releases.shpreview

Stored XSS via session claims fixed; initialization hardened

@clerk/astro@3.4.19

2 fixesThis release2 fixesBug fixesAI-tallied from the release notes
From the original release noteView original ↗

Patch Changes

  • Fix Astro initialization when bundled ui or prefetchUI: false is passed to the integration. (#8628) by @jescalan

  • Escape <, >, and / when serializing the Clerk auth state into SSR <script> tags, preventing a </script> sequence inside user-controllable session claims from breaking out of the script element (stored XSS). The embedded JSON still parses to identical values on the client. (#9166) by @dominic-clerk

  • Updated dependencies [bcbdda6, e657d99]:

    • @clerk/shared@4.25.5
    • @clerk/backend@3.11.7

Fetched July 16, 2026

Stored XSS via session claims fixed; initialization… — releases.sh