fix(clerk-js,shared): upgrade Stripe SDK from v5 to v9

[jacekradko]

Summary

• Upgrade @stripe/stripe-js from 5.6.0 to 9.0.0 (4 major versions)
• Upgrade @stripe/react-stripe-js from 3.1.1 to 6.0.0 (3 major versions)
• Add unit tests for usePaymentElement hook covering the confirmSetup flow
• Bump stripe-vendors bundlewatch limit from 1KB to 2KB to accommodate slightly larger v9 vendor chunk (~1.3KB gzipped)

The codebase uses a narrow slice of the Stripe API (SetupIntents + PaymentElement via a forked react-stripe-js wrapper), so the breaking changes across these versions don't affect us:

• redirectToCheckout removed (v8) — not used
• createSource/retrieveSource types removed (v9) — not used, we use confirmSetup
• elements.update() returns Promise<void> (v9) — return value is already ignored
• options.layout.radios no longer accepts boolean (v9) — not used
• Checkout component renames (react-stripe-js v4-v6) — only types imported, no Checkout usage

Note: 9.0.1 / 6.1.0 exist but are blocked by the repo's 2-day minimumReleaseAge policy. Can be bumped in a follow-up.

Test plan

• pnpm build passes for @clerk/shared and @clerk/clerk-js
• All 18 billing/Stripe unit tests pass (8 new usePaymentElement tests + 10 existing)
• New tests cover confirmSetup success, error handling (card_error, validation_error), reset flow, and provider readiness states
• Verify Stripe PaymentElement renders correctly in a dev environment
• Verify confirmSetup flow works end-to-end

Summary by CodeRabbit

• Chores

  • Upgraded Stripe JavaScript library to v9.0.0
  • Upgraded Stripe React library to v6.0.0

• Tests

  • Added test coverage for payment element functionality

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Apr 1, 2026 7:46pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 94c15c7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/shared	Patch
@clerk/chrome-extension	Patch
@clerk/expo	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/react	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/ui	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2e548f66-36b1-49e6-bcde-c2610628c4b2

📥 Commits

Reviewing files that changed from the base of the PR and between 4f86c47 and 94c15c7.

📒 Files selected for processing (1)

• packages/shared/src/react/billing/__tests__/usePaymentElement.spec.tsx

---

📝 Walkthrough

Walkthrough

This PR adds a Changeset entry and bumps Stripe dependencies: @stripe/stripe-js from 5.6.0 to 9.0.0 (in packages) and @stripe/react-stripe-js from 3.1.1 to 6.0.0 (in shared). It increases the bundlewatch threshold for Stripe vendor bundles and adds a Vitest test suite for the experimental payment element hook.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: upgrading Stripe SDK dependencies from v5 to v9 across clerk-js and shared packages, which aligns with the primary objective and changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8223

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8223

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8223

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8223

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8223

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8223

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8223

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8223

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8223

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8223

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8223

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8223

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8223

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8223

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8223

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8223

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8223

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8223

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8223

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8223

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8223

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8223

commit: 94c15c7

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/shared/package.json`:
- Around line 155-156: The Stripe SDK dependency bumps in package.json may
introduce breaking changes; specifically verify the payment confirmation flow by
exercising the confirmSetup() call in the PaymentElement component: add
automated coverage (unit or e2e) that simulates a full setup confirmation flow
(mocking Stripe elements and confirmSetup responses) or provide documented
manual verification steps and screenshots/logs proving confirmSetup() works with
the new `@stripe/stripe-js` and `@stripe/react-stripe-js` versions; update or add
tests targeting the PaymentElement component and its confirmSetup usage, or
revert the dependency change if tests/manual checks fail.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7c03a69a-42ed-4395-a980-2ca0d092fb31

📥 Commits

Reviewing files that changed from the base of the PR and between 82b02eb and a6f6fe6.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .changeset/small-rugs-add.md
• packages/clerk-js/package.json
• packages/shared/package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify whether test files were part of this PR branch changes
git diff --name-only --diff-filter=ACMRT origin/main...HEAD | rg -n '(\.test\.|\.spec\.)' || true

# Locate current critical Stripe flow callsites covered by tests
rg -n --type=ts --type=tsx 'confirmSetup\s*\(' packages/shared packages/clerk-js
rg -n --type=ts --type=tsx 'PaymentElement|useInitializePaymentMethod' packages/shared packages/clerk-js

Repository: clerk/javascript

Length of output: 128

---

🏁 Script executed:

# Check if packages/shared/package.json exists and contains the Stripe versions
cat -n packages/shared/package.json | sed -n '150,160p'

Repository: clerk/javascript

Length of output: 670

---

🏁 Script executed:

# Search for test files related to payments or Stripe
fd -e test.ts -e test.tsx -e spec.ts -e spec.tsx -e test.js -e test.jsx packages/ | head -20

Repository: clerk/javascript

Length of output: 401

---

🏁 Script executed:

# Search for confirmSetup usage in the codebase
rg -n 'confirmSetup' packages/shared packages/clerk-js --max-count=10

Repository: clerk/javascript

Length of output: 180

---

🏁 Script executed:

# Search for PaymentElement usage
rg -n 'PaymentElement' packages/shared packages/clerk-js --max-count=10

Repository: clerk/javascript

Length of output: 4393

---

🏁 Script executed:

cat -n packages/shared/src/react/__tests__/payment-element.test.tsx

Repository: clerk/javascript

Length of output: 11043

---

🏁 Script executed:

# Check recent git changes to understand what was modified
git status
git log --oneline -10

Repository: clerk/javascript

Length of output: 359

---

🏁 Script executed:

# Look for any recent payment-related changes
git diff packages/shared/src/react/billing/payment-element.tsx | head -100

Repository: clerk/javascript

Length of output: 42

---

🏁 Script executed:

# Check if there are other test files that may cover confirmSetup
fd -e test.ts -e test.tsx -e spec.ts -e spec.tsx . packages/ --full-path | grep -i stripe

Repository: clerk/javascript

Length of output: 42

---

🏁 Script executed:

# Check the payment-element.tsx source to see confirmSetup implementation
cat packages/shared/src/react/billing/payment-element.tsx | sed -n '320,340p'

Repository: clerk/javascript

Length of output: 678

---

🏁 Script executed:

# Check what changed in package.json specifically for Stripe
git diff HEAD -- packages/shared/package.json | grep -A 3 -B 3 stripe || echo "No git diff available"

Repository: clerk/javascript

Length of output: 81

---

🏁 Script executed:

# List all modified/added files in the PR
git show --name-only --oneline | head -30

Repository: clerk/javascript

Length of output: 905

---

🏁 Script executed:

# Check the changeset files to understand what's being upgraded
cat .changeset/cozy-lands-grow.md .changeset/nasty-insects-follow.md .changeset/new-seas-pick.md .changeset/polite-camels-chew.md .changeset/small-rugs-add.md 2>/dev/null | head -50

Repository: clerk/javascript

Length of output: 744

---

🏁 Script executed:

# Check if payment-element.test.tsx was modified in this commit
git show HEAD:packages/shared/src/react/__tests__/payment-element.test.tsx > /tmp/test_current.tsx 2>/dev/null && echo "File exists in HEAD" || echo "File does not exist in HEAD"

Repository: clerk/javascript

Length of output: 79

---

🏁 Script executed:

# Get Stripe SDK version changes from changeset or recent commits
rg -A 5 "stripe" .changeset/ 2>/dev/null | head -30

Repository: clerk/javascript

Length of output: 186

---

🏁 Script executed:

# Check the Stripe release notes / breaking changes between versions
# Search web for Stripe SDK v5 to v9 migration guide
cat > /tmp/check_stripe.txt << 'EOF'
Checking Stripe SDK upgrade: v5.6.0 -> v9.0.0 for `@stripe/stripe-js`
and v3.1.1 -> v6.0.0 for `@stripe/react-stripe-js`

Need to verify if confirmSetup API changed in breaking ways.
EOF
cat /tmp/check_stripe.txt

Repository: clerk/javascript

Length of output: 238

---

🏁 Script executed:

# Search for any migration or upgrade guidance in repo
rg -i "stripe.*breaking\|stripe.*migration\|confirmSetup" packages/ --max-count=5

Repository: clerk/javascript

Length of output: 42

---

🏁 Script executed:

# Check if there are any integration tests or e2e tests that might cover this
fd . packages/ -e cy.ts -e e2e.ts -e integration.test.ts -e integration.spec.ts --full-path

Repository: clerk/javascript

Length of output: 42

---

Major Stripe SDK upgrade requires verification of payment confirmation flow before merge.

Lines 155-156 upgrade Stripe SDKs across major versions (v5→v9 for stripe-js, v3→v6 for react-stripe-js). These are significant version jumps that may introduce breaking changes. The confirmSetup() call at packages/shared/src/react/billing/payment-element.tsx:329 is critical billing code that must be verified to work correctly after this upgrade. Add test coverage (unit or e2e) or manual verification evidence for the payment confirmation flow before merging to prevent runtime billing failures.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/shared/package.json` around lines 155 - 156, The Stripe SDK
dependency bumps in package.json may introduce breaking changes; specifically
verify the payment confirmation flow by exercising the confirmSetup() call in
the PaymentElement component: add automated coverage (unit or e2e) that
simulates a full setup confirmation flow (mocking Stripe elements and
confirmSetup responses) or provide documented manual verification steps and
screenshots/logs proving confirmSetup() works with the new `@stripe/stripe-js` and
`@stripe/react-stripe-js` versions; update or add tests targeting the
PaymentElement component and its confirmSetup usage, or revert the dependency
change if tests/manual checks fail.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/shared/src/react/billing/__tests__/usePaymentElement.spec.tsx`:
- Around line 7-8: Replace the explicit any annotations on mockStripe,
mockElements and submitResult with safer types (e.g., use unknown or the
specific Stripe types from `@stripe/stripe-js`) and narrow them where used; for
example change mockStripe: any and mockElements: any to mockStripe: unknown and
mockElements: unknown (or to Stripe | null / StripeElements | null if you import
those interfaces) and update the test usages by adding type guards or casts only
at the points of interaction (e.g., before calling
mockStripe.createPaymentMethod or mockElements.getElement) so the code is
statically typed and still mockable; ensure submitResult is typed (unknown or a
specific result interface) and narrowed before asserting fields.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 364798fd-739c-417b-a0fe-5c4cbb9e4ec9

📥 Commits

Reviewing files that changed from the base of the PR and between 042fd15 and 4f86c47.

📒 Files selected for processing (1)

• packages/shared/src/react/billing/__tests__/usePaymentElement.spec.tsx

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify no explicit `any` remains in this test file.
rg -nP '\bany\b' packages/shared/src/react/billing/__tests__/usePaymentElement.spec.tsx

Repository: clerk/javascript

Length of output: 220

---

Remove explicit any type annotations in this test file.

The Stripe mock objects and submit results use any, which violates the repository's TypeScript guidelines and can mask type regressions in upgrade tests. Provide proper types for mockStripe, mockElements, and submitResult variables.

Proposed fix

-let mockStripe: any = null;
-let mockElements: any = null;
+type MockStripe = {
+  confirmSetup: ReturnType<typeof vi.fn>;
+};
+
+type MockElements = {
+  create: ReturnType<typeof vi.fn>;
+  update: ReturnType<typeof vi.fn>;
+};
+
+type SubmitResult = Awaited<
+  ReturnType<ReturnType<typeof __experimental_usePaymentElement>['submit']>
+>;
+
+let mockStripe: MockStripe | null = null;
+let mockElements: MockElements | null = null;
@@
-      let submitResult: any;
+      let submitResult: SubmitResult;
@@
-      let submitResult: any;
+      let submitResult: SubmitResult;
@@
-      let submitResult: any;
+      let submitResult: SubmitResult;

Per coding guidelines: "Avoid any type - prefer unknown when type is uncertain, then narrow with type guards" and "No any types without justification in code review". Instances at lines 7, 8, 135, 167, 198.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/shared/src/react/billing/__tests__/usePaymentElement.spec.tsx`
around lines 7 - 8, Replace the explicit any annotations on mockStripe,
mockElements and submitResult with safer types (e.g., use unknown or the
specific Stripe types from `@stripe/stripe-js`) and narrow them where used; for
example change mockStripe: any and mockElements: any to mockStripe: unknown and
mockElements: unknown (or to Stripe | null / StripeElements | null if you import
those interfaces) and update the test usages by adding type guards or casts only
at the points of interaction (e.g., before calling
mockStripe.createPaymentMethod or mockElements.getElement) so the code is
statically typed and still mockable; ensure submitResult is typed (unknown or a
specific result interface) and narrowed before asserting fields.

[dstaley]

I believe the highest we can upgrade to is stripe.js v6.1.0, which is the last major stripe.js aligned with the acacia API versions, which is what we use on the backend. Stripe's documentation recommends using the same versions on the frontend as the backend.

When performing API requests, each versioned Stripe.js automatically uses the API version associated with the Stripe.js version. That is, the Stripe.js acacia version uses a compatible API version such as 2024-12-18.acacia (which includes the date) to represent the release date of the API version. You can’t override the API version.

We recommend that businesses keep the Stripe.js version and server-side API version on the same release train. For example, if you use Stripe.js acacia, you can safely use 2025-02-24.acacia or another acacia minor version on your application server. Gradual updates are safe, so you don’t need to release both at the same time.

[jacekradko]

Thanks @dstaley ! Will adjust the PR accordingly