Bump drizzle-orm and better-auth in /with-nextjs-better-auth-cloudflare-workers

[dependabot]

Bumps drizzle-orm and better-auth. These dependencies needed to be updated together.
Updates drizzle-orm from 0.44.7 to 0.45.2

Release notes

Sourced from drizzle-orm's releases.

0.45.2

• Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

0.45.1

• Fixed pg-native Pool detection in node-postgres transactions breaking in environments with forbidden require() (#5107)

0.45.0

• Fixed pg-native Pool detection in node-postgres transactions
• Allowed subqueries in select fields
• Updated typo algorythm => algorithm
• Fixed $onUpdate not handling SQL values (fixes #2388, tests implemented by L-Mario564 in #2911)
• Fixed pg mappers not handling Date instances in bun-sql:postgresql driver responses for date, timestamp types (fixes #4493)

Commits

• 273c780 + 0.45.2 (#5534)
• 4aa6ecf Kit updates (#5490)
• e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
• a086f59 Fixed pg-native Pool detection in node-postgres transactions breaking in envi...
• c445637 Merge pull request #5095 from drizzle-team/main-workflows
• e7b3aaa Merge branch 'main' into main-workflows
• 0d885a5 refactor: Update condition for run-feature job to improve clarity and functio...
• 45a1ffb Merge pull request #5087 from drizzle-team/main-workflows
• 6357645 chore: Comment out NEON_HTTP_CONNECTION_STRING requirement in release workflows
• 53dec98 refactor: Simplify release router workflow by removing unnecessary switch job...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for drizzle-orm since your current version.

Updates better-auth from 1.4.7 to 1.6.0

Release notes

Sourced from better-auth's releases.

v1.6.0

Blog post: Better Auth 1.6

better-auth

⚠️ Breaking Changes

Session freshAge aligned with creation time — session.freshAge now calculates from createdAt instead of updatedAt. Previously, any session activity extended the freshness window. (#8762)

// to disable the check entirely:
{ session: { freshAge: 0 } }

oidc-provider deprecated — The oidc-provider plugin emits a one-time deprecation warning. It still works in 1.6 but will be removed in the next major release. (#8985)

- import { oidcProvider } from "better-auth/plugins";
+ import { oauthProvider } from "@better-auth/oauth-provider";

Migration guide →

Features

• Experimental OpenTelemetry instrumentation for endpoints, hooks, middleware, and database operations (#8027)
• Non-blocking password hashing via node:crypto.scrypt on Node.js, Bun, and Deno (#8685)
• Allow passwordless users (magic link, passkey, OAuth) to manage 2FA (#7243)
• Case-insensitive query support (mode: "insensitive") across all adapters (#8556)
• Expose plugin version field on all built-in plugins (#8750)
• Dedicated secret option for OAuth proxy, separate from BETTER_AUTH_SECRET (#8699)
• FedCM opt-in to suppress Google GSI deprecation warnings (#8720)
• Read callback params from body for form_post response mode (#8895)
• enable option for HaveIBeenPwned plugin (#8728)
• Migrate MCP server URL to mcp.better-auth.com (#8747)
• Treat omitted required as true in Drizzle and Prisma generators (#8614)
• Reduce published package sizes (56% for better-auth, 64% for @better-auth/core) (#8884)

Bug Fixes

• Compare account cookie by provider accountId instead of internal id (#8786)
• Don't mark redirect APIErrors as span errors (#8850)
• Prevent any from collapsing base type and client inference (#8981)
• Set stateless cookieCache maxAge to match session.expiresIn (#8648)
• Normalize missing resolver path (#8589)
• Prevent revoked sessions from being restored via database fallback (#8708)
• Handle throw: true in client session refresh (#8610)
• Prevent double-hashing of state when storeIdentifier is hashed (#8980)
• Drizzle adapter failing date transformation (#8289)
• Generate session id when using secondary storage without database (#8927)
• Remove deprecated numUpdatedOrDeletedRows from D1 dialect (#8798)
• Use IS NULL / IS NOT NULL for null value comparisons (#8660)
• Don't set other username prop in updateUser (#7570)

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.0

Minor Changes

• #8836 5dd9e44 Thanks @​gustavovalverde! - Add case-insensitive query support for database adapters

• #8836 5dd9e44 Thanks @​gustavovalverde! - Add optional version field to the plugin interface and expose version from all built-in plugins

Patch Changes

• #8985 dd537cb Thanks @​gustavovalverde! - deprecate oidc-provider plugin in favor of @better-auth/oauth-provider

  The oidc-provider plugin now emits a one-time runtime deprecation warning when instantiated and is marked as @deprecated in TypeScript. It will be removed in the next major version. Migrate to @better-auth/oauth-provider.

• #8843 bd9bd58 Thanks @​gustavovalverde! - enforce role-based authorization on SCIM management endpoints and normalize passkey ownership checks via shared authorization middleware

• #8836 5dd9e44 Thanks @​gustavovalverde! - Return additional user fields and session data from the magic-link verify endpoint

• #8836 5dd9e44 Thanks @​gustavovalverde! - Allow passwordless users to enable, disable, and manage two-factor authentication

• #8836 5dd9e44 Thanks @​gustavovalverde! - Prevent updateUser from overwriting unrelated username or displayUsername fields

• #8836 5dd9e44 Thanks @​gustavovalverde! - Use non-blocking scrypt for password hashing to avoid blocking the event loop

• #8836 5dd9e44 Thanks @​gustavovalverde! - Enforce username uniqueness when updating a user profile

• #8836 5dd9e44 Thanks @​gustavovalverde! - Align session fresh age calculation with creation time instead of update time

• #8836 5dd9e44 Thanks @​gustavovalverde! - Compare account cookie by provider accountId instead of internal id

• #8836 5dd9e44 Thanks @​gustavovalverde! - Trigger session signal after requesting email change in email-otp plugin

• #8836 5dd9e44 Thanks @​gustavovalverde! - Rethrow sendOTP failures in phone-number plugin instead of silently swallowing them

• #8836 5dd9e44 Thanks @​gustavovalverde! - Read OAuth proxy callback parameters from request body when using form_post response mode

• #8980 469eee6 Thanks @​bytaesu! - fix oauth state double-hashing when verification storeIdentifier is set to hashed

• #8981 560230f Thanks @​bytaesu! - Prevent any from collapsing auth.$Infer and auth.$ERROR_CODES. Preserve client query typing when body is any.

• Updated dependencies [5dd9e44, 5dd9e44, 5dd9e44]:

  • @​better-auth/drizzle-adapter@​1.6.0
  • @​better-auth/kysely-adapter@​1.6.0
  • @​better-auth/memory-adapter@​1.6.0
  • @​better-auth/mongo-adapter@​1.6.0
  • @​better-auth/prisma-adapter@​1.6.0
  • @​better-auth/core@​1.6.0
  • @​better-auth/telemetry@​1.6.0

1.6.0-beta.0

... (truncated)

Commits

• d9b16d2 chore: sync main to next
• 141781d fix: generate session id when using secondary storage without database (#8927)
• d666a03 chore: exit pre-release mode for v1.6.0
• 29d197e chore: sync main to next (#8976)
• bd9bd58 fix(security): enforce authorization on SCIM management endpoints and normali...
• 560230f fix(types): prevent any from collapsing base type and client inference (#8981)
• dd537cb chore(oidc-provider): deprecate plugin in favor of @​better-auth/oauth-provide...
• 469eee6 fix(oauth): prevent double-hashing of state when storeIdentifier is hashed (#...
• 475d512 chore: revert better-call v2 migration, downgrade to v1.3.5 (#8973)
• 73beda2 chore: version packages (beta) (#8945)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for better-auth since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
oauth2-with-fastapi	Ready	Preview, Comment	Apr 8, 2026 5:29am