digiid-ts, branch main [MIRROR] A modern TypeScript implementation of the Digi-ID authentication protocol https://git.zelu.dev/digiid-ts/atom?h=main 2026-04-18T15:03:41Z chore: bump version to 2.0.3, patch security vulnerabilities in vite and lodash 2026-04-18T15:03:41Z Pawel Zelawski pawel@pzelawski.com 2026-04-18T15:03:41Z urn:sha1:c333c7daecb0bb6a026d26844dbf57c2665051d7 fix: resolve Rollup path traversal vulnerability (CVE) 2026-03-01T12:29:50Z Pawel Zelawski pawel.zelawski@outlook.com 2026-03-01T12:29:50Z urn:sha1:49f83b48196fbc260979f4a808328a34992b12c5 - Upgrade rollup from 4.40.0 to 4.59.0 via npm override - Fix Rollup arbitrary file write vulnerability via path traversal - Upgrade minimatch to 10.2.3 to fix ReDoS vulnerabilities - All security vulnerabilities resolved (0 vulnerabilities) - Tests and build verified working chore: release v2.0.1 2026-01-23T11:29:59Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:29:59Z urn:sha1:aee3b086b739c7256c33a8a8ddcf50fa96188cd0 - Fixed signature verification by correcting message hash calculation - Removed extra length byte before DigiBytes message prefix - Enhanced public key recovery with all 4 recovery IDs - Resolved all security vulnerabilities (removed elliptic dependency) - All tests passing chore: update package-lock.json 2026-01-23T11:22:10Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:22:10Z urn:sha1:611089aa50e1d7301fa66de1aa205c398862634e chore: bump version to 2.0.1-beta.2 2026-01-23T11:21:11Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:21:11Z urn:sha1:f0fc931d178acf5569632234ad3b7b1c5419ebc8 fix: correct message hashing for signature verification 2026-01-23T11:19:10Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:19:10Z urn:sha1:431497920652a37d2bcb9704a6465a7c474922eb - Fixed hashMessage function to not add extra length byte before message prefix - The prefix '\x19DigiByte Signed Message:\n' already contains the length indicator - Enhanced public key recovery to try all 4 recovery IDs for better compatibility - Verified with both beta.0 and beta.1 test data - All tests passing fix: correct bech32 address verification to use compressed public key 2026-01-23T10:57:07Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T10:57:07Z urn:sha1:e7250d83ff2793c35c9627f8b5a7ee47057d2c9e - Ensure compressed public key format for bech32 witness v0 addresses - Convert uncompressed (65 bytes) to compressed (33 bytes) when needed - Properly compute hash160 of compressed key for P2WPKH addresses - Fixes signature verification for dgb1 (bech32) addresses fix: correct public key recovery to use toBytes() and addRecoveryBit() 2026-01-23T10:37:56Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T10:37:56Z urn:sha1:fbc80fe79ce823534a58197dd3173f29f81d6bcb - Changed point.toRawBytes() to point.toBytes() to match @noble/curves v2 API - Added .addRecoveryBit(actualRecoveryId) to signature for proper recovery - Returns both compressed/uncompressed public keys for verification - Fixes signature verification regression in v2.0.0 chore: bump to v2.0.0 2026-01-23T09:54:10Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T09:54:10Z urn:sha1:491058ae03ba1f0ae70fe3c684002c9e8e864a53 feat: migrate from bitcoinjs-message to @noble/curves 2026-01-23T09:51:35Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T09:51:35Z urn:sha1:8c32933900e3ed4aa294b6c06403bd406129d349 BREAKING CHANGE: Replace bitcoinjs-message with @noble/curves for signature verification - Remove elliptic vulnerability (all versions <= 6.6.1 affected) - Implement Bitcoin message signing using @noble/curves and @noble/hashes - Support for Legacy (D/S) and Bech32 (dgb1) addresses - Update all dev dependencies to latest stable versions - Remove unnecessary overrides for elliptic and lodash This is a major version update due to dependency changes, though the public API remains unchanged.