auth0-deploy-cli 8.26.0 → 8.27.0

package/CHANGELOG.md

@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [8.27.0] - 2026-02-13
+
+### Added
+
+- Add support for `custom_password_hash.action_id` in `databases` (Universal Custom Password Hash EA). [#1288]
+- Add support for `allowed_strategies` in `selfServiceProfiles`. [#1298]
+
+### Fixed
+
+- Fix validation handling for `authentication_methods.password.enabled` and `disable_self_service_change_password` in `databases`. [#1297]
+- Fix stripping deprecated `enabled_clients` for `connections` with enhanced client management. [#1294]
+- Fix exclude third-party `clientGrants` when `AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS` is enabled. [#1289]
+
 ## [8.26.0] - 2026-01-30
 
 ### Added
@@ -1634,7 +1647,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1282]: https://github.com/auth0/auth0-deploy-cli/issues/1282
 [#1283]: https://github.com/auth0/auth0-deploy-cli/issues/1283
 [#1284]: https://github.com/auth0/auth0-deploy-cli/issues/1284
-[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.26.0...HEAD
+[#1288]: https://github.com/auth0/auth0-deploy-cli/issues/1288
+[#1289]: https://github.com/auth0/auth0-deploy-cli/issues/1289
+[#1294]: https://github.com/auth0/auth0-deploy-cli/issues/1294
+[#1297]: https://github.com/auth0/auth0-deploy-cli/issues/1297
+[#1298]: https://github.com/auth0/auth0-deploy-cli/issues/1298
+[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.27.0...HEAD
+[8.27.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.26.0...v8.27.0
 [8.26.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.25.0...v8.26.0
 [8.25.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.24.0...v8.25.0
 [8.24.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.23.2...v8.24.0

package/lib/tools/auth0/handlers/clientGrants.js

@@ -117,6 +117,15 @@ class ClientGrantsHandler extends default_1.default {
         // As it could cause problems if the grants are deleted or updated etc
         const currentClient = this.config('AUTH0_CLIENT_ID');
         this.existing = this.existing.filter((grant) => grant.client_id !== currentClient);
+        // Filter out third-party client grants when AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS is enabled
+        if ((0, utils_1.shouldExcludeThirdPartyClients)(this.config)) {
+            const clients = await (0, client_1.paginate)(this.client.clients.list, {
+                paginate: true,
+                is_first_party: true,
+            });
+            const firstPartyClientIds = new Set(clients.map((c) => c.client_id));
+            this.existing = this.existing.filter((grant) => firstPartyClientIds.has(grant.client_id));
+        }
         return this.existing;
     }
     // Run after clients are updated so we can convert client_id names to id's
@@ -140,19 +149,28 @@ class ClientGrantsHandler extends default_1.default {
         });
         // Always filter out the client we are using to access Auth0 Management API
         const currentClient = this.config('AUTH0_CLIENT_ID');
+        // Build a set of third-party client IDs for efficient lookup
+        const thirdPartyClientIds = new Set(clients.filter((c) => c.is_first_party === false).map((c) => c.client_id));
         const { del, update, create, conflicts } = await this.calcChanges({
             ...assets,
             clientGrants: formatted,
         });
         const filterGrants = (list) => {
+            let filtered = list;
+            // Filter out the current client (Auth0 Management API client)
+            filtered = filtered.filter((item) => item.client_id !== currentClient);
+            // Filter out excluded clients
             if (excludedClients.length) {
-                return list.filter((item) => item.client_id !== currentClient &&
-                    item.client_id &&
+                filtered = filtered.filter((item) => item.client_id &&
                     ![...excludedClientsByNames, ...excludedClients].includes(item.client_id));
             }
-            return list
-                .filter((item) => item.client_id !== currentClient)
-                .filter((item) => item.is_system !== true);
+            // Filter out system grants
+            filtered = filtered.filter((item) => item.is_system !== true);
+            // Filter out third-party client grants when flag is enabled
+            if ((0, utils_1.shouldExcludeThirdPartyClients)(this.config)) {
+                filtered = filtered.filter((item) => !thirdPartyClientIds.has(item.client_id));
+            }
+            return filtered;
         };
         const changes = {
             // @ts-ignore because this expects `client_id` and that's not yet typed on Asset

package/lib/tools/auth0/handlers/clients.js

@@ -10,6 +10,7 @@ const default_1 = __importDefault(require("./default"));
 const connectionProfiles_1 = require("./connectionProfiles");
 const userAttributeProfiles_1 = require("./userAttributeProfiles");
 const logger_1 = __importDefault(require("../../../logger"));
+const utils_1 = require("../../utils");
 const multiResourceRefreshTokenPoliciesSchema = {
     type: ['array', 'null'],
     description: 'A collection of policies governing multi-resource refresh token exchange (MRRT), defining how refresh tokens can be used across different resource servers',
@@ -397,8 +398,6 @@ class ClientHandler extends default_1.default {
             return;
         assets.clients = await this.sanitizeMapExpressConfiguration(this.client, clients);
         const excludedClients = (assets.exclude && assets.exclude.clients) || [];
-        const excludeThirdPartyClients = this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === 'true' ||
-            this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === true;
         const { del, update, create, conflicts } = await this.calcChanges(assets);
         // Always filter out the client we are using to access Auth0 Management API
         // As it could cause problems if it gets deleted or updated etc
@@ -412,7 +411,7 @@ class ClientHandler extends default_1.default {
         const filterClients = (list) => list.filter((item) => item.client_id !== currentClient &&
             item.name &&
             !excludedClients.includes(item.name) &&
-            (!excludeThirdPartyClients || item.is_first_party));
+            (!(0, utils_1.shouldExcludeThirdPartyClients)(this.config) || item.is_first_party));
         // Sanitize client fields
         const sanitizeClientFields = (list) => {
             const sanitizedClients = createClientSanitizer(list)
@@ -447,12 +446,10 @@ class ClientHandler extends default_1.default {
     async getType() {
         if (this.existing)
             return this.existing;
-        const excludeThirdPartyClients = this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === 'true' ||
-            this.config('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS') === true;
         const clients = await (0, client_1.paginate)(this.client.clients.list, {
             paginate: true,
             is_global: false,
-            ...(excludeThirdPartyClients && { is_first_party: true }),
+            ...((0, utils_1.shouldExcludeThirdPartyClients)(this.config) && { is_first_party: true }),
         });
         this.existing = createClientSanitizer(clients).sanitizeCrossOriginAuth().get();
         return this.existing;

package/lib/tools/auth0/handlers/connections.d.ts

@@ -141,7 +141,7 @@ export declare const getConnectionEnabledClients: (auth0Client: Auth0APIClient,
  * @returns Promise that resolves to true if the update was successful, false otherwise
  *
  */
-export declare const updateConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, connectionId: string, enabledClientIds: string[]) => Promise<boolean>;
+export declare const updateConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, connectionId: string, enabledClientIds: string[], existingConnections: Asset[] | Asset | null) => Promise<boolean>;
 /**
  * This function processes enabled clients for create, update, and conflict operations.
  * Note: This function mutates the `create` array by adding IDs to the connection objects after creation.
@@ -153,7 +153,7 @@ export declare const updateConnectionEnabledClients: (auth0Client: Auth0APIClien
  *
  * @returns A Promise that resolves when all enabled client updates are complete
  */
-export declare const processConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, changes: CalculatedChanges, delayMs?: number) => Promise<void>;
+export declare const processConnectionEnabledClients: (auth0Client: Auth0APIClient, typeName: string, existingConnections: Asset[] | null, changes: CalculatedChanges, delayMs?: number) => Promise<void>;
 export default class ConnectionsHandler extends DefaultAPIHandler {
     existing: Connection[] | null;
     scimHandler: ScimHandler;

package/lib/tools/auth0/handlers/connections.js

@@ -200,13 +200,36 @@ exports.getConnectionEnabledClients = getConnectionEnabledClients;
  * @returns Promise that resolves to true if the update was successful, false otherwise
  *
  */
-const updateConnectionEnabledClients = async (auth0Client, typeName, connectionId, enabledClientIds) => {
+const updateConnectionEnabledClients = async (auth0Client, typeName, connectionId, enabledClientIds, existingConnections) => {
     if (!connectionId || !Array.isArray(enabledClientIds) || !enabledClientIds.length)
         return false;
-    const enabledClientUpdatePayloads = enabledClientIds.map((clientId) => ({
-        client_id: clientId,
-        status: true,
-    }));
+    let existingEnabledClients = [];
+    if (Array.isArray(existingConnections)) {
+        const existingConnection = existingConnections.find((con) => con.id === connectionId);
+        existingEnabledClients = existingConnection?.enabled_clients ?? [];
+    }
+    // Determine which clients to enable vs. disable by comparing the incoming `enabledClientIds` with the `existingEnabledClients`.
+    const enabledClientIdSet = new Set(enabledClientIds);
+    const existingClientIdSet = new Set(existingEnabledClients);
+    // If both sets are identical, skip the update entirely.
+    if (enabledClientIdSet.size === existingClientIdSet.size &&
+        [...enabledClientIdSet].every((id) => existingClientIdSet.has(id))) {
+        logger_1.default.debug(`Enabled clients for ${typeName}: ${connectionId} are unchanged, skipping update`);
+        return true;
+    }
+    const clientsToEnable = enabledClientIds;
+    // Any client that exists on the tenant but not in the provided `enabledClientIds` should be disabled.
+    const clientsToDisable = existingEnabledClients.filter((clientId) => !enabledClientIdSet.has(clientId));
+    const enabledClientUpdatePayloads = [
+        ...clientsToEnable.map((clientId) => ({
+            client_id: clientId,
+            status: true,
+        })),
+        ...clientsToDisable.map((clientId) => ({
+            client_id: clientId,
+            status: false,
+        })),
+    ];
     const payloadChunks = (0, lodash_1.chunk)(enabledClientUpdatePayloads, 50);
     try {
         await Promise.all(payloadChunks.map((payload) => auth0Client.connections.clients.update(connectionId, payload)));
@@ -230,7 +253,7 @@ exports.updateConnectionEnabledClients = updateConnectionEnabledClients;
  *
  * @returns A Promise that resolves when all enabled client updates are complete
  */
-const processConnectionEnabledClients = async (auth0Client, typeName, changes, delayMs = 2500 // Default delay is 2.5 seconds
+const processConnectionEnabledClients = async (auth0Client, typeName, existingConnections, changes, delayMs = 2500 // Default delay is 2.5 seconds
 ) => {
     const { create, update, conflicts } = changes;
     let createWithId = [];
@@ -267,9 +290,9 @@ const processConnectionEnabledClients = async (auth0Client, typeName, changes, d
     // Process enabled clients for each change type
     // Delete is handled by the `processChanges` method, removed connection completely
     await Promise.all([
-        ...createWithId.map((conn) => (0, exports.updateConnectionEnabledClients)(auth0Client, typeName, conn.id, conn.enabled_clients)),
-        ...update.map((conn) => (0, exports.updateConnectionEnabledClients)(auth0Client, typeName, conn.id, conn.enabled_clients)),
-        ...conflicts.map((conn) => (0, exports.updateConnectionEnabledClients)(auth0Client, typeName, conn.id, conn.enabled_clients)),
+        ...createWithId.map((conn) => (0, exports.updateConnectionEnabledClients)(auth0Client, typeName, conn.id, conn.enabled_clients, existingConnections)),
+        ...update.map((conn) => (0, exports.updateConnectionEnabledClients)(auth0Client, typeName, conn.id, conn.enabled_clients, existingConnections)),
+        ...conflicts.map((conn) => (0, exports.updateConnectionEnabledClients)(auth0Client, typeName, conn.id, conn.enabled_clients, existingConnections)),
     ]);
 };
 exports.processConnectionEnabledClients = processConnectionEnabledClients;
@@ -543,7 +566,7 @@ class ConnectionsHandler extends default_1.default {
         changes = (0, utils_1.filterIncluded)(changes, includedConnections);
         await super.processChanges(assets, changes);
         // process enabled clients
-        await (0, exports.processConnectionEnabledClients)(this.client, this.type, changes);
+        await (0, exports.processConnectionEnabledClients)(this.client, this.type, await this.existing, changes);
         // process directory provisioning
         await this.processConnectionDirectoryProvisioning(changes);
     }

package/lib/tools/auth0/handlers/databases.d.ts

@@ -1,5 +1,7 @@
 import DefaultAPIHandler from './default';
-import { CalculatedChanges, Assets, Asset } from '../../../types';
+import { CalculatedChanges, Assets } from '../../../types';
+import { Connection } from './connections';
+import { Action } from './actions';
 export declare const schema: {
     type: string;
     items: {
@@ -180,6 +182,14 @@ export declare const schema: {
                             };
                         };
                     };
+                    custom_password_hash: {
+                        type: string;
+                        properties: {
+                            action_id: {
+                                type: string;
+                            };
+                        };
+                    };
                 };
             };
         };
@@ -187,13 +197,15 @@ export declare const schema: {
     };
 };
 export default class DatabaseHandler extends DefaultAPIHandler {
+    existing: Connection[] | null;
     constructor(config: DefaultAPIHandler);
     objString(db: any): string;
+    getFormattedOptions(options: any, actions?: Action[]): any;
     validate(assets: Assets): Promise<void>;
     private validatePasswordlessSettings;
     private validateEmailUniqueConstraints;
     getClientFN(fn: 'create' | 'delete' | 'getAll' | 'update'): Function;
-    getType(): Promise<Asset | Asset[]>;
+    getType(): Promise<Connection[]>;
     calcChanges(assets: Assets): Promise<CalculatedChanges>;
     processChanges(assets: Assets): Promise<void>;
 }

package/lib/tools/auth0/handlers/databases.js

@@ -173,6 +173,12 @@ exports.schema = {
                             },
                         },
                     },
+                    custom_password_hash: {
+                        type: 'object',
+                        properties: {
+                            action_id: { type: 'string' },
+                        },
+                    },
                 },
             },
         },
@@ -190,6 +196,22 @@ class DatabaseHandler extends default_1.default {
     objString(db) {
         return super.objString({ name: db.name, id: db.id });
     }
+    getFormattedOptions(options, actions = []) {
+        try {
+            const formattedOptions = { ...options };
+            // Handle custom_password_hash.action_id conversion
+            if (options?.custom_password_hash?.action_id) {
+                formattedOptions.custom_password_hash = {
+                    ...options.custom_password_hash,
+                    action_id: (0, utils_1.convertActionNameToId)(options.custom_password_hash.action_id, actions),
+                };
+            }
+            return formattedOptions;
+        }
+        catch (e) {
+            return {};
+        }
+    }
     async validate(assets) {
         const { databases } = assets;
         // Do nothing if not set
@@ -198,7 +220,7 @@ class DatabaseHandler extends default_1.default {
         // Validate each database
         databases.forEach((database) => {
             this.validateEmailUniqueConstraints(database);
-            this.validatePasswordlessSettings(database);
+            // this.validatePasswordlessSettings(database); // Enable only the feature is GA PR:#1282
         });
         await super.validate(assets);
     }
@@ -242,7 +264,12 @@ class DatabaseHandler extends default_1.default {
     getClientFN(fn) {
         // Override this as a database is actually a connection but we are treating them as a different object
         if (fn === 'create') {
-            return (payload) => this.client.connections.create(payload);
+            return (payload) => {
+                // Remove deprecated enabled_clients field
+                if ('enabled_clients' in payload)
+                    delete payload.enabled_clients;
+                return this.client.connections.create(payload);
+            };
         }
         // If we going to update database, we need to get current options first
         if (fn === 'update') {
@@ -265,6 +292,9 @@ class DatabaseHandler extends default_1.default {
                 if (payload.options && Object.keys(payload.options).length === 0) {
                     delete payload.options;
                 }
+                // Remove deprecated enabled_clients field
+                if ('enabled_clients' in payload)
+                    delete payload.enabled_clients;
                 return this.client.connections.update(id, payload);
             });
         }
@@ -273,25 +303,52 @@ class DatabaseHandler extends default_1.default {
     async getType() {
         if (this.existing)
             return this.existing;
-        const connections = await (0, client_1.paginate)(this.client.connections.list, {
-            strategy: [auth0_1.Management.ConnectionStrategyEnum.Auth0],
-            checkpoint: true,
-        });
+        // Fetch connections and actions concurrently
+        const [connections, actions] = await Promise.all([
+            (0, client_1.paginate)(this.client.connections.list, {
+                strategy: [auth0_1.Management.ConnectionStrategyEnum.Auth0],
+                checkpoint: true,
+            }),
+            (0, client_1.paginate)(this.client.actions.list, {
+                paginate: true,
+                include_totals: true,
+            }),
+        ]);
         const dbConnectionsWithEnabledClients = await Promise.all(connections.map(async (con) => {
             if (!con?.id)
                 return con;
             const enabledClients = await (0, connections_1.getConnectionEnabledClients)(this.client, con.id);
+            const connection = { ...con };
             if (enabledClients && enabledClients?.length) {
-                return { ...con, enabled_clients: enabledClients };
+                connection.enabled_clients = enabledClients;
             }
-            return con;
+            return connection;
         }));
+        // Convert action ID back to action name for export
+        const dbConnectionsWithActionNames = dbConnectionsWithEnabledClients.map((connection) => {
+            if (connection.options && 'custom_password_hash' in connection.options) {
+                const customPasswordHash = connection.options?.custom_password_hash;
+                if (customPasswordHash?.action_id) {
+                    return {
+                        ...connection,
+                        options: {
+                            ...connection.options,
+                            custom_password_hash: {
+                                ...customPasswordHash,
+                                action_id: (0, utils_1.convertActionIdToName)(customPasswordHash.action_id, actions),
+                            },
+                        },
+                    };
+                }
+            }
+            return connection;
+        });
         // If options option is empty for all connection, log the missing options scope.
-        const isOptionExists = dbConnectionsWithEnabledClients.every((c) => c.options && Object.keys(c.options).length > 0);
+        const isOptionExists = dbConnectionsWithActionNames.every((c) => c.options && Object.keys(c.options).length > 0);
         if (!isOptionExists) {
             logger_1.default.warn(`Insufficient scope the read:connections_options scope is required to get ${this.type} options.`);
         }
-        this.existing = dbConnectionsWithEnabledClients;
+        this.existing = dbConnectionsWithActionNames;
         return this.existing;
     }
     async calcChanges(assets) {
@@ -305,22 +362,29 @@ class DatabaseHandler extends default_1.default {
                 conflicts: [],
             };
         // Convert enabled_clients by name to the id
-        const clients = await (0, client_1.paginate)(this.client.clients.list, {
-            paginate: true,
-        });
-        const existingDatabasesConnections = await (0, client_1.paginate)(this.client.connections.list, {
-            strategy: [auth0_1.Management.ConnectionStrategyEnum.Auth0],
-            checkpoint: true,
-            include_totals: true,
-        });
+        // Fetch clients, connections, and actions concurrently
+        const [clients, existingDatabasesConnections, actions] = await Promise.all([
+            (0, client_1.paginate)(this.client.clients.list, {
+                paginate: true,
+            }),
+            (0, client_1.paginate)(this.client.connections.list, {
+                strategy: [auth0_1.Management.ConnectionStrategyEnum.Auth0],
+                checkpoint: true,
+                include_totals: true,
+            }),
+            (0, client_1.paginate)(this.client.actions.list, {
+                paginate: true,
+                include_totals: true,
+            }),
+        ]);
         const formatted = databases.map((db) => {
+            const { options, ...rest } = db;
+            const formattedOptions = this.getFormattedOptions(options, actions);
+            const formattedDb = { ...rest, options: formattedOptions };
             if (db.enabled_clients) {
-                return {
-                    ...db,
-                    enabled_clients: (0, utils_1.getEnabledClients)(assets, db, existingDatabasesConnections, clients),
-                };
+                formattedDb.enabled_clients = (0, utils_1.getEnabledClients)(assets, db, existingDatabasesConnections, clients);
             }
-            return db;
+            return formattedDb;
         });
         return super.calcChanges({ ...assets, databases: formatted });
     }
@@ -339,7 +403,7 @@ class DatabaseHandler extends default_1.default {
         const changes = await this.calcChanges(assets);
         await super.processChanges(assets, (0, utils_1.filterExcluded)(changes, excludedConnections));
         // process enabled clients
-        await (0, connections_1.processConnectionEnabledClients)(this.client, this.type, (0, utils_1.filterExcluded)(changes, excludedConnections));
+        await (0, connections_1.processConnectionEnabledClients)(this.client, this.type, await this.existing, (0, utils_1.filterExcluded)(changes, excludedConnections));
     }
 }
 exports.default = DatabaseHandler;

package/lib/tools/auth0/handlers/scimHandler.js

@@ -191,6 +191,9 @@ class ScimHandler {
         const { scim_configuration: scimBodyParams } = bodyParams;
         delete bodyParams.scim_configuration;
         delete bodyParams.directory_provisioning_configuration;
+        // Remove deprecated enabled_clients field
+        if ('enabled_clients' in bodyParams)
+            delete bodyParams.enabled_clients;
         // First, update `connections`.
         const updated = await this.connectionsManager.update(connectionId, bodyParams);
         const idMapEntry = this.idMap.get(connectionId);
@@ -225,6 +228,9 @@ class ScimHandler {
         const { scim_configuration: scimBodyParams } = bodyParams;
         delete bodyParams.scim_configuration;
         delete bodyParams.directory_provisioning_configuration;
+        // Remove deprecated enabled_clients field
+        if ('enabled_clients' in bodyParams)
+            delete bodyParams.enabled_clients;
         // First, create the new `connection`.
         const data = await this.connectionsManager.create(bodyParams);
         if (data?.id && scimBodyParams && this.scimScopes.create) {

package/lib/tools/auth0/handlers/selfServiceProfiles.d.ts

@@ -48,6 +48,14 @@ export declare const schema: {
                     };
                 };
             };
+            allowed_strategies: {
+                type: string;
+                description: string;
+                items: {
+                    type: string;
+                    enum: ("pingfederate" | "adfs" | "waad" | "google-apps" | "okta" | "oidc" | "samlp" | "auth0-samlp" | "okta-samlp" | "keycloak-samlp")[];
+                };
+            };
             branding: {
                 type: string;
                 properties: {

package/lib/tools/auth0/handlers/selfServiceProfiles.js

@@ -43,6 +43,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.schema = void 0;
+const auth0_1 = require("auth0");
 const lodash_1 = require("lodash");
 const logger_1 = __importDefault(require("../../../logger"));
 const default_1 = __importStar(require("./default"));
@@ -86,6 +87,14 @@ exports.schema = {
                     },
                 },
             },
+            allowed_strategies: {
+                type: 'array',
+                description: 'List of IdP strategies that will be shown to users during the Self-Service SSO flow.',
+                items: {
+                    type: 'string',
+                    enum: Object.values(auth0_1.Management.SelfServiceProfileAllowedStrategyEnum),
+                },
+            },
             branding: {
                 type: 'object',
                 properties: {

package/lib/tools/utils.d.ts

@@ -6,6 +6,8 @@ export declare function keywordStringReplace(input: string, mappings: KeywordMap
 export declare function keywordReplace(input: string | undefined, mappings: KeywordMappings): string;
 export declare function wrapArrayReplaceMarkersInQuotes(body: string, mappings: KeywordMappings): string;
 export declare function convertClientNameToId(name: string, clients: Asset[]): string;
+export declare function convertActionNameToId(name: string, actions: Asset[]): string;
+export declare function convertActionIdToName(id: string, actions: Asset[]): string;
 export declare function convertClientNamesToIds(names: string[], clients: Asset[]): string[];
 export declare function loadFileAndReplaceKeywords(file: string, { mappings, disableKeywordReplacement, }: {
     mappings: KeywordMappings;
@@ -44,3 +46,12 @@ export declare function maskSecretAtPath({ resourceTypeName, maskedKeyName, mask
     maskOnObj: object;
     keyJsonPath: string;
 }): any;
+/**
+ * Determines whether third-party clients should be excluded based on configuration.
+ * Checks the AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS config value and returns true if it's
+ * set to boolean true or string 'true'.
+ *
+ * @param configFn - The configuration function to retrieve the config value.
+ * @returns True if third-party clients should be excluded, false otherwise.
+ */
+export declare const shouldExcludeThirdPartyClients: (configFn: (key: string) => any) => boolean;

package/lib/tools/utils.js

@@ -36,12 +36,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isForbiddenFeatureError = exports.isDeprecatedError = exports.detectInsufficientScopeError = exports.stripObfuscatedFieldsFromPayload = exports.obfuscateSensitiveValues = exports.keywordReplaceStringRegExp = exports.keywordReplaceArrayRegExp = void 0;
+exports.shouldExcludeThirdPartyClients = exports.isForbiddenFeatureError = exports.isDeprecatedError = exports.detectInsufficientScopeError = exports.stripObfuscatedFieldsFromPayload = exports.obfuscateSensitiveValues = exports.keywordReplaceStringRegExp = exports.keywordReplaceArrayRegExp = void 0;
 exports.keywordArrayReplace = keywordArrayReplace;
 exports.keywordStringReplace = keywordStringReplace;
 exports.keywordReplace = keywordReplace;
 exports.wrapArrayReplaceMarkersInQuotes = wrapArrayReplaceMarkersInQuotes;
 exports.convertClientNameToId = convertClientNameToId;
+exports.convertActionNameToId = convertActionNameToId;
+exports.convertActionIdToName = convertActionIdToName;
 exports.convertClientNamesToIds = convertClientNamesToIds;
 exports.loadFileAndReplaceKeywords = loadFileAndReplaceKeywords;
 exports.flatten = flatten;
@@ -115,6 +117,14 @@ function convertClientNameToId(name, clients) {
     const found = clients.find((c) => c.name === name);
     return (found && found.client_id) || name;
 }
+function convertActionNameToId(name, actions) {
+    const found = actions.find((a) => a.name === name);
+    return (found && found.id) || name;
+}
+function convertActionIdToName(id, actions) {
+    const found = actions.find((a) => a.id === id);
+    return (found && found.name) || id;
+}
 function convertClientNamesToIds(names, clients) {
     const resolvedNames = names.map((name) => ({ name, resolved: false }));
     const result = clients.reduce((acc, client) => {
@@ -311,3 +321,16 @@ function maskSecretAtPath({ resourceTypeName, maskedKeyName, maskOnObj, keyJsonP
     }
     return maskOnObj;
 }
+/**
+ * Determines whether third-party clients should be excluded based on configuration.
+ * Checks the AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS config value and returns true if it's
+ * set to boolean true or string 'true'.
+ *
+ * @param configFn - The configuration function to retrieve the config value.
+ * @returns True if third-party clients should be excluded, false otherwise.
+ */
+const shouldExcludeThirdPartyClients = (configFn) => {
+    const value = configFn('AUTH0_EXCLUDE_THIRD_PARTY_CLIENTS');
+    return value === 'true' || value === true;
+};
+exports.shouldExcludeThirdPartyClients = shouldExcludeThirdPartyClients;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-deploy-cli",
-  "version": "8.26.0",
+  "version": "8.27.0",
   "description": "A command line tool for deploying updates to your Auth0 tenant",
   "main": "lib/index.js",
   "bin": {
@@ -33,7 +33,7 @@
   "homepage": "https://github.com/auth0/auth0-deploy-cli#readme",
   "dependencies": {
     "ajv": "^6.12.6",
-    "auth0": "^5.3.0",
+    "auth0": "^5.3.1",
     "dot-prop": "^5.3.0",
     "fs-extra": "^10.1.0",
     "js-yaml": "^4.1.1",
@@ -42,7 +42,7 @@
     "nconf": "^0.13.0",
     "promise-pool-executor": "^1.1.1",
     "sanitize-filename": "^1.6.3",
-    "undici": "^7.19.2",
+    "undici": "^7.21.0",
     "winston": "^3.19.0",
     "yargs": "^15.4.1"
   },
@@ -52,8 +52,8 @@
     "@types/mocha": "^10.0.10",
     "@types/nconf": "^0.10.7",
     "@eslint/js": "^9.39.2",
-    "@typescript-eslint/eslint-plugin": "^8.54.0",
-    "@typescript-eslint/parser": "^8.54.0",
+    "@typescript-eslint/eslint-plugin": "^8.55.0",
+    "@typescript-eslint/parser": "^8.55.0",
     "chai": "^4.5.0",
     "chai-as-promised": "^7.1.2",
     "eslint": "^9.39.2",