fix(clerk-js): If password is enabled, instanceIsPasswordBased is true

[dmoerner]

The Clerk Dashboard now has improved support for enabling an instance configuration with password enabled, but not required. Such a configuration makes passwords optional on sign-up, allows users to add them to accounts, and allows users to use them for sign-in. Previously, passwords were both enabled and required together.

If the instance is configured with password enabled but not required, the SDK should still treat the instance as password based. Modify UserSettings.instanceIsPasswordBased to return true in this configuration. This (a) makes sure that the password card is displayed on the SecurityPage so that users can modify their passwords, and (b) allows instant password sign in.

Fixes USER-3245. Tested with unit testing and with local Clerk.

Revised and simplified version of
#6592 which modifies UserSettings.instanceIsPasswordBased instead of adding a new property.

Description

Checklist

• pnpm test runs as expected (for clerk-js package)
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes

  • Instances with passwords enabled (even if not required) are now treated as password-based. This ensures password sign-in flows behave consistently, instant password autofill works as expected, and the Password section appears in security settings when applicable.

• Tests

  • Updated test scenarios to reflect the new password-enabled behavior, removing assumptions that passwords must be required.

[changeset-bot]

🦋 Changeset detected

Latest commit: 972d056

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Aug 21, 2025 1:45pm

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6599

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6599

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6599

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6599

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6599

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6599

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6599

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6599

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6599

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6599

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6599

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6599

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6599

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6599

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6599

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6599

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6599

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6599

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6599

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6599

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6599

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6599

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6599

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6599

commit: 972d056

[coderabbitai]

📝 Walkthrough

Walkthrough

The change updates UserSettings.instanceIsPasswordBased to return true when password.enabled is true, regardless of password.required. Corresponding tests are adjusted to reflect the new logic: SecurityPage now treats an instance with password enabled (even if not required) as password-based, and SignInStart tests use withPassword() without requiring it. A patch-level changeset is added for @clerk/clerk-js. No public API signatures change.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Show password-related UI when password is enabled but not required (USER-3245)	✅
Update instant password sign-in behavior for enabled-but-not-required password (USER-3245)	✅

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.changeset/khaki-ravens-cheer.md (1)

5-5: Tighten wording and reference the issue for better traceability.

Current sentence is a bit terse and flagged by grammar checks. Suggest clarifying impact and linking the bug ID.

Apply this diff:

-Update `UserSettings.instanceIsPasswordBased` to return true if password is enabled but not required.
+Treat instances as password-based when passwords are enabled, even if they are not required at sign-up. This shows the Password section in User Profile and enables instant password sign-in.
+
+Fixes USER-3245.

packages/clerk-js/src/core/resources/UserSettings.ts (1)

193-195: Add JSDoc and explicit return type to clarify semantics.

Per guidelines, add clear docs and an explicit return type. This getter’s meaning changed subtly; documenting it will prevent misuse.

-  get instanceIsPasswordBased() {
-    return Boolean(this.attributes?.password?.enabled);
-  }
+  /**
+   * Returns true when passwords are enabled for the instance, regardless of whether they are required at sign-up.
+   * Used to drive UI (e.g., Password section in SecurityPage) and instant password sign-in availability.
+   */
+  get instanceIsPasswordBased(): boolean {
+    return Boolean(this.attributes?.password?.enabled);
+  }

packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts (1)

58-91: Add a case for missing password attribute to guard snapshot variability.

Older snapshots or minimized payloads may omit attributes.password entirely. The getter already handles this (returns false), so adding a test will codify the expectation.

Proposed addition (outside the current block):

// When password attribute is absent, treat as not password-based
expect(new UserSettings({ attributes: {} } as any).instanceIsPasswordBased).toEqual(false);

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c3facf1 and 972d056.

📒 Files selected for processing (5)

• .changeset/khaki-ravens-cheer.md (1 hunks)
• packages/clerk-js/src/core/resources/UserSettings.ts (1 hunks)
• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx (1 hunks)
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx (1 hunks)

🧰 Additional context used

📓 Path-based instructions (15)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/UserSettings.ts

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/UserSettings.ts

packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/UserSettings.ts

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/UserSettings.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/UserSettings.ts

packages/**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Unit tests should use Jest or Vitest as the test runner.

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

packages/{clerk-js,elements,themes}/**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Visual regression testing should be performed for UI components.

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/UserSettings.ts

**/__tests__/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/__tests__/**/*.{ts,tsx}: Create type-safe test builders/factories
Use branded types for test isolation
Implement proper mock types that match interfaces

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*

⚙️ CodeRabbit configuration file

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

Files:

• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/UserSettings.ts

.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

• .changeset/khaki-ravens-cheer.md

packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should always be camelCase
Use element descriptors in UI components to enable consistent theming and styling via appearance.elements
Element descriptors should generate unique, stable CSS classes for theming
Element descriptors should handle state classes (e.g., cl-loading, cl-active, cl-error, cl-open) automatically based on component state
Do not render hard-coded values; all user-facing strings must be localized using provided localization methods
Use the useLocalizations hook and localizationKeys utility for all text and error messages
Use the styled system (sx prop, theme tokens, responsive values) for custom component styling
Use useCardState for card-level state, useFormState for form-level state, and useLoadingStatus for loading states
Always use handleError utility for API errors and use translateError for localized error messages
Use useFormControl for form field state, implement proper validation, and handle loading and error states in forms
Use localization keys for all form labels and placeholders
Use element descriptors for consistent styling and follow the theme token system
Use the Card and FormContainer patterns for consistent UI structure

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{jsx,tsx}: Use error boundaries in React components
Minimize re-renders in React components

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components: UserProfile, NavigationMenu
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Use useState for simple state management
Use useReducer for complex state logic
Implement proper state initialization
Use proper state updates with callbacks
Implement proper state cleanup
Use Context API for theme/authentication
Implement proper state selectors
Use proper state normalization
Implement proper state persistence
Use React.memo for expensive components
Implement proper useCallback for handlers
Use proper useMemo for expensive computations
Implement proper virtualization for lists
Use proper code splitting with React.lazy
Implement proper cleanup in useEffect
Use proper refs for DOM access
Implement proper event listener cleanup
Use proper abort controllers for fetch
Implement proper subscription cleanup
Use proper HTML elements
Implement proper ARIA attributes
Use proper heading hierarchy
Implement proper form labels
Use proper button types
Implement proper focus management
Use proper keyboard shortcuts
Implement proper tab order
Use proper skip links
Implement proper focus traps
Implement proper error boundaries
Use proper error logging
Implement proper error recovery
Use proper error messages
Implement proper error fallbacks
Use proper form validation
Implement proper error states
Use proper error messages
Implement proper form submission
Use proper form reset
Use proper component naming
Implement proper file naming
Use proper prop naming
Implement proper...

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.tsx

📄 CodeRabbit inference engine (.cursor/rules/react.mdc)

**/*.tsx: Use proper type definitions for props and state
Leverage TypeScript's type inference where possible
Use proper event types for handlers
Implement proper generic types for reusable components
Use proper type guards for conditional rendering

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.test.{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/react.mdc)

**/*.test.{jsx,tsx}: Use React Testing Library
Test component behavior, not implementation
Use proper test queries
Implement proper test isolation
Use proper test coverage
Test component interactions
Use proper test data
Implement proper test setup
Use proper test cleanup
Implement proper test assertions
Use proper test structure

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

🧬 Code graph analysis (1)

packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts (2)

packages/clerk-js/src/core/resources/UserSettings.ts (1)

• UserSettings (47-265)

packages/types/src/userSettings.ts (1)

• UserSettingsJSON (112-130)

🪛 LanguageTool

.changeset/khaki-ravens-cheer.md

[grammar] ~5-~5: There might be a mistake here.
Context: ...instanceIsPasswordBased` to return true if password is enabled but not required.

(QB_NEW_EN)

---

[grammar] ~5-~5: There might be a mistake here.
Context: ...if password is enabled but not required.

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (26)

• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 14)
• GitHub Check: Integration Tests (tanstack-react-router, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (expo-web, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (elements, chrome)
• GitHub Check: Integration Tests (quickstart, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Publish with pkg-pr-new
• GitHub Check: Static analysis
• GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
• GitHub Check: Unit Tests (22, **)
• GitHub Check: semgrep/ci
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (6)

packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx (1)

35-35: LGTM: test now reflects the new “enabled ⇒ password-based” semantics.

Switching to f.withPassword() aligns this test with the updated instanceIsPasswordBased behavior and the PR objective to show the Password section when passwords are enabled but not required.

packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx (2)

440-440: LGTM: fixture change matches the instant password sign-in requirement.

Using f.withPassword() ensures the test covers the case where passwords are enabled (not necessarily required), matching the new behavior and the customer scenario.

---

438-441: Fixture defaults confirmed—no test changes needed.

I’ve verified that the withPassword() helper in fixtureHelpers.ts sets
• enabled: true
• required: false
by default (lines 481–487), so the SignInStart test is correctly exercising the intended path.
No updates to the test fixtures are required.

packages/clerk-js/src/core/resources/UserSettings.ts (2)

193-195: Behavior change is correct and matches product direction.

Returning Boolean(this.attributes?.password?.enabled) is the right simplification to treat “password enabled (even if not required)” as password-based. This unblocks SecurityPage visibility and instant password sign-in as intended by USER-3245.

---

197-203: No downstream assumptions broken by updated required logic

I scanned all occurrences of instanceIsPasswordBased across the UI code and found only two usages:

• In SignInStart.tsx, where it drives the “password-based” tab of the sign-in flow.
• In UserProfile/SecurityPage.tsx, where it toggles the visibility of the password settings.

In both places, showing or hiding password UI based on whether password auth is enabled (rather than “required”) is the intended behavior. No component was relying on the stricter “username && password required” semantics, so the broadened definition is safe.

With that double-check complete, no further changes are needed here.

packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts (1)

78-90: Good additions: covers enabled:true/required:false and fully disabled.

These assertions lock in the new semantics and protect against regressions.