fix(deps): patch @clerk/nextjs to 6.39.2 and @clerk/shared to 3.47.5

[tobyhede]

Bumps the security catalog entry for @clerk/nextjs 6.31.2 → 6.39.2, which transitively updates @clerk/shared 3.41.0 → 3.47.5.

Both fix versions satisfy CVE-2026-41248 / GHSA-vqx2-fgx2-5wq9 — createRouteMatcher / createPathMatcher can be bypassed by crafted requests, allowing them to skip middleware gating and reach downstream handlers. Sessions are not compromised; the bypass only affects middleware-level route gating.

Resolves two Linear issues in one PR:

• CIP-3025 (@clerk/shared 3.x → 3.47.4)
• CIP-3026 (@clerk/nextjs 6.x → 6.39.2)

This is an automated security patch update.

Summary by CodeRabbit

• Chores
  • Updated Clerk authentication library dependency from version 6.31.2 to 6.39.2 for improved stability and compatibility.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f77cd3f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Warning

Rate limit exceeded

@coderdan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 26 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c0b75e7c-24c8-42d7-b186-c7f55661737f

📥 Commits

Reviewing files that changed from the base of the PR and between bdefcbf and f77cd3f.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• package.json
• pnpm-workspace.yaml

📝 Walkthrough

Walkthrough

The pull request updates the @clerk/nextjs dependency version from 6.31.2 to 6.39.2 across workspace-wide dependency catalog configuration files. Both package.json and pnpm-workspace.yaml catalog entries are synchronized to reference the newer version.

Changes

Cohort / File(s)	Summary
Dependency Catalog Updates package.json, pnpm-workspace.yaml	Version bump for @clerk/nextjs from 6.31.2 to 6.39.2 in workspace-wide dependency catalogs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

• yujiyokoo
• coderdan

Poem

🐰 A version hop, so small and sweet,
From 6.31 to 6.39 we leap with feat,
Clerk's magic updated in every place,
Workspace catalogs keeping perfect pace! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: patching @clerk/nextjs to 6.39.2 and @clerk/shared to 3.47.5, which aligns with the dependency updates shown in both package.json and pnpm-workspace.yaml.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-cip-3026-clerk-nextjs-patch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 12 minutes and 26 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

package.json (1)

26-39: ⚠️ Potential issue | 🟡 Minor

Synchronize @cipherstash/auth version in catalogs.

The @cipherstash/auth version in the repo catalog differs:

• package.json (line 28): 0.35.0
• pnpm-workspace.yaml: 0.36.0 (matches npm latest)

Update package.json to use 0.36.0 for consistency across workspace configuration.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 26 - 39, Update the catalogs entry for the package
"@cipherstash/auth" in package.json (under the "catalogs" -> "repo" object) from
"0.35.0" to "0.36.0" so it matches the version specified in pnpm-workspace.yaml
and the npm latest; ensure the string value is changed exactly to "0.36.0" to
keep workspace dependency versions consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@package.json`:
- Around line 26-39: Update the catalogs entry for the package
"@cipherstash/auth" in package.json (under the "catalogs" -> "repo" object) from
"0.35.0" to "0.36.0" so it matches the version specified in pnpm-workspace.yaml
and the npm latest; ensure the string value is changed exactly to "0.36.0" to
keep workspace dependency versions consistent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4711a0d5-7dde-4997-a967-4029f603c0b3

📥 Commits

Reviewing files that changed from the base of the PR and between dd59a9e and bdefcbf.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• package.json
• pnpm-workspace.yaml

[auxesis]

Thanks for this @tobyhede ❤️