fix(shared): replace custom deepmerge with @fastify/deepmerge

[jacekradko]

Summary

Replace vulnerable custom fastDeepMergeAndReplace and fastDeepMergeAndKeep utilities with the battle-tested @fastify/deepmerge library.

This is an alternative approach to #7621 which fixes the same prototype pollution vulnerability (SEC-252) but by adopting an external library instead of patching the existing code.

Benefits of @fastify/deepmerge

Aspect	Custom Implementation	@fastify/deepmerge
Security	Manual blocklist (added in #7621)	Built-in protection for __proto__, constructor, prototype
Performance	Unknown	~30x faster than standard deepmerge (~605K ops/sec)
Maintenance	Internal burden	Maintained by trusted Fastify team
API	Mutates target object	Returns new object (functional)

Changes

• Add @fastify/deepmerge: ^3.1.0 to @clerk/shared and @clerk/ui
• Update parseLocalization.ts with stripUndefined helper to preserve fallback-to-English behavior
• Update parseAppearance.ts to use functional merge pattern
• Refactor createVariants.ts to functional style (non-mutating)
• Remove custom fastDeepMerge.ts and its tests

Trade-offs vs #7621

	#7621 (Patch existing)	This PR (Use library)
Code changes	Minimal (~10 lines)	More extensive refactor
Dependencies	None added	Adds @fastify/deepmerge
Risk	Lower (smaller change)	Slightly higher (API change)
Long-term maintenance	We maintain security	Library maintains security
Performance	Unknown	Proven fast

Test plan

• All @clerk/shared tests pass (56 files, 912 tests)
• All @clerk/ui tests pass (100 files, 1399 tests)
• Verified undefined values in localization still fall back to English defaults
• Verified prototype pollution is blocked by library

Summary by CodeRabbit

• Chores
  • Updated internal dependencies to enhance code maintainability and consolidate merge utilities.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8e1d659

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jan 20, 2026 3:51am

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request replaces custom deep merge utility functions with the @fastify/deepmerge library across the shared and UI packages. The original fastDeepMergeAndReplace and fastDeepMergeAndKeep functions are removed from the utils module, including their tests and exports. The @fastify/deepmerge dependency is added to package.json files in both packages. Usages throughout the UI package are updated to utilize the new library, with modifications to parseAppearance.ts, parseLocalization.ts (including a new stripUndefined helper), and createVariants.ts to accommodate the new merge approach.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing custom deepmerge utilities with the @fastify/deepmerge library.
Linked Issues check	✅ Passed	The PR successfully addresses SEC-252 by replacing the vulnerable custom deepmerge functions with @fastify/deepmerge, which provides built-in prototype pollution protection.
Out of Scope Changes check	✅ Passed	All changes are in-scope: removing custom deepmerge functions, adding @fastify/deepmerge dependency, and updating code to use the new library.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7622

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7622

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7622

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7622

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7622

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7622

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7622

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7622

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7622

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7622

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7622

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7622

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7622

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7622

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7622

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7622

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7622

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7622

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7622

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7622

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7622

commit: 8e1d659

[jacekradko]

This approach is not preferable. Additional dependencies and @fastify/deepmerge is not a drop-in replacement for the current utilities