chore(deps): bump otplib from 12.0.1 to 13.4.1#27
Conversation
Bumps [otplib](https://github.com/yeojz/otplib/tree/HEAD/packages/otplib) from 12.0.1 to 13.4.1. - [Release notes](https://github.com/yeojz/otplib/releases) - [Commits](https://github.com/yeojz/otplib/commits/v13.4.1/packages/otplib) --- updated-dependencies: - dependency-name: otplib dependency-version: 13.4.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
a254333 to
d7d92e7
Compare
|
Superseded by #31 (real otplib v13 migration: rewrites otplib-compat.ts against v13 functional exports, preserves the ±1-step window + P0-SEC replay/single-use invariants, keeps the 128-bit secret floor; 398/398 tests green). Dependabot's bare bump left the v12 compat shim broken (7 failing TOTP tests). |
Supersedes the broken dependabot bump (#27). otplib v13 removed the stateful `authenticator` singleton (checkDelta/verify/keyuri) in favour of stateless functional exports backed by @otplib/core / @otplib/totp, and now enforces a 128-bit (16-byte) minimum secret length via SecretTooShortError. Both broke the v12-era shim. - Rewrite src/totp/otplib-compat.ts against the v13 functional exports (generateSecret/generateSync/generateURI/verify/verifySync). Replace v12's mutable authenticator.options with module-level config; derive epochTolerance from step*window to preserve the +/-1-step window. - Recover the exact match delta from verifySync's { valid, delta } result so the replay-guard primitive (getAuthenticatorCheckDelta) keeps working with no lossy fallback; verifyTokenWithStep replay/single-use invariants are unchanged. - Enforce the 128-bit floor without weakening it: freshly generated secrets stay 160-bit, and sub-floor legacy secrets get a clear, actionable migration error on the crypto paths instead of otplib's low-level error or silent padding. - Bump the constant-time unknown-user dummy secret to a 160-bit value so it clears the floor instead of throwing SecretTooShortError. - Bump otplib to ^13.4.1 and refresh pnpm-lock.yaml. Relates to tinyland.dev #692. Reaching prod still needs the separate tag -> registry-promote -> pin-bump wave.
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
Bumps otplib from 12.0.1 to 13.4.1.
Release notes
Sourced from otplib's releases.
... (truncated)
Commits
1d997b0release(packages): v13.4.1 (#854)0e9566fdocs(otplib): note 16-byte minimum and fix broken secret-handling link (#851)e01b4f1chore(deps-dev): bump the dev-dependencies-patch group across 1 directory wit...212534bchore(deps-dev): bump the dev-dependencies-minor group with 4 updates (#828)b54adadrefactor(testing): rename test secret constants for semantic clarity (#832)4898252refactor(testing): centralize test secrets and normalize naming (#831)e5490bbrelease(packages): v13.4.0 (#819)3352eebdocs(totp): add string secrets and authenticator compatibility notes to READM...9038272feat: add IIFE/CDN build support to otplib (#810)4fd86b5chore: update readme tip/important blocksMaintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for otplib since your current version.