auth0-deploy-cli 8.29.3 → 8.30.0

package/.circleci/config.yml

@@ -48,42 +48,6 @@ jobs:
           paths: .
       - codecov/upload
 
-  deploy:
-    parameters:
-      v:
-        type: string
-        default: "lts"
-    docker:
-      - image: cimg/node:<< parameters.v >>
-    working_directory: ~/repo
-    steps:
-      - attach_workspace:
-          at: ~/repo
-      - run:
-          name: Authenticate with registry
-          command: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/repo/.npmrc
-      - run:
-          name: Publish package
-          command: npm publish
-
-  deploy_beta:
-    parameters:
-      v:
-        type: string
-        default: "lts"
-    docker:
-      - image: cimg/node:<< parameters.v >>
-    working_directory: ~/repo
-    steps:
-      - attach_workspace:
-          at: ~/repo
-      - run:
-          name: Authenticate with registry
-          command: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/repo/.npmrc
-      - run:
-          name: Publish beta package
-          command: npm publish --tag beta
-
   does_typescript_compile:
     docker:
       - image: cimg/node:22.12.0
@@ -128,48 +92,3 @@ workflows:
           name: Unit tests with Node current
           v: "22.12.0"
 
-  test_and_deploy:
-    jobs:
-      - unit_test:
-          name: Unit tests with Node LTS
-          v: "lts"
-          filters:
-            branches:
-              only: master
-            tags:
-              only: /^v.*/
-      - deploy:
-          name: Publish to NPM
-          v: "lts"
-          requires:
-            - Unit tests with Node LTS
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /^v[0-9]+\.[0-9]+\.[0-9]+$/
-          context:
-            - publish-npm
-
-  test_and_deploy_beta:
-    jobs:
-      - unit_test:
-          name: Unit tests with Node LTS (Beta)
-          v: "lts"
-          filters:
-            branches:
-              only: beta
-            tags:
-              only: /^v[0-9]+\.[0-9]+\.[0-9]+-beta\.[0-9]+$/
-      - deploy_beta:
-          name: Publish Beta to NPM
-          v: "lts"
-          requires:
-            - Unit tests with Node LTS (Beta)
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /^v[0-9]+\.[0-9]+\.[0-9]+-beta\.[0-9]+$/
-          context:
-            - publish-npm

package/.github/workflows/npm-publish.yml

@@ -0,0 +1,52 @@
+name: Publish package to npm
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22.14.0
+          registry-url: https://registry.npmjs.org
+          package-manager-cache: false
+
+      - name: Update npm for trusted publishing
+        run: npm install --global npm@11
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Build package
+        run: npm run build
+
+      - name: Determine npm dist-tag
+        id: npm_dist_tag
+        shell: bash
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+
+          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-beta\.[0-9]+)?$ ]]; then
+            echo "Unsupported release tag: ${GITHUB_REF_NAME}" >&2
+            exit 1
+          fi
+
+          if [[ "$VERSION" == *"-beta."* ]]; then
+            echo "value=beta" >> "$GITHUB_OUTPUT"
+          else
+            echo "value=latest" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Publish package
+        run: npm publish --tag "${{ steps.npm_dist_tag.outputs.value }}"

package/CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [8.30.0] - 2026-04-02
+
+### Added
+
+- Add support for passkey enrollment in `prompts` partials. [#1328]
+- Add support for `dpop_signing_alg` validation in OIDC and Okta `connections`. [#1343]
+
+### Fixed
+
+- Fix action module fetching logic to resolve correct module IDs. [#1340]
+- Fix `AUTH0_EXCLUDED_*` options not respected during export. [#1342]
+
 ## [8.29.3] - 2026-03-25
 
 ### Fixed
@@ -1692,9 +1704,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1320]: https://github.com/auth0/auth0-deploy-cli/issues/1320
 [#1321]: https://github.com/auth0/auth0-deploy-cli/issues/1321
 [#1322]: https://github.com/auth0/auth0-deploy-cli/issues/1322
+[#1328]: https://github.com/auth0/auth0-deploy-cli/issues/1328
 [#1333]: https://github.com/auth0/auth0-deploy-cli/issues/1333
 [#1334]: https://github.com/auth0/auth0-deploy-cli/issues/1334
-[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.3...HEAD
+[#1340]: https://github.com/auth0/auth0-deploy-cli/issues/1340
+[#1342]: https://github.com/auth0/auth0-deploy-cli/issues/1342
+[#1343]: https://github.com/auth0/auth0-deploy-cli/issues/1343
+[Unreleased]: https://github.com/auth0/auth0-deploy-cli/compare/v8.30.0...HEAD
+[8.30.0]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.3...v8.30.0
 [8.29.3]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.2...v8.29.3
 [8.29.2]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.1...v8.29.2
 [8.29.1]: https://github.com/auth0/auth0-deploy-cli/compare/v8.29.0...v8.29.1

package/lib/context/directory/handlers/clientGrants.js

@@ -25,13 +25,14 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { clientGrants } = context.assets;
+    let { clientGrants } = context.assets;
     if (!clientGrants)
         return; // Skip, nothing to dump
     const grantsFolder = path_1.default.join(context.filePath, tools_1.constants.CLIENTS_GRANTS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(grantsFolder);
     if (clientGrants.length === 0)
         return;
+    const excludedClientsByNames = (context.assets.exclude && context.assets.exclude.clients) || [];
     const allResourceServers = await (0, client_1.paginate)(context.mgmtClient.resourceServers.list, {
         paginate: true,
         include_totals: true,
@@ -40,6 +41,13 @@ async function dump(context) {
         paginate: true,
         include_totals: true,
     });
+    // Filter out grants for excluded clients
+    if (excludedClientsByNames.length) {
+        const excludedClientIds = new Set(allClients
+            .filter((c) => c.name !== undefined && excludedClientsByNames.includes(c.name))
+            .map((c) => c.client_id));
+        clientGrants = clientGrants.filter((grant) => !excludedClientIds.has(grant.client_id));
+    }
     // Convert client_id to the client name for readability
     clientGrants.forEach((grant) => {
         const dumpGrant = { ...grant };

package/lib/context/directory/handlers/clients.js

@@ -36,10 +36,15 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { clients } = context.assets;
+    let { clients } = context.assets;
     const { userAttributeProfiles, connectionProfiles } = context.assets;
     if (!clients)
         return; // Skip, nothing to dump
+    // Filter excluded clients
+    const excludedClients = (context.assets.exclude && context.assets.exclude.clients) || [];
+    if (excludedClients.length) {
+        clients = clients.filter((client) => !excludedClients.includes(client.name ?? ''));
+    }
     const clientsFolder = path_1.default.join(context.filePath, tools_1.constants.CLIENTS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(clientsFolder);
     clients.forEach((client) => {

package/lib/context/directory/handlers/connections.js

@@ -40,9 +40,15 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { connections, clientsOrig } = context.assets;
+    let { connections } = context.assets;
+    const { clientsOrig } = context.assets;
     if (!connections)
         return; // Skip, nothing to dump
+    // Filter excluded connections
+    const excludedConnections = (context.assets.exclude && context.assets.exclude.connections) || [];
+    if (excludedConnections.length) {
+        connections = connections.filter((connection) => !excludedConnections.includes(connection.name));
+    }
     const connectionsFolder = path_1.default.join(context.filePath, tools_1.constants.CONNECTIONS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(connectionsFolder);
     // Convert enabled_clients from id to name

package/lib/context/directory/handlers/databases.js

@@ -65,9 +65,14 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { databases } = context.assets;
+    let { databases } = context.assets;
     if (!databases)
         return; // Skip, nothing to dump
+    // Filter excluded databases
+    const excludedDatabases = (context.assets.exclude && context.assets.exclude.databases) || [];
+    if (excludedDatabases.length) {
+        databases = databases.filter((database) => !excludedDatabases.includes(database.name));
+    }
     const databasesFolder = path_1.default.join(context.filePath, tools_1.constants.DATABASE_CONNECTIONS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(databasesFolder);
     databases.forEach((database) => {

package/lib/context/directory/handlers/resourceServers.js

@@ -24,10 +24,15 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { resourceServers } = context.assets;
+    let { resourceServers } = context.assets;
     let { clients } = context.assets;
     if (!resourceServers)
         return; // Skip, nothing to dump
+    // Filter excluded resource servers
+    const excludedResourceServers = (context.assets.exclude && context.assets.exclude.resourceServers) || [];
+    if (excludedResourceServers.length) {
+        resourceServers = resourceServers.filter((resourceServer) => !excludedResourceServers.includes(resourceServer.name ?? ''));
+    }
     const resourceServersFolder = path_1.default.join(context.filePath, tools_1.constants.RESOURCE_SERVERS_DIRECTORY);
     fs_extra_1.default.ensureDirSync(resourceServersFolder);
     if (clients === undefined) {

package/lib/context/directory/handlers/rules.js

@@ -30,9 +30,14 @@ function parse(context) {
     };
 }
 async function dump(context) {
-    const { rules } = context.assets;
+    let { rules } = context.assets;
     if (!rules)
         return; // Skip, nothing to dump
+    // Filter excluded rules
+    const excludedRules = (context.assets.exclude && context.assets.exclude.rules) || [];
+    if (excludedRules.length) {
+        rules = rules.filter((rule) => !excludedRules.includes(rule.name));
+    }
     // Create Rules folder
     const rulesFolder = path_1.default.join(context.filePath, tools_1.constants.RULES_DIRECTORY);
     fs_extra_1.default.ensureDirSync(rulesFolder);

package/lib/context/yaml/handlers/clientGrants.js

@@ -12,7 +12,7 @@ async function parse(context) {
 }
 async function dump(context) {
     let { clients } = context.assets;
-    const { clientGrants } = context.assets;
+    let { clientGrants } = context.assets;
     if (!clientGrants)
         return { clientGrants: null };
     if (clients === undefined) {
@@ -21,6 +21,14 @@ async function dump(context) {
             include_totals: true,
         });
     }
+    // Filter out grants for excluded clients
+    const excludedClientsByNames = (context.assets.exclude && context.assets.exclude.clients) || [];
+    if (excludedClientsByNames.length) {
+        const excludedClientIds = new Set((clients || [])
+            .filter((c) => c.name !== undefined && excludedClientsByNames.includes(c.name))
+            .map((c) => c.client_id));
+        clientGrants = clientGrants.filter((grant) => !excludedClientIds.has(grant.client_id));
+    }
     // Convert client_id to the client name for readability
     return {
         clientGrants: clientGrants.map((grant) => {

package/lib/context/yaml/handlers/clients.js

@@ -36,6 +36,11 @@ async function dump(context) {
     const { userAttributeProfiles, connectionProfiles } = context.assets;
     if (!clients)
         return { clients: null };
+    // Filter excluded clients
+    const excludedClients = (context.assets.exclude && context.assets.exclude.clients) || [];
+    if (excludedClients.length) {
+        clients = clients.filter((client) => !excludedClients.includes(client.name ?? ''));
+    }
     // map ids to names for user attribute profiles and connection profiles
     clients = clients.map((client) => {
         const userAttributeProfileId = client?.express_configuration?.user_attribute_profile_id;

package/lib/context/yaml/handlers/connections.js

@@ -50,9 +50,15 @@ const getFormattedOptions = (connection, clients) => {
     }
 };
 async function dump(context) {
-    const { connections, clients } = context.assets;
+    let { connections } = context.assets;
+    const { clients } = context.assets;
     if (!connections)
         return { connections: null };
+    // Filter excluded connections
+    const excludedConnections = (context.assets.exclude && context.assets.exclude.connections) || [];
+    if (excludedConnections.length) {
+        connections = connections.filter((connection) => !excludedConnections.includes(connection.name));
+    }
     return {
         connections: connections.map((connection) => {
             let dumpedConnection = {

package/lib/context/yaml/handlers/databases.js

@@ -31,9 +31,15 @@ async function parse(context) {
     };
 }
 async function dump(context) {
-    const { databases, clients } = context.assets;
+    let { databases } = context.assets;
+    const { clients } = context.assets;
     if (!databases)
         return { databases: null };
+    // Filter excluded databases
+    const excludedDatabases = (context.assets.exclude && context.assets.exclude.databases) || [];
+    if (excludedDatabases.length) {
+        databases = databases.filter((database) => !excludedDatabases.includes(database.name));
+    }
     const sortCustomScripts = ([name1], [name2]) => {
         if (name1 === name2)
             return 0;

package/lib/context/yaml/handlers/resourceServers.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const client_1 = require("../../../tools/auth0/client");
 const utils_1 = require("../../../utils");
-async function dumpAndParse(context) {
+async function parse(context) {
     const { resourceServers } = context.assets;
     let { clients } = context.assets;
     if (!resourceServers) {
@@ -24,8 +24,35 @@ async function dumpAndParse(context) {
         }),
     };
 }
+async function dump(context) {
+    let { resourceServers } = context.assets;
+    let { clients } = context.assets;
+    if (!resourceServers) {
+        return { resourceServers: null };
+    }
+    // Filter excluded resource servers
+    const excludedResourceServers = (context.assets.exclude && context.assets.exclude.resourceServers) || [];
+    if (excludedResourceServers.length) {
+        resourceServers = resourceServers.filter((rs) => !excludedResourceServers.includes(rs.name ?? ''));
+    }
+    if (clients === undefined) {
+        clients = await (0, client_1.paginate)(context.mgmtClient.clients.list, {
+            paginate: true,
+            include_totals: true,
+        });
+    }
+    return {
+        resourceServers: resourceServers.map((rs) => {
+            const dumpResourceServer = { ...rs };
+            if (dumpResourceServer.client_id) {
+                dumpResourceServer.client_id = (0, utils_1.convertClientIdToName)(dumpResourceServer.client_id, clients || []);
+            }
+            return dumpResourceServer;
+        }),
+    };
+}
 const resourceServersHandler = {
-    parse: dumpAndParse,
-    dump: dumpAndParse,
+    parse,
+    dump,
 };
 exports.default = resourceServersHandler;

package/lib/context/yaml/handlers/rules.js

@@ -25,6 +25,11 @@ async function dump(context) {
     if (!rules) {
         return { rules: null };
     }
+    // Filter excluded rules
+    const excludedRules = (context.assets.exclude && context.assets.exclude.rules) || [];
+    if (excludedRules.length) {
+        rules = rules.filter((rule) => !excludedRules.includes(rule.name));
+    }
     // Create Rules folder
     const rulesFolder = path_1.default.join(context.basePath, 'rules');
     fs_extra_1.default.ensureDirSync(rulesFolder);

package/lib/tools/auth0/handlers/actions.js

@@ -249,7 +249,7 @@ class ActionHandler extends default_1.default {
         }
     }
     async calcChanges(assets) {
-        let { actions, actionModules } = assets;
+        let { actions } = assets;
         // Do nothing if not set
         if (!actions)
             return {
@@ -259,19 +259,14 @@ class ActionHandler extends default_1.default {
                 conflicts: [],
             };
         let modules = null;
-        if (actionModules && actionModules.length > 0) {
-            modules = actionModules;
+        try {
+            modules = await (0, client_1.paginate)(this.client.actions.modules.list, {
+                paginate: true,
+            });
         }
-        else {
-            try {
-                modules = await (0, client_1.paginate)(this.client.actions.modules.list, {
-                    paginate: true,
-                });
-            }
-            catch {
-                logger_1.default.debug('Skipping actions modules enrichment because action modules could not be retrieved.');
-                modules = null;
-            }
+        catch {
+            logger_1.default.debug('Skipping actions modules enrichment because action modules could not be retrieved.');
+            modules = null;
         }
         if (modules != null) {
             // Use task queue to process actions in parallel
@@ -305,12 +300,15 @@ class ActionHandler extends default_1.default {
                         moduleVersions = await moduleVersions.getNextPage();
                         allModuleVersions.push(...moduleVersions.data);
                     }
+                    const moduleVersionId = allModuleVersions?.find((v) => v.version_number === module.module_version_number)?.id;
+                    if (!moduleVersionId) {
+                        throw new Error(`Could not find action module version id for module '${module.module_name}' version '${module.module_version_number}'`);
+                    }
                     return {
                         module_name: module.module_name,
                         module_id: foundModule.id,
                         module_version_number: module.module_version_number,
-                        module_version_id: allModuleVersions?.find((v) => v.version_number === module.module_version_number)
-                            ?.id || '',
+                        module_version_id: moduleVersionId,
                     };
                 }
                 return module;

package/lib/tools/auth0/handlers/connections.d.ts

@@ -16,6 +16,12 @@ export declare const schema: {
             };
             options: {
                 type: string;
+                properties: {
+                    dpop_signing_alg: {
+                        type: string;
+                        enum: ("ES256" | "Ed25519")[];
+                    };
+                };
             };
             enabled_clients: {
                 type: string;

package/lib/tools/auth0/handlers/connections.js

@@ -51,6 +51,15 @@ const utils_1 = require("../../utils");
 const client_1 = require("../client");
 const scimHandler_1 = __importDefault(require("./scimHandler"));
 const logger_1 = __importDefault(require("../../../logger"));
+const connectionOptionsSchema = {
+    type: 'object',
+    properties: {
+        dpop_signing_alg: {
+            type: 'string',
+            enum: Object.values(auth0_1.Management.ConnectionDpopSigningAlgEnum),
+        },
+    },
+};
 exports.schema = {
     type: 'array',
     items: {
@@ -58,7 +67,7 @@ exports.schema = {
         properties: {
             name: { type: 'string' },
             strategy: { type: 'string' },
-            options: { type: 'object' },
+            options: connectionOptionsSchema,
             enabled_clients: { type: 'array', items: { type: 'string' } },
             realms: { type: 'array', items: { type: 'string' } },
             metadata: { type: 'object' },

package/lib/tools/auth0/handlers/prompts.js

@@ -161,7 +161,10 @@ const customPartialsPromptTypes = [
     'signup',
     'signup-id',
     'signup-password',
+    'passkeys',
 ];
+// Prompts that may not be available on all tenants (early access features)
+const optionalPartialsPromptTypes = ['passkeys'];
 const customPartialsScreenTypes = [
     'login',
     'login-id',
@@ -171,6 +174,8 @@ const customPartialsScreenTypes = [
     'signup-password',
     'login-passwordless-sms-otp',
     'login-passwordless-email-code',
+    'passkeys-enrollment',
+    'passkeys-enrollment-local',
 ];
 const customPartialsInsertionPoints = [
     'form-content-start',
@@ -358,6 +363,19 @@ class PromptsHandler extends default_1.default {
                 this.IsFeatureSupported = false;
                 return null;
             }
+            // Handle 400 errors for prompt types not available on all tenants (early access features)
+            // Error format: "Path validation error: 'Invalid value \"passkeys\"' on property prompt (Name of the prompt)."
+            if (error &&
+                error?.statusCode === 400 &&
+                error.message?.includes('Path validation error') &&
+                error.message?.includes('on property prompt')) {
+                // Check if the error message contains any of the optional prompt types
+                const unavailablePrompt = optionalPartialsPromptTypes.find((promptType) => error.message?.includes(promptType));
+                if (unavailablePrompt) {
+                    logger_1.default.warn(`Skipping partials for prompt type '${unavailablePrompt}' because it is not available on this tenant.`);
+                    return null;
+                }
+            }
             if (error && error.statusCode === 429) {
                 logger_1.default.error(`The global rate limit has been exceeded, resulting in a ${error.statusCode} error. ${error.message}. Although this is an error, it is not blocking the pipeline.`);
                 return null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-deploy-cli",
-  "version": "8.29.3",
+  "version": "8.30.0",
   "description": "A command line tool for deploying updates to your Auth0 tenant",
   "main": "lib/index.js",
   "bin": {
@@ -11,7 +11,7 @@
     "lint": "eslint . && kacl lint",
     "format": "npx prettier --write .",
     "test": "ts-mocha -p tsconfig.json --recursive 'test/**/*.test*' --exclude 'test/e2e/*' --timeout 20000",
-    "test:e2e:node-module": "ts-mocha -p tsconfig.json --recursive 'test/e2e/*.test*' --timeout 120000",
+    "test:e2e:node-module": "ts-mocha -p tsconfig.json --recursive 'test/e2e/*.test*' --timeout 150000",
     "test:e2e:cli": "sh ./test/e2e/e2e-cli.sh",
     "test:coverage": "nyc npm run test && nyc report --reporter=lcov",
     "build": "rimraf ./lib && npx tsc",
@@ -33,7 +33,7 @@
   "homepage": "https://github.com/auth0/auth0-deploy-cli#readme",
   "dependencies": {
     "ajv": "^6.12.6",
-    "auth0": "^5.4.0",
+    "auth0": "^5.5.0",
     "dot-prop": "^5.3.0",
     "fs-extra": "^10.1.0",
     "js-yaml": "^4.1.1",