digiid-ts-demo, branch main

digiid-ts-demo, branch main [MIRROR] Digi-ID TypeScript Integration Demo https://git.zelu.dev/digiid-ts-demo/atom?h=main 2026-04-18T14:58:37Z chore: update digiid-ts to 2.0.3 and fix security vulnerabilities 2026-04-18T14:58:37Z Pawel Zelawski pawel@pzelawski.com 2026-04-18T14:58:37Z urn:sha1:3fc37e6338bb6c6054739578088ca638f08fceca - Bump digiid-ts from 2.0.2 to 2.0.3 (security patch release) - Fix 5 vulnerabilities via npm audit fix: - brace-expansion (moderate): ReDoS / process hang - flatted (high): prototype pollution + unbounded recursion DoS - path-to-regexp (high): ReDoS via route parameters - picomatch (high): ReDoS + method injection - vite (high): path traversal + arbitrary file read via dev server Fix multiple security vulnerabilities (March 2026) 2026-03-01T12:41:23Z Pawel Zelawski pawel.zelawski@outlook.com 2026-03-01T12:41:23Z urn:sha1:00e7e4fbf5a6fc41b88631fd34e98e48eeb9fc6a Security Updates: - digiid-ts: 2.0.1-beta.2 → 2.0.2 (fixes internal dependency vulnerability) - rollup: 4.58.0 → 4.59.0 (fixes arbitrary file write via path traversal - GHSA-mw96-cpmx-2vgc) - qs: 6.14.1 → 6.14.2 (fixes arrayLimit bypass in comma parsing DoS - GHSA-w7fw-mjwx-w883) - express: 4.21.2 → 4.22.1 (updated with qs dependency) - minimatch: multiple updates (fixes ReDoS vulnerabilities) - ajv: updated to 6.14.0+ (fixes ReDoS with $data option) Impact: - Rollup: Prevented arbitrary file write through path traversal sequences - qs: Fixed denial-of-service via comma-separated array limit bypass - digiid-ts: Resolved vulnerability in @noble/curves dependency Result: 0 vulnerabilities (npm audit clean) Update to digiid-ts v2.0.1-beta.2 - Fix message hash signature verification 2026-01-23T11:25:08Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:25:08Z urn:sha1:31bf3e64ce084b5410ce90a36039009bf9258e15 - Fixed hashMessage removing extra length byte encoding before message prefix - Message prefix '\x19DigiByte Signed Message:\n' now used correctly - Enhanced public key recovery to try all 4 recovery IDs - Returns both compressed/uncompressed public keys for better compatibility - Should fix 'Invalid signature' errors with DigiBytes wallet Update to digiid-ts v2.0.1-beta.1 - Fix bech32 address verification 2026-01-23T11:00:38Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:00:38Z urn:sha1:88f6391e87c2fdfb427f23564f5a83e351d04cd5 - Fixed "Invalid signature" error for bech32 addresses (dgb1q...) - Added automatic compression of public keys for bech32 P2WPKH verification - Bech32 now correctly uses hash160(compressed_pubkey) - Should fix authentication with DigiBytes mobile wallet using bech32 addresses Test digiid-ts v2.0.1-beta.0 - Fix public key recovery 2026-01-23T10:43:33Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T10:43:33Z urn:sha1:30136dafc868e6e06d5e762a50d1c646d9f5bb3e - Install digiid-ts@2.0.1-beta.0 for testing signature verification fix - Fixed point.toRawBytes() -> point.toBytes() API change - Added .addRecoveryBit() for proper ECDSA public key recovery - Testing with real DigiBytes mobile wallet required Update digiid-ts to v2.0.0 - Fix ECDSA cryptanalysis vulnerability 2026-01-23T10:08:47Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T10:08:47Z urn:sha1:4cc77ab44157764e003e0db242962384945dc2ad - Upgraded digiid-ts from v1.1.1 to v2.0.0 - Resolved critical vulnerability in elliptic package (CVE for ECDSA signature cryptanalysis) - Library now uses @noble/curves instead of bitcoinjs-message (removed elliptic dependency) - Fixed additional low severity vulnerability in diff package - All npm audit vulnerabilities now resolved (0 vulnerabilities) - API unchanged, all existing code continues to work Fix security vulnerability: upgrade qs to 6.14.1 2026-01-03T17:18:50Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-03T17:18:50Z urn:sha1:23f12a7fe7ed29b527ab0a31819255a1114b8acf - Resolved CVE in qs library where arrayLimit bypass allowed DoS via memory exhaustion - Updated qs from 6.13.0 to 6.14.1 via npm audit fix - All security vulnerabilities now resolved chore: update dependencies and fix security vulnerabilities 2025-12-20T20:16:50Z Pawel Zelawski pawel.zelawski@outlook.com 2025-12-20T20:16:50Z urn:sha1:1beb8c214c3d5c914ebdb1778804bbfa3901fe18 - Update digiid-ts to 1.1.1 with security patches - Fix brace-expansion, vite, sha.js, js-yaml, and eslint vulnerabilities - All npm audit issues resolved chore: Update digiid-ts dependency and regenerate lockfile 2025-04-14T09:48:26Z Pawel Zelawski pawel.zelawski@outlook.com 2025-04-14T09:48:26Z urn:sha1:ba95b414b6707319a2dbec7cfa9f4b23daa119ea Updated the 'digiid-ts' package to the latest version to incorporate its internal dependency change (replacing 'digibyte-message' with 'bitcoinjs-message'). Regenerated package-lock.json, which removed the outdated references to 'digibyte-message' and 'bitcore-message'. Verified the build process completes successfully with the updated dependency. docs: Add live demo link and fix asset tracking 2025-04-11T10:25:01Z Pawel Zelawski pawel.zelawski@outlook.com 2025-04-11T10:25:01Z urn:sha1:3b4531f31e848ecda2c5a3907b34a37c39ddc0c8 - Update README.md to include a new "Live Demo" section linking to https://digi-id.pzelawski.dev/. - Remove the `public` entry from .gitignore to ensure static assets (like the logo) within the public directory are tracked by Git. This resolves issues where assets were missing after cloning the repository for deployment.