0
🟡 Non-breaking changes	1
🟢 Additions	0

🤖 This report was reviewed by claude-sonnet-4-6.

Note
Break Check could not snapshot 3 subpaths; the diff below excludes them.

• @clerk/astro ./env: Internal Error: Unable to determine module for: /home/runner/_work/javascript/javascript/packages/astro/env.d.ts You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
• @clerk/shared ./cookie: Internal Error: Unable to follow symbol for "Cookies" You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
• @clerk/testing ./cypress: Symbol not found for identifier: Cypress

---

@clerk/shared

Version: 4.14.0 → 4.14.1
Recommended bump: MINOR
Actual bump: PATCH ❌ (insufficient)

Subpath ./apiUrlFromPublishableKey

🟡 Non-breaking Changes (1)

Modified: apiUrlFromPublishableKey

- apiUrlFromPublishableKey: (publishableKey: string) => "https://api.lclclerk.com" | "https://api.clerkstage.dev" | "https://api.clerk.com"
+ apiUrlFromPublishableKey: (publishableKey: string) => "https://api.clerk.com" | "https://api.lclclerk.com" | "https://api.clerkstage.dev"

Static analyzer: Breaking change in function apiUrlFromPublishableKey: Return type changed: "https://api.lclclerk.com"|"https://api.clerkstage.dev"|"https://api.clerk.com" → "https://api.clerk.com"|"https://api.lclclerk.com"|"https://api.clerkstage.dev"

🤖 AI review (reclassified as non-breaking) (95%): The union type members are identical in both versions; only the order of the string literal members changed. Union types in TypeScript are order-independent for type compatibility, so no well-typed consumer code is affected by this reordering.

---

Report generated by Break Check