auth0-lock 14.3.0 → 15.0.0

package/.github/workflows/test.yml

@@ -56,4 +56,4 @@ jobs:
         run: npm run test:e2e
 
       - name: Upload coverage
-        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # pin@5.5.3
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # pin@6.0.1

package/.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+./node_modules/.bin/lint-staged

package/.version

@@ -1 +1 @@
-v14.3.0
+v15.0.0

package/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Change Log
 
+## [v15.0.0](https://github.com/auth0/lock/tree/v15.0.0) (2026-06-05)
+[Full Changelog](https://github.com/auth0/lock/compare/v14.3.0...v15.0.0)
+
+### Highlights
+
+This release upgrades `auth0-js` to [v10.0.0](https://github.com/auth0/auth0.js/releases/tag/v10.0.0), which resolves [CVE-2026-42280](https://www.cve.org/CVERecord?id=CVE-2026-42280) — a security vulnerability in token validation for browser-based applications.
+
+**⚠️ Breaking Changes**
+
+- feat!: upgrade auth0-js from v9 to v10 [\#2810](https://github.com/auth0/lock/pull/2810) ([cschetan77](https://github.com/cschetan77))
+
+  **HS256 is no longer supported.** Applications configured with HS256 as the JWT Signature Algorithm will see `parseHash()` return an `invalid_token` error. HS256 requires the client secret to be present in the browser to verify tokens, which is a security vulnerability. Applications using RS256 are not affected.
+
+  **Migration:** Switch to RS256 before upgrading:
+  > Auth0 Dashboard → Applications → [Your App] → Settings → Advanced Settings → OAuth → JsonWebToken Signature Algorithm → **RS256**
+
+**Changed**
+
+- fix(deps): remove `trim` dependency [\#2783](https://github.com/auth0/lock/pull/2783) ([gameroman](https://github.com/gameroman))
+
+  The third-party `trim` package has been removed. All string trimming now uses the native `String.prototype.trim()` method, which has been available in all supported browsers and Node.js versions for many years. This removes one dependency from the shipped package with no change in behaviour.
+
 ## [v14.3.0](https://github.com/auth0/lock/tree/v14.3.0) (2026-04-06)
 [Full Changelog](https://github.com/auth0/lock/compare/v14.2.5...v14.3.0)
 

package/README.md

@@ -31,7 +31,7 @@ From CDN
 
 ```html
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/14.3.0/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/15.0.0/lock.min.js"></script>
 ```
 
 ### Configure Auth0

package/lib/avatar/gravatar_provider.js

@@ -6,13 +6,12 @@ Object.defineProperty(exports, "__esModule", {
 exports.displayName = displayName;
 exports.url = url;
 var _blueimpMd = _interopRequireDefault(require("blueimp-md5"));
-var _trim = _interopRequireDefault(require("trim"));
 var _jsonp_utils = _interopRequireDefault(require("../utils/jsonp_utils"));
 var _email = require("../field/email");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 var md5 = _blueimpMd.default.md5 || _blueimpMd.default;
 function normalize(str) {
-  return typeof str === 'string' ? (0, _trim.default)(str.toLowerCase()) : '';
+  return typeof str === 'string' ? str.toLowerCase().trim() : '';
 }
 function displayName(email, cb) {
   email = normalize(email);

package/lib/connection/database/index.js

@@ -38,7 +38,6 @@ var l = _interopRequireWildcard(require("../../core/index"));
 var _index2 = require("../../field/index");
 var _data_utils = require("../../utils/data_utils");
 var _sync = _interopRequireDefault(require("../../sync"));
-var _trim = _interopRequireDefault(require("trim"));
 var _tenant = require("../../core/tenant");
 var _enterprise = require("../../connection/enterprise");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
@@ -66,7 +65,7 @@ function assertMaybeEnum(opts, name, a) {
   return valid;
 }
 function assertMaybeString(opts, name) {
-  var valid = opts[name] === undefined || typeof opts[name] === 'string' && (0, _trim.default)(opts[name]).length > 0;
+  var valid = opts[name] === undefined || typeof opts[name] === 'string' && opts[name].trim().length > 0;
   if (!valid) l.warn(opts, "The `".concat(name, "` option will be ignored, because it is not a non-empty string."));
   return valid;
 }

package/lib/core/index.js

@@ -81,7 +81,6 @@ var _media_utils = require("../utils/media_utils");
 var _string_utils = require("../utils/string_utils");
 var _url_utils = require("../utils/url_utils");
 var i18n = _interopRequireWildcard(require("../i18n"));
-var _trim = _interopRequireDefault(require("trim"));
 var gp = _interopRequireWildcard(require("../avatar/gravatar_provider"));
 var _data_utils = require("../utils/data_utils");
 var _index = require("./client/index");
@@ -243,7 +242,7 @@ function extractUIOptions(id, options) {
     closable: closable,
     hideMainScreenTitle: !!hideMainScreenTitle,
     labeledSubmitButton: undefined === labeledSubmitButton ? true : !!labeledSubmitButton,
-    language: undefined === options.language ? 'en' : (0, _trim.default)(options.language || '').toLowerCase(),
+    language: undefined === options.language ? 'en' : (options.language || '').trim().toLowerCase(),
     dict: _typeof(options.languageDictionary) === 'object' ? options.languageDictionary : {},
     disableWarnings: options.disableWarnings === undefined ? false : !!options.disableWarnings,
     mobile: undefined === options.mobile ? false : !!options.mobile,

package/lib/core/web_api/helper.js

@@ -169,5 +169,5 @@ function trimAuthParams() {
   return p;
 }
 function getVersion() {
-  return "14.3.0";
+  return "15.0.0";
 }

package/lib/field/email.js

@@ -9,7 +9,6 @@ exports.emailLocalPart = emailLocalPart;
 exports.isEmail = isEmail;
 exports.setEmail = setEmail;
 exports.validateEmail = validateEmail;
-var _trim = _interopRequireDefault(require("trim"));
 var _isEmail2 = _interopRequireDefault(require("validator/lib/isEmail"));
 var _index = require("./index");
 var _enterprise = require("../connection/enterprise");
@@ -25,7 +24,7 @@ function isEmail(str) {
   if (typeof str !== 'string') {
     return false;
   }
-  var trimmed = (0, _trim.default)(str);
+  var trimmed = str.trim();
   return strictValidation ? (0, _isEmail2.default)(str) : trimmed.indexOf('@') >= 0 && trimmed.indexOf('.') >= 0 && trimmed.indexOf(' ') === -1;
 }
 function setEmail(m, str) {

package/lib/field/index.js

@@ -26,7 +26,6 @@ exports.username = username;
 exports.vcode = vcode;
 var _react = _interopRequireDefault(require("react"));
 var _immutable = require("immutable");
-var _trim = _interopRequireDefault(require("trim"));
 var _option_selection_pane = _interopRequireDefault(require("./option_selection_pane"));
 var l = _interopRequireWildcard(require("../core/index"));
 function _interopRequireWildcard(e, t) { if ("function" == typeof WeakMap) var r = new WeakMap(), n = new WeakMap(); return (_interopRequireWildcard = function _interopRequireWildcard(e, t) { if (!t && e && e.__esModule) return e; var o, i, f = { __proto__: null, default: e }; if (null === e || "object" != _typeof(e) && "function" != typeof e) return f; if (o = t ? n : r) { if (o.has(e)) return o.get(e); o.set(e, f); } for (var _t in e) "default" !== _t && {}.hasOwnProperty.call(e, _t) && ((i = (o = Object.defineProperty) && Object.getOwnPropertyDescriptor(e, _t)) && (i.get || i.set) ? o(f, _t, i) : f[_t] = e[_t]); return f; })(e, t); }
@@ -40,19 +39,19 @@ var getDefaultValidator = function getDefaultValidator(field) {
     case 'family_name':
     case 'given_name':
       return function (str) {
-        return minMax((0, _trim.default)(str), 1, 150);
+        return minMax(str.trim(), 1, 150);
       };
     case 'name':
       return function (str) {
-        return minMax((0, _trim.default)(str), 1, 300);
+        return minMax(str.trim(), 1, 300);
       };
     case 'nickname':
       return function (str) {
-        return minMax((0, _trim.default)(str), 1, 300);
+        return minMax(str.trim(), 1, 300);
       };
     default:
       return function (str) {
-        return (0, _trim.default)(str).length > 0;
+        return str.trim().length > 0;
       };
   }
 };

package/lib/field/mfa_code.js

@@ -8,8 +8,6 @@ exports.setMFACode = setMFACode;
 var _index = require("./index");
 var _email = require("./email");
 var _database = require("../connection/database");
-var _trim = _interopRequireDefault(require("trim"));
-function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 var DEFAULT_VALIDATION = {
   mfa_code: {
     length: 6
@@ -18,7 +16,7 @@ var DEFAULT_VALIDATION = {
 var regExp = /^[0-9]+$/;
 function validateMFACode(str) {
   var settings = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : DEFAULT_VALIDATION.mfa_code;
-  var value = (0, _trim.default)(str);
+  var value = str.trim();
 
   // check min value matched
   if (value.length < settings.length) {

package/lib/field/username.js

@@ -9,8 +9,6 @@ exports.usernameLooksLikeEmail = usernameLooksLikeEmail;
 var _index = require("./index");
 var _email = require("./email");
 var _database = require("../connection/database");
-var _trim = _interopRequireDefault(require("trim"));
-function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 var DEFAULT_CONNECTION_VALIDATION = {
   username: {
     min: 1,
@@ -24,9 +22,9 @@ function validateUsername(str, validateFormat) {
   // If the connection does not have validation settings, it should only check if the field is empty.
   // validateFormat overrides this logic to disable validation on login (login should never validate format)
   if (!validateFormat || settings == null) {
-    return (0, _trim.default)(str).length > 0;
+    return str.trim().length > 0;
   }
-  var lowercased = (0, _trim.default)(str.toLowerCase());
+  var lowercased = str.toLowerCase().trim();
 
   // check min value matched
   if (lowercased.length < settings.min) {

package/lib/i18n.js

@@ -90,7 +90,7 @@ function assertLanguage(m, language, base) {
 function syncLang(m, language, _cb) {
   (0, _cdn_utils.load)({
     method: 'registerLanguageDictionary',
-    url: "".concat(l.languageBaseUrl(m), "/js/lock/").concat("14.3.0", "/").concat(language, ".js"),
+    url: "".concat(l.languageBaseUrl(m), "/js/lock/").concat("15.0.0", "/").concat(language, ".js"),
     check: function check(str) {
       return str && str === language;
     },

package/lib/lock.js

@@ -36,7 +36,7 @@ var Auth0Lock = exports.default = /*#__PURE__*/function (_Core) {
   _inherits(Auth0Lock, _Core);
   return _createClass(Auth0Lock);
 }(_core.default); // telemetry
-Auth0Lock.version = "14.3.0";
+Auth0Lock.version = "15.0.0";
 
 // TODO: should we have different telemetry for classic/passwordless?
 // TODO: should we set telemetry info before each request?

package/lib/passwordless.js

@@ -36,4 +36,4 @@ var Auth0LockPasswordless = exports.default = /*#__PURE__*/function (_Core) {
   _inherits(Auth0LockPasswordless, _Core);
   return _createClass(Auth0LockPasswordless);
 }(_core.default);
-Auth0LockPasswordless.version = "14.3.0";
+Auth0LockPasswordless.version = "15.0.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth0-lock",
-  "version": "14.3.0",
+  "version": "15.0.0",
   "description": "Auth0 Lock",
   "author": "Auth0 <support@auth0.com> (http://auth0.com)",
   "license": "MIT",
@@ -38,7 +38,8 @@
     "publish:cdn": "ccu --trace",
     "i18n:translate": "grunt dist && node scripts/complete-translations.js && npm run i18n:prettier && npm run build",
     "i18n:prettier": "prettier --write src/i18n/*",
-    "i18n:validate": "node scripts/lang-audit.mjs"
+    "i18n:validate": "node scripts/lang-audit.mjs",
+    "prepare": "husky install"
   },
   "devDependencies": {
     "@auth0/component-cdn-uploader": "^3.0.2",
@@ -120,7 +121,7 @@
     "webpack-dev-server": "^5.2.1"
   },
   "dependencies": {
-    "auth0-js": "^9.29.0",
+    "auth0-js": "^10.0.0",
     "auth0-password-policies": "^3.1.0",
     "blueimp-md5": "^2.19.0",
     "classnames": "^2.3.2",
@@ -134,7 +135,6 @@
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "react-transition-group": "^4.4.5",
-    "trim": "^1.0.1",
     "url-join": "^1.1.0",
     "validator": "^13.15.22"
   },
@@ -187,6 +187,9 @@
     ],
     "*.{js,jsx,json}": [
       "prettier --write"
+    ],
+    "package-lock.json": [
+      "node scripts/strip-lock-resolved.js"
     ]
   },
   "optionalDependencies": {