Revert "fix(clerk-js): If password is enabled, instanceIsPasswordBased is true (#6599)"

[dmoerner]

This reverts commit a23b718. There is additional backend logic which we need to verify for this attribute combination, and I don't want to push this change to the SDK prematurely.

Description

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes
  • Instances are now considered password-based only when passwords are both enabled and required, avoiding unintended password prompts.
  • Sign-in flow and Security page consistently reflect whether a password is required, improving user authentication clarity.

[changeset-bot]

🦋 Changeset detected

Latest commit: a38bfa3

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Aug 26, 2025 6:35pm

[coderabbitai]

Walkthrough

The PR removes one changeset entry, adds an empty changeset file, tightens UserSettings.instanceIsPasswordBased to require both password.enabled and password.required, and updates tests and fixtures to reflect the required-password behavior.

Changes

Cohort / File(s)	Summary
Changeset files .changeset/khaki-ravens-cheer.md, .changeset/lemon-paths-brake.md	Deleted the prior changeset entry (khaki-ravens-cheer.md) and added a new, empty changeset file (lemon-paths-brake.md).
Core logic: UserSettings packages/clerk-js/src/core/resources/UserSettings.ts	instanceIsPasswordBased now returns true only when both password.enabled and password.required are truthy.
Core tests: UserSettings packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts	Removed test scenarios that treated password.enabled: true with required: false as password-based; adjusted remaining assertions to match the new logic.
UI tests: SignIn packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx	Fixture call changed from withPassword() to withPassword({ required: true }) to make password required in the test setup.
UI tests: UserProfile/Security packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx	Fixture call changed from withPassword() to withPassword({ required: true }) to make password required in the test setup.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant UI as UI Component / Tests
  participant US as UserSettings
  participant CFG as Instance Config

  UI->>US: request instanceIsPasswordBased
  US->>CFG: read password.enabled, password.required
  alt enabled AND required
    US-->>UI: true
  else otherwise
    US-->>UI: false
  end

  note right of UI: Tests updated to call withPassword({ required: true })

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble on bytes beneath the moon,
Enabled and required now sing in tune.
Tests rearranged to match the rule,
A changeset tucked away in the burrowed pool.
Hops of joy — the rabbit grins, code soon. 🐇✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch daniel/revert-password-enabled-change

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6643

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6643

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6643

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6643

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6643

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6643

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6643

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6643

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6643

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6643

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6643

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6643

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6643

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6643

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6643

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6643

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6643

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6643

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6643

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6643

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6643

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6643

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6643

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6643

commit: a38bfa3

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/clerk-js/src/core/resources/UserSettings.ts (1)

193-195: Make optional chaining consistent and null-safe in instanceIsPasswordBased

Minor nit: use optional chaining on both sides for consistency and future-safety. Functionally equivalent today (given defaults), but safer and clearer.

Apply this diff:

-    return Boolean(this.attributes?.password?.enabled && this.attributes.password?.required);
+    return Boolean(this.attributes?.password?.enabled && this.attributes?.password?.required);

Optionally, add a brief JSDoc to document the reverted semantics (enabled AND required):

/** True when password sign-in is both enabled and required for the instance. */
get instanceIsPasswordBased() { /* ... */ }

If helpful, I can add/adjust unit tests to explicitly assert:

• enabled=true, required=true -> true
• enabled=true, required=false -> false
• enabled=false, required=false -> false

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f871573 and 656e0a6.

📒 Files selected for processing (5)

• .changeset/khaki-ravens-cheer.md (0 hunks)
• packages/clerk-js/src/core/resources/UserSettings.ts (1 hunks)
• packages/clerk-js/src/core/resources/__tests__/UserSettings.spec.ts (0 hunks)
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx (1 hunks)
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx (1 hunks)

💤 Files with no reviewable changes (2)

• .changeset/khaki-ravens-cheer.md
• packages/clerk-js/src/core/resources/tests/UserSettings.spec.ts

🧰 Additional context used

📓 Path-based instructions (13)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/clerk-js/src/core/resources/UserSettings.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/clerk-js/src/core/resources/UserSettings.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/clerk-js/src/core/resources/UserSettings.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/clerk-js/src/core/resources/UserSettings.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/clerk-js/src/core/resources/UserSettings.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/clerk-js/src/core/resources/UserSettings.ts
• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

packages/clerk-js/src/ui/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/clerk-js-ui.mdc)

packages/clerk-js/src/ui/**/*.{ts,tsx}: Element descriptors should always be camelCase
Use element descriptors in UI components to enable consistent theming and styling via appearance.elements
Element descriptors should generate unique, stable CSS classes for theming
Element descriptors should handle state classes (e.g., cl-loading, cl-active, cl-error, cl-open) automatically based on component state
Do not render hard-coded values; all user-facing strings must be localized using provided localization methods
Use the useLocalizations hook and localizationKeys utility for all text and error messages
Use the styled system (sx prop, theme tokens, responsive values) for custom component styling
Use useCardState for card-level state, useFormState for form-level state, and useLoadingStatus for loading states
Always use handleError utility for API errors and use translateError for localized error messages
Use useFormControl for form field state, implement proper validation, and handle loading and error states in forms
Use localization keys for all form labels and placeholders
Use element descriptors for consistent styling and follow the theme token system
Use the Card and FormContainer patterns for consistent UI structure

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{jsx,tsx}: Use error boundaries in React components
Minimize re-renders in React components

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components: UserProfile, NavigationMenu
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Use useState for simple state management
Use useReducer for complex state logic
Implement proper state initialization
Use proper state updates with callbacks
Implement proper state cleanup
Use Context API for theme/authentication
Implement proper state selectors
Use proper state normalization
Implement proper state persistence
Use React.memo for expensive components
Implement proper useCallback for handlers
Use proper useMemo for expensive computations
Implement proper virtualization for lists
Use proper code splitting with React.lazy
Implement proper cleanup in useEffect
Use proper refs for DOM access
Implement proper event listener cleanup
Use proper abort controllers for fetch
Implement proper subscription cleanup
Use proper HTML elements
Implement proper ARIA attributes
Use proper heading hierarchy
Implement proper form labels
Use proper button types
Implement proper focus management
Use proper keyboard shortcuts
Implement proper tab order
Use proper skip links
Implement proper focus traps
Implement proper error boundaries
Use proper error logging
Implement proper error recovery
Use proper error messages
Implement proper error fallbacks
Use proper form validation
Implement proper error states
Use proper error messages
Implement proper form submission
Use proper form reset
Use proper component naming
Implement proper file naming
Use proper prop naming
Implement proper...

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

packages/**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Unit tests should use Jest or Vitest as the test runner.

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

packages/{clerk-js,elements,themes}/**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Visual regression testing should be performed for UI components.

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.tsx

📄 CodeRabbit inference engine (.cursor/rules/react.mdc)

**/*.tsx: Use proper type definitions for props and state
Leverage TypeScript's type inference where possible
Use proper event types for handlers
Implement proper generic types for reusable components
Use proper type guards for conditional rendering

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/*.test.{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/react.mdc)

**/*.test.{jsx,tsx}: Use React Testing Library
Test component behavior, not implementation
Use proper test queries
Implement proper test isolation
Use proper test coverage
Test component interactions
Use proper test data
Implement proper test setup
Use proper test cleanup
Implement proper test assertions
Use proper test structure

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

**/__tests__/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/__tests__/**/*.{ts,tsx}: Create type-safe test builders/factories
Use branded types for test isolation
Implement proper mock types that match interfaces

Files:

• packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: semgrep/ci
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

packages/clerk-js/src/ui/components/UserProfile/__tests__/SecurityPage.test.tsx (1)

35-37: Tests correctly reflect reverted password-based semantics

Switching to withPassword({ required: true }) aligns the fixture with the updated instanceIsPasswordBased logic. Looks good.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Fixture update matches reverted logic; consider scanning for other call sites

The change to withPassword({ required: true }) is correct for the new semantics. To avoid flaky tests elsewhere, scan the repo for remaining withPassword() usages without options that might implicitly rely on the old behavior.

Run:

If any tests expect password-based behavior, update them to withPassword({ required: true }).

---

🏁 Script executed:

#!/bin/bash
# Find call sites still using withPassword() without options
rg -nP --type=ts --type=tsx -C2 '\bwithPassword\s*\(\s*\)'

Length of output: 88

---

🏁 Script executed:

#!/bin/bash
# Retry search using file globs since 'tsx' isn’t a built-in type for rg
rg -nP -C2 '\bwithPassword\s*\(\s*\)' --glob '*.ts' --glob '*.tsx'

Length of output: 37360

---

Update remaining f.withPassword() calls to include { required: true }

The new semantics require explicitly passing { required: true } to withPassword() to preserve the previous default behavior. Tests still using bare f.withPassword() will now behave differently and should be updated to avoid flakiness.

• packages/clerk-js/src/ui/components/UserProfile/tests/PasswordSection.test.tsx
• packages/clerk-js/src/ui/components/SignUp/tests/SignUpStart.spec.tsx
• packages/clerk-js/src/ui/components/SignIn/tests/SignInFactorTwo.test.tsx
• packages/clerk-js/src/ui/components/SignIn/tests/SignInFactorOne.test.tsx

Example change:

- f.withPassword();
+ f.withPassword({ required: true });

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx
around line 479 (and likewise update the listed files:
packages/clerk-js/src/ui/components/UserProfile/__tests__/PasswordSection.test.tsx,
packages/clerk-js/src/ui/components/SignUp/__tests__/SignUpStart.spec.tsx,
packages/clerk-js/src/ui/components/SignIn/__tests__/SignInFactorTwo.test.tsx,
packages/clerk-js/src/ui/components/SignIn/__tests__/SignInFactorOne.test.tsx),
change any bare f.withPassword() calls to f.withPassword({ required: true }); to
preserve previous required semantics; search each test file for occurrences of
"withPassword(" and replace calls that lack an options object with the explicit
{ required: true } argument so tests retain prior behavior.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 656e0a6 and a38bfa3.

📒 Files selected for processing (1)

• .changeset/lemon-paths-brake.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

• .changeset/lemon-paths-brake.md

🪛 LanguageTool

.changeset/lemon-paths-brake.md

[grammar] ~1-~1: Hier könnte ein Fehler sein.
Context: --- ---

(QB_NEW_DE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (elements, chrome)
• GitHub Check: Integration Tests (quickstart, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Publish with pkg-pr-new
• GitHub Check: Unit Tests (22, **)
• GitHub Check: Static analysis
• GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Empty Changeset frontmatter is invalid and will break/skip automated releases

This file has only two --- lines and no package bump metadata or summary. Changesets expects frontmatter with one or more package release entries and a body. As-is, the release tooling will either error or ignore this file, defeating the “Automated releases must use Changesets” guideline for this PR (which reverts a prior change and likely needs a patch release).

Choose one:

• If this revert should not trigger a release: delete this file entirely.
• If this revert should trigger a release for @clerk/clerk-js: populate the changeset with a patch bump and a brief summary.

Apply this replacement to fix the file content:

--- 
---
+---
+'@clerk/clerk-js': patch
+---
+
+Revert: instanceIsPasswordBased returns true only when password.enabled && password.required.

Notes:

• If other published packages are affected by the revert, add them to the frontmatter with their bump levels.
• Keep the summary concise; it will appear in the changelog.

Run this quick sanity check to ensure all changeset files have valid package bump entries and are not empty:

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking for empty or malformed changeset files..."
# 1) Detect files that contain only frontmatter delimiters or whitespace
awk -v RS= -v ORS='\n\n' '
  FNR==1{file=FILENAME; empty=1; haspkg=0}
  {
    for(i=1;i<=NF;i++){
      line=$i
    }
  }
  {
    # Count non-delimiter, non-blank lines
    while((getline l)<0) {}
  }
' . >/dev/null 2>&1 || true

# Using ripgrep to validate presence of at least one "'pkg': (patch|minor|major)" in each changeset file
fail=0
while IFS= read -r -d '' f; do
  if ! rg -nP "^'@[^']+':\s*(patch|minor|major)\s*$" "$f" > /dev/null; then
    echo "Malformed or empty changeset: $f"
    rg -n "^" "$f" || true
    fail=1
  fi
done < <(fd -0 --extension md .changeset)

if [[ $fail -eq 1 ]]; then
  echo "One or more changesets are invalid."
  exit 1
else
  echo "All changesets look structurally valid."
fi

Length of output: 491

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Listing all .changeset markdown files:"
# List all markdown files under .changeset
if command -v fd &>/dev/null; then
  fd --extension md .changeset
else
  find .changeset -type f -name '*.md'
fi
echo

# For each changeset file, dump contents and check for bump entry
for f in $(fd --extension md .changeset); do
  echo "=== File: $f ==="
  # Print file with line numbers
  cat -n "$f" || { echo "Cannot read $f"; continue; }
  echo

  # Check for valid bump entries
  echo "Bump entry grep results:"
  grep -nP "'@[^']+':\s*(patch|minor|major)" "$f" || echo "  ▶ None found"
  echo
done

Length of output: 193

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify that the .changeset directory exists and list its contents
if [[ ! -d .changeset ]]; then
  echo ".changeset directory not found"
  exit 1
fi

echo "Files in .changeset:"
ls -1 .changeset
echo

# Show contents of each markdown file and check for bump entries
for f in .changeset/*.md; do
  if [[ -f "$f" ]]; then
    echo "=== File: $f ==="
    cat -n "$f"
    echo
    echo "Looking for bump metadata in $f:"
    grep -nP "'@[^']+':\s*(patch|minor|major)" "$f" || echo "  ▶ No bump entry found"
    echo
  fi
done

Length of output: 18268

---

.changeset/lemon-paths-brake.md is empty and will break releases

The changeset file .changeset/lemon-paths-brake.md only contains the two frontmatter delimiters (---) with no package bump entries or summary body. As-is, the automated release tool will error or skip this file, preventing the intended patch for the revert from being published.

Please choose one of the following fixes:

• If this revert should not produce a release, delete the file .changeset/lemon-paths-brake.md.
• If you do want to ship a patch release for @clerk/clerk-js, replace its contents with valid frontmatter and a changelog summary. For example:

--- .changeset/lemon-paths-brake.md
- ---
- ---
+ ---
+ '@clerk/clerk-js': patch
+ ---
+
+ Revert: `instanceIsPasswordBased` now returns `true` only when `password.enabled && password.required`.

Notes:

• If this revert affects other published packages, include them in the frontmatter with their bump levels.
• Keep the summary concise; it will appear directly in the changelog.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	---
	---
	---
	'@clerk/clerk-js': patch
	---
	Revert: `instanceIsPasswordBased` now returns `true` only when `password.enabled && password.required`.

🧰 Tools

🪛 LanguageTool

[grammar] ~1-~1: Hier könnte ein Fehler sein.
Context: --- ---

(QB_NEW_DE)

🤖 Prompt for AI Agents

In .changeset/lemon-paths-brake.md around lines 1 to 2 the file contains only
frontmatter delimiters and no package bumps or summary, which breaks releases;
either delete this file if the revert should not produce a release, OR replace
its contents with valid changeset frontmatter listing affected packages and
their bump levels (e.g., include "@clerk/clerk-js: patch" if that package should
be released) plus a concise changelog summary; if other published packages are
affected add them to the frontmatter as well and keep the summary short.