docs(PLEN-1078): add changelog for auth config PATCH semantics fix #2353

anshugarg15 · 2026-01-08T08:40:48Z

Summary

https://github.com/ComposioHQ/hermes/pull/7598

Changes

Documents the breaking change in PATCH /api/v3/auth_configs/{id} endpoint where fields are now preserved when not explicitly provided (true PATCH semantics) instead of being reset to defaults (PUT-like behavior).

Type of change

How Has This Been Tested?

Vitests for the changes in hermes + Tested the python code snippets from changelog

Screenshots (if applicable)

Checklist

I have read the Code of Conduct and this PR adheres to it
I ran linters/tests locally and they passed
I updated documentation as needed
I added tests or explain why not applicable
I added a changeset if this change affects published packages

e2e test report

E2E Test Report - Auth Config PATCH Semantics

Environment: Staging (https://staging-backend.composio.dev)
Test Date: 2026-01-08

Python SDK Tests ✅ 4/4

#	Test	Result
1	Create custom auth config	✅
2	Update only `client_secret` (credentials merged)	✅
3	Update `tool_access_config` WITHOUT `credentials`	✅
4	Clear `tool_access_config` with `[]`	✅

TypeScript SDK Tests ✅ 4/4

#	Test	Result
1	Create custom auth config	✅
2	Update credentials	✅
3	Update credentials + `toolAccessConfig`	✅
4	Credential preservation (partial update merges, not replaces)	✅

Raw HTTP API Tests ✅ 11/11

#	Test	Result
1	Get initial auth config state	✅
2	Update only `client_secret` (credentials merged)	✅
3	Update `tool_access_config` WITHOUT `credentials`	✅
4	Set `proxy_config`	✅
5	Clear `proxy_config` with `null`	✅
6	Clear `tool_access_config` with `[]`	✅
7	Create default type auth config	✅
8	Get initial default auth config	✅
9	Update `scopes` for default type	✅
10	Update `tool_access_config` (scopes preserved)	✅
11	Update `shared_credentials`	✅

Changelog Code Verification ✅ 5/5

Every curl command in the changelog was executed on staging and verified:

Example	Description	Verified
1	Rotate single credential	✅ `client_id` preserved
2	Update `tool_access_config` without credentials	✅ credentials preserved
3	Update scopes for default type	✅ scopes updated
4	Clear `proxy_config` with `null`	✅ cleared
5	Clear `tool_access_config` with `[]`	✅ cleared

Summary

Category	Passed	Total
Python SDK	4	4
TypeScript SDK	4	4
Raw HTTP API	11	11
Changelog Examples	5	5
Total	24	24

✅ All 24 tests passed

Documents the breaking change in PATCH /api/v3/auth_configs/{id} endpoint where fields are now preserved when not explicitly provided (true PATCH semantics) instead of being reset to defaults (PUT-like behavior).

vercel · 2026-01-08T08:40:53Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
fumadocs	Ready	Preview, Comment	Jan 9, 2026 5:09am

github-actions · 2026-01-08T08:45:52Z

Preview your docs: https://composio-preview-30318d9a-cce1-4e4d-9dab-0a449bc31b5a.docs.buildwithfern.com

- Add TypeScript and Python examples - Remove duplication and redundant sections - Follow repo changelog standards - Remove unnecessary Benefits section

github-actions · 2026-01-08T10:12:02Z

Preview your docs: https://composio-preview-49361849-bbd5-42b9-a750-f93cc7ecaee0.docs.buildwithfern.com

github-actions · 2026-01-08T10:13:15Z

Preview your docs: https://composio-preview-eb3bd668-46d6-445a-b417-9a4c72a99004.docs.buildwithfern.com

github-actions · 2026-01-08T10:48:32Z

Preview your docs: https://composio-preview-4578076e-4838-4a8e-bbb2-1edde279cf9b.docs.buildwithfern.com

- Replace raw HTTP examples with TypeScript and Python SDK examples - Add CodeBlocks with tabs for both SDKs - Add 'Update Scopes for Default Auth Configs' example - Migration guide now uses SDK syntax - Tested on staging: all PATCH operations work correctly PLEN-1078

github-actions · 2026-01-08T11:19:08Z

Preview your docs: https://composio-preview-ec6e10cf-1aa6-4b1a-b276-c0dc237b9b14.docs.buildwithfern.com

- Fix TS SDK to make credentials optional for custom type updates - Add proxyConfig and sharedCredentials support to TS SDK update method - Fix changelog package name from composio-core to @composio/core - Simplify changelog examples TypeScript SDK changes: - authConfigs.types.ts: Make credentials optional, add proxyConfig and sharedCredentials - AuthConfigs.ts: Update method to handle new optional fields Tested on staging: - Python SDK: 12/12 tests passed - TypeScript SDK: 10/10 tests passed PLEN-1078

github-actions · 2026-01-08T12:11:39Z

⚠️ Security Audit Warning

The pnpm audit --prod check found security vulnerabilities in production dependencies.

Please review and fix the vulnerabilities. You can try running:

pnpm audit --fix --prod

Audit output

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ LangChain serialization injection vulnerability        │
│                     │ enables secret extraction                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ langchain                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=1.0.0 <1.2.3                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.2.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__langchain>langchain                      │
│                     │                                                        │
│                     │ ts__examples__tool-router>langchain                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r399-636x-v7f6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ LangChain serialization injection vulnerability        │
│                     │ enables secret extraction                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @langchain/core                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=1.0.0 <1.1.8                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.1.8                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__langchain>@langchain/core                │
│                     │                                                        │
│                     │ ts__examples__tool-router>@langchain/                  │
│                     │ anthropic>@langchain/core                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r399-636x-v7f6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ qs's arrayLimit bypass in its bracket notation allows  │
│                     │ DoS via memory exhaustion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ qs                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.14.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.14.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ fern>supergateway>@modelcontextprotocol/sdk>express>qs │
│                     │                                                        │
│                     │ fern>supergateway>body-parser>qs                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-6rw7-vpxm-498p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Anthropic's MCP TypeScript SDK has a ReDoS             │
│                     │ vulnerability                                          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @modelcontextprotocol/sdk                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.25.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.25.2                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ fern>supergateway>@modelcontextprotocol/sdk            │
│                     │                                                        │
│                     │ ts__examples__google>@modelcontextprotocol/sdk         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-8r9q-7v3j-jr4g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ pnpm v10+ Bypass "Dependency lifecycle scripts         │
│                     │ execution disabled by default"                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ pnpm                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=10.0.0 <10.26.0                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.26.0                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__tool-router>pnpm                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-379q-355j-w6rj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ pnpm Has Lockfile Integrity Bypass that Allows Remote  │
│                     │ Dynamic Dependencies                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ pnpm                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <10.26.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.26.0                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__tool-router>pnpm                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-7vhp-vf5g-r2fw      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ pnpm vulnerable to Command Injection via environment   │
│                     │ variable substitution                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ pnpm                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=6.25.0 <10.27.0                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.27.0                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__tool-router>pnpm                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-2phv-j68v-wwqx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
11 vulnerabilities found
Severity: 11 high

github-actions · 2026-01-08T12:16:43Z

Preview your docs: https://composio-preview-0676dd89-18d8-4611-908c-a959f841afe4.docs.buildwithfern.com

…ture

github-actions · 2026-01-08T12:17:54Z

Preview your docs: https://composio-preview-666ab8a2-06a5-4fad-94bd-b2394ed1b6fd.docs.buildwithfern.com

github-actions · 2026-01-08T12:22:25Z

Preview your docs: https://composio-preview-192820f6-b622-4b78-90f8-b57734faa8ff.docs.buildwithfern.com

ts/packages/core/src/models/AuthConfigs.ts

PLEN-1078

Remove SDK-specific examples since current SDKs don't support all PATCH capabilities (proxy_config, shared_credentials, optional credentials). Added note about future SDK updates. Tested all examples on staging - 11/11 tests passed. PLEN-1078

PLEN-1078

github-actions · 2026-01-08T12:54:58Z

Preview your docs: https://composio-preview-15c2f9a7-fca7-4adf-87e5-499a57116a08.docs.buildwithfern.com

github-actions · 2026-01-08T12:57:42Z

Preview your docs: https://composio-preview-ee4580d3-8165-4106-a8dc-ade77c1d45fd.docs.buildwithfern.com

- Python SDK examples as primary - TypeScript SDK examples with note about credentials requirement - Raw HTTP API examples moved to end - All examples tested and verified on staging PLEN-1078

github-actions · 2026-01-08T13:23:50Z

Preview your docs: https://composio-preview-985e3e06-8f07-4163-9f57-f13b599aff3d.docs.buildwithfern.com

PLEN-1078

github-actions · 2026-01-08T13:55:00Z

Preview your docs: https://composio-preview-04d774c8-2541-4c02-b5e6-8c2a6ed23bf5.docs.buildwithfern.com

PLEN-1078

github-actions · 2026-01-09T05:12:28Z

Preview your docs: https://composio-preview-ffb89775-7c89-484e-a539-df9cde77a188.docs.buildwithfern.com

haxzie · 2026-01-09T08:19:40Z

fern/pages/src/changelog/01-08-26-auth-config-patch-semantics.md

+await composio.authConfigs.update("ac_yourAuthConfigId", {
+  type: "custom",
+  credentials: {
+    // Include existing credentials when using TS SDK


What does this mean?

docs(PLEN-1078): add changelog for auth config PATCH semantics fix

004dcb5

Documents the breaking change in PATCH /api/v3/auth_configs/{id} endpoint where fields are now preserved when not explicitly provided (true PATCH semantics) instead of being reset to defaults (PUT-like behavior).

anshugarg15 requested review from Sushmithamallesh and haxzie as code owners January 8, 2026 08:40

docs(PLEN-1078): polish changelog for auth config PATCH semantics

4b8d92f

- Add TypeScript and Python examples - Remove duplication and redundant sections - Follow repo changelog standards - Remove unnecessary Benefits section

vercel bot had a problem deploying to Preview January 8, 2026 10:06 Failure

Merge branch 'next' into docs/plen-1078-auth-config-patch-changelog

2af5aae

vercel bot deployed to Preview January 8, 2026 10:10 View deployment

docs(PLEN-1078): remove JS/TS gotcha section

8e384a7

vercel bot deployed to Preview January 8, 2026 10:45 View deployment

vercel bot deployed to Preview January 8, 2026 11:16 View deployment

fix: formatting fixes for changelog

02966e7

vercel bot deployed to Preview January 8, 2026 12:15 View deployment

test: fix auth config update tests to match new optional fields struc…

500cb67

…ture

vercel bot deployed to Preview January 8, 2026 12:19 View deployment

cursor bot reviewed Jan 8, 2026

View reviewed changes

ts/packages/core/src/models/AuthConfigs.ts Outdated Show resolved Hide resolved

anshugarg15 added 3 commits January 8, 2026 18:03

revert: undo SDK changes, keep changelog only

7c98d70

PLEN-1078

docs: remove SDK update note from changelog

cb8ea38

PLEN-1078

vercel bot deployed to Preview January 8, 2026 12:54 View deployment

docs: prioritize SDK examples in changelog

577a79b

- Python SDK examples as primary - TypeScript SDK examples with note about credentials requirement - Raw HTTP API examples moved to end - All examples tested and verified on staging PLEN-1078

vercel bot deployed to Preview January 8, 2026 13:21 View deployment

docs: add scopes to migration guide table

76a163b

PLEN-1078

vercel bot deployed to Preview January 8, 2026 13:52 View deployment

docs: fix Python indentation and markdown code blocks

e932e0f

PLEN-1078

vercel bot deployed to Preview January 9, 2026 05:09 View deployment

lingalarahul7 approved these changes Jan 9, 2026

View reviewed changes

haxzie requested changes Jan 9, 2026

View reviewed changes

docs(PLEN-1078): add changelog for auth config PATCH semantics fix #2353

Are you sure you want to change the base?

docs(PLEN-1078): add changelog for auth config PATCH semantics fix #2353

Uh oh!

Conversation

anshugarg15 commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

Type of change

How Has This Been Tested?

Screenshots (if applicable)

Checklist

e2e test report

E2E Test Report - Auth Config PATCH Semantics

Python SDK Tests ✅ 4/4

TypeScript SDK Tests ✅ 4/4

Raw HTTP API Tests ✅ 11/11

Changelog Code Verification ✅ 5/5

Summary

Uh oh!

vercel bot commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 8, 2026

Uh oh!

github-actions bot commented Jan 9, 2026

Uh oh!

haxzie Jan 9, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

anshugarg15 commented Jan 8, 2026 •

edited

Loading

vercel bot commented Jan 8, 2026 •

edited

Loading

github-actions bot commented Jan 8, 2026 •

edited

Loading