auth0-lock 14.0.0 → 14.2.0

package/.github/workflows/claude-code-review.yml

@@ -0,0 +1,18 @@
+name: Claude Code PR Review
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude-review:
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      id-token: write
+    uses: auth0/auth0-ai-pr-analyzer-gh-action/.github/workflows/claude-code-review.yml@main

package/.github/workflows/codeql.yml

@@ -40,15 +40,15 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: '/language:${{ matrix.language }}'

package/.github/workflows/test.yml

@@ -56,4 +56,4 @@ jobs:
         run: npm run test:e2e
 
       - name: Upload coverage
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # pin@5.4.3
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # pin@5.5.1

package/.version

@@ -1 +1 @@
-v14.0.0
+v14.2.0

package/CHANGELOG.md

@@ -1,5 +1,47 @@
 # Change Log
 
+## [v14.2.0](https://github.com/auth0/lock/tree/v14.2.0) (2025-10-21)
+[Full Changelog](https://github.com/auth0/lock/compare/v14.1.0...v14.2.0)
+
+**Added**
+- feat: add Claude Code PR Review workflow [\#2679](https://github.com/auth0/lock/pull/2679) ([ankita10119](https://github.com/ankita10119))
+
+**Fixed**
+- fix: captcha not rendering for initial signup screen in classic login  [\#2677](https://github.com/auth0/lock/pull/2677) ([paebanks](https://github.com/paebanks))
+
+## [v14.1.0](https://github.com/auth0/lock/tree/v14.1.0) (2025-09-12)
+[Full Changelog](https://github.com/auth0/lock/compare/v14.0.0...v14.1.0)
+
+**Changed**
+- chore(deps-dev): Bump karma from 6.4.3 to 6.4.4 [\#2668](https://github.com/auth0/lock/pull/2668) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): Bump pbkdf2 from 3.1.2 to 3.1.3 [\#2633](https://github.com/auth0/lock/pull/2633) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): Bump validator from 13.15.0 to 13.15.15 [\#2620](https://github.com/auth0/lock/pull/2620) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): Bump sha.js from 2.4.11 to 2.4.12 [\#2661](https://github.com/auth0/lock/pull/2661) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): Bump cipher-base from 1.0.4 to 1.0.6 [\#2662](https://github.com/auth0/lock/pull/2662) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): Bump codecov/codecov-action from 5.4.3 to 5.5.1 [\#2666](https://github.com/auth0/lock/pull/2666) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps-dev): Bump puppeteer from 24.9.0 to 24.19.0 [\#2667](https://github.com/auth0/lock/pull/2667) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps-dev): Bump tmp from 0.2.3 to 0.2.5 [\#2656](https://github.com/auth0/lock/pull/2656) ([dependabot[bot]](https://github.com/apps/dependabot))
+- security: bump fsevents to latest(SEC- 2161) [\#2643](https://github.com/auth0/lock/pull/2643) ([katesaikishore](https://github.com/katesaikishore))
+- chore(deps-dev): Bump eslint-plugin-react from 7.34.1 to 7.37.5 [\#2617](https://github.com/auth0/lock/pull/2617) ([dependabot[bot]](https://github.com/apps/dependabot))
+- chore(deps): Bump @grpc/grpc-js and @google-cloud/translate [\#2565](https://github.com/auth0/lock/pull/2565) ([dependabot[bot]](https://github.com/apps/dependabot))
+
+**Fixed**
+- Fix: social connection names not showing displayName correctly [\#2651](https://github.com/auth0/lock/pull/2651) ([omarquazi-okta](https://github.com/omarquazi-okta))
+- Update old Twitter icon and name to "X" [\#2649](https://github.com/auth0/lock/pull/2649) ([omarquazi-okta](https://github.com/omarquazi-okta))
+- Fix issue 2546 - TypeError: Super expression must either be null or a function [\#2578](https://github.com/auth0/lock/pull/2578) ([Hworden](https://github.com/Hworden))
+- Fix: Accessibility Issues #2624 [\#2642](https://github.com/auth0/lock/pull/2642) ([ankita10119](https://github.com/ankita10119))
+- fix: Rename shop strategy [\#2641](https://github.com/auth0/lock/pull/2641) ([omarquazi-okta](https://github.com/omarquazi-okta))
+- Fix release pipeline cdn [\#2628](https://github.com/auth0/lock/pull/2628) ([developerkunal](https://github.com/developerkunal))
+- Fix Release PIPELINE [\#2627](https://github.com/auth0/lock/pull/2627) ([developerkunal](https://github.com/developerkunal))
+- chore: update .gitignore and Makefile for Puppeteer cache and config directories [\#2626](https://github.com/auth0/lock/pull/2626) ([developerkunal](https://github.com/developerkunal))
+- Fix Makefile for Puppeteer cache support [\#2625](https://github.com/auth0/lock/pull/2625) ([developerkunal](https://github.com/developerkunal))
+
+**Removed**
+- chore(ci): Remove Semgrep GHA Workflow [\#2650](https://github.com/auth0/lock/pull/2650) ([eduardoboronat-okta](https://github.com/eduardoboronat-okta))
+
+**Security**
+- security: Remove vulnerable node-es-module-loader dependency (SEC-2160) [\#2629](https://github.com/auth0/lock/pull/2629) ([harekrishnarai](https://github.com/harekrishnarai))
+
 ## [v14.0.0](https://github.com/auth0/lock/tree/v14.0.0) (2025-06-02)
 [Full Changelog](https://github.com/auth0/lock/compare/v13.0.0...v14.0.0)
 

package/Makefile

@@ -1,12 +1,24 @@
 #!/usr/bin/env make
 
-#SHELL := /bin/bash
-#.SHELLFLAGS = -ec
+# SHELL := /bin/bash
+# .SHELLFLAGS = -ec
 
-.PHONY: install lint test build cdn-publish
+.PHONY: install lint test build publish
+
+# Puppeteer and config/cache directories
+PUPPETEER_CACHE_DIR := $(CURDIR)/.puppeteer-cache
+XDG_CONFIG_HOME := $(WORKSPACE)@tmp/.chromium
+XDG_CACHE_HOME := $(WORKSPACE)@tmp/.chromium
 
 install:
 	@echo "Running install..."
+	mkdir -p $(PUPPETEER_CACHE_DIR)
+	mkdir -p $(XDG_CONFIG_HOME)
+	mkdir -p $(XDG_CACHE_HOME)
+	XDG_CONFIG_HOME=$(XDG_CONFIG_HOME) \
+	XDG_CACHE_HOME=$(XDG_CACHE_HOME) \
+	PUPPETEER_CACHE_DIR=$(PUPPETEER_CACHE_DIR) \
+	PUPPETEER_SKIP_DOWNLOAD=true \
 	npm install
 
 test:
@@ -19,4 +31,4 @@ build:
 
 publish:
 	@echo "Running cdn-publish..."
-	npm run publish:cdn
+	npm run publish:cdn

package/README.md

@@ -3,6 +3,7 @@
 ![Downloads](https://img.shields.io/npm/dw/auth0-lock)
 [![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
 [![Build Status](https://github.com/auth0/lock/actions/workflows/test.yml/badge.svg)](https://github.com/auth0/lock/actions/workflows/test.yml)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/auth0/lock)
 
 > :warning: Lock is built using React 18 from v12 onwards. Getting issues? Please [submit a bug report](https://github.com/auth0/lock/issues/new?assignees=&labels=bug+report,v12&template=report_a_bug.md&title=).
 
@@ -30,7 +31,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/14.0.0/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/14.2.0/lock.min.js"></script>
 ```
 
 ### Configure Auth0
@@ -137,4 +138,4 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
 </p>
 <p align="center">
   This project is licensed under the MIT license. See the <a href="https://github.com/auth0/lock/blob/master/LICENSE"> LICENSE</a> file for more info.
-</p>
+</p>

package/lib/__tests__/core/remote_data.js

@@ -13,7 +13,9 @@ var getSyncRemoteData = function getSyncRemoteData() {
   return require('core/remote_data').syncRemoteData;
 };
 jest.mock('sync', function () {
-  return jest.fn();
+  return jest.fn(function (model, key, options) {
+    return model;
+  });
 });
 jest.mock('connection/enterprise', function () {
   return {
@@ -30,7 +32,11 @@ jest.mock('core/index', function () {
     id: function id() {
       return 'id';
     },
-    emitEvent: jest.fn()
+    emitEvent: jest.fn(),
+    setCaptcha: jest.fn(),
+    setPasswordlessCaptcha: jest.fn(),
+    setPasswordResetCaptcha: jest.fn(),
+    setSignupChallenge: jest.fn()
   };
 });
 jest.mock('core/sso/data', function () {
@@ -40,6 +46,12 @@ jest.mock('core/sso/data', function () {
     })
   };
 });
+jest.mock('core/web_api', function () {
+  return {
+    getChallenge: jest.fn(),
+    getSignupChallenge: jest.fn()
+  };
+});
 describe('remote_data.syncRemoteData()', function () {
   beforeEach(function () {
     jest.clearAllMocks();
@@ -63,4 +75,123 @@ describe('remote_data.syncRemoteData()', function () {
       });
     });
   });
+  describe('captcha syncing', function () {
+    it('should sync login captcha when initialScreen is login', function () {
+      var syncRemoteData = getSyncRemoteData();
+      syncRemoteData('mockModel', 'login');
+      var syncCalls = require('sync').mock.calls;
+      var captchaCall = syncCalls.find(function (c) {
+        return c[1] === 'captcha';
+      });
+      var signupCaptchaCall = syncCalls.find(function (c) {
+        return c[1] === 'signupCaptcha';
+      });
+      expect(captchaCall).toBeDefined();
+      expect(signupCaptchaCall).toBeUndefined();
+    });
+    it('should sync signup captcha when initialScreen is signUp', function () {
+      var syncRemoteData = getSyncRemoteData();
+      syncRemoteData('mockModel', 'signUp');
+      var syncCalls = require('sync').mock.calls;
+      var captchaCall = syncCalls.find(function (c) {
+        return c[1] === 'captcha';
+      });
+      var signupCaptchaCall = syncCalls.find(function (c) {
+        return c[1] === 'signupCaptcha';
+      });
+      expect(captchaCall).toBeUndefined();
+      expect(signupCaptchaCall).toBeDefined();
+    });
+    it('should call webApi.getChallenge when login captcha syncFn is executed', function () {
+      var mockModel = {
+        get: jest.fn().mockReturnValue('test-id')
+      };
+      var syncRemoteData = getSyncRemoteData();
+      require('core/web_api').getChallenge.mockClear();
+      syncRemoteData(mockModel, 'login');
+      var syncCalls = require('sync').mock.calls;
+      var captchaCall = syncCalls.find(function (c) {
+        return c[1] === 'captcha';
+      });
+      var mockCallback = jest.fn();
+      captchaCall[2].syncFn(mockModel, mockCallback);
+      expect(require('core/web_api').getChallenge).toHaveBeenCalledWith('test-id', expect.any(Function));
+    });
+    it('should call webApi.getSignupChallenge when signup captcha syncFn is executed', function () {
+      var mockModel = {
+        get: jest.fn().mockReturnValue('test-id')
+      };
+      var syncRemoteData = getSyncRemoteData();
+      require('core/web_api').getSignupChallenge.mockClear();
+      syncRemoteData(mockModel, 'signUp');
+      var syncCalls = require('sync').mock.calls;
+      var signupCaptchaCall = syncCalls.find(function (c) {
+        return c[1] === 'signupCaptcha';
+      });
+      var mockCallback = jest.fn();
+      signupCaptchaCall[2].syncFn(mockModel, mockCallback);
+      expect(require('core/web_api').getSignupChallenge).toHaveBeenCalledWith('test-id', expect.any(Function));
+    });
+    it('should default to login captcha when no initialScreen is provided', function () {
+      var syncRemoteData = getSyncRemoteData();
+      syncRemoteData('mockModel'); // No second parameter
+
+      var syncCalls = require('sync').mock.calls;
+      var captchaCall = syncCalls.find(function (c) {
+        return c[1] === 'captcha';
+      });
+      var signupCaptchaCall = syncCalls.find(function (c) {
+        return c[1] === 'signupCaptcha';
+      });
+      expect(captchaCall).toBeDefined();
+      expect(signupCaptchaCall).toBeUndefined();
+    });
+    it('should not sync any captcha for other initialScreen values', function () {
+      var syncRemoteData = getSyncRemoteData();
+      syncRemoteData('mockModel', 'forgotPassword');
+      var syncCalls = require('sync').mock.calls;
+      var captchaCall = syncCalls.find(function (c) {
+        return c[1] === 'captcha';
+      });
+      var signupCaptchaCall = syncCalls.find(function (c) {
+        return c[1] === 'signupCaptcha';
+      });
+      expect(captchaCall).toBeUndefined();
+      expect(signupCaptchaCall).toBeUndefined();
+    });
+    it('should handle webApi.getSignupChallenge errors gracefully', function () {
+      var mockModel = {
+        get: jest.fn().mockReturnValue('test-id')
+      };
+      var syncRemoteData = getSyncRemoteData();
+      syncRemoteData(mockModel, 'signUp');
+      var syncCalls = require('sync').mock.calls;
+      var signupCaptchaCall = syncCalls.find(function (c) {
+        return c[1] === 'signupCaptcha';
+      });
+      require('core/web_api').getSignupChallenge.mockImplementation(function (id, cb) {
+        cb(new Error('404 Not Found'), null);
+      });
+      var mockCallback = jest.fn();
+      signupCaptchaCall[2].syncFn(mockModel, mockCallback);
+      expect(mockCallback).toHaveBeenCalledWith(null, null);
+    });
+    it('should handle webApi.getChallenge errors gracefully', function () {
+      var mockModel = {
+        get: jest.fn().mockReturnValue('test-id')
+      };
+      var syncRemoteData = getSyncRemoteData();
+      syncRemoteData(mockModel, 'login');
+      var syncCalls = require('sync').mock.calls;
+      var captchaCall = syncCalls.find(function (c) {
+        return c[1] === 'captcha';
+      });
+      require('core/web_api').getChallenge.mockImplementation(function (id, cb) {
+        cb(new Error('Network error'), null);
+      });
+      var mockCallback = jest.fn();
+      captchaCall[2].syncFn(mockModel, mockCallback);
+      expect(mockCallback).toHaveBeenCalledWith(null, null);
+    });
+  });
 });

package/lib/connection/social/index.js

@@ -43,12 +43,12 @@ var STRATEGIES = exports.STRATEGIES = {
   evernote: 'Evernote',
   'evernote-sandbox': 'Evernote (sandbox)',
   shopify: 'Shopify',
-  'sign-in-with-shop': 'Shop',
+  shop: 'Shop',
   soundcloud: 'Soundcloud',
   thecity: 'The City',
   'thecity-sandbox': 'The City (sandbox)',
   thirtysevensignals: 'Basecamp',
-  twitter: 'Twitter',
+  twitter: 'X',
   vkontakte: 'vKontakte',
   windowslive: 'Microsoft',
   wordpress: 'Wordpress',
@@ -60,7 +60,7 @@ var STRATEGIES = exports.STRATEGIES = {
 };
 function displayName(connection) {
   if (['oauth1', 'oauth2'].indexOf(connection.get('strategy')) !== -1) {
-    return connection.get('name');
+    return connection.get('displayName') || connection.get('name');
   }
   return STRATEGIES[connection.get('strategy')];
 }

package/lib/core/actions.js

@@ -34,7 +34,7 @@ function _toPropertyKey(t) { var i = _toPrimitive(t, "string"); return "symbol"
 function _toPrimitive(t, r) { if ("object" != _typeof(t) || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != _typeof(i)) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
 function setupLock(id, clientID, domain, options, hookRunner, emitEventFn, handleEventFn) {
   var m = l.setup(id, clientID, domain, options, hookRunner, emitEventFn, handleEventFn);
-  m = (0, _remote_data.syncRemoteData)(m);
+  m = (0, _remote_data.syncRemoteData)(m, options === null || options === void 0 ? void 0 : options.initialScreen);
   (0, _preload_utils.img)(l.ui.logo(m) || _container.defaultProps.logo);
   _web_api.default.setupClient(id, clientID, domain, l.withAuthOptions(m, _objectSpread(_objectSpread({}, options), {}, {
     popupOptions: l.ui.popupOptions(m)

package/lib/core/remote_data.js

@@ -19,6 +19,7 @@ function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e
 // shouldn't depend on this
 
 function syncRemoteData(m) {
+  var initialScreen = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : 'login';
   if (l.useTenantInfo(m)) {
     m = (0, _sync.default)(m, 'client', {
       syncFn: function syncFn(m, cb) {
@@ -69,13 +70,24 @@ function syncRemoteData(m) {
       }
     }
   });
-  m = (0, _sync.default)(m, 'captcha', {
-    syncFn: function syncFn(m, cb) {
-      _web_api.default.getChallenge(m.get('id'), function (err, r) {
-        cb(null, r);
-      });
-    },
-    successFn: _index2.setCaptcha
-  });
+  if (initialScreen === 'login') {
+    m = (0, _sync.default)(m, 'captcha', {
+      syncFn: function syncFn(m, cb) {
+        _web_api.default.getChallenge(m.get('id'), function (err, r) {
+          cb(null, r);
+        });
+      },
+      successFn: _index2.setCaptcha
+    });
+  } else if (initialScreen === 'signUp') {
+    m = (0, _sync.default)(m, 'signupCaptcha', {
+      syncFn: function syncFn(m, cb) {
+        _web_api.default.getSignupChallenge(m.get('id'), function (err, r) {
+          cb(null, r);
+        });
+      },
+      successFn: _index2.setSignupChallenge
+    });
+  }
   return m;
 }

package/lib/core/web_api/helper.js

@@ -169,5 +169,5 @@ function trimAuthParams() {
   return p;
 }
 function getVersion() {
-  return "14.0.0";
+  return "14.2.0";
 }