feat(backend): Mark setPasswordCompromised and unsetPasswordCompromised as stable

[octoper]

Description

This PR drops __experimental prefix from setPasswordCompromised and unsetPasswordCompromised and marks them as stable

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features
  • Password compromise management functions (setPasswordCompromised / unsetPasswordCompromised) are promoted from experimental to stable public APIs.
• Chores
  • Backend package patched to a new patch version.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Dec 18, 2025 2:37pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 77e18a4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages

Name	Type
@clerk/backend	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Two experimental user API methods were renamed to stable names: __experimental_setPasswordCompromised → setPasswordCompromised and __experimental_unsetPasswordCompromised → unsetPasswordCompromised in the backend User API. Implementations, signatures, and behavior are unchanged. Test utilities were updated to call the new public methods. A changelog entry bumps the backend package patch version.

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: promoting two experimental functions to stable APIs by removing the __experimental prefix.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2bb5640 and 77e18a4.

📒 Files selected for processing (3)

• .changeset/curly-hornets-argue.md (1 hunks)
• integration/testUtils/usersService.ts (1 hunks)
• packages/backend/src/api/endpoints/UserApi.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .changeset/curly-hornets-argue.md

🧰 Additional context used

📓 Path-based instructions (10)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/backend/src/api/endpoints/UserApi.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/backend/src/api/endpoints/UserApi.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*

⚙️ CodeRabbit configuration file

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

**/*: Only comment on issues that would block merging, ignore minor or stylistic concerns.
Restrict feedback to errors, security risks, or functionality-breaking problems.
Do not post comments on code style, formatting, or non-critical improvements.
Keep reviews short: flag only issues that make the PR unsafe to merge.
Group similar issues into a single comment instead of posting multiple notes.
Skip repetition: if a pattern repeats, mention it once at a summary level only.
Do not add general suggestions, focus strictly on merge-blocking concerns.
If there are no critical problems, respond with minimal approval (e.g., 'Looks good'). Do not add additional review.
Avoid line-by-line commentary unless it highlights a critical bug or security hole.
Highlight only issues that could cause runtime errors, data loss, or severe maintainability issues.
Ignore minor optimization opportunities, focus solely on correctness and safety.
Provide a top-level summary of critical blockers rather than detailed per-line notes.
Comment only when the issue must be resolved before merge, otherwise remain silent.
When in doubt, err on the side of fewer comments, brevity and blocking issues only.
Avoid posting any refactoring issues.

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (27)

• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: check-major-bump
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (2)

packages/backend/src/api/endpoints/UserApi.ts (1)

455-475: LGTM - Clean API stabilization.

The methods have been correctly renamed from experimental to stable with no behavior changes.

integration/testUtils/usersService.ts (1)

240-240: LGTM - Correctly updated to use stable API.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/backend/src/api/endpoints/UserApi.ts (1)

455-475: Add JSDoc documentation for public API methods.

These methods are graduating from experimental to stable but lack JSDoc comments. Per coding guidelines, all public APIs must be documented with JSDoc including @param, @returns, and descriptions.

As per coding guidelines, public APIs require comprehensive JSDoc documentation.

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d85646a and 2bb5640.

📒 Files selected for processing (3)

• .changeset/curly-hornets-argue.md (1 hunks)
• integration/testUtils/usersService.ts (1 hunks)
• packages/backend/src/api/endpoints/UserApi.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (10)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/backend/src/api/endpoints/UserApi.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/backend/src/api/endpoints/UserApi.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

**/*

⚙️ CodeRabbit configuration file

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

**/*: Only comment on issues that would block merging, ignore minor or stylistic concerns.
Restrict feedback to errors, security risks, or functionality-breaking problems.
Do not post comments on code style, formatting, or non-critical improvements.
Keep reviews short: flag only issues that make the PR unsafe to merge.
Group similar issues into a single comment instead of posting multiple notes.
Skip repetition: if a pattern repeats, mention it once at a summary level only.
Do not add general suggestions, focus strictly on merge-blocking concerns.
If there are no critical problems, respond with minimal approval (e.g., 'Looks good'). Do not add additional review.
Avoid line-by-line commentary unless it highlights a critical bug or security hole.
Highlight only issues that could cause runtime errors, data loss, or severe maintainability issues.
Ignore minor optimization opportunities, focus solely on correctness and safety.
Provide a top-level summary of critical blockers rather than detailed per-line notes.
Comment only when the issue must be resolved before merge, otherwise remain silent.
When in doubt, err on the side of fewer comments, brevity and blocking issues only.
Avoid posting any refactoring issues.

Files:

• packages/backend/src/api/endpoints/UserApi.ts
• integration/testUtils/usersService.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)

• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (2)

integration/testUtils/usersService.ts (1)

239-241: LGTM!

The update correctly uses the new stable API method.

.changeset/curly-hornets-argue.md (1)

1-5: LGTM!

The changelog accurately documents the API stabilization.

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7504

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7504

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7504

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7504

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7504

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7504

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7504

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7504

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7504

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7504

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7504

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7504

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7504

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7504

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7504

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7504

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7504

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7504

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7504

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7504

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7504

commit: 77e18a4