a40b1f4: Migrate the Base connector to canonical base naming, while preserving backwards-compatible aliases baseAccount and coinbaseWallet.

3672dc6: Added Anchorage Digital wallet support with the anchorageDigitalWallet wallet connector.

1043d88: Added MeCo Wallet support with mecoWallet wallet connector.

f52657f: Exposed RainbowKitProviderProps and WalletButtonRendererProps as public type exports to support Custom Wallet Button scenarios.

4f2de17: Fixed a crash that could occur when selecting a wallet while multiple browser wallet extensions were installed and the specific injected wallet was missing. Wallet-specific injected connectors now bind only to their matching provider instead of falling back to available defaults.

bc4625c: Fix recent transaction tracking so failed transactions no longer prevent an app's own transaction receipt wait from settling.

25c4c2b: Improved SSR safety to prevent WalletConnect initialization warnings and mitigate localStorage API availability changes in Node.js v25 and above.

f52657f: Fixed useWindowSize triggering a state update after unmount, which could surface as a React warning.

eb4251d: The AuthenticationAdapter.createMessage API can now return a promise, so dApps can fetch or construct a custom SIWE message asynchronously. This enables server-side SIWE message creation before prompting the wallet, while preserving existing synchronous behavior.

See the server-side message creation docs for guidance.

b0f6d52: fix: harden useCoolMode against malicious wallet icon URLs

The cool mode particle animation built image elements via innerHTML, which
parses its input as HTML. A malicious EIP-6963 wallet could supply a crafted
icon URL containing injected attributes (e.g. onerror) that would execute
in the dApp's origin when a user interacts with the wallet button.

Switched to document.createElement('img') with property assignment so the
icon value is always treated as a plain URL rather than markup.

f2523a9: Updated MetaMask wallet icon

e90c2dd: Upgraded to NextAuth v5. This is a breaking change.

Key changes:

• Requires NextAuth v5 (next-auth >=5.0.0-0 <6); NextAuth v4 apps must migrate before upgrading.
• NextAuth server configuration now uses v5 APIs like NextAuthConfig, Credentials, and the exported auth helper.
• Pages Router server calls must pass req and res separately to auth; passing the full GetServerSidePropsContext is no longer valid.
• NextAuth v5 internal cookies use authjs names, including authjs.csrf-token or __Host-authjs.csrf-token for CSRF depending on secure-cookie settings.
• CSRF nonce validation now compares the SIWE nonce against the csrfToken value that NextAuth v5 posts to the Credentials provider, instead of parsing CSRF cookies from request headers.

Migration guide:

1. Upgrade next-auth to v5 and upgrade @rainbow-me/rainbowkit-siwe-next-auth.

- npm install next-auth@^4 @rainbow-me/rainbowkit-siwe-next-auth
+ npm install next-auth@5.0.0-beta.31 @rainbow-me/rainbowkit-siwe-next-auth

2. Update your NextAuth server configuration to the v5 API.

- import type { NextAuthOptions } from 'next-auth';
- import CredentialsProvider from 'next-auth/providers/credentials';
+ import NextAuth from 'next-auth';
+ import type { NextAuthConfig } from 'next-auth';
+ import Credentials from 'next-auth/providers/credentials';
- export const authOptions: NextAuthOptions = {
+ export const authOptions: NextAuthConfig = {
 providers: [
- CredentialsProvider({
+ Credentials({
 async authorize(credentials) {
 /* your SIWE validation */
 },
 }),
 ],
 };
+
+ export const { handlers, auth, signIn, signOut } = NextAuth(authOptions);

3. Update Pages Router server-side session lookups to use the exported auth helper. Pass req and res separately; passing the full GetServerSidePropsContext is not supported by the v5 overloads.

- import { getServerSession } from 'next-auth';
- import { authOptions } from '../auth';
+ import { auth } from '../auth';
 export const getServerSideProps: GetServerSideProps = async (context) => {
- const session = await getServerSession(
- context.req,
- context.res,
- authOptions,
- );
+ const session = await auth(context.req, context.res);
 return {
 props: {
 session,
 },
 };
 };

4. Update SIWE nonce checks that call getCsrfToken inside authorize. When using signIn('credentials', ...), NextAuth v5 validates the CSRF cookie before authorize runs and includes the verified token in credentials.csrfToken.

- import { getCsrfToken } from 'next-auth/react';
- if (
- siweMessage.nonce !==
- (await getCsrfToken({ req: { headers: req.headers } }))
- ) {
- return null;
- }
+ const csrfToken =
+ credentials && 'csrfToken' in credentials
+ ? credentials.csrfToken
+ : undefined;
+ if (siweMessage.nonce !== csrfToken) {
+ return null;
+ }

5. If upgrading from before @rainbow-me/rainbowkit-siwe-next-auth@0.5.0, also follow the 0.5.0 changelog entry for the viem/siwe migration and the 0.3.0 changelog entry for the earlier getCsrfToken request-shape change.

acb7444: Security update: upgraded React and Next.js in create-rainbowkit template to patch critical vulnerabilities.

Critical CVEs Fixed:

• CVE-2025-55184: Denial of Service - https://nextjs.org/blog/security-update-2025年12月11日
• CVE-2025-55183: Source Code Exposure - https://nextjs.org/blog/security-update-2025年12月11日

Updated:

• React/React-DOM: 19.1.2 → 19.1.3
• Next.js: 15.3.6 → 15.3.7

e74f604: Improve UI on the mobile connect flow to hint to users that they can horizontally scroll to see additional wallet connectors

eb72c37: Fix Gemini wallet connector to use icon instead of icons in appMetadata

e58367e: Fix mobile visibility for Coin98, CLV, SafePal, Frontier, and BeraSig wallets.

b7b7b43: Rename the Argent wallet connector to readyWallet

507f583: Add additional wallet flags to isMetaMask() to detect impersonating providers.

16963de: Add ctrlWallet wallet connector to replace xdefiWallet. XDEFI Wallet has been rebranded to CTRL Wallet.

6c745a5: Disable third-party connector telemetry by default for user privacy. h/t @TimDaub

To opt-in to WalletConnect analytics:

With getDefaultConfig:

const config = getDefaultConfig({
 /** ... **/
 walletConnectParameters: {
 telemetryEnabled: true,
 },
});

To opt-in to Base Account telemetry:

baseAccount.preference = {
 telemetry: true,
};

To opt-in to MetaMask analytics:

metaMaskWallet.enableAnalytics = true;

060e074: Security update: upgraded React and Next.js in create-rainbowkit template to patch critical vulnerabilities.

Critical CVEs Fixed:

• CVE-2025-55182: React Server Components RCE - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
• CVE-2025-66478: Next.js RCE - https://nextjs.org/blog/CVE-2025-66478

Updated:

• React/React-DOM: 19.1.0 → 19.1.2
• Next.js: 15.3.3 → 15.3.6

eb72c37: Upgrade wagmi to ^2.19.3 and viem to 2.38.0.