{"id":"org_6JdxTmhM4dqZsi_ghliSQ","slug":"clerk","name":"Clerk","domain":"clerk.com","description":null,"category":"security","tags":["auth","identity","user-management"],"sourceCount":3,"releaseCount":524,"releasesLast30Days":232,"avgReleasesPerWeek":20.2,"lastFetchedAt":"2026-04-19T03:02:09.482Z","trackingSince":"2023-01-27T20:23:00.000Z","aliases":[],"accounts":[{"platform":"github","handle":"clerk"}],"products":[],"sources":[{"id":"src_M4sZyGVjPaGt67qbjuo0z","slug":"clerk-changelog","name":"Clerk Changelog","type":"feed","url":"https://clerk.com/changelog","isPrimary":false,"isHidden":false,"fetchPriority":"normal","releaseCount":207,"latestVersion":null,"latestDate":"2026-04-17T00:00:00.000Z","latestAddedAt":"2026-04-17T20:06:04.865Z","productSlug":null,"productName":null},{"id":"src_f8n2W7t5lZEB2SwUPeqs1","slug":"clerk-javascript-sdk","name":"JavaScript SDK","type":"github","url":"https://github.com/clerk/javascript","isPrimary":false,"isHidden":false,"fetchPriority":"normal","releaseCount":216,"latestVersion":"@clerk/clerk-js@6.7.4","latestDate":"2026-04-17T20:06:02.000Z","latestAddedAt":"2026-04-18T01:02:32.088Z","productSlug":null,"productName":null},{"id":"src_9YcfOEoAcCmTw1WJUhjLw","slug":"clerk-ios-sdk","name":"iOS SDK","type":"github","url":"https://github.com/clerk/clerk-ios","isPrimary":false,"isHidden":false,"fetchPriority":"normal","releaseCount":101,"latestVersion":"1.0.9","latestDate":"2026-04-09T16:07:26.000Z","latestAddedAt":"2026-04-09T20:03:25.389Z","productSlug":null,"productName":null}],"overview":{"scope":"org","content":"**Normalized URL path handling prevents route protection bypass across framework integrations.**\n\nThe most urgent recent activity is a security fix cascading through all framework SDKs. In `@clerk/shared@3.47.4` and `@clerk/shared@4.8.1`, path normalization in `createPathMatcher` was corrected to block URL bypass attempts. This patch shipped across Next.js, Nuxt, Astro, and other integrations almost simultaneously—a sign this was treated as security-critical.\n\n**OAuth consent APIs enable custom authorization flows.** `@clerk/react@6.3.0` added `OAuthApplication` resource and `getConsentInfo()` method, with matching `useOAuthConsent()` hooks in `@clerk/nextjs@7.1.0` and `@clerk/react-router@3.1.0`. An internal `<OAuthConsent />` component for zero-config consent screens shipped in parallel—this moves Clerk toward developer control over the OAuth experience rather than opaque redirects.\n\n**iOS Expo OAuth and UI fixes landed.** `@clerk/expo@3.1.10` resolved silent failures during OAuth sign-in from the forgot password screen and a white flash on mount, plus an Android `<AuthView>` hang after sign-out. These are small but high-friction bugs for mobile developers.\n\n**Express middleware now forwards clock skew tolerance.** `@clerk/express@2.1.1` pipes `clockSkewInMs` from `clerkMiddleware()` through to backend `authenticateRequest()`, closing a configuration gap for token validation in distributed systems.\n\n**Next.js bumped devDep to patch React Server Components DoS (CVE-2026-23869).** `@clerk/nextjs@7.1.0` updated to Next.js `15.5.15` / `16.2.3`. High-severity (CVSS 7.5) RSC vulnerability—worth noting if you're on App Router.\n\n**Dashboard now filters test users and scrolls infinitely on Overview.** Recent platform releases added test user filtering and infinite scroll across user/organization cohorts and waitlist tables—quality-of-life improvements for managing larger datasets in the admin console.","releaseCount":224,"lastContributingReleaseAt":"2026-04-15T15:11:57.000Z","generatedAt":"2026-04-16T15:16:09.072Z","updatedAt":"2026-04-16T15:16:09.072Z"},"knowledgePage":{"scope":"org","content":"**Normalized URL path handling prevents route protection bypass across framework integrations.**\n\nThe most urgent recent activity is a security fix cascading through all framework SDKs. In `@clerk/shared@3.47.4` and `@clerk/shared@4.8.1`, path normalization in `createPathMatcher` was corrected to block URL bypass attempts. This patch shipped across Next.js, Nuxt, Astro, and other integrations almost simultaneously—a sign this was treated as security-critical.\n\n**OAuth consent APIs enable custom authorization flows.** `@clerk/react@6.3.0` added `OAuthApplication` resource and `getConsentInfo()` method, with matching `useOAuthConsent()` hooks in `@clerk/nextjs@7.1.0` and `@clerk/react-router@3.1.0`. An internal `<OAuthConsent />` component for zero-config consent screens shipped in parallel—this moves Clerk toward developer control over the OAuth experience rather than opaque redirects.\n\n**iOS Expo OAuth and UI fixes landed.** `@clerk/expo@3.1.10` resolved silent failures during OAuth sign-in from the forgot password screen and a white flash on mount, plus an Android `<AuthView>` hang after sign-out. These are small but high-friction bugs for mobile developers.\n\n**Express middleware now forwards clock skew tolerance.** `@clerk/express@2.1.1` pipes `clockSkewInMs` from `clerkMiddleware()` through to backend `authenticateRequest()`, closing a configuration gap for token validation in distributed systems.\n\n**Next.js bumped devDep to patch React Server Components DoS (CVE-2026-23869).** `@clerk/nextjs@7.1.0` updated to Next.js `15.5.15` / `16.2.3`. High-severity (CVSS 7.5) RSC vulnerability—worth noting if you're on App Router.\n\n**Dashboard now filters test users and scrolls infinitely on Overview.** Recent platform releases added test user filtering and infinite scroll across user/organization cohorts and waitlist tables—quality-of-life improvements for managing larger datasets in the admin console.","releaseCount":224,"lastContributingReleaseAt":"2026-04-15T15:11:57.000Z","generatedAt":"2026-04-16T15:16:09.072Z","updatedAt":"2026-04-16T15:16:09.072Z"},"playbook":{"scope":"playbook","content":"# Clerk — Playbook\n\n> Agent reference for fetching and maintaining **Clerk** (`clerk`) changelog sources.\n\n**3** active sources · domain: clerk.com\n\n## Sources\n\n| Name | ID | Type | URL | Last Fetched |\n|------|-----|------|-----|--------------|\n| Clerk Changelog | `src_M4sZyGVjPaGt67qbjuo0z` | feed | https://clerk.com/changelog | Apr 18 |\n| JavaScript SDK | `src_f8n2W7t5lZEB2SwUPeqs1` | github | https://github.com/clerk/javascript | Apr 18 |\n| iOS SDK | `src_9YcfOEoAcCmTw1WJUhjLw` | github | https://github.com/clerk/clerk-ios | Apr 18 |\n\n## Agent Notes\n\n### Extraction patterns\n\n- `clerk-changelog` is the canonical platform changelog and should be treated as the primary source for Clerk product announcements. It has a known Atom feed (`https://clerk.com/changelog/atom.xml`) that is used automatically — prefer feed fetching over scrape fallback when the feed is healthy.\n- `clerk-javascript-sdk` (github: clerk/javascript) is a monorepo. Releases are tagged per-package (e.g., `@clerk/nextjs@x.y.z`, `@clerk/react@x.y.z`). Expect many tags per fetch cycle. Filter or group by package prefix when surfacing SDK releases.\n- `clerk-ios-sdk` (github: clerk/clerk-ios) follows standard iOS/Swift versioning (e.g., `1.2.3`). Release volume is lower than the JS monorepo.\n\n### Known quirks\n\n- The JS monorepo produces high release volume — a single bump across packages can generate dozens of GitHub tags. Set reasonable `--max` limits and expect deduplication to be active.\n- The scrape source (`clerk-changelog`) may lag behind GitHub SDK releases; it reflects user-facing platform changes, not every package version bump.\n- No products are defined for Clerk — all three sources are attached directly to the org.\n\n### Source coverage\n\n- **Platform changelog:** `clerk-changelog` (scrape + Atom feed) — covers product announcements and feature launches.\n- **JavaScript ecosystem:** `clerk-javascript-sdk` (GitHub monorepo) — covers all JS/TS packages including Next.js, React, Remix, Express, and Clerk Backend SDKs.\n- **iOS/Swift:** `clerk-ios-sdk` (GitHub) — covers the native iOS SDK.\n- No Android/backend-specific sources are currently tracked. If Clerk adds a dedicated changelog for backend SDKs or mobile, those would be candidates for new sources.\n","updatedAt":"2026-04-18T20:42:36.975Z"}}