This PR contains the following updates:
Release Notes
MasterKale/SimpleWebAuthn (@simplewebauthn/server)
Compare Source
This update fixes a CVSS v4 Low (2.0) security vulnerability identified in
@simplewebauthn/server . See the security advisory linked below for more information.
Changes:
- [server] Fixed an issue with
verifyRegistrationResponse() allowing a maliciously-crafted
attestation statement's x5c to contain a self-signed "root certificate" instead of chaining back
to an RP-specified trust anchor
(GHSA-6hxq-p678-4hr2)
Compare Source
Changes:
- [server] Fixed an issue with
verifyRegistrationResponse() failing to verify some Packed and
SafetyNet statements (#767)
Configuration
📅 Schedule: (in timezone UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@simplewebauthn/server](https://github.com/MasterKale/SimpleWebAuthn/tree/master/packages/server#readme) ([source](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/server)) | [`13.3.0` → `13.3.2`](https://renovatebot.com/diffs/npm/@simplewebauthn%2fserver/13.3.0/13.3.2) |  |  |
---
### Release Notes
<details>
<summary>MasterKale/SimpleWebAuthn (@​simplewebauthn/server)</summary>
### [`v13.3.2`](https://github.com/MasterKale/SimpleWebAuthn/blob/HEAD/CHANGELOG.md#v1332)
[Compare Source](https://github.com/MasterKale/SimpleWebAuthn/compare/v13.3.1...v13.3.2)
This update fixes a CVSS v4 Low (2.0) security vulnerability identified in
**[@​simplewebauthn/server](https://github.com/simplewebauthn/server)**. See the security advisory linked below for more information.
**Changes:**
- **\[server]** Fixed an issue with `verifyRegistrationResponse()` allowing a maliciously-crafted
attestation statement's `x5c` to contain a self-signed "root certificate" instead of chaining back
to an RP-specified trust anchor
([GHSA-6hxq-p678-4hr2](https://github.com/MasterKale/SimpleWebAuthn/security/advisories/GHSA-6hxq-p678-4hr2))
### [`v13.3.1`](https://github.com/MasterKale/SimpleWebAuthn/blob/HEAD/CHANGELOG.md#v1331)
[Compare Source](https://github.com/MasterKale/SimpleWebAuthn/compare/v13.3.0...v13.3.1)
**Changes:**
- **\[server]** Fixed an issue with `verifyRegistrationResponse()` failing to verify some Packed and
SafetyNet statements ([#​767](https://github.com/MasterKale/SimpleWebAuthn/pull/767))
</details>
---
### Configuration
📅 **Schedule**: (in timezone UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI1NC4wIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6WyJLaW5kL0RlcGVuZGVuY2llcyJdfQ==-->