Bump @simplewebauthn/browser from 9.0.1 to 13.2.0

[dependabot]

Bumps @simplewebauthn/browser from 9.0.1 to 13.2.0.

Release notes

Sourced from @​simplewebauthn/browser's releases.

v13.2.0

• [server] The return value from verifyRegistrationResponse() has been defined more strictly to communicate that registrationInfo will only ever be present if verified is true (#715)
• [server] verifyRegistrationResponse() can now verify attestations containing SHA256 hashes by using EC public keys with the P-384 curve (#721)
• [server] The Android SafetyNet "CTS profile match" system integrity check can now be disabled by setting attestationSafetyNetEnforceCTSCheck: false when calling verifyRegistrationResponse(). This check remains enforced by default (#722)
• [browser] [server] These libraries now have better support in Deno 2.2+ projects which use generic typing for Uint8Array via TypeScript 5.7. SimpleWebAuthn values of type Uint8Array_ are equivalent to Uint8Array in Deno 2.1 and earlier, and Uint8Array<ArrayBuffer> in Deno 2.2 and later. (#717)

v13.1.2

Changes

• [browser] [server] Exported the ResidentKeyRequirement type to help with type inference (#704)

v13.1.1

Changes:

• [server] "android-key" attestation statement verification has been modernized (#675)
• [server] More TPM manufacturers are recognized while verifying "tpm" attestation statements (#673)

v13.1.0

Changes:

• [server] The cross-fetch dependency has been removed from the project to silence in the console DeprecationWarning's about a "punycode" module (#661)
• [browser] startRegistration() and startAuthentication() will now warn about calls made using the pre-v11 call structure to encourage refactoring to use the current call structure, but still try to handle such calls the best they can (#664)

v13.0.0 - The one where they share a type

Hot on the heels of the last major release, v13 introduces support for registration hints! Refined types and improved attestation trust anchor verification are also included. Last but not least, we say goodbye to one of the project's packages for better docs and fewer dependencies to install. Read on for more information, including refactor advice for dealing with the retirement of @​simplewebauthn/types.

Changes:

• [server] A new preferredAuthenticatorType argument can be set when calling generateRegistrationOptions() to generate options that encourage the browser to direct the user to register one of three types of authenticators: 'securityKey', 'localDevice', or 'remoteDevice' (a.k.a. opinionated WebAuthn hints support) (#653)
• [browser] startRegistration() will recognize hints if specified in optionsJSON (#652)
• [server] Attestation verification now recognizes intermediate certificates as trust anchors (#650)
• [browser] [server] The types previously maintained in the types package are now included within the browser and server packages. See Breaking Changes below for more info (#655)

Breaking Changes

@​typescript/types is being retired.

Its types will now be included directly in @​simplewebauthn/browser and @​simplewebauthn/server.

To refactor existing imports from /types, simply import them from /browser or /server instead:

Before:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@simplewebauthn/types'; // <--

... (truncated)

Changelog

Sourced from @​simplewebauthn/browser's changelog.

v13.2.0

Changes

• [server] The return value from verifyRegistrationResponse() has been defined more strictly to communicate that registrationInfo will only ever be present if verified is true (#715)
• [server] verifyRegistrationResponse() can now verify attestations containing SHA256 hashes by using EC public keys with the P-384 curve (#721)
• [server] The Android SafetyNet "CTS profile match" system integrity check can now be disabled by setting attestationSafetyNetEnforceCTSCheck: false when calling verifyRegistrationResponse(). This check remains enforced by default (#722)
• [browser] [server] These libraries now have better support in Deno 2.2+ projects which use generic typing for Uint8Array via TypeScript 5.7. SimpleWebAuthn values of type Uint8Array_ are equivalent to Uint8Array in Deno 2.1 and earlier, and Uint8Array<ArrayBuffer> in Deno 2.2 and later. (#717)

v13.1.2

Changes

• [browser] [server] Exported the ResidentKeyRequirement type to help with type inference (#704)

v13.1.1

Changes:

• [server] "android-key" attestation statement verification has been modernized (#675)
• [server] More TPM manufacturers are recognized while verifying "tpm" attestation statements (#673)

v13.1.0

Changes:

• [server] The cross-fetch dependency has been removed from the project to silence in the console DeprecationWarning's about a "punycode" module (#661)
• [browser] startRegistration() and startAuthentication() will now warn about calls made using the pre-v11 call structure to encourage refactoring to use the current call structure, but still try to handle such calls the best they can (#664)

v13.0.0 - The one where they share a type

... (truncated)

Commits

• 84c61db Publish v13.2.0
• f5f3de7 Refactor Uint8Array to Uint8Array_
• e552884 Codegen another use of Uint8Array_
• e2a3a85 Define Uint8Array_ for Deno backwards compat
• 467f8f1 Publish v13.1.2
• fdbb880 Codegen updated types
• cfd2400 Publish v13.1.0
• 62025dc Test ability to continue from bad call pattern
• 4cbeceb Detect improper call pattern and warn
• 5dc6bfc Remove unused import in NPM build scripts
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #44.