digiid-ts/package-lock.json, branch v2.0.4 [MIRROR] A modern TypeScript implementation of the Digi-ID authentication protocol https://git.zelu.dev/digiid-ts/atom?h=v2.0.4 2026-05-15T16:55:55Z chore: patch fast-uri security vulnerabilities 2026-05-15T16:55:55Z Pawel Zelawski pawel@pzelawski.com 2026-05-15T16:55:55Z urn:sha1:3f3521cf5dad43dc537e6a56e469ccf73ae41927 chore: bump version to 2.0.3, patch security vulnerabilities in vite and lodash 2026-04-18T15:03:41Z Pawel Zelawski pawel@pzelawski.com 2026-04-18T15:03:41Z urn:sha1:c333c7daecb0bb6a026d26844dbf57c2665051d7 fix: resolve Rollup path traversal vulnerability (CVE) 2026-03-01T12:29:50Z Pawel Zelawski pawel.zelawski@outlook.com 2026-03-01T12:29:50Z urn:sha1:49f83b48196fbc260979f4a808328a34992b12c5 - Upgrade rollup from 4.40.0 to 4.59.0 via npm override - Fix Rollup arbitrary file write vulnerability via path traversal - Upgrade minimatch to 10.2.3 to fix ReDoS vulnerabilities - All security vulnerabilities resolved (0 vulnerabilities) - Tests and build verified working chore: release v2.0.1 2026-01-23T11:29:59Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:29:59Z urn:sha1:aee3b086b739c7256c33a8a8ddcf50fa96188cd0 - Fixed signature verification by correcting message hash calculation - Removed extra length byte before DigiBytes message prefix - Enhanced public key recovery with all 4 recovery IDs - Resolved all security vulnerabilities (removed elliptic dependency) - All tests passing chore: update package-lock.json 2026-01-23T11:22:10Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:22:10Z urn:sha1:611089aa50e1d7301fa66de1aa205c398862634e fix: correct message hashing for signature verification 2026-01-23T11:19:10Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T11:19:10Z urn:sha1:431497920652a37d2bcb9704a6465a7c474922eb - Fixed hashMessage function to not add extra length byte before message prefix - The prefix '\x19DigiByte Signed Message:\n' already contains the length indicator - Enhanced public key recovery to try all 4 recovery IDs for better compatibility - Verified with both beta.0 and beta.1 test data - All tests passing chore: bump to v2.0.0 2026-01-23T09:54:10Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T09:54:10Z urn:sha1:491058ae03ba1f0ae70fe3c684002c9e8e864a53 feat: migrate from bitcoinjs-message to @noble/curves 2026-01-23T09:51:35Z Pawel Zelawski pawel.zelawski@outlook.com 2026-01-23T09:51:35Z urn:sha1:8c32933900e3ed4aa294b6c06403bd406129d349 BREAKING CHANGE: Replace bitcoinjs-message with @noble/curves for signature verification - Remove elliptic vulnerability (all versions <= 6.6.1 affected) - Implement Bitcoin message signing using @noble/curves and @noble/hashes - Support for Legacy (D/S) and Bech32 (dgb1) addresses - Update all dev dependencies to latest stable versions - Remove unnecessary overrides for elliptic and lodash This is a major version update due to dependency changes, though the public API remains unchanged. chore: bump version to 1.1.1 for security fixes 2025-12-20T20:00:45Z Pawel Zelawski pawel.zelawski@outlook.com 2025-12-20T20:00:45Z urn:sha1:0b3e86989397d526d74c084828f9eb18e7749976 fix: resolve security vulnerabilities in dependencies 2025-12-20T19:49:10Z Pawel Zelawski pawel.zelawski@outlook.com 2025-12-20T19:49:10Z urn:sha1:a1a01427183425cc985183e299325dbdea553f02 - Add glob ^10.5.0 override to fix command injection vulnerability (CVE-2024-XXXXX) - Add brace-expansion ^2.0.2 override to fix ReDoS vulnerability - Upgrade vite to 6.4.1 and other dependencies via npm audit fix - All tests passing, build successful, 0 vulnerabilities remaining