Normalized URL path handling prevents route protection bypass across framework integrations.
The most urgent recent activity is a security fix cascading through all framework SDKs. In @clerk/shared@3.47.4 and @clerk/shared@4.8.1, path normalization in createPathMatcher was corrected to block URL bypass attempts. This patch shipped across Next.js, Nuxt, Astro, and other integrations almost simultaneously—a sign this was treated as security-critical.
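As an added illustration of why a route matcher has to canonicalize paths before deciding (this is not Clerk's createPathMatcher code, and the release notes do not detail the specific flaw), the sketch below compares a matcher that tests the raw request path with one that normalizes first. The route patterns, function names, and sample paths are all constructed for the example.

```javascript
// Added example: not Clerk's createPathMatcher. Patterns and paths are constructed.
const PROTECTED = [/^\/admin(\/.*)?$/, /^\/api\/private(\/.*)?$/];

// Reduce a request path to one canonical form, or return null if it cannot be
// canonicalized safely (callers must treat null as "deny").
function normalizePath(rawPath) {
  let path = rawPath.split(/[?#]/)[0]; // match on the path only
  try {
    path = decodeURIComponent(path); // "%61" and "a" must compare equal
  } catch {
    return null; // malformed percent-encoding
  }
  // Still-encoded bytes after one decode (double encoding), backslashes and
  // control characters are ambiguous between parsers: refuse rather than guess.
  if (/%[0-9a-f]{2}/i.test(path) || /[\x00-\x1f\\]/.test(path)) return null;
  const segments = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue; // collapse "//" and "/./"
    if (seg === '..') segments.pop(); // resolve parent references
    else segments.push(seg);
  }
  return '/' + segments.join('/'); // no trailing slash
}

// Matcher that tests the raw path: equivalent spellings of a route slip past it.
function matchesRaw(rawPath) {
  return PROTECTED.some((re) => re.test(rawPath));
}

// Matcher that canonicalizes first and fails closed on ambiguous input.
function matchesNormalized(rawPath) {
  const path = normalizePath(rawPath);
  return path === null || PROTECTED.some((re) => re.test(path));
}

// Constructed sample paths: several spellings of /admin plus one public route.
const SAMPLES = ['/admin', '//admin', '/public/../admin', '/%61dmin',
  '/./admin/', '/admin?tab=1', '/%252e%252e/admin', '/about'];

// Paths where the two matchers disagree, i.e. where raw matching under-protects.
function disagreements(paths = SAMPLES) {
  return paths.filter((p) => matchesRaw(p) !== matchesNormalized(p));
}

console.log(disagreements());
```

Whatever canonical form the matcher uses has to be the one the router behind it uses as well; otherwise the two can still disagree about which route a request reaches.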
OAuth consent APIs enable custom authorization flows. @clerk/react@6.3.0 added an OAuthApplication resource and a getConsentInfo() method, with matching useOAuthConsent() hooks in @clerk/nextjs@7.1.0 and @clerk/react-router@3.1.0. An internal <OAuthConsent /> component for zero-config consent screens shipped in parallel; this moves Clerk toward developer control over the OAuth experience rather than opaque redirects.
iOS Expo OAuth and UI fixes landed. @clerk/expo@3.1.10 resolved silent failures during OAuth sign-in from the forgot password screen and a white flash on mount, plus an Android <AuthView> hang after sign-out. These are small but high-friction bugs for mobile developers.
Express middleware now forwards clock skew tolerance. @clerk/express@2.1.1 pipes clockSkewInMs from clerkMiddleware() through to backend authenticateRequest(), closing a configuration gap for token validation in distributed systems.
Next.js devDependency bumped to patch a React Server Components DoS (CVE-2026-23869). @clerk/nextjs@7.1.0 updated to Next.js 15.5.15 / 16.2.3. This is a high-severity (CVSS 7.5) RSC vulnerability, worth noting if you're on App Router.
Dashboard now filters test users and scrolls infinitely on Overview. Recent platform releases added test user filtering and infinite scroll across user/organization cohorts and waitlist tables—quality-of-life improvements for managing larger datasets in the admin console.