I do understand your concerns; however, developers using us do it because they want to offload a big part of their security requirements. This means it’s our responsibility to always be pushing for increased security by default; given that security is a moving target, this implies that sometimes changes need to be introduced and enforced. We aim at trying to introduce those changes with as little disruption as possible, but it’s change nevertheless.
You can follow the Changelog for the most relevant announcements; RSS: Auth0 Changelog