auth0-lock 14.2.5 → 15.0.0

package/.github/workflows/release.yml

@@ -18,7 +18,10 @@ jobs:
   release:
     uses: ./.github/workflows/npm-release.yml
     with:
-      node-version: 22
+      # Pinned to 22.22.1 — 22.22.2 has a regression (nodejs/node#62425) where
+      # the bundled npm is missing promise-retry, breaking npm install -g npm@11.
+      # Revert to node-version: 22 once the upstream fix is released.
+      node-version: 22.22.1
       require-build: true
     secrets:
       github-token: ${{ secrets.GITHUB_TOKEN }}

package/.github/workflows/test.yml

@@ -56,4 +56,4 @@ jobs:
         run: npm run test:e2e
 
       - name: Upload coverage
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # pin@5.5.2
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # pin@6.0.1

package/.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+./node_modules/.bin/lint-staged

package/.version

@@ -1 +1 @@
-v14.2.5
+v15.0.0

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Change Log
 
+## [v15.0.0](https://github.com/auth0/lock/tree/v15.0.0) (2026-06-05)
+[Full Changelog](https://github.com/auth0/lock/compare/v14.3.0...v15.0.0)
+
+### Highlights
+
+This release upgrades `auth0-js` to [v10.0.0](https://github.com/auth0/auth0.js/releases/tag/v10.0.0), which resolves [CVE-2026-42280](https://www.cve.org/CVERecord?id=CVE-2026-42280) — a security vulnerability in token validation for browser-based applications.
+
+**⚠️ Breaking Changes**
+
+- feat!: upgrade auth0-js from v9 to v10 [\#2810](https://github.com/auth0/lock/pull/2810) ([cschetan77](https://github.com/cschetan77))
+
+  **HS256 is no longer supported.** Applications configured with HS256 as the JWT Signature Algorithm will see `parseHash()` return an `invalid_token` error. HS256 requires the client secret to be present in the browser to verify tokens, which is a security vulnerability. Applications using RS256 are not affected.
+
+  **Migration:** Switch to RS256 before upgrading:
+  > Auth0 Dashboard → Applications → [Your App] → Settings → Advanced Settings → OAuth → JsonWebToken Signature Algorithm → **RS256**
+
+**Changed**
+
+- fix(deps): remove `trim` dependency [\#2783](https://github.com/auth0/lock/pull/2783) ([gameroman](https://github.com/gameroman))
+
+  The third-party `trim` package has been removed. All string trimming now uses the native `String.prototype.trim()` method, which has been available in all supported browsers and Node.js versions for many years. This removes one dependency from the shipped package with no change in behaviour.
+
+## [v14.3.0](https://github.com/auth0/lock/tree/v14.3.0) (2026-04-06)
+[Full Changelog](https://github.com/auth0/lock/compare/v14.2.5...v14.3.0)
+
+**Added**
+- feat(types): ship TypeScript definitions directly from the lock repo, supersedes `@types/auth0-lock` [\#2763](https://github.com/auth0/lock/pull/2763) ([ankita10119](https://github.com/ankita10119))
+
+**Changed**
+- chore(deps): upgrade webpack-dev-server to v5, auth0-password-policies to 3.1.0, and fix dev setup  [\#2771](https://github.com/auth0/lock/pull/2771) ([ankita10119](https://github.com/ankita10119))
+
+**Deprecated**
+- chore: remove deprecated yammer, renren, miicard strategies [\#2747](https://github.com/auth0/lock/pull/2747) ([omarquazi-okta](https://github.com/omarquazi-okta))
+
+**Fixed**
+- Fix: TypeError in matchConnection and findADConnectionWithoutDomain for enterprise connections with null/undefined domains (#2749)  [\#2758](https://github.com/auth0/lock/pull/2758) ([ankita10119](https://github.com/ankita10119))
+
 ## [v14.2.5](https://github.com/auth0/lock/tree/v14.2.5) (2026-03-19)
 [Full Changelog](https://github.com/auth0/lock/compare/v14.2.4...v14.2.5)
 

package/README.md

@@ -31,7 +31,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/14.2.5/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/15.0.0/lock.min.js"></script>
 ```
 
 ### Configure Auth0

package/babel.config.js

@@ -0,0 +1,15 @@
+const pkg = require('./package.json');
+const coreJsVersion = pkg.devDependencies['core-js'].replace(/^\^/, '');
+
+module.exports = {
+  plugins: [
+    'version-inline',
+    'transform-css-import-to-string',
+    'babel-plugin-stylus-compiler',
+    '@babel/plugin-proposal-function-bind'
+  ],
+  presets: [
+    ['@babel/preset-env', { useBuiltIns: 'entry', corejs: coreJsVersion }],
+    '@babel/preset-react'
+  ]
+};

package/lib/__tests__/connection/enterprise/matchConnection.js

@@ -12,11 +12,11 @@ describe('matchConnection', function () {
   afterEach(function () {
     return jest.resetAllMocks();
   });
-  it('does not throw when enterprise connection has no domains configured', function () {
+  it('does not throw when enterprise connection has no domains field (key absent)', function () {
     var _require = require('core/index'),
       connections = _require.connections;
 
-    // Simulate tenant endpoint returning a connection with no domains field
+    // Tenant omits the domains field entirely
     connections.mockReturnValue(_immutable.default.fromJS([{
       name: 'samlp-connection',
       strategy: 'samlp',
@@ -25,10 +25,42 @@ describe('matchConnection', function () {
     var m = _immutable.default.fromJS({
       id: '__lock__'
     });
-    var result;
     expect(function () {
-      result = (0, _enterprise.matchConnection)(m, 'test@example.com');
+      return (0, _enterprise.matchConnection)(m, 'test@example.com');
     }).not.toThrow();
-    expect(result).toBeFalsy();
+    expect((0, _enterprise.matchConnection)(m, 'test@example.com')).toBeFalsy();
+  });
+  it('does not throw when enterprise connection has domains explicitly set to null', function () {
+    var _require2 = require('core/index'),
+      connections = _require2.connections;
+
+    // Tenant returns domains: null
+    connections.mockReturnValue(_immutable.default.fromJS([{
+      name: 'samlp-connection',
+      strategy: 'samlp',
+      type: 'enterprise',
+      domains: null
+    }]));
+    var m = _immutable.default.fromJS({
+      id: '__lock__'
+    });
+    expect(function () {
+      return (0, _enterprise.matchConnection)(m, 'test@example.com');
+    }).not.toThrow();
+    expect((0, _enterprise.matchConnection)(m, 'test@example.com')).toBeFalsy();
+  });
+  it('matches a connection when the email domain is in the domains list', function () {
+    var _require3 = require('core/index'),
+      connections = _require3.connections;
+    connections.mockReturnValue(_immutable.default.fromJS([{
+      name: 'samlp-connection',
+      strategy: 'samlp',
+      type: 'enterprise',
+      domains: ['example.com']
+    }]));
+    var m = _immutable.default.fromJS({
+      id: '__lock__'
+    });
+    expect((0, _enterprise.matchConnection)(m, 'user@example.com')).toBeTruthy();
   });
 });

package/lib/avatar/gravatar_provider.js

@@ -6,13 +6,12 @@ Object.defineProperty(exports, "__esModule", {
 exports.displayName = displayName;
 exports.url = url;
 var _blueimpMd = _interopRequireDefault(require("blueimp-md5"));
-var _trim = _interopRequireDefault(require("trim"));
 var _jsonp_utils = _interopRequireDefault(require("../utils/jsonp_utils"));
 var _email = require("../field/email");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 var md5 = _blueimpMd.default.md5 || _blueimpMd.default;
 function normalize(str) {
-  return typeof str === 'string' ? (0, _trim.default)(str.toLowerCase()) : '';
+  return typeof str === 'string' ? str.toLowerCase().trim() : '';
 }
 function displayName(email, cb) {
   email = normalize(email);

package/lib/connection/database/index.js

@@ -38,7 +38,6 @@ var l = _interopRequireWildcard(require("../../core/index"));
 var _index2 = require("../../field/index");
 var _data_utils = require("../../utils/data_utils");
 var _sync = _interopRequireDefault(require("../../sync"));
-var _trim = _interopRequireDefault(require("trim"));
 var _tenant = require("../../core/tenant");
 var _enterprise = require("../../connection/enterprise");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
@@ -66,7 +65,7 @@ function assertMaybeEnum(opts, name, a) {
   return valid;
 }
 function assertMaybeString(opts, name) {
-  var valid = opts[name] === undefined || typeof opts[name] === 'string' && (0, _trim.default)(opts[name]).length > 0;
+  var valid = opts[name] === undefined || typeof opts[name] === 'string' && opts[name].trim().length > 0;
   if (!valid) l.warn(opts, "The `".concat(name, "` option will be ignored, because it is not a non-empty string."));
   return valid;
 }

package/lib/connection/enterprise.js

@@ -105,7 +105,7 @@ function matchConnection(m, email) {
   var target = (0, _email.emailDomain)(email);
   if (!target) return false;
   return l.connections.apply(l, [m, 'enterprise'].concat(_toConsumableArray(strategies))).find(function (x) {
-    return x.get('domains', (0, _immutable.List)()).contains(target);
+    return (x.get('domains') || (0, _immutable.List)()).contains(target);
   });
 }
 function isEnterpriseDomain(m, email) {
@@ -128,7 +128,7 @@ function isADEnabled(m) {
 function findADConnectionWithoutDomain(m) {
   var name = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : undefined;
   return l.connections(m, 'enterprise', 'ad', 'auth0-adldap').find(function (x) {
-    return x.get('domains').isEmpty() && (!name || x.get('name') === name);
+    return (x.get('domains') || (0, _immutable.List)()).isEmpty() && (!name || x.get('name') === name);
   });
 }
 function findActiveFlowConnection(m) {

package/lib/connection/social/index.js

@@ -32,11 +32,9 @@ var STRATEGIES = exports.STRATEGIES = {
   'google-oauth2': 'Google',
   instagram: 'Instagram',
   linkedin: 'LinkedIn',
-  miicard: 'miiCard',
   paypal: 'PayPal',
   'paypal-sandbox': 'PayPal Sandbox',
   planningcenter: 'Planning Center',
-  renren: '人人',
   salesforce: 'Salesforce',
   'salesforce-community': 'Salesforce Community',
   'salesforce-sandbox': 'Salesforce (sandbox)',
@@ -53,7 +51,6 @@ var STRATEGIES = exports.STRATEGIES = {
   windowslive: 'Microsoft',
   wordpress: 'Wordpress',
   yahoo: 'Yahoo!',
-  yammer: 'Yammer',
   yandex: 'Yandex',
   weibo: '新浪微博',
   line: 'Line'

package/lib/core/index.js

@@ -81,7 +81,6 @@ var _media_utils = require("../utils/media_utils");
 var _string_utils = require("../utils/string_utils");
 var _url_utils = require("../utils/url_utils");
 var i18n = _interopRequireWildcard(require("../i18n"));
-var _trim = _interopRequireDefault(require("trim"));
 var gp = _interopRequireWildcard(require("../avatar/gravatar_provider"));
 var _data_utils = require("../utils/data_utils");
 var _index = require("./client/index");
@@ -243,7 +242,7 @@ function extractUIOptions(id, options) {
     closable: closable,
     hideMainScreenTitle: !!hideMainScreenTitle,
     labeledSubmitButton: undefined === labeledSubmitButton ? true : !!labeledSubmitButton,
-    language: undefined === options.language ? 'en' : (0, _trim.default)(options.language || '').toLowerCase(),
+    language: undefined === options.language ? 'en' : (options.language || '').trim().toLowerCase(),
     dict: _typeof(options.languageDictionary) === 'object' ? options.languageDictionary : {},
     disableWarnings: options.disableWarnings === undefined ? false : !!options.disableWarnings,
     mobile: undefined === options.mobile ? false : !!options.mobile,

package/lib/core/web_api/helper.js

@@ -169,5 +169,5 @@ function trimAuthParams() {
   return p;
 }
 function getVersion() {
-  return "14.2.5";
+  return "15.0.0";
 }

package/lib/core/web_api/p2_api.js

@@ -6,7 +6,6 @@ Object.defineProperty(exports, "__esModule", {
 exports.default = void 0;
 var _auth0Js = _interopRequireDefault(require("auth0-js"));
 var _qs = _interopRequireDefault(require("qs"));
-var _cordovaAuth0PluginMin = _interopRequireDefault(require("auth0-js/dist/cordova-auth0-plugin.min.js"));
 var _helper = require("./helper");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (o) { return typeof o; } : function (o) { return o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype ? "symbol" : typeof o; }, _typeof(o); }
@@ -18,6 +17,10 @@ function _defineProperties(e, r) { for (var t = 0; t < r.length; t++) { var o =
 function _createClass(e, r, t) { return r && _defineProperties(e.prototype, r), t && _defineProperties(e, t), Object.defineProperty(e, "prototype", { writable: !1 }), e; }
 function _toPropertyKey(t) { var i = _toPrimitive(t, "string"); return "symbol" == _typeof(i) ? i : i + ""; }
 function _toPrimitive(t, r) { if ("object" != _typeof(t) || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != _typeof(i)) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
+// require() used intentionally: cordova-auth0-plugin.min.js is a UMD bundle;
+// webpack 5 cannot statically resolve a default export from module.exports,
+// so import-default syntax would emit a warning.
+var CordovaAuth0Plugin = require('auth0-js/dist/cordova-auth0-plugin.min.js');
 var Auth0APIClient = /*#__PURE__*/function () {
   function Auth0APIClient(lockID, clientID, domain, opts) {
     _classCallCheck(this, Auth0APIClient);
@@ -45,7 +48,7 @@ var Auth0APIClient = /*#__PURE__*/function () {
       responseMode: opts.responseMode,
       responseType: opts.responseType,
       leeway: opts.leeway || 60,
-      plugins: opts.plugins || (typeof _cordovaAuth0PluginMin.default === 'function' ? [new _cordovaAuth0PluginMin.default()] : []),
+      plugins: opts.plugins || (typeof CordovaAuth0Plugin === 'function' ? [new CordovaAuth0Plugin()] : []),
       overrides: (0, _helper.webAuthOverrides)(opts.overrides),
       _sendTelemetry: opts._sendTelemetry === false ? false : true,
       _telemetryInfo: telemetry,