9.6.0-alpha.37

9.6.0-alpha.37 (2026-03-18)

Bug Fixes

• Security fix fast-xml-parser from 5.5.5 to 5.5.6 (#10235) (f521576)

9.6.0-alpha.36

9.6.0-alpha.36 (2026-03-18)

Bug Fixes

• Rate limit bypass via HTTP method override and batch method spoofing (#10234) (7d72d26)

9.6.0-alpha.35

9.6.0-alpha.35 (2026-03-17)

Bug Fixes

• Protected fields leak via LiveQuery afterEvent trigger (GHSA-5hmj-jcgp-6hff) (#10232) (6648500)

9.6.0-alpha.34

9.6.0-alpha.34 (2026-03-17)

Bug Fixes

• Input type validation for query operators and batch path (#10230) (a628911)

9.6.0-alpha.33

9.6.0-alpha.33 (2026-03-17)

Features

• Add enableProductPurchaseLegacyApi option to disable legacy IAP validation (#10228) (622ee85)

8.6.50

8.6.50 (2026-03-17)

Bug Fixes

• Protected fields leak via LiveQuery afterEvent trigger (GHSA-5hmj-jcgp-6hff) (#10233) (743324e)

9.6.0-alpha.32

9.6.0-alpha.32 (2026-03-16)

Bug Fixes

• Instance comparison with instanceof is not realm-safe (#10225) (51efb1e)

9.6.0-alpha.31

9.6.0-alpha.31 (2026-03-16)

Bug Fixes

• Validate authData provider values in challenge endpoint (#10224) (e5e1f5b)

9.6.0-alpha.30

9.6.0-alpha.30 (2026-03-16)

Bug Fixes

• Block dot-notation updates to authData sub-fields and harden login provider checks (#10223) (12c24c6)

9.6.0-alpha.29

9.6.0-alpha.29 (2026-03-16)

Bug Fixes

• Empty authData bypasses credential requirement on signup (GHSA-wjqw-r9x4-j59v) (#10219) (5dcbf41)