Releases: auth0/lock
v15.0.0
Highlights
This release upgrades auth0-js to v10.0.0, which resolves CVE-2026-42280 — a security vulnerability in token validation for browser-based applications.
- feat: upgrade auth0-js from v9 to v10 #2810 (cschetan77)
HS256 is no longer supported. Applications configured with HS256 as the JWT Signature Algorithm will see parseHash() return an invalid_token error. HS256 requires the client secret to be present in the browser to verify tokens, which is a security vulnerability. Applications using RS256 are not affected.
Migration: Switch to RS256 before upgrading:
Auth0 Dashboard → Applications → [Your App] → Settings → Advanced Settings → OAuth → JsonWebToken Signature Algorithm → RS256
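One way to confirm, before upgrading, which signature algorithm an application's ID tokens actually carry is to decode the token header and read its alg field. This is an added example, not code from the lock or auth0-js projects; the function names, result labels and sample tokens are assumptions constructed for illustration, and the header is only decoded, never verified.

```javascript
// Added example: pre-upgrade audit of ID token signing algorithms (Node.js).
// Function names and result labels are hypothetical, not part of lock or auth0-js.

// Decode the JOSE header (first segment) of a compact JWT without verifying it.
function decodeJwtHeader(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3 || parts[0] === '') return null;
  try {
    // base64url -> base64; Node's decoder tolerates missing padding.
    const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
    const header = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return header && typeof header === 'object' ? header : null;
  } catch (e) {
    return null; // first segment was not valid JSON
  }
}

// Classify a token against the v15 behaviour described in these release notes.
function classifyIdToken(token) {
  const header = decodeJwtHeader(token);
  if (!header || typeof header.alg !== 'string') return 'malformed';
  if (header.alg === 'RS256') return 'ok';              // not affected
  if (header.alg === 'HS256') return 'switch-to-RS256'; // invalid_token after upgrade
  return 'unexpected-alg';                              // review manually
}

// Build a constructed sample token with a dummy signature (not a real credential).
function makeSampleToken(header) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc({ sub: 'sample|123' })}.c2lnbmF0dXJl`;
}

const samples = {
  rs256: makeSampleToken({ alg: 'RS256', typ: 'JWT', kid: 'sample-kid' }),
  hs256: makeSampleToken({ alg: 'HS256', typ: 'JWT' }),
  broken: 'not-a-jwt',
};

// Map each sample name to its classification.
function auditSamples() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, tok]) => [name, classifyIdToken(tok)]));
}

console.log(auditSamples());
```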
Changed
- fix(deps): remove trim dependency #2783 (gameroman)
The third-party trim package has been removed. All string trimming now uses the native String.prototype.trim() method, which has been available in all supported browsers and Node.js versions for many years. This removes one dependency from the shipped package with no change in behaviour.
v14.3.0
Added
- feat(types): ship TypeScript definitions directly from the lock repo, supersedes @types/auth0-lock #2763 (ankita10119)
Changed
- chore(deps): upgrade webpack-dev-server to v5, auth0-password-policies to 3.1.0, and fix dev setup #2771 (ankita10119)
Deprecated
- chore: remove deprecated yammer, renren, miicard strategies #2747 (omarquazi-okta)
Fixed
- Fix: TypeError in matchConnection and findADConnectionWithoutDomain for enterprise connections with null/undefined domains (#2749) #2758 (ankita10119)
v14.2.5
Fixed
- Fix: TypeError when CordovaAuth0Plugin is not a constructor (auth0-js 9.30.1+) #2742 (ankita10119)
- Fix: TypeError in matchConnection for enterprise connections with no domains #2736 (ankita10119)
v14.2.4
Fixed
- fix: update className and InputWrap name in SelectInput component (#2534) #2719 (ankita10119)
- fix: handle undefined and empty domain values in HRD screen (#2526) #2720 (ankita10119)
- fix: add 'too_many_attempts' to error codes in logInError function #2718 (ankita10119)
v14.2.3
Added
- feat: add too_many_attempts error to passwordless #2700 (avamachado-okta)
v14.2.2
Fixed
- Fix: Auth0-Lock Error with React 19 and Nextjs 15 #2701 (ankita10119)
v14.2.1
Fixed
- Fix: connectionResolver receives incorrect field value when switching between Login and Sign-up tabs #2697 (ankita10119)
v14.2.0
v14.1.0
Changed
- Bump karma from 6.4.3 to 6.4.4
- Bump pbkdf2 from 3.1.2 to 3.1.3
- Bump validator from 13.15.0 to 13.15.15
- Bump sha.js from 2.4.11 to 2.4.12
- Bump cipher-base from 1.0.4 to 1.0.6
- Bump codecov/codecov-action from 5.4.3 to 5.5.1
- Bump puppeteer from 24.9.0 to 24.19.0
- Bump tmp from 0.2.3 to 0.2.5
- Bump fsevents to latest (SEC-2161)
- Bump eslint-plugin-react from 7.34.1 to 7.37.5
- Bump @grpc/grpc-js and @google-cloud/translate
Fixed
- Fix: social connection names not showing displayName correctly #2651 (omarquazi-okta)
- Update old Twitter icon and name to "X" #2649 (omarquazi-okta)
- Fix issue 2546 - TypeError: Super expression must either be null or a function #2578 (Hworden)
- Fix: Accessibility Issues #2624 #2642 (ankita10119)
- fix: Rename shop strategy #2641 (omarquazi-okta)
- Fix release pipeline cdn #2628 (developerkunal)
- Fix Release PIPELINE #2627 (developerkunal)
- chore: update .gitignore and Makefile for Puppeteer cache and config directories #2626 (developerkunal)
- Fix Makefile for Puppeteer cache support #2625 (developerkunal)
Removed
- chore(ci): Remove Semgrep GHA Workflow #2650 (eduardoboronat-okta)
Security
- security: Remove vulnerable node-es-module-loader dependency (SEC-2160) #2629 (harekrishnarai)
v13.2.0
Fixes
- Update old Twitter icon and name to "X" #2649 (omarquazi-okta)
- Fix: social connection names not showing displayName correctly #2651 (omarquazi-okta)
- Fix: Accessibility Issues #2624 (ankita10119)
- security: Remove vulnerable node-es-module-loader dependency (SEC-2160) #2629 (harekrishnarai)