sim build(deps): bump the npm_and_yarn group across 2 directories with 3 updates

Bumps the npm_and_yarn group with 2 updates in the /apps/sim directory: better-auth and js-yaml. Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates better-auth from 1.3.12 to 1.4.2

Release notes

Sourced from better-auth's releases.

v1.4.2

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (53a74)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (deb62)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (1c45f)

   🐞 Bug Fixes

Support @tanstack/solid-start in tanstackStartCookies plugin - by @jakst in better-auth/better-auth#6235 (c69b3)

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (5ea36)

cli:

Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder - by @ping-maxwell in better-auth/better-auth#6214 (b8a73)

Prevent duplicate index creation in Prisma schema generation - by @rovertrack in better-auth/better-auth#6234 (0bbd8)

client:

Get-session gets triggered twice on foucs - by @Bekacru in better-auth/better-auth#6186 (54852)

email-otp:

Sign-in email-otp bugs with capitalized emails - by @ping-maxwell in better-auth/better-auth#6237 (fd010)

oidc-provider:

Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (201a7)

organization:

Have deleteOrganization use adapter.deleteMany instead of delete - by @kefimoto in better-auth/better-auth#6226 (32d3f)

    View changes on GitHub

v1.4.2-beta.5

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (519ef)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (39c84)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (92218)

   🐞 Bug Fixes

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (93606)

docs: Fix Next.js 16 proxy build error issue - by @DimplesY in better-auth/better-auth#6302 (a1f1c)

oidc-provider: Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (84ad3)

    View changes on GitHub

v1.4.2-beta.4

No significant changes

    View changes on GitHub

v1.4.2-beta.3

No significant changes

    View changes on GitHub

... (truncated)

Commits

f2c28dd chore: release v1.4.2
7e7a4ca chore: release v1.4.2-beta.2
a2e6a8a Revert "chore: lint (#6290)"
5ea36ab fix: signIn/signUp API returns user additional field (#6287)
205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
1c1c913 chore: more join tests for missing data scenarios (#6166)
1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
fc662c5 chore: remove incorrect auth cli (#6242)
fabf8dc docs: updated og image and add merch link to community section (#6251)
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates glob from 11.0.2 to 11.1.0

Changelog

Sourced from glob's changelog.

changeglob

13

Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)

Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.

Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

Drop support for node before v20

10.4

Add includeChildMatches: false option

Export the Ignore class

10.3

Add --default -p flag to provide a default pattern

exclude symbolic links to directories when follow and nodir are both set

10.2

Add glob cli

10.1

Return '.' instead of the empty string '' when the current working directory is returned as a match.

Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

2551fb5 11.1.0
47473c0 bin: Do not expose filenames to shell expansion
bc33fe1 skip tilde test on systems that lack tilde expansion
59bf9ca fix notes
dde4fa6 docs(README): add #anchor and improve notes
0559b0e docs: add better links to path-scurry docs
c9773c2 fix: correct typos in README.md
13e68ea Fix punctuation in traversal function documentation
1527e2b fix repo url
7e190e8 fix typo maths → paths
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the Security Alerts page.

Dec 02 '25 00:12 dependabot[bot]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Ready	Preview	Comment	Dec 2, 2025 0:41am

Dec 02 '25 00:12 vercel[bot]

Greptile Overview

Greptile Summary

This PR updates three npm packages across two directories:

better-auth (1.3.12 → 1.4.2): Minor version update with bug fixes for CLI, client, email-otp, oidc-provider, and organization features. Includes new features like GitHub PKCE support and custom JWKS endpoints. No breaking changes.
js-yaml (4.1.0 → 4.1.1): Critical security patch fixing a prototype pollution vulnerability in the YAML merge (<<) operator. This should be merged immediately.
glob (11.0.2 → 11.1.0): Security update addressing GHSA-5j98-mcp5-4vw2, which prevents filenames from being exposed to shell expansion attacks.

All updates are non-breaking and include important security fixes. The changes are safe to merge.

Confidence Score: 5/5

This PR is safe to merge - contains only dependency updates with critical security fixes and no breaking changes
All three dependency updates are minor/patch versions with no breaking changes. Two of them (js-yaml and glob) include critical security fixes for prototype pollution and shell expansion vulnerabilities. The better-auth update includes bug fixes and new features without breaking changes. Automated dependency updates from Dependabot are generally reliable.
No files require special attention

Important Files Changed

File Analysis

Filename	Score	Overview
apps/sim/package.json	5/5	Updated `better-auth` to 1.4.2 (bug fixes, no breaking changes) and `js-yaml` to 4.1.1 (critical security fix for prototype pollution)
scripts/package.json	5/5	Updated `glob` to 11.1.0 (security fix to prevent shell expansion vulnerabilities)
scripts/package-lock.json	5/5	Lock file updated to reflect `glob` 11.1.0 and its transitive dependencies

Sequence Diagram

sequenceDiagram
    participant D as Dependabot
    participant NPM as npm Registry
    participant App as apps/sim
    participant Scripts as scripts
    
    D->>NPM: Check for updates
    NPM-->>D: better-auth 1.4.2 available
    NPM-->>D: js-yaml 4.1.1 available (security)
    NPM-->>D: glob 11.1.0 available (security)
    
    D->>App: Update better-auth: 1.3.12 → 1.4.2
    Note over App: Bug fixes, new features<br/>No breaking changes
    
    D->>App: Update js-yaml: 4.1.0 → 4.1.1
    Note over App: Security fix:<br/>Prototype pollution in merge operator
    
    D->>Scripts: Update glob: 11.0.2 → 11.1.0
    Note over Scripts: Security fix:<br/>Shell expansion vulnerability
    
    D->>Scripts: Update package-lock.json
    Note over Scripts: Lock transitive dependencies

Dec 02 '25 00:12 greptile-apps[bot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

Dec 03 '25 03:12 dependabot[bot]