
chore: bump @btst/db to 2.2.2#125

Merged
olliethedev merged 2 commits into
mainfrom
chore/bump-btst-db-2.2.2
Jun 10, 2026

Conversation

@olliethedev

@olliethedev olliethedev commented Jun 10, 2026

Collaborator

Summary

  • Bump @btst/db and @btst/adapter-memory from 2.2.1 to 2.2.2 in packages/stack
  • This moves the transitive better-auth / @better-auth/core from 1.6.2 to 1.6.16 (pinned exactly by @btst/db)
  • Bump the better-call catalog entry 1.3.5 → 1.3.6 to satisfy the new @better-auth/core@1.6.16 peer requirement
  • @btst/better-auth-ui is not version-pinned in this repo (CLI installs latest), so no change needed there

Test plan

  • pnpm build passes locally
  • pnpm typecheck passes locally
  • pnpm lint passes locally
  • pnpm test passes locally (225 tests)
  • CI (including codegen E2E) green

Made with Cursor


Note

Medium Risk
Touches the auth/data layer transitively (better-auth, kysely, better-call) across stack and codegen E2E; no code changes, but runtime behavior could shift until CI codegen E2E is green.

Overview
Bumps @btst/db and @btst/adapter-memory from 2.2.1 to 2.2.2 in packages/stack (runtime + dev), and aligns codegen setup scripts and lockfile consumers to @btst/adapter-memory ^2.2.2.

The lockfile refresh pulls in a large better-auth stack upgrade (1.6.2 → 1.6.16 via @btst/db), plus better-call 1.3.5 → 1.3.6 in the workspace catalog to satisfy new @better-auth/core peers. Transitive updates include kysely 0.28 → 0.29, @better-fetch/fetch 1.2.2, and @better-auth/utils 0.4.1; some drizzle-orm edges drop out of certain install graphs (e.g. nitro/db0).

No application or library source changes—only manifests, lockfile, and codegen scaffolding pins.

Reviewed by Cursor Bugbot for commit 5e9a073.

Updates @btst/db and @btst/adapter-memory to 2.2.2, which moves the
transitive better-auth/@better-auth/core to 1.6.16. Bumps the
better-call catalog entry to 1.3.6 to satisfy the new
@better-auth/core peer requirement.

Co-authored-by: Cursor <cursoragent@cursor.com>
@vercel

vercel Bot commented Jun 10, 2026


The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
better-stack-docs | Ready | Preview, Comment | Jun 10, 2026 11:28pm
better-stack-playground | Ready | Preview, Comment | Jun 10, 2026 11:28pm


@cursor cursor Bot left a comment


Security Assessment

This PR bumps @btst/db from 2.2.1 → 2.2.2 and @btst/adapter-memory (devDep) from 2.2.1 → 2.2.2. The lockfile reveals that the internal better-auth dependency moves from 1.6.2 → 1.6.16 for the main @btst/stack package. This is a positive security improvement.


✅ Confirmed improvement: CVE-2026-45337 and related fixes picked up

better-auth@1.6.2 is within the vulnerable range (>= 1.6.0, < 1.6.11) for CVE-2026-45337 (CVSS 7.6 — High):

The deviceAuthorization plugin treated any authenticated session as the owner of any pending device code. An attacker who learns a valid user_code before the legitimate user can bind the device to the attacker's account or deny the legitimate flow.

Upgrading to better-auth@1.6.16 (via @btst/db@2.2.2) resolves this and also picks up:

  • GHSA-7w99-5wm4-3g79 (High) — OAuth authorization-code redemption (fixed 1.6.11)
  • GHSA-392p-2q2v-4372 (High) — OAuth refresh-token rotation (fixed in @better-auth/oauth-provider@1.6.11)
  • SIWE verification bound to server state before session creation
  • JWKS cache scoped per verification source (prevents key cross-contamination)
  • verifyAccessToken now rejects tokens with missing/mismatching aud claim
  • Admin plugin now enforces permissions on role changes
  • Origin header validation on email sign-up against trustedOrigins

⚠️ Residual concern: Example apps still carry @btst/db@2.2.1 → @better-auth/core@1.6.2 internally

Evidence from pnpm-lock.yaml:

The three example apps specify "@btst/adapter-memory": "^2.1.1", which still resolves to @btst/adapter-memory@2.2.1 in the lockfile. While the top-level better-auth for those workspaces has been lifted to 1.6.16 (visible in the updated snapshot hashes), @btst/db@2.2.1 — a sub-dependency inside @btst/adapter-memory@2.2.1 — still resolves against @better-auth/core@1.6.2:

# New snapshots added for @btst/db@2.2.1 variants still reference core@1.6.2:
'@btst/db@2.2.1(154c028...)':
  dependencies:
    '@better-auth/core': 1.6.2(...)     # ← still the vulnerable version
    better-auth: 1.6.2(...)

This means the vulnerable @better-auth/core@1.6.2 is still installed in the monorepo's node_modules as a sub-tree dependency of example apps. The direct auth surface for those apps uses 1.6.16 at the top level, but code within @btst/db@2.2.1 that invokes @better-auth/core will invoke the 1.6.2 instance.

Recommendation: Also bump @btst/adapter-memory from ^2.1.1 to 2.2.2 (pinned or ^2.2.2) in all three example app package.json files to eliminate the 2.2.1 subtree and its embedded @better-auth/core@1.6.2 from the resolved tree entirely.


No new vulnerabilities introduced

  • No application code changes — the diff is entirely package.json and lockfile.
  • No secrets, tokens, or credentials appear in the diff.
  • No injection, SSRF, XSS, or path traversal vectors are introduced.
  • better-call@1.3.5 → 1.3.6: minor bump; no new advisories found.
  • Integrity hashes for @btst/db@2.2.2 and @btst/adapter-memory@2.2.2 are present in the lockfile — verify these match your private registry's published artifacts before merge.

Sent by Cursor Automation: Find vulnerabilities

Comment thread pnpm-lock.yaml
@github-actions

github-actions Bot commented Jun 10, 2026

Contributor

Shadcn registry validated — no registry changes detected.

The codegen E2E projects pinned ^2.1.1, which the lockfile resolved to
2.2.1 (@better-auth/core 1.6.2). With @btst/stack now on @btst/db 2.2.2
(@better-auth/core 1.6.16), the two coexisting core versions caused a
DBAdapter type mismatch (missing consumeOne) during next build.

Co-authored-by: Cursor <cursoragent@cursor.com>
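An added example, not code from this PR or from the @btst project: a small Node.js script that parses the snapshots section of a pnpm-lock.yaml, lists every resolved version of a package, and flags the ones that fall inside an advisory's vulnerable range. It covers both points raised above: the security assessment's finding that a 2.2.1 subtree still resolves @better-auth/core@1.6.2 next to 1.6.16, and the coexisting core versions behind the DBAdapter type mismatch in the commit message. The lockfile text and snapshot hashes are constructed placeholders, the function names are my own, and the 1.6.0 to 1.6.11 range is the one quoted in the assessment.

```javascript
// Added example (not part of the PR): scan a pnpm-lock.yaml "snapshots:"
// section for every resolved version of a package and flag the ones that
// fall inside a known-vulnerable range. SAMPLE_LOCK is a constructed
// lockfile fragment mirroring the review's situation: @btst/db@2.2.1 still
// resolving @better-auth/core@1.6.2 next to @btst/db@2.2.2 on 1.6.16.
// The strings in parentheses stand in for pnpm's peer hashes (placeholders).
const SAMPLE_LOCK = `
lockfileVersion: '9.0'

snapshots:

  '@btst/db@2.2.1(PLACEHOLDER_HASH_A)':
    dependencies:
      '@better-auth/core': 1.6.2(PLACEHOLDER_HASH_B)
      better-auth: 1.6.2(PLACEHOLDER_HASH_B)

  '@btst/db@2.2.2(PLACEHOLDER_HASH_C)':
    dependencies:
      '@better-auth/core': 1.6.16(PLACEHOLDER_HASH_D)
      better-auth: 1.6.16(PLACEHOLDER_HASH_D)

  '@btst/adapter-memory@2.2.1(PLACEHOLDER_HASH_E)':
    dependencies:
      '@btst/db': 2.2.1(PLACEHOLDER_HASH_A)
`;

// Parse the snapshots section into { snapshotKey: { depName: version } }.
// Only the subset of the lockfile grammar needed here is handled: a
// 2-space-indented snapshot key (quoted or not), a "dependencies:" line,
// and 6-space-indented "name: version(peerhash)" entries.
function parseSnapshots(lockText) {
  const snapshots = {};
  let current = null;
  let inSnapshots = false;
  for (const raw of lockText.split('\n')) {
    if (/^snapshots:\s*$/.test(raw)) { inSnapshots = true; continue; }
    if (!inSnapshots) continue;
    if (/^\S/.test(raw)) { inSnapshots = false; continue; } // next top-level key
    const header = raw.match(/^  (['"]?)(\S.*?)\1:\s*$/);
    if (header) { current = header[2]; snapshots[current] = {}; continue; }
    const dep = raw.match(/^      (['"]?)(.+?)\1:\s*(\S+)\s*$/);
    if (dep && current) {
      // Drop the peer suffix "(...)" so only the resolved version remains.
      snapshots[current][dep[2]] = dep[3].replace(/\(.*$/, '');
    }
  }
  return snapshots;
}

// Semver triple comparison (pre-release tags are ignored for this purpose).
function parseVersion(v) {
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when version lies in [min, max), the ">= min, < max" form advisories use.
function inRange(version, min, max) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) < 0;
}

// Every distinct resolved version of pkg, mapped to the snapshots pulling it in.
// More than one key here means two copies of pkg coexist in node_modules.
function resolvedVersions(lockText, pkg) {
  const out = {};
  for (const [key, deps] of Object.entries(parseSnapshots(lockText))) {
    const v = deps[pkg];
    if (!v) continue;
    if (!out[v]) out[v] = [];
    out[v].push(key);
  }
  return out;
}

// Snapshots that pull in a version of pkg inside the vulnerable range.
function findVulnerable(lockText, pkg, min, max) {
  const hits = [];
  for (const [version, parents] of Object.entries(resolvedVersions(lockText, pkg))) {
    if (!inRange(version, min, max)) continue;
    for (const parent of parents) hits.push({ parent, version });
  }
  return hits;
}

// Stand-alone run against the constructed lockfile.
const PKG = '@better-auth/core';
console.log('resolved versions of', PKG, Object.keys(resolvedVersions(SAMPLE_LOCK, PKG)));
for (const h of findVulnerable(SAMPLE_LOCK, PKG, '1.6.0', '1.6.11')) {
  console.log(`VULNERABLE: ${h.parent} -> ${PKG}@${h.version}`);
}
```

Pointed at a real lockfile (read the file instead of SAMPLE_LOCK), the script answers the question the assessment raises: a package is only fully remediated when resolvedVersions reports a single key, and findVulnerable names the exact parent snapshots that still have to be bumped.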
@olliethedev olliethedev merged commit 6315fa9 into main Jun 10, 2026
9 checks passed
@olliethedev olliethedev deleted the chore/bump-btst-db-2.2.2 branch June 10, 2026 23:38