{
  "repository": "https://github.com/better-auth/better-auth.git",
  "commit_source": "git_rev_parse",
  "commit_sha": "37f60cb176cb53147da7dfd5ec15afa5b486e81e",
  "submitted_target": {
    "target_kind": "npm_version",
    "version": "1.6.10",
    "display": "@better-auth/sso@1.6.10 / better-auth@1.6.10"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "37f60cb176cb53147da7dfd5ec15afa5b486e81e",
    "version": "1.6.11",
    "display": "better-auth@37f60cb / @better-auth/sso@1.6.11"
  },
  "runtime_tested": {
    "package_manager": "npm",
    "installed_packages": {
      "better-auth": "1.6.11",
      "@better-auth/sso": "1.6.11"
    },
    "package_integrity": {
      "@better-auth/sso": "sha512-lJHmoCayp9Woh/MPKTHDfGq7k1oQbU2yz5tIOZXl/pzrgLxV7fMGo9aJCyabHkw3GHMjBes4byC6aakHYzpZIg=="
    }
  },
  "notes": "The bypass was reproduced against the npm-published @better-auth/sso@1.6.11 package. The exact source revision is commit 37f60cb176cb53147da7dfd5ec15afa5b486e81e from the better-auth monorepo, which is the commit that introduced the 1.6.11 fix (PR #9574). A shallow clone at that commit was used for source verification; the runtime test used the corresponding npm package."
}
