Merged
2 changes: 1 addition & 1 deletion .version
@@ -1 +1 @@
v14.3.0
v15.0.0
22 changes: 22 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,27 @@
# Change Log

## [v15.0.0](https://github.com/auth0/lock/tree/v15.0.0) (2026-06-05)
[Full Changelog](https://github.com/auth0/lock/compare/v14.3.0...v15.0.0)

### Highlights

This release upgrades `auth0-js` to [v10.0.0](https://github.com/auth0/auth0.js/releases/tag/v10.0.0), which resolves [CVE-2026-42280](https://www.cve.org/CVERecord?id=CVE-2026-42280) — a security vulnerability in token validation for browser-based applications.

**⚠️ Breaking Changes**

- feat!: upgrade auth0-js from v9 to v10 [\#2810](https://github.com/auth0/lock/pull/2810) ([cschetan77](https://github.com/cschetan77))

**HS256 is no longer supported.** Applications configured with HS256 as the JWT Signature Algorithm will see `parseHash()` return an `invalid_token` error. HS256 requires the client secret to be present in the browser to verify tokens, which is a security vulnerability. Applications using RS256 are not affected.

**Migration:** Switch to RS256 before upgrading:
> Auth0 Dashboard → Applications → [Your App] → Settings → Advanced Settings → OAuth → JsonWebToken Signature Algorithm → **RS256**

**Changed**

- fix(deps): remove `trim` dependency [\#2783](https://github.com/auth0/lock/pull/2783) ([gameroman](https://github.com/gameroman))

The third-party `trim` package has been removed. All string trimming now uses the native `String.prototype.trim()` method, which has been available in all supported browsers and Node.js versions for many years. This removes one dependency from the shipped package with no change in behaviour.

## [v14.3.0](https://github.com/auth0/lock/tree/v14.3.0) (2026-04-06)
[Full Changelog](https://github.com/auth0/lock/compare/v14.2.5...v14.3.0)
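
Review bot: The HS256 paragraph under Breaking Changes describes the failure as `parseHash()` returning an `invalid_token` error, but it does not say where an application using Lock would observe that error. State how it surfaces through Lock so that someone still on HS256 can recognise the breakage after upgrading. The Highlights sentence also cites CVE-2026-42280 only as "a security vulnerability in token validation" and does not say whether the HS256 removal is the fix for it or which Lock versions are affected; one sentence making that explicit would let readers judge how urgently to move off v14.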

2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -31,7 +31,7 @@ From CDN

```html
<!-- Latest patch release (recommended for production) -->
<script src="https://cdn.auth0.com/js/lock/14.3.0/lock.min.js"></script>
<script src="https://cdn.auth0.com/js/lock/15.0.0/lock.min.js"></script>
```

### Configure Auth0
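
Review bot: The unchanged comment above the `<script>` tag still reads "Latest patch release (recommended for production)", but the URL now points at 15.0.0, a major release that the changelog in this same change marks as breaking for HS256 applications. Reword the comment and point to the RS256 migration note, so that someone replacing a 14.x tag with this snippet does not run into the `invalid_token` failure unannounced. Since the URL pins an exact version, this would also be a natural place to add `integrity` and `crossorigin` attributes to the tag.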
4 changes: 2 additions & 2 deletions package-lock.json

2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "auth0-lock",
"version": "14.3.0",
"version": "15.0.0",
"description": "Auth0 Lock",
"author": "Auth0 <support@auth0.com> (http://auth0.com)",
"license": "MIT",