Skip to content

build(deps): bump @simplewebauthn/server from 13.3.1 to 13.3.2#807

Merged
jthrilly merged 1 commit into
nextfrom
dependabot/npm_and_yarn/next/simplewebauthn/server-13.3.2
Jul 2, 2026
Merged

build(deps): bump @simplewebauthn/server from 13.3.1 to 13.3.2#807
jthrilly merged 1 commit into
nextfrom
dependabot/npm_and_yarn/next/simplewebauthn/server-13.3.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps @simplewebauthn/server from 13.3.1 to 13.3.2.

Release notes

Sourced from @​simplewebauthn/server's releases.

v13.3.2

This update fixes a CVSS v4 Low (2.0) security vulnerability identified in @​simplewebauthn/server. See the security advisory linked below for more information.

Changes:

  • [server] Fixed an issue with verifyRegistrationResponse() allowing a maliciously-crafted attestation statement's x5c to contain a self-signed "root certificate" instead of chaining back to an RP-specified trust anchor (GHSA-6hxq-p678-4hr2)
Changelog

Sourced from @​simplewebauthn/server's changelog.

v13.3.2

This update fixes a CVSS v4 Low (2.0) security vulnerability identified in @​simplewebauthn/server. See the security advisory linked below for more information.

Changes:

  • [server] Fixed an issue with verifyRegistrationResponse() allowing a maliciously-crafted attestation statement's x5c to contain a self-signed "root certificate" instead of chaining back to an RP-specified trust anchor (GHSA-6hxq-p678-4hr2)
Commits
  • 84656ff Update version to 13.3.2
  • dd0d73c Fail cert path validation closed instead
  • 213e9ba Add test for failure to chain to trust anchor
  • 989507a Add tests for notAfter enforcement
  • b55f4b9 Move explanation into test
  • 7bed04c Update comments around cert chain validity
  • 6ee9644 Add new tests
  • c23890a Update existing test to use helpers
  • 8d02ed4 Add X.509 cert helpers for tests
  • 8a53d70 Use X509ChainBuilder for chain validation
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@simplewebauthn/server](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/server) from 13.3.1 to 13.3.2.
- [Release notes](https://github.com/MasterKale/SimpleWebAuthn/releases)
- [Changelog](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md)
- [Commits](https://github.com/MasterKale/SimpleWebAuthn/commits/v13.3.2/packages/server)

---
updated-dependencies:
- dependency-name: "@simplewebauthn/server"
  dependency-version: 13.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
@github-actions

Copy link
Copy Markdown

⚠️ Branch preview setup failed

Check the workflow run for details.

@jthrilly jthrilly merged commit bec9f17 into next Jul 2, 2026
5 of 7 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/next/simplewebauthn/server-13.3.2 branch July 2, 2026 08:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant