fix(clerk-js): Harden useEnabledThirdPartyProviders against missing sso data

[anagstef]

Summary

• Filter out empty strategy values in socialProviderStrategies and authenticatableSocialStrategies getters in UserSettings.ts
• Guard social[s] access in both forEach loops in useEnabledThirdPartyProviders.tsx to prevent crashes when FAPI returns a social provider with an empty strategy

Fixes USER-4991

Summary by CodeRabbit

• Bug Fixes
  • Fixed crashes in social authentication when empty provider strategies were received from the API.
  • Added safeguards to properly handle missing or invalid social provider data.

[changeset-bot]

🦋 Changeset detected

Latest commit: 7026451

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/ui	Patch
@clerk/chrome-extension	Patch
@clerk/expo	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 19, 2026 3:12pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: f4d42f0d-a496-4f01-8f11-87be47800b53

📥 Commits

Reviewing files that changed from the base of the PR and between e00ec97 and 7026451.

📒 Files selected for processing (3)

• .changeset/harden-social-provider-strategies.md
• packages/clerk-js/src/core/resources/UserSettings.ts
• packages/ui/src/hooks/useEnabledThirdPartyProviders.tsx

---

📝 Walkthrough

Walkthrough

A patch release was prepared for @clerk/clerk-js and @clerk/ui to address handling of empty social provider strategies. The UserSettings class filters were tightened to require the strategy property to be truthy when deriving enabled social OAuth strategies. Additionally, defensive guards were added to useEnabledThirdPartyProviders to check whether provider entries exist before accessing their properties, preventing potential crashes when processing strategies received from FAPI.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: hardening useEnabledThirdPartyProviders against missing SSO data, which is the core objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}