chore(deps): update dependency better-auth to v1.6.10

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
better-auth (source)	1.6.9 → 1.6.10

---

Release Notes

better-auth/better-auth (better-auth)

v1.6.10

Compare Source

Patch Changes

• #​8339 1e0f26d Thanks @​ping-maxwell! - fix(captcha): breaks email-otp flow

• #​9484 8c1e917 Thanks @​ping-maxwell! - fix: warn for cookie-plugin being last in array

• #​9437 b2d655c Thanks @​cyphercodes! - Allow organization invitation role input types to accept dynamic access control roles.

• #​9497 09f1327 Thanks @​bytaesu! - Endpoints that set cookies before redirecting (such as social sign-in
  callbacks and magic-link verification) no longer emit each Set-Cookie
  entry twice on the response.

• #​9387 906b7b3 Thanks @​bytaesu! - The bearer plugin now produces a single entry per cookie name when merging
  its session token into the request Cookie header. Previously the merged
  header could carry two entries for the same name if the request already
  had a stale session cookie, which would surface to downstream code that
  picks the first occurrence.

• #​9475 e9c978e Thanks @​jaydeep-pipaliya! - fix(username): respect callbackURL on /sign-in/username

  The endpoint accepted a callbackURL body field but ignored it, so
  authClient.signIn.username({ ..., callbackURL }) silently did nothing
  while authClient.signIn.email redirected as expected. The handler now
  sets a Location header when callbackURL is provided and returns
  { redirect, url } alongside token/user, matching the email flow.

• #​9440 e71aad3 Thanks @​cyphercodes! - Clear organization active hook state after sign-out so useActiveMemberRole does not retain a previous user's role in SPA sign-out/sign-in flows.

• #​9402 80a655d Thanks @​onmax! - Revalidate the client session after admin impersonation starts or stops.

• #​9503 15ff28a Thanks @​bytaesu! - internalAdapter.deleteAccount parameter renamed from accountId to id to reflect that it queries by primary key, not the accountId column. No runtime behavior change.

• #​9268 88a7c67 Thanks @​ping-maxwell! - fix: openAPI schema for POST /sign-in/social mis-declares required fields

• #​8839 9a7b51d Thanks @​dipan-ck! - Apply email enumeration protection when emailAndPassword.autoSignIn is false. Duplicate sign-ups now return a synthetic user (token: null) and trigger onExistingUserSignUp, and new sign-ups skip auto sign-in (token: null)—even without requireEmailVerification, aligning with the docs.

• #​9065 1b25902 Thanks @​ping-maxwell! - non-ASCII error_description in generic-oauth callback routes causes TypeError on redirect

• #​9349 cf59136 Thanks @​ping-maxwell! - fix(organization): re-export field types to prevent TS2742 with additionalFields

• #​9453 a597ee0 Thanks @​mausic! - The organization plugin's cancelPendingInvitationsOnReInvite option now actually cancels the prior pending invitation when re-inviting the same email. Previously the option had no effect — re-inviting always failed with USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION

• #​9456 fc02ced Thanks @​cyphercodes! - Reject OAuth callbacks when provider user info omits the account id to avoid linking accounts under the literal undefined id.

• #​9461 9f1ef1f Thanks @​cyphercodes! - Expose authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint.

• #​9369 36ef808 Thanks @​ping-maxwell! - fix: incorrect email casing across one-tap, email-otp & email-verification

• #​9239 c1336c5 Thanks @​GautamBytes! - Fix organization.setActiveTeam so it only accepts teams from the current active organization.

• #​7764 3a9a2c3 Thanks @​programming-with-ia! - chore: expose refreshUserSessions on internal adapter

• #​9521 fde0432 Thanks @​ping-maxwell! - fix: improve link accessibility issues

• Updated dependencies [2220a6d]:

  • @​better-auth/core@​1.6.10
  • @​better-auth/drizzle-adapter@​1.6.10
  • @​better-auth/kysely-adapter@​1.6.10
  • @​better-auth/memory-adapter@​1.6.10
  • @​better-auth/mongo-adapter@​1.6.10
  • @​better-auth/prisma-adapter@​1.6.10
  • @​better-auth/telemetry@​1.6.10

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[safedep]

SafeDep Report Summary

Package Details

Package	Malware	Vulnerability	Risky License	Report
@better-auth/core @ 1.6.10 pnpm-lock.yaml				🔗
@better-auth/drizzle-adapter @ 1.6.10 pnpm-lock.yaml				🔗
@better-auth/kysely-adapter @ 1.6.10 pnpm-lock.yaml				🔗
@better-auth/memory-adapter @ 1.6.10 pnpm-lock.yaml				🔗
@better-auth/mongo-adapter @ 1.6.10 pnpm-lock.yaml				🔗
@better-auth/passkey @ 1.6.9 pnpm-lock.yaml				🔗
@better-auth/prisma-adapter @ 1.6.10 pnpm-lock.yaml				🔗
@better-auth/telemetry @ 1.6.10 pnpm-lock.yaml				🔗
better-auth @ 1.6.10 pnpm-lock.yaml				🔗

View complete scan results →

_{This report is generated by SafeDep Github App}