Update module github.com/go-webauthn/webauthn to v0.17.2 #13
ℹ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
This PR contains the following updates:
v0.11.2 → v0.17.2
Release Notes
go-webauthn/webauthn (github.com/go-webauthn/webauthn)
v0.17.2 (Compare Source)
Bug Fixes
v0.17.1 (Compare Source)
Bug Fixes
v0.17.0 (Compare Source)
Bug Fixes
Features
BREAKING CHANGES
A bug with the Credential Record which was introduced early in the library's lifecycle has resulted in a breaking change to the Credential struct. If you are manually serializing this struct instead of using encoding/json you will be required to make manual changes; though Integrators should consider these notes regardless.

protocol.CredentialTypeFIDOU2F has been removed; replace uses with protocol.AttestationFormatFIDOUniversalSecondFactor (cast to string where the destination field is a plain string).

The semantics of the AttestationType field on webauthn.Credential and protocol.CredentialDescriptor have changed. Integrators that inspect this field to detect a format (typically checking for "fido-u2f") must switch to the new AttestationFormat field; the FIDO-U2F AppID and AppIDExclude extension helpers now key on AttestationFormat, so a descriptor literal constructed with AttestationType: "fido-u2f" will no longer trigger them.

Stored Credential JSON records are migrated transparently by the new UnmarshalJSON, but re-marshaled records will carry attestationFormat rather than a format string in attestationType; downstream consumers that parsed the legacy shape directly should be updated.

The Credential.Verify method has been updated and may fail in previous scenarios where it passed previously. It will also update the AttestationType value as a side-effect when used.

The Cross-Origin verification semantics have changed significantly due to the stabilization of the WebAuthn Level 3 specification. It is no longer possible to disable verification, and Cross-Origin ceremonies must explicitly be allowed in this release.

protocol.TopOriginIgnoreVerificationMode has been removed. Code that referenced it must switch to one of the other constants as there is no longer a mode which disables the Top Origin verification such as:
(recommended, and the new coerced default)
RPTopOrigins and RPOrigins

webauthn.Config.validate now rewrites a zero-valued RPTopOriginVerificationMode to TopOriginExplicitVerificationMode. Integrators that left the field unset previously got ignore-mode semantics (any Top Origin accepted); they now get strict matching against RPTopOrigins and must populate that list, or explicitly select a different mode, for Cross-Origin flows to succeed.

Cross-Origin ceremonies (those where the authenticator reports crossOrigin = true in the ClientData) are rejected by default. Integrators that rely on iframe-embedded or other Cross-Origin WebAuthn flows must set webauthn.Config.RPAllowCrossOrigin = true. The library continues to enforce Top Origin verification on accepted Cross-Origin ceremonies per the configured mode.

protocol.CollectedClientData.Verify no longer accepts TopOriginIgnoreVerificationMode; callers that pass an unknown mode receive ErrNotImplemented with detail "unknown Top Origin verification mode".
v0.16.5 (Compare Source)
Bug Fixes
Features
0.16.5 (2026-04-19)
Bug Fixes
0.16.4 (2026-04-09)
0.16.3 (2026-04-05)
Bug Fixes
Features
0.16.2 (2026-03-30)
Bug Fixes
Features
0.16.1 (2026-03-12)
Bug Fixes
v0.16.4 (Compare Source)
Bug Fixes
Features
v0.16.3 (Compare Source)
Bug Fixes
Features
v0.16.2 (Compare Source)
Bug Fixes
Features
v0.16.1 (Compare Source)
Bug Fixes
Features
v0.16.0 (Compare Source)
Bug Fixes
Features
v0.15.0 (Compare Source)
BREAKING CHANGES
This release has a very small chance to have a breaking change that was not detected in the automatic or manual tests due to the module replacement of github.com/mitchellh/mapstructure with github.com/go-viper/mapstructure/v2. This is exclusively used by the metadata implementation and the Android SafetyNet Attestation implementation.
It's unlikely anyone will encounter any issues but if they do please report them via normal means and the issue can either be fixed or an addendum to the release notes can be made; whichever is most appropriate.
v0.14.0 (Compare Source)
Bug Fixes
Features
v0.13.4 (Compare Source)
Bug Fixes
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
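Added example (not part of this PR and not go-webauthn code): a stand-alone Go model of the Cross-Origin and Top Origin changes described in the release notes above, used to list which ceremonies pass before the upgrade but are rejected after it. The Config and Ceremony types, the ExplicitMode flag, Check, Regressions and the example origins are assumptions for illustration; only the unset and explicit modes are modelled.

```go
package main

import "fmt"

// Config and Ceremony are simplified stand-ins (assumptions for this example),
// not the go-webauthn types; field names follow the release notes.
type Config struct {
	RPOrigins          []string
	RPTopOrigins       []string
	RPAllowCrossOrigin bool
	ExplicitMode       bool // false models a zero-valued RPTopOriginVerificationMode
}

type Ceremony struct {
	Origin      string
	CrossOrigin bool // crossOrigin as reported in the ClientData
	TopOrigin   string
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// Check models the origin checks before (upgraded=false) and after
// (upgraded=true) the change, as the release notes describe them.
func Check(c Config, cd Ceremony, upgraded bool) error {
	if !contains(c.RPOrigins, cd.Origin) {
		return fmt.Errorf("origin %q not in RPOrigins", cd.Origin)
	}
	if !cd.CrossOrigin {
		return nil
	}
	if upgraded && !c.RPAllowCrossOrigin {
		return fmt.Errorf("cross-origin ceremony rejected: RPAllowCrossOrigin is false")
	}
	// Before: an unset mode ignored the Top Origin. After: unset is coerced to explicit.
	if (upgraded || c.ExplicitMode) && !contains(c.RPTopOrigins, cd.TopOrigin) {
		return fmt.Errorf("top origin %q not in RPTopOrigins", cd.TopOrigin)
	}
	return nil
}

// Regressions lists ceremonies that passed before the upgrade but fail after it.
func Regressions(c Config, cds []Ceremony) []Ceremony {
	var out []Ceremony
	for _, cd := range cds {
		if Check(c, cd, false) == nil && Check(c, cd, true) != nil {
			out = append(out, cd)
		}
	}
	return out
}

// Samples are constructed ceremonies using reserved example domains.
var Samples = []Ceremony{
	{Origin: "https://login.example.com"},
	{Origin: "https://login.example.com", CrossOrigin: true, TopOrigin: "https://partner.example.net"},
	{Origin: "https://login.example.com", CrossOrigin: true, TopOrigin: "https://unlisted.example.org"},
}

func main() {
	unset := Config{RPOrigins: []string{"https://login.example.com"}}
	for _, cd := range Regressions(unset, Samples) {
		fmt.Printf("breaks after upgrade: top origin %s: %v\n", cd.TopOrigin, Check(unset, cd, true))
	}
}
```

With RPAllowCrossOrigin set and the partner origin listed in RPTopOrigins, only the unlisted top origin remains rejected, which is the tightening the release intends.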