diff --git a/CHANGELOG.md b/CHANGELOG.md
index 528cce0..5f485e5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,65 @@ The 0.x line is treated as a single pre-stable development series — see 1.0.0 stabilisation cut; for 0.x history consult `git log` against the relevant tags.
+## [1.3.1] — 2026-06-06
+
+Patch release: a browser-SDK build fix, a Micronaut admin toggle, and
+supply-chain hardening. No wire-format or API-breaking changes.
+
+### Added
+
+- **Micronaut: the admin endpoints can now be disabled.** A new
+ configuration toggle lets a Micronaut host opt out of mounting
+ `PkAuthAdminController` (passkey list/rename/delete, etc.) while keeping
+ the core auth endpoints, mirroring the disable switch the other framework
+ integrations already expose. See `docs/operator-guide.md`.
+
+### Fixed
+
+- **Browser SDK builds under TypeScript 6.0.** The dev-dependency bump to
+ TypeScript 6.0 broke the `tsup` `.d.ts` pipeline with `TS5101`
+ (the injected `baseUrl` is now a deprecation error). Adding
+ `ignoreDeprecations: "6.0"` to the SDK `tsconfig.json` restores the build;
+ the ESM/CJS/DTS bundle, `tsc --noEmit`, and all vitest tests pass under
+ TS 6.0.
+
+### Security
+
+- **Dependency and CI/CD supply-chain hardening.**
+ - Every GitHub Actions `uses:` is pinned to a full commit SHA (version in a
+ trailing comment) instead of a mutable `@vN` tag — most importantly the
+ third-party `softprops/action-gh-release` in the privileged release job.
+ - The Gradle distribution is pinned via `distributionSha256Sum` in the
+ wrapper, with a `wrapper-validation` step in CI verifying
+ `gradle-wrapper.jar`.
+ - `actions/dependency-review-action` runs as a PR gate
+ (`fail-on-severity: high`) to block newly introduced dependencies with
+ known high-severity advisories.
+ - Dependabot now covers the npm ecosystem (the published browser SDK and
+ each demo's Playwright e2e suite) and gates auto-merge on update type, so
+ only patch/minor bumps are auto-approved and Actions updates never
+ auto-merge.
+ - The build/distribution trust boundary and these mitigations are
+ documented.
+
+### Changed
+
+- **Gradle dependency verification (`verification-metadata.xml`) was not
+ retained.** It was introduced during the supply-chain work and then
+ removed: with Dependabot auto-merging Gradle bumps, the checksum file would
+ have to be regenerated unattended from whatever was just downloaded
+ (notarizing rather than vetting), and it broke the build on every bump
+ because a version-catalog bump cannot update the checksums. Protection
+ against malicious dependency *releases* is provided by
+ `dependency-review-action`'s advisory database instead. The SHA-pinned
+ Actions, pinned Gradle distribution, and dependency-review gate above are
+ retained.
+
+### Dependencies
+
+- Routine Dependabot bumps across the dev/runtime dependency groups (Gradle
+ and npm) and GitHub Actions.
+
 ## [1.3.0] — 2026-06-03
 Security-review follow-ups (hardening; no known exploit in the items below).
@@ -209,7 +268,8 @@ Security-review follow-ups (hardening; no known exploit in the items below).
 First stable release. Captures the surface produced by the 0.x development series; see `git log` for the full history.
-[Unreleased]: https://github.com/codeheadsystems/pk-auth/compare/v1.3.0...HEAD
+[Unreleased]: https://github.com/codeheadsystems/pk-auth/compare/v1.3.1...HEAD
+[1.3.1]: https://github.com/codeheadsystems/pk-auth/compare/v1.3.0...v1.3.1
 [1.3.0]: https://github.com/codeheadsystems/pk-auth/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/codeheadsystems/pk-auth/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/codeheadsystems/pk-auth/compare/v1.0.0...v1.1.0
diff --git a/clients/passkeys-browser/package-lock.json b/clients/passkeys-browser/package-lock.json
index c582701..260439b 100644
--- a/clients/passkeys-browser/package-lock.json
+++ b/clients/passkeys-browser/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@pk-auth/passkeys-browser",
- "version": "1.3.0",
+ "version": "1.3.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@pk-auth/passkeys-browser",
- "version": "1.3.0",
+ "version": "1.3.1",
 "license": "MIT",
 "devDependencies": {
 "@types/node": "^25.9.2",
diff --git a/clients/passkeys-browser/package.json b/clients/passkeys-browser/package.json
index 0931093..9840331 100644
--- a/clients/passkeys-browser/package.json
+++ b/clients/passkeys-browser/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pk-auth/passkeys-browser",
- "version": "1.3.0",
+ "version": "1.3.1",
 "description": "pk-auth browser SDK: WebAuthn ceremonies + admin operations against the pk-auth wire contract.",
 "license": "MIT",
 "author": "Ned Wolpert",
diff --git a/gradle.properties b/gradle.properties
index b759cf4..0777b2d 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -21,4 +21,4 @@ org.gradle.jvmargs=-Xmx2g \
 # Project identity
 group=com.codeheadsystems
-version=1.3.0-SNAPSHOT
+version=1.3.1-SNAPSHOT
diff --git a/site/index.html b/site/index.html
index 53b2f41..9d8441e 100644
--- a/site/index.html
+++ b/site/index.html
@@ -1098,7 +1098,7 @@
- v1.3.0
+ v1.3.1
 JDK 21
 MIT
 WebAuthn4J
@@ -1146,9 +1146,9 @@

// One adapter, one persistence module, done.
 dependencies {
-  implementation("com.codeheadsystems:pk-auth-spring-boot-starter:1.3.0")
-  implementation("com.codeheadsystems:pk-auth-persistence-jdbi:1.3.0")
-  implementation("com.codeheadsystems:pk-auth-admin-api:1.3.0")
+  implementation("com.codeheadsystems:pk-auth-spring-boot-starter:1.3.1")
+  implementation("com.codeheadsystems:pk-auth-persistence-jdbi:1.3.1")
+  implementation("com.codeheadsystems:pk-auth-admin-api:1.3.1")
 }
@@ -1332,9 +1332,9 @@

Add the adapter, persistence, and admin API.

dependencies {
-  implementation("com.codeheadsystems:pk-auth-spring-boot-starter:1.3.0")
-  implementation("com.codeheadsystems:pk-auth-persistence-jdbi:1.3.0")
-  implementation("com.codeheadsystems:pk-auth-admin-api:1.3.0")
+  implementation("com.codeheadsystems:pk-auth-spring-boot-starter:1.3.1")
+  implementation("com.codeheadsystems:pk-auth-persistence-jdbi:1.3.1")
+  implementation("com.codeheadsystems:pk-auth-admin-api:1.3.1")
 }
@@ -1343,7 +1343,7 @@

Add the adapter, persistence, and admin API.

<dependency>
   <groupId>com.codeheadsystems</groupId>
   <artifactId>pk-auth-spring-boot-starter</artifactId>
-  <version>1.3.0</version>
+  <version>1.3.1</version>
 </dependency>
 <!-- + pk-auth-persistence-jdbi, pk-auth-admin-api -->
@@ -1754,7 +1754,7 @@

pk-auth

A passkey credential layer for the JVM. MIT-licensed. Three adapters, one wire contract, your user table.

-

v1.3.0 · JDK 21 · WebAuthn4J

+

v1.3.1 · JDK 21 · WebAuthn4J