Highlights

This release upgrades auth0-js to v10.0.0, which resolves CVE-2026-42280 — a security vulnerability in token validation for browser-based applications.

⚠️ Breaking Changes

• feat: upgrade auth0-js from v9 to v10 #2810 (cschetan77)

  HS256 is no longer supported. Applications configured with HS256 as the JWT Signature Algorithm will see parseHash() return an invalid_token error. HS256 requires the client secret to be present in the browser to verify tokens, which is a security vulnerability. Applications using RS256 are not affected.

  Migration: Switch to RS256 before upgrading:

  Auth0 Dashboard → Applications → [Your App] → Settings → Advanced Settings → OAuth → JsonWebToken Signature Algorithm → RS256

Changed

• fix(deps): remove trim dependency #2783 (gameroman)

  The third-party trim package has been removed. All string trimming now uses the native String.prototype.trim() method, which has been available in all supported browsers and Node.js versions for many years. This removes one dependency from the shipped package with no change in behaviour.

Added

• feat(types): ship TypeScript definitions directly from the lock repo, supersedes @types/auth0-lock #2763 (ankita10119)

Changed

• chore(deps): upgrade webpack-dev-server to v5, auth0-password-policies to 3.1.0, and fix dev setup #2771 (ankita10119)

Deprecated

• chore: remove deprecated yammer, renren, miicard strategies #2747 (omarquazi-okta)

Fixed

• Fix: TypeError in matchConnection and findADConnectionWithoutDomain for enterprise connections with null/undefined domains (#2749) #2758 (ankita10119)

Fixed

• Fix: TypeError when CordovaAuth0Plugin is not a constructor (auth0-js 9.30.1+) #2742 (ankita10119)
• Fix: TypeError in matchConnection for enterprise connections with no domains #2736 (ankita10119)

Fixed

• fix: update className and InputWrap name in SelectInput component (#2534) #2719 (ankita10119)
• fix: handle undefined and empty domain values in HRD screen (#2526) #2720 (ankita10119)
• fix: add 'too_many_attempts' to error codes in logInError function #2718 (ankita10119)

Added

• feat: add too_many_attempts error to passwordless #2700 (avamachado-okta)

Fixed

• Fix: Auth0-Lock Error with React 19 and Nextjs 15 #2701 (ankita10119)

Fixed

• Fix: connectionResolver receives incorrect field value when switching between Login and Sign-up tabs #2697 (ankita10119)

Added

• feat: add Claude Code PR Review workflow #2679 (ankita10119)

Fixed

• fix: captcha not rendering for initial signup screen in classic login #2677 (paebanks)

Changed

• Bump karma from 6.4.3 to 6.4.4
• Bump pbkdf2 from 3.1.2 to 3.1.3
• Bump validator from 13.15.0 to 13.15.15
• Bump sha.js from 2.4.11 to 2.4.12
• Bump cipher-base from 1.0.4 to 1.0.6
• Bump codecov/codecov-action from 5.4.3 to 5.5.1
• Bump puppeteer from 24.9.0 to 24.19.0
• Bump tmp from 0.2.3 to 0.2.5
• bump fsevents to latest(SEC- 2161)
• Bump eslint-plugin-react from 7.34.1 to 7.37.5
• Bump @grpc/grpc-js and @google-cloud/translate

Fixed

• Fix: social connection names not showing displayName correctly #2651 (omarquazi-okta)
• Update old Twitter icon and name to "X" #2649 (omarquazi-okta)
• Fix issue 2546 - TypeError: Super expression must either be null or a function #2578 (Hworden)
• Fix: Accessibility Issues #2624 #2642 (ankita10119)
• fix: Rename shop strategy #2641 (omarquazi-okta)
• Fix release pipeline cdn #2628 (developerkunal)
• Fix Release PIPELINE #2627 (developerkunal)
• chore: update .gitignore and Makefile for Puppeteer cache and config directories #2626 (developerkunal)
• Fix Makefile for Puppeteer cache support #2625 (developerkunal)

Removed

• chore(ci): Remove Semgrep GHA Workflow #2650 (eduardoboronat-okta)

Security

• security: Remove vulnerable node-es-module-loader dependency (SEC-2160) #2629 (harekrishnarai)

Testing

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of the platform/language

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All code quality tools/guidelines have been run/followed
• All relevant assets have been compiled

Fixes

• Update old Twitter icon and name to "X" #2649 (
  omarquazi-okta)
• Fix: social connection names not showing displayName correctly #2651 (
  omarquazi-okta)
• Fix: Accessibility Issues #2624 (ankita10119)
• security: Remove vulnerable node-es-module-loader dependency (SEC-2160) #2629 (harekrishnarai)