feat: publish SSR under deprecated auth-helpers package names

[mandarini]

What kind of change does this PR introduce?

Feature - Package consolidation and multi-package publishing

What is the current behavior?

Currently, @supabase/ssr is only published under its own package name. Meanwhile, the deprecated @supabase/auth-helpers-* packages continue to receive thousands of weekly downloads, probably due to LLMs recommending them in code suggestions despite being deprecated for a long time.

The deprecated packages:

• @supabase/auth-helpers-nextjs (159k weekly downloads)
• @supabase/auth-helpers-react
• @supabase/auth-helpers-remix
• @supabase/auth-helpers-sveltekit

What is the new behavior?

This PR enables @supabase/ssr to be published under multiple package names simultaneously:

1. Multi-package publishing: The release workflow now publishes the same codebase under 5 different npm package names:

   • @supabase/ssr (primary package)
   • @supabase/auth-helpers-nextjs
   • @supabase/auth-helpers-react
   • @supabase/auth-helpers-remix
   • @supabase/auth-helpers-sveltekit

2. Console warnings: When imported as a deprecated auth-helpers package, users see a prominent warning.

3. Updated documentation: README clearly explains the package consolidation and lists all deprecated packages.

Additional context

Users of the old auth-helpers packages will experience breaking changes when updating, as the APIs are not backward compatible. This is intentional - as discussed internally, we want to "break it loudly" to force users to notice and migrate.

Why this approach?

• LLMs continue to recommend deprecated packages despite deprecation warnings
• Traditional deprecation methods have proven ineffective
• Publishing SSR under the old names ensures users get the maintained, working code
• Console warnings guide users to the correct package

Related: supabase/auth-helpers#811

[j4w8n]

I assume that if we're going to "break it loudly" then we're also going to shout it from the rooftops loudly one last time?? If I recall from past discussions, posts, etc, there are devs using the deprecated packages for targeted reasons - the react one specifically comes to mind but I may be mistaking it for the nextjs version.

Perhaps the "pre-LLM" devs have all migrated away by now, but if we're gonna up-and-break folks then I'd recommend treading empathetically on this one.

[hf]

LGTM!

[mandarini]

@j4w8n thank you for your comment! What would your suggestion be in this case? Along with merging this PR, to create a new discussion post, or?

[j4w8n]

Hi @mandarini. Thanks for the follow-up.

I think we have two audiences here: developers and community support. I'd consider these:

• a Changelog discussion post on the supabase repo
• a post in the Discord server Announcements channel
• a post on the teams-contributors Slack channel
• a change to the below note on the SSR docs page (https://supabase.com/docs/guides/auth/server-side)

[j4w8n]

Maybe it won't be as bad as I think; especially if the published versions of the auth helpers stays the same.

[mandarini]

@j4w8n the auth-helpers-* packages will be published with new versions, but the new versions will actually be the ssr code. The existing old versions for these packages will still be available on npm, as always. Does this make sense to you?

[j4w8n]

Absolutely. But that confirms why I think it would be good to give people a heads-up.

At the end of the day, it's Supabase's call; I just wanted to make sure I expressed my concern.