@convex-dev/better-auth

A Better Auth component for Convex.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

cowlingjordanhuntgautamg795emmaling27nipunnaritrakhianatconvexreece-convexerquhartsethconvexjamwtnicolapps

Keywords

convexcomponentauthauthenticationbetter-authconvex-auth

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Established publisher with strong track record; missing gitHead alone is insufficient to block given no other risk signals.	ai	2026/05/30
source-diff	obfuscated-file:dist/test/adapter-factory/basic.d.ts	AI (source-diff): Long lines are TypeScript union types listing test case names, not obfuscated code.	ai	2026/05/28
phantom-deps	phantom-dep:@convex-dev/resend	AI (phantom-deps): Same-org dependency declared but not directly imported; consistent with optional/peer usage pattern in this package.	ai	2026/05/18
dependencies	unvetted-dep:@better-auth/passkey	AI (dependencies): @better-auth/passkey is part of the Better Auth ecosystem (same namespace as the peer dependency better-auth); adding passkey support is a natural feature addition for this auth component.	ai	2026/04/27
publish-pattern	new-deps-added	AI (publish-pattern): @better-auth/passkey and @better-fetch/fetch are part of the better-auth ecosystem; additions are consistent with adding passkey support to this better-auth integration package.	ai	2026/04/27
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers reece-convex and sethconvex follow the Convex org naming convention, consistent with legitimate team expansion for this get-convex org package.	ai	2026/04/27
provenance	no-provenance	AI (provenance): Established package with 61.4k weekly downloads and clean publisher history; lack of provenance is common and not a meaningful risk signal here.	ai	2026/04/27
dependencies	unvetted-dep:convex-helpers	AI (dependencies): convex-helpers is a well-known utility library from the get-convex org, the same organization that maintains this package. Expected dependency for a Convex component.	ai	2026/04/25

Versions (showing 67 of 67)

Version	Deps	Published
0.12.2	8 / 31	2026-05-03
0.12.1	8 / 30	2026-04-29
0.12.0	8 / 30	2026-04-25
0.11.5	8 / 30	2026-04-22
0.11.4	8 / 32	2026-03-28
0.11.3	8 / 32	2026-03-20
0.11.2	8 / 32	2026-03-15
0.11.1	8 / 32	2026-03-12
0.11.0	8 / 32	2026-03-12
0.10.13	9 / 29	2026-02-27
0.10.12	9 / 29	2026-02-26
0.10.11	9 / 29	2026-02-21
0.10.10	9 / 29	2026-01-10
0.10.9	9 / 29	2025-12-24
0.10.8	9 / 29	2025-12-24
0.10.7	9 / 29	2025-12-24
0.10.6	9 / 29	2025-12-19
0.10.5	9 / 29	2025-12-18
0.10.4	9 / 29	2025-12-17
0.10.3	9 / 28	2025-12-17
0.10.2	9 / 28	2025-12-17
0.10.1	9 / 28	2025-12-16
0.10.0	7 / 30	2025-12-16
0.9.11	7 / 31	2025-12-02
0.9.10	7 / 31	2025-12-02
0.9.9	7 / 31	2025-12-01
0.9.8	7 / 31	2025-12-01
0.9.7	7 / 20	2025-11-03
0.9.6	6 / 20	2025-10-15
0.9.5	6 / 20	2025-10-13
0.9.4	6 / 20	2025-10-13
0.9.3	5 / 21	2025-10-11
0.9.2	9 / 21	2025-10-10
0.9.1	9 / 21	2025-10-09
0.9.0	9 / 21	2025-10-07
0.8.9	6 / 23	2025-10-04
0.8.8	6 / 23	2025-10-02
0.8.7	6 / 23	2025-10-02
0.8.6	6 / 23	2025-09-18
0.8.5	6 / 23	2025-09-18
0.8.4	6 / 23	2025-09-17
0.8.3	6 / 23	2025-09-16
0.8.2	6 / 23	2025-09-16
0.8.1	6 / 23	2025-09-15
0.8.0	6 / 23	2025-09-13
0.7.18	5 / 23	2025-09-07
0.7.17	5 / 23	2025-08-26
0.7.16	5 / 23	2025-08-24
0.7.15	5 / 23	2025-08-20
0.7.14	5 / 23	2025-08-14
0.7.13	5 / 23	2025-07-31
0.7.12	5 / 23	2025-07-30
0.7.11	6 / 23	2025-07-24
0.7.10	6 / 21	2025-07-23
0.7.9	6 / 22	2025-07-20
0.7.8	5 / 22	2025-07-18
0.7.7	5 / 22	2025-07-15
0.7.6	5 / 22	2025-07-14
0.7.5	5 / 22	2025-07-14
0.7.4	5 / 22	2025-07-14
0.7.3	5 / 22	2025-07-14
0.7.2	5 / 20	2025-07-12
0.7.1	5 / 20	2025-07-12
0.7.0	5 / 20	2025-07-10
0.6.2	7 / 14	2025-06-27
0.6.1	7 / 14	2025-06-12
0.6.0	7 / 14	2025-06-12

v0.12.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.12.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.3

2 findings

HIGH New obfuscated file: dist/test/adapter-factory/basic.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.2

2 findings

HIGH New obfuscated file: dist/test/adapter-factory/basic.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.1

2 findings

HIGH New obfuscated file: dist/test/adapter-factory/basic.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.11.0

2 findings

HIGH New obfuscated file: dist/test/adapter-factory/basic.d.ts source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.12

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.10.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.18

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: erquhart.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.17

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: erquhart.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.16

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: erquhart.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.15

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.14

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.13

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.12

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.