Skip to content

chore(deps): bump otplib from 12.0.1 to 13.4.1#27

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/otplib-13.4.1
Closed

chore(deps): bump otplib from 12.0.1 to 13.4.1#27
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/otplib-13.4.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps otplib from 12.0.1 to 13.4.1.

Release notes

Sourced from otplib's releases.

v13.4.1

What's Changed

New Contributors

Full Changelog: yeojz/otplib@v13.4.0...v13.4.1

v13.4.0

What's Changed

... (truncated)

Commits
  • 1d997b0 release(packages): v13.4.1 (#854)
  • 0e9566f docs(otplib): note 16-byte minimum and fix broken secret-handling link (#851)
  • e01b4f1 chore(deps-dev): bump the dev-dependencies-patch group across 1 directory wit...
  • 212534b chore(deps-dev): bump the dev-dependencies-minor group with 4 updates (#828)
  • b54adad refactor(testing): rename test secret constants for semantic clarity (#832)
  • 4898252 refactor(testing): centralize test secrets and normalize naming (#831)
  • e5490bb release(packages): v13.4.0 (#819)
  • 3352eeb docs(totp): add string secrets and authenticator compatibility notes to READM...
  • 9038272 feat: add IIFE/CDN build support to otplib (#810)
  • 4fd86b5 chore: update readme tip/important blocks
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for otplib since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 9, 2026
Bumps [otplib](https://github.com/yeojz/otplib/tree/HEAD/packages/otplib) from 12.0.1 to 13.4.1.
- [Release notes](https://github.com/yeojz/otplib/releases)
- [Commits](https://github.com/yeojz/otplib/commits/v13.4.1/packages/otplib)

---
updated-dependencies:
- dependency-name: otplib
  dependency-version: 13.4.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@Jesssullivan

Copy link
Copy Markdown
Contributor

Superseded by #31 (real otplib v13 migration: rewrites otplib-compat.ts against v13 functional exports, preserves the ±1-step window + P0-SEC replay/single-use invariants, keeps the 128-bit secret floor; 398/398 tests green). Dependabot's bare bump left the v12 compat shim broken (7 failing TOTP tests).

Jess Sullivan (Jesssullivan) added a commit that referenced this pull request Jul 10, 2026
Supersedes the broken dependabot bump (#27). otplib v13 removed the
stateful `authenticator` singleton (checkDelta/verify/keyuri) in favour
of stateless functional exports backed by @otplib/core / @otplib/totp,
and now enforces a 128-bit (16-byte) minimum secret length via
SecretTooShortError. Both broke the v12-era shim.

- Rewrite src/totp/otplib-compat.ts against the v13 functional exports
  (generateSecret/generateSync/generateURI/verify/verifySync). Replace
  v12's mutable authenticator.options with module-level config; derive
  epochTolerance from step*window to preserve the +/-1-step window.
- Recover the exact match delta from verifySync's { valid, delta } result
  so the replay-guard primitive (getAuthenticatorCheckDelta) keeps working
  with no lossy fallback; verifyTokenWithStep replay/single-use invariants
  are unchanged.
- Enforce the 128-bit floor without weakening it: freshly generated
  secrets stay 160-bit, and sub-floor legacy secrets get a clear,
  actionable migration error on the crypto paths instead of otplib's
  low-level error or silent padding.
- Bump the constant-time unknown-user dummy secret to a 160-bit value so
  it clears the floor instead of throwing SecretTooShortError.
- Bump otplib to ^13.4.1 and refresh pnpm-lock.yaml.

Relates to tinyland.dev #692. Reaching prod still needs the separate
tag -> registry-promote -> pin-bump wave.
@dependabot @github

dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/otplib-13.4.1 branch July 10, 2026 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant