fix(expo): Fix expo-auth-session import leak and env var detection #8607

Draft
chriscanin wants to merge 1 commit into main from chris/mobile-402-fix-expo-auth-session-import-leak-and-env-var-detection

@chriscanin

Summary

ClerkProvider previously called require('expo-web-browser') synchronously inside an isWeb() runtime gate. Metro's static analyzer resolves literal-string require() calls regardless of runtime gates or try/catch, so production bundling failed for native consumers who don't install expo-web-browser (an optional peer dependency).

Reported by Sam Aubin on Plain (per the MOBILE-401/402 attachment thread). MOBILE-401 covered the React peer-dep angle; MOBILE-402 covers the bundle-time crash.

What changed

  • New packages/expo/src/provider/maybeCompleteAuthSession.ts — native no-op
  • New packages/expo/src/provider/maybeCompleteAuthSession.web.ts — moves the require('expo-web-browser') + WebBrowser.maybeCompleteAuthSession() call into a web-only file
  • packages/expo/src/provider/ClerkProvider.tsx now imports and calls the helper instead of inlining the require()
  • Patch changeset for @clerk/clerk-expo only

Metro / Expo's platform resolver picks the .web.ts file for web bundles and the base .ts (no-op) for native. Native dist no longer references expo-web-browser.

Behavior at runtime

  • Web: identical. Same require, same call, same try/catch fallback.
  • Native: identical. The require was already unreachable at runtime via the isWeb() gate; the fix is purely at bundle time.

Why not the other half of MOBILE-402?

The ticket title also references "env var detection" — Sam's complaint that EXPO_PUBLIC_CLERK_PUBLISHABLE_KEY auto-detection fails in EAS prod. That was already resolved in #7655: publishableKey is now a required prop, env-var fallbacks were removed entirely, and the JSDoc explains why (env vars in node_modules aren't inlined in production builds). Sam's workaround is now the official path.

Test plan

  • Fresh Expo app without expo-web-browser installed, install @clerk/clerk-expo from this branch, run npx expo export --platform ios — bundling should complete (previously failed)
  • Existing web Expo app — verify OAuth/SSO redirect still completes (the redirect URL must still be caught synchronously before children mount)
  • Existing native Expo app with expo-web-browser installed — verify SSO/OAuth flow still works

Linear

MOBILE-402

`ClerkProvider` previously called `require('expo-web-browser')` synchronously
inside an `isWeb()` runtime gate. Metro's static analyzer resolves literal-string
`require()` calls regardless of runtime gates or try/catch, so production
bundling failed for native consumers who don't install `expo-web-browser` (an
optional peer dependency).

Splits the web-only `maybeCompleteAuthSession()` call into a platform-specific
helper. Metro/Expo's platform resolver picks `maybeCompleteAuthSession.web.ts`
for web bundles and the no-op `maybeCompleteAuthSession.ts` for native — so
native dist no longer references `expo-web-browser`.

Behavior is unchanged at runtime on both platforms; the fix is purely at bundle
time.

The "env var detection" half of MOBILE-402 was already resolved in #7655
(publishableKey made a required prop, env-var fallback removed). No further
change needed there.

MOBILE-402
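
A simplified model of the bundle-time behaviour described above, added here as an illustration; it is not code from this PR and not Metro's implementation. The file contents, the `installed` set, and the helper names `resolveLocal` and `unresolvedPackages` are constructed assumptions.

```javascript
// Simplified model of bundle-time dependency collection; NOT Metro's code.
// Assumption: the optional peer dependency expo-web-browser is not installed.
const installed = new Set(['react']);

// Constructed sources: the provider before the change (gated inline require).
const before = {
  'ClerkProvider.tsx': `
    if (isWeb()) {
      try { require('expo-web-browser').maybeCompleteAuthSession(); } catch {}
    }`,
};

// Constructed sources: the provider after the change (platform-split helper).
const after = {
  'ClerkProvider.tsx': `
    const { maybeCompleteAuthSession } = require('./maybeCompleteAuthSession');
    maybeCompleteAuthSession();`,
  'maybeCompleteAuthSession.ts': `exports.maybeCompleteAuthSession = () => {};`,
  'maybeCompleteAuthSession.web.ts': `
    exports.maybeCompleteAuthSession = () => {
      try { require('expo-web-browser').maybeCompleteAuthSession(); } catch {}
    };`,
};

// Platform resolution: prefer name.<platform>.ts, then fall back to the base file.
function resolveLocal(files, name, platform) {
  const candidates = [`${name}.${platform}.ts`, `${name}.ts`, `${name}.tsx`];
  return candidates.find((f) => f in files);
}

// Walk the module graph from an entry file, collecting literal require() calls
// textually. Runtime gates (isWeb(), try/catch) are invisible to this pass.
function unresolvedPackages(files, entry, platform) {
  const missing = new Set();
  const seen = new Set();
  const queue = [entry];
  while (queue.length) {
    const file = queue.pop();
    if (seen.has(file)) continue;
    seen.add(file);
    for (const [, spec] of files[file].matchAll(/require\(\s*['"]([^'"]+)['"]\s*\)/g)) {
      if (spec.startsWith('./')) {
        const target = resolveLocal(files, spec.slice(2), platform);
        if (target) queue.push(target); else missing.add(spec);
      } else if (!installed.has(spec)) missing.add(spec);
    }
  }
  return [...missing];
}
```

With these inputs, `unresolvedPackages(before, 'ClerkProvider.tsx', 'ios')` reports `expo-web-browser` as unresolved, while the same call on `after` reports nothing for `ios` and still reaches the package for `web`.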
@changeset-bot

changeset-bot Bot commented May 20, 2026

🦋 Changeset detected

Latest commit: fa2e094

The changes in this PR will be included in the next version bump.

@vercel

vercel Bot commented May 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| clerk-js-sandbox | Ready | Preview, Comment | May 20, 2026 11:36pm |
