Skip to content

Releases: auth0/lock

v15.0.1

Choose a tag to compare

@github-actions github-actions released this 30 Jun 07:32
a183cdb

Added

v15.0.0

Choose a tag to compare

@github-actions github-actions released this 05 Jun 09:14
8bca509

Highlights

This release upgrades auth0-js to v10.0.0, which resolves CVE-2026-42280 — a security vulnerability in token validation for browser-based applications.

⚠️ Breaking Changes

  • feat: upgrade auth0-js from v9 to v10 #2810 (cschetan77)

    HS256 is no longer supported. Applications configured with HS256 as the JWT Signature Algorithm will see parseHash() return an invalid_token error. HS256 requires the client secret to be present in the browser to verify tokens, which is a security vulnerability. Applications using RS256 are not affected.

    Migration: Switch to RS256 before upgrading:

    Auth0 Dashboard → Applications → [Your App] → Settings → Advanced Settings → OAuth → JsonWebToken Signature Algorithm → RS256

Changed

  • fix(deps): remove trim dependency #2783 (gameroman)

    The third-party trim package has been removed. All string trimming now uses the native String.prototype.trim() method, which has been available in all supported browsers and Node.js versions for many years. This removes one dependency from the shipped package with no change in behaviour.

v14.3.0

Choose a tag to compare

@github-actions github-actions released this 06 Apr 13:13
62aedb2

Added

  • feat(types): ship TypeScript definitions directly from the lock repo, supersedes @types/auth0-lock #2763 (ankita10119)

Changed

  • chore(deps): upgrade webpack-dev-server to v5, auth0-password-policies to 3.1.0, and fix dev setup #2771 (ankita10119)

Deprecated

Fixed

  • Fix: TypeError in matchConnection and findADConnectionWithoutDomain for enterprise connections with null/undefined domains (#2749) #2758 (ankita10119)

v14.2.5

Choose a tag to compare

@github-actions github-actions released this 19 Mar 14:30
53dff56

Fixed

  • Fix: TypeError when CordovaAuth0Plugin is not a constructor (auth0-js 9.30.1+) #2742 (ankita10119)
  • Fix: TypeError in matchConnection for enterprise connections with no domains #2736 (ankita10119)

v14.2.4

Choose a tag to compare

@github-actions github-actions released this 21 Jan 08:44
34c8f68

Fixed

v14.2.3

Choose a tag to compare

@github-actions github-actions released this 12 Jan 09:18
6be3fd2

Added

v14.2.2

Choose a tag to compare

@github-actions github-actions released this 17 Dec 07:19
99d241a

Fixed

v14.2.1

Choose a tag to compare

@github-actions github-actions released this 03 Dec 11:06
83ffae7

Fixed

  • Fix: connectionResolver receives incorrect field value when switching between Login and Sign-up tabs #2697 (ankita10119)

v14.2.0

Choose a tag to compare

@github-actions github-actions released this 21 Oct 12:15
5cae28e

Added

Fixed

  • fix: captcha not rendering for initial signup screen in classic login #2677 (paebanks)

v14.1.0

Choose a tag to compare

@github-actions github-actions released this 15 Sep 12:36
38add8d

Changed

  • Bump karma from 6.4.3 to 6.4.4
  • Bump pbkdf2 from 3.1.2 to 3.1.3
  • Bump validator from 13.15.0 to 13.15.15
  • Bump sha.js from 2.4.11 to 2.4.12
  • Bump cipher-base from 1.0.4 to 1.0.6
  • Bump codecov/codecov-action from 5.4.3 to 5.5.1
  • Bump puppeteer from 24.9.0 to 24.19.0
  • Bump tmp from 0.2.3 to 0.2.5
  • bump fsevents to latest(SEC- 2161)
  • Bump eslint-plugin-react from 7.34.1 to 7.37.5
  • Bump @grpc/grpc-js and @google-cloud/translate

Fixed

Removed

Security

  • security: Remove vulnerable node-es-module-loader dependency (SEC-2160) #2629 (harekrishnarai)

Testing

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language

Checklist