Bump better-auth from 1.6.14 to 1.6.15

[dependabot]

Bumps better-auth from 1.6.14 to 1.6.15.

Release notes

Sourced from better-auth's releases.

v1.6.15

better-auth

Bug Fixes

• Fixed the listSessions endpoint to properly enforce fresh-age session checks (#9865)
• Fixed unbanUser, setRole, and adminUpdateUser to return USER_NOT_FOUND instead of a generic 500 when the target user does not exist (#9875)
• Fixed Kysely migration constant import path to restore Kysely 0.28 and 0.29 compatibility (#9811)
• Improved cookie regex character ranges for more accurate cookie parsing (#9879)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Features

• Added POST support to the /oauth2/userinfo endpoint, allowing the access token to be passed in the Authorization header (#9937)

Bug Fixes

• Fixed hooks.before and hooks.after to run correctly when OAuth authorization resumes after sign-in, account selection, or consent (#9919)

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

• Fixed Turbopack build failures by inlining migration table constants, also restoring compatibility with Kysely 0.28 and 0.29 (#9933)

For detailed changes, see CHANGELOG

@better-auth/passkey

Features

• Added automatic resolution of authenticator names from AAGUID, exposing getAuthenticatorName(aaguid) and commonAuthenticatorNames so passkeys can display a friendly provider name like "1Password" or "Google Password Manager" (#9927)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed ERR_SUBJECT_UNCONFIRMED errors caused by clockSkew not being forwarded to samlify's ServiceProvider when validating SAML responses (#9748)

For detailed changes, see CHANGELOG

Contributors

... (truncated)

Changelog

Sourced from better-auth's changelog.

1.6.15

Patch Changes

• #9875 1012b69 Thanks @​WilsonnnTan! - The admin plugin's unbanUser, setRole and adminUpdateUser endpoints used to call internalAdapter.updateUser without checking that the target user existed, so when the caller passed an unknown id the underlying database error (for example Prisma's P2025) bubbled up as a generic HTTP 500. those endpoints now mirror the existing guard in banUser: look the user up via findUserById, and throw a clean NOT_FOUND (USER_NOT_FOUND) when no row is returned. Closes #9800.

• #9865 ad60333 Thanks @​ping-maxwell! - list-session endpoint now requires a fresh-age session check.

• #9811 0933c05 Thanks @​zeroknowledge0x! - Restore Kysely 0.28 and 0.29 compatibility for SQLite dialect introspection. The dialects now mirror Kysely's stable migration table names locally, avoiding strict ESM build failures in Turbopack without forcing consumers onto Kysely 0.29.

• #9919 b0ddfd3 Thanks @​gustavovalverde! - Run configured hooks through the whole OAuth sign-in flow

  hooks.before / hooks.after configured on the auth instance now run for the OAuth authorization that continues after a user signs in, selects an account, or consents. They were being skipped there.

  Headers or cookies a hooks.before sets before returning its own response are no longer dropped, and a hooks.after that throws an APIError no longer loses either its cookies or the error's headers.

• Updated dependencies []:

  • @​better-auth/core@​1.6.15
  • @​better-auth/drizzle-adapter@​1.6.15
  • @​better-auth/kysely-adapter@​1.6.15
  • @​better-auth/memory-adapter@​1.6.15
  • @​better-auth/mongo-adapter@​1.6.15
  • @​better-auth/prisma-adapter@​1.6.15
  • @​better-auth/telemetry@​1.6.15

Commits

• 03e0e36 chore: release v1.6.15 (#9886)
• b0ddfd3 fix(oauth-provider): run configured hooks when authorize resumes (#9919)
• 1012b69 fix(admin): return USER_NOT_FOUND for missing users before update (#9875)
• ad60333 fix: list-session fresh age session check (#9865)
• e111d63 refactor(cookies): clarify cookie regex ranges (#9879)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
learn-postgres	Ready	Preview	Jun 8, 2026 11:27pm