Release v15.0.0 (#2811)

### Highlights

This release upgrades `auth0-js` to
[v10.0.0](https://github.com/auth0/auth0.js/releases/tag/v10.0.0), which
resolves
[CVE-2026-42280](https://www.cve.org/CVERecord?id=CVE-2026-42280) — a
security vulnerability in token validation for browser-based
applications.

**⚠️ Breaking Changes**

  **HS256 token signing is no longer supported.**

**Changed**

- fix(deps): remove `trim` dependency
[\#2783](#2783)
([gameroman](https://github.com/gameroman))

  The third-party `trim` package has been removed.

Release v14.3.0 (#2775)

**Added**
- feat(types): ship TypeScript definitions directly from the lock repo
[\#2763](#2763)
([ankita10119](https://github.com/ankita10119))

**Changed**
- chore(deps): upgrade webpack-dev-server to v5, auth0-password-policies
to 3.1.0, and fix dev setup
[\#2771](#2771)
([ankita10119](https://github.com/ankita10119))

**Deprecated**
- chore: remove deprecated yammer, renren, miicard strategies
[\#2747](#2747)
([omarquazi-okta](https://github.com/omarquazi-okta))

**Fixed**
- Fix: TypeError in matchConnection and findADConnectionWithoutDomain
for enterprise connections with null/undefined domains (#2749)
[\#2758](#2758)
([ankita10119](https://github.com/ankita10119))

Release v14.2.5 (#2745)

**Fixed**
- Fix: TypeError when CordovaAuth0Plugin is not a constructor (auth0-js
9.30.1+) [\#2742](#2742)
([ankita10119](https://github.com/ankita10119))
- Fix: TypeError in matchConnection for enterprise connections with no
domains [\#2736](#2736)
([ankita10119](https://github.com/ankita10119))

Release v14.2.4 (#2721)

**Fixed**
- fix: update className and InputWrap name in SelectInput component
(#2534) [\#2719](#2719)
([ankita10119](https://github.com/ankita10119))
- fix: handle undefined and empty domain values in HRD screen (#2526)
[\#2720](#2720)
([ankita10119](https://github.com/ankita10119))
- fix: add 'too_many_attempts' to error codes in logInError function
[\#2718](#2718)
([ankita10119](https://github.com/ankita10119))

Release v14.2.3 (#2713)

**Added**
- feat: add too_many_attempts error to passwordless
[\#2700](#2700)
([avamachado-okta](https://github.com/avamachado-okta))

**Changed**
- Update: Upgrade Node.js from 18 to 22
[\#2711](#2711)
([ankita10119](https://github.com/ankita10119))

Release v14.2.2 (#2707)

**Fixed**
- Fix: Auth0-Lock Error with React 19 and Nextjs 15
[\#2701](#2701)
([ankita10119](https://github.com/ankita10119))

Release v14.2.1 (#2698)

**Fixed**

- Fix: connectionResolver receives incorrect field value when switching
between Login and Sign-up tabs
[\#2697](#2697)
([ankita10119](https://github.com/ankita10119))

Release v14.2.0 (#2686)

**Added**
- feat: add Claude Code PR Review workflow
[\#2679](#2679)
([ankita10119](https://github.com/ankita10119))

**Fixed**
- fix: captcha not rendering for initial signup screen in classic login
[\#2677](#2677)
([paebanks](https://github.com/paebanks))

Release v14.1.0 (#2674)

### Changed 

- Bump karma from 6.4.3 to 6.4.4
- Bump pbkdf2 from 3.1.2 to 3.1.3
- Bump validator from 13.15.0 to 13.15.15
- Bump sha.js from 2.4.11 to 2.4.12
- Bump cipher-base from 1.0.4 to 1.0.6
- Bump codecov/codecov-action from 5.4.3 to 5.5.1
- Bump puppeteer from 24.9.0 to 24.19.0
- Bump tmp from 0.2.3 to 0.2.5
- bump fsevents to latest(SEC- 2161)
- Bump eslint-plugin-react from 7.34.1 to 7.37.5
- Bump @grpc/grpc-js and @google-cloud/translate

### Fixed

- Fix: social connection names not showing displayName correctly
[\#2651](#2651)
([omarquazi-okta](https://github.com/omarquazi-okta))
- Update old Twitter icon and name to "X"
[\#2649](#2649)
([omarquazi-okta](https://github.com/omarquazi-okta))
- Fix issue 2546 - TypeError: Super expression must either be null or a
function [\#2578](#2578)
([Hworden](https://github.com/Hworden))
- Fix: Accessibility Issues #2624
[\#2642](#2642)
([ankita10119](https://github.com/ankita10119))
- fix: Rename shop strategy
[\#2641](#2641)
([omarquazi-okta](https://github.com/omarquazi-okta))
- Fix release pipeline cdn
[\#2628](#2628)
([developerkunal](https://github.com/developerkunal))
- Fix Release PIPELINE [\#2627](#2627)
([developerkunal](https://github.com/developerkunal))
- chore: update .gitignore and Makefile for Puppeteer cache and config
directories [\#2626](#2626)
([developerkunal](https://github.com/developerkunal))
- Fix Makefile for Puppeteer cache support
[\#2625](#2625)
([developerkunal](https://github.com/developerkunal))


### Removed


- chore(ci): Remove Semgrep GHA Workflow
[\#2650](#2650)
([eduardoboronat-okta](https://github.com/eduardoboronat-okta))

### Security

- security: Remove vulnerable node-es-module-loader dependency
(SEC-2160) [\#2629](#2629)
([harekrishnarai](https://github.com/harekrishnarai))



### Testing

<!--
Please describe how this can be tested by reviewers. Be specific about
anything not tested and reasons why. If this library has unit and/or
integration testing, tests should be added for new functionality and
existing tests should complete without errors.
-->

* [ ] This change adds unit test coverage
* [ ] This change adds integration test coverage
* [ ] This change has been tested on the latest version of the
platform/language

### Checklist

* [x] I have read the [Auth0 general contribution
guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
* [x] I have read the [Auth0 Code of
Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
* [x] All code quality tools/guidelines have been run/followed
* [x] All relevant assets have been compiled

Release/v13.2.0 (#2652)

**Fixes**
- Update old Twitter icon and name to "X"
[\#2649](#2649) ([
omarquazi-okta](https://github.com/omarquazi-okta))
- Fix: social connection names not showing displayName correctly
[\#2651](#2651) ([
omarquazi-okta](https://github.com/omarquazi-okta))
- Fix: Accessibility Issues
[\#2624](#2624)
([ankita10119](https://github.com/ankita10119))
- security: Remove vulnerable node-es-module-loader dependency
(SEC-2160) [\#2629](#2629)
([harekrishnarai](https://github.com/harekrishnarai))