Skip to content

fix(deps): update dependency @simplewebauthn/server to v13#862

Closed
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/simplewebauthn-server-13.x
Closed

fix(deps): update dependency @simplewebauthn/server to v13#862
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/simplewebauthn-server-13.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 24, 2025

This PR contains the following updates:

Package Change Age Confidence
@simplewebauthn/server (source) ^7.0.1 -> ^13.0.0 age confidence

Release Notes

MasterKale/SimpleWebAuthn (@​simplewebauthn/server)

v13.2.2

Compare Source

Changes

v13.2.1

Compare Source

Changes:

  • [server] generateRegistrationOptions() will now correctly encoded the userID argument to
    base64url when it is an instance of Node's Buffer
    (#​724)

v13.2.0

Compare Source

Changes

  • [server] The return value from verifyRegistrationResponse() has been defined more strictly
    to communicate that registrationInfo will only ever be present if verified is true
    (#​715)
  • [server] verifyRegistrationResponse() can now verify attestations containing SHA256 hashes
    by using EC public keys with the P-384 curve
    (#​721)
  • [server] The Android SafetyNet "CTS profile match" system integrity check can now be disabled
    by setting attestationSafetyNetEnforceCTSCheck: false when calling
    verifyRegistrationResponse(). This check remains enforced by default
    (#​722)
  • [browser] [server] These libraries now have better support in Deno 2.2+ projects which use
    generic typing for Uint8Array via TypeScript 5.7.
    SimpleWebAuthn values of type Uint8Array_ are equivalent to Uint8Array in Deno 2.1 and
    earlier, and Uint8Array<ArrayBuffer> in Deno 2.2 and later.
    (#​717)

v13.1.2

Compare Source

Changes

  • [browser] [server] Exported the ResidentKeyRequirement type to help with type inference
    (#​704)

v13.1.1

Compare Source

Changes:

  • [server] "android-key" attestation statement verification has been modernized
    (#​675)
  • [server] More TPM manufacturers are recognized while verifying "tpm" attestation statements
    (#​673)

v13.1.0

Compare Source

Changes:

  • [server] The cross-fetch dependency has been removed from the project to silence in the
    console DeprecationWarning's about a "punycode" module
    (#​661)
  • [browser] startRegistration() and startAuthentication() will now warn about calls made
    using the pre-v11 call structure to encourage refactoring to use the current call structure, but
    still try to handle such calls the best they can
    (#​664)

v13.0.0

Compare Source

Hot on the heels of the last major release, v13 introduces support for registration hints! Refined
types and improved attestation trust anchor verification are also included. Last but not least, we
say goodbye to one of the project's packages for better docs and fewer dependencies to install. Read
on for more information, including refactor advice for dealing with the retirement of
@​simplewebauthn/types.

Changes:

  • [server] A new preferredAuthenticatorType argument can be set when calling
    generateRegistrationOptions() to generate options that encourage the browser to direct the user
    to register one of three types of authenticators: 'securityKey', 'localDevice', or
    'remoteDevice' (a.k.a. opinionated
    WebAuthn hints
    support) (#​653)
  • [browser] startRegistration() will recognize hints if specified in optionsJSON
    (#​652)
  • [server] Attestation verification now recognizes intermediate certificates as trust anchors
    (#​650)
  • [browser] [server] The types previously maintained in the types package are now included
    within the browser and server packages. See Breaking Changes below for more info
    (#​655)
Breaking Changes
@​typescript/types is being retired

Its types will now be included directly in @​simplewebauthn/browser and
@​simplewebauthn/server.

To refactor existing imports from /types, simply import them from /browser or /server
instead:

Before:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@&#8203;simplewebauthn/types'; // <--

After:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@&#8203;simplewebauthn/server'; // <--
[server] attestationType no longer accepts 'indirect'

The benefits of indirect attestation are too minimal to be useful for Relying Parties. In practice
it is almost never used over ignoring the concept completely with 'none' or needing to be
intentional and setting 'direct'.

RP's that have been specifying attestationType: 'indirect' when calling
generateRegistrationOptions() will need to refactor their code to either omit
attestationType (generateRegistrationOptions() will default to attestationType: 'none') or set
attestationType: 'direct' instead:

Before:

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'indirect',
});

After:

const options = await generateRegistrationOptions({
  // ...
});

-or-

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'direct',
});

v12.0.0

Compare Source

All SimpleWebAuthn packages are now available for installation from the
JavaScript Registry (JSR)! JSR is an "open-source package registry
for modern JavaScript and TypeScript" - you can read more about this new package registry and its
ESM-centric capabilities here.

All packages in v12.0.0 are functionally identical to v11.0.0! And JSR package hosting is in
addition to existing package hosting on NPM. Nothing changes about package installation via
npm install. Read on for more information.

Packages
Changes
  • [browser] [server] [types] All packages can now be installed from JSR wherever JSR
    imports are supported (#​634)
  • [browser] Deno projects using frameworks like Fresh can now import and use
    @​simplewebauthn/browser (#​634)

To install from JSR, use npx jsr add @&#8203;simplewebauthn/... or deno add jsr:@&#8203;simplewebauthn/...
depending on which package manager is available.

Projects using npm for package management:
npx jsr add @&#8203;simplewebauthn/browser
npx jsr add @&#8203;simplewebauthn/server
npx jsr add @&#8203;simplewebauthn/types
Projects using deno for package management:
deno add jsr:@&#8203;simplewebauthn/browser
deno add jsr:@&#8203;simplewebauthn/server
deno add jsr:@&#8203;simplewebauthn/types
Projects using HTTPS modules via deno.land/x:

v12.0.0 officially deprecates importing SimpleWebAuthn from deno.land/x. See Breaking Changes
below for refactor guidance.

Breaking Changes

Importing SimpleWebAuthn packages from "https://deno.land/x/simplewebauthn/..." URLs is no longer
supported. Please use Deno's native support for JSR imports instead, available in projects running
Deno v1.42 and higher.

Before:

import { generateAuthenticationOptions } from 'https://deno.land/x/simplewebauthn/deno/server.ts';

After:

import { generateAuthenticationOptions } from 'jsr:@&#8203;simplewebauthn/server';

Alternatively, use deno add to install these packages from
JSR:



v11.0.0


Compare Source


Say hello to support for automatic passkey registration, support for valid conditional UI <input>

elements stashed away in web components, and to the new WebAuthnCredential type that modernizes

some logic within.


There are some breaking changes in this release! Please see Breaking Changes below for refactor

guidance.


Packages



Changes


    

  • [browser] [server] A new useAutoRegister argument has been added to startRegistration() to
    
support attempts to automatically register passkeys for users who just completed non-passkey auth.
    
verifyRegistrationResponse() has gained a new requireUserPresence option that can be set to
    
false when verifying responses from startRegistration({ useAutoRegister: true, ... })
    
(#​623)
    • 

  • [browser] A new verifyBrowserAutofillInput argument has been added to
    
startAuthentication() to disable throwing an error when a correctly configured <input> element
    
cannot be found (but perhaps a valid one is present in a web component shadow's DOM)
    
(#​621)
    • 

  • [server] [types] The AuthenticatorDevice type has been renamed to WebAuthnCredential and
    
has had its properties renamed. The return value out of verifyRegistrationResponse() and
    
corresponding inputs into verifyAuthenticationResponse() have been updated accordingly. See
    
Breaking Changes below for refactor guidance
    
(#​625)
    • 

  • [server] verifyRegistrationResponse() now verifies that the authenticator data AAGUID
    
matches the leaf cert's id-fido-gen-ce-aaguid extension AAGUID when it is present
    
(#​609)
    • 

  • [server] TPM attestation verification recognizes the corrected TPM manufacturer identifier for
    
IBM (#​610)
    • 

  • [server] Types for the defunct authenticator extensions uvm and dpk have been removed
    
(#​611)
    • 



Breaking Changes


[browser] Positional arguments in startRegistration() and startAuthentication() have been replaced by a single object


Property names in the object match the names of the previously-positional arguments. To update

existing implementations, wrap existing options in an object with corresponding properties:


Before:


startRegistration(options);
startAuthentication(options, true);


After:


startRegistration({ optionsJSON: options });
startAuthentication({ optionsJSON: options, useBrowserAutofill: true });


[server] [types] The AuthenticatorDevice type has been renamed to WebAuthnCredential


AuthenticatorDevice.credentialID and AuthenticatorDevice.credentialPublicKey have been shortened

to WebAuthnCredential.id and WebAuthnCredential.publicKey respectively.


verifyRegistrationResponse() has been updated accordingly to return a new credential value of

type WebAuthnCredential. Update code that stores credentialID, credentialPublicKey, and

counter out of verifyRegistrationResponse() to store credential.id, credential.publicKey,

and credential.counter instead:


Before:


const { registrationInfo } = await verifyRegistrationResponse({...});

storeInDatabase(
  registrationInfo.credentialID,
  registrationInfo.credentialPublicKey,
  registrationInfo.counter,
  body.response.transports,
);


After:


const { registrationInfo } = await verifyRegistrationResponse({...});

storeInDatabase(
  registrationInfo.credential.id,
  registrationInfo.credential.publicKey,
  registrationInfo.credential.counter,
  registrationInfo.credential.transports,
);


Update calls to verifyAuthenticationResponse() to match the new credential argument that

replaces the authenticator argument:


Before:


import { AuthenticatorDevice } from '@&#8203;simplewebauthn/types';

const authenticator: AuthenticatorDevice = {
  credentialID: ...,
  credentialPublicKey: ...,
  counter: 0,
  transports: [...],
};

const verification = await verifyAuthenticationResponse({
  // ...
  authenticator,
});


After:


import { WebAuthnCredential } from '@&#8203;simplewebauthn/types';

const credential: WebAuthnCredential = {
  id: ...,
  publicKey: ...,
  counter: 0,
  transports: [...],
};

const verification = await verifyAuthenticationResponse({
  // ...
  credential,
});


v10.0.1


Compare Source


Packages



Changes


    

  • [server] isoCrypto.verify() now has better support for signature verification with ECC
    
public keys using P-256, P-385, and P-521 curves
    
(#​594, with thanks to @​nlordell)
    • 



v10.0.0


Compare Source


Thanks for everything, Node 16 and Node 18, but it's time to move on! The headlining change of this

release is the targeting of Node LTS v20+ as the minimum Node runtime. Additional developer-centric

quality-of-life changes have also been made in the name of streamlining use of SimpleWebAuthn on

both the back end and front end.


This release is packed with updates, so buckle up! Refactor advice for breaking changes is, as

always, offered below.


Packages



Changes


    

  • [server] The minimum supported Node version has been raised to Node v20
    
(#​531)
    • 

  • [server] user.displayName now defaults to an empty string if a value is not specified for
    
userDisplayName when calling generateRegistrationOptions()
    
(#​538)
    • 

  • [browser] The browserSupportsWebAuthnAutofill() helper will no longer break in environments
    
in which PublicKeyCredential is not present
    
(#​557, with thanks to @​clarafitzgerald)
    • 



Breaking Changes


    

  • [server] The following breaking changes were made in PR
    
#​529:

      

    • generateRegistrationOptions() now expects Base64URLString for excluded credential IDs
      • 

    • generateAuthenticationOptions() now expects Base64URLString for allowed credential IDs
      • 

    • credentialID returned from response verification methods is now a Base64URLString
      • 

    • AuthenticatorDevice.credentialID is now a Base64URLString
      • 

    • isoBase64URL.isBase64url() is now called isoBase64URL.isBase64URL()
      • 

    

    • 

  • [browser, server] The following breaking changes were made in PR
    
#​552:

      

    • generateRegistrationOptions() now accepts an optional Uint8Array instead of a string for
      
userID
      • 

    • isoBase64URL.toString() and isoBase64URL.fromString() have been renamed
      • 

    • generateRegistrationOptions() will now generate random user IDs
      • 

    • user.id is now treated like a base64url string in startRegistration()
      • 

    • userHandle is now treated like a base64url string in startAuthentication()
      • 

    

    • 

  • [server] rpID is now a required argument when calling generateAuthenticationOptions()
    
(#​555)
    • 





[server] generateRegistrationOptions() now expects Base64URLString for excluded credential IDs


The isoBase64URL helper can be used to massage Uint8Array credential IDs into base64url strings:


Before


const opts = await generateRegistrationOptions({
  // ...
  excludeCredentials: devices.map((dev) => ({
    id: dev.credentialID, // type: Uint8Array
    type: 'public-key',
    transports: dev.transports,
  })),
});


After


import { isoBase64URL } from '@&#8203;simplewebauthn/server/helpers';

const opts = await generateRegistrationOptions({
  // ...
  excludeCredentials: devices.map((dev) => ({
    id: isoBase64URL.fromBuffer(dev.credentialID), // type: string
    transports: dev.transports,
  })),
});


The type argument is no longer needed either.




[server] generateAuthenticationOptions() now expects Base64URLString for allowed credential IDs


Similarly, the isoBase64URL helper can also be used during auth to massage Uint8Array credential

IDs into base64url strings:


Before


const opts = await generateAuthenticationOptions({
  // ...
  allowCredentials: devices.map((dev) => ({
    id: dev.credentialID, // type: Uint8Array
    type: 'public-key',
    transports: dev.transports,
  })),
});


After


import { isoBase64URL } from '@&#8203;simplewebauthn/server/helpers';

const opts = await generateAuthenticationOptions({
  // ...
  allowCredentials: devices.map((dev) => ({
    id: isoBase64URL.fromBuffer(dev.credentialID), // type: Base64URLString (a.k.a string)
    transports: dev.transports,
  })),
});


The type argument is no longer needed either.




[server] credentialID returned from response verification methods is now a Base64URLString


It is no longer necessary to manually stringify credentialID out of response verification methods:


Before


import { isoBase64URL } from '@&#8203;simplewebauthn/server/helpers';

// Registration
const { verified, registrationInfo } = await verifyRegistrationResponse({ ... });
if (verified && registrationInfo) {
  const { credentialID } = registrationInfo;
  await storeInDatabase({ credIDString: isoBase64URL.fromBuffer(credentialID), ... });
}

// Authentication
const { verified, authenticationInfo } = await verifyAuthenticationResponse({ ... });
if (verified && authenticationInfo) {
  const { newCounter, credentialID } = authenticationInfo;
  dbAuthenticator.counter = authenticationInfo.newCounter;
  await updateCounterInDatabase({
    credIDString: isoBase64URL.fromBuffer(credentialID),
    newCounter,
  });
}


After


// Registration
const { verified, registrationInfo } = await verifyRegistrationResponse({ ... });
if (verified && registrationInfo) {
  const { credentialID } = registrationInfo;
  await storeInDatabase({ credIDString: credentialID, ... });
}

// Authentication
const { verified, authenticationInfo } = await verifyAuthenticationResponse({ ... });
if (verified && authenticationInfo) {
  const { newCounter, credentialID } = authenticationInfo;
  dbAuthenticator.counter = authenticationInfo.newCounter;
  await updateCounterInDatabase({ credIDString: credentialID, newCounter });
}




[server] AuthenticatorDevice.credentialID is now a Base64URLString


Calls to verifyAuthenticationResponse() will need to be updated to encode the credential ID to a

base64url string:


Before


const verification = await verifyAuthenticationResponse({
  // ...
  authenticator: {
    // ...
    credentialID: credIDBytes,
  },
});


After


import { isoBase64URL } from '@&#8203;simplewebauthn/server/helpers';

const verification = await verifyAuthenticationResponse({
  // ...
  authenticator: {
    // ...
    credentialID: isoBase64URL.fromBuffer(credIDBytes),
  },
});




[server] isoBase64URL.isBase64url() is now called isoBase64URL.isBase64URL()


Note the capitalization change from "url" to "URL" in the method name. Update calls to this method

accordingly.




[server] generateRegistrationOptions() will now generate random user IDs


[browser] user.id is now treated like a base64url string in startRegistration()


[browser] userHandle is now treated like a base64url string in startAuthentication()


A random identifier will now be generated when a value is not provided for the now-optional userID

argument when calling generateRegistrationOptions(). This identifier will be base64url-encoded

string of 32 random bytes. RPs that wish to take advantage of this can simply omit this

argument.


Additionally, startRegistration() will base64url-decode user.id before calling WebAuthn. During

auth startAuthentication() will base64url-encode userHandle in the returned credential. This

should be a transparent change for RP's that simply feed @​simplewebauthn/server options output

into the corresponding @​simplewebauthn/browser methods.


However, RP's that wish to continue generating their own user identifiers will need to take

additional steps to ensure they get back user IDs in the expected format after authentication.


Before (SimpleWebAuthn v9)


// @&#8203;simplewebauthn/server v9.x
const opts = generateRegistrationOptions({
  // ...
  userID: 'randomUserID',
});


// @&#8203;simplewebauthn/browser v9.x
const credential = await startAuthentication(...);
sendToServer(credential);


// @&#8203;simplewebauthn/server v9.x
const credential = await receiveFromBrowser();
console.log(
  credential.response.userhandle, // 'randomUserID'
);


After (SimpleWebAuthn v10)


// @&#8203;simplewebauthn/server v10.x
import { isoUint8Array } from '@&#8203;simplewebauthn/server/helpers';

const opts = generateRegistrationOptions({
  // ...
  userID: isoUint8Array.fromUTF8String('randomUserID'),
});


// @&#8203;simplewebauthn/browser v10.x
const credential = await startAuthentication(...);
sendToServer(credential);


// @&#8203;simplewebauthn/server v10.x
import { isoBase64URL } from '@&#8203;simplewebauthn/server/helpers';

const credential = await receiveFromBrowser();
console.log(
  isoBase64URL.toUTF8String(credential.response.userhandle), // 'randomUserID'
);




[server] isoBase64URL.toString() and isoBase64URL.fromString() have been renamed


The method names have been updated to reflect the use of UTF-8 string encoding:


Before:


const foo = isoBase64URL.toString('...');
const bar = isoBase64URL.fromString('...');


After:


const foo = isoBase64URL.toUTF8String('...');
const bar = isoBase64URL.fromUTF8String('...');




[server] rpID is now a required argument when calling generateAuthenticationOptions()


Update calls to this method to specify the same rpID as passed into

generateRegistrationOptions():


Before


  generateRegistrationOptions({ rpID: 'example.com', ... });
generateAuthenticationOptions();


After


  generateRegistrationOptions({ rpID: 'example.com', ... });
generateAuthenticationOptions({ rpID: 'example.com' });


v9.0.3


Compare Source


Packages



Changes


    

  • [server] Fixed
    
"Cannot find module 'cbor-x/index-no-eval' or its corresponding type declarations" build errors
    
when transpiling TypeScript projects using @​simplewebauthn/server
    
(#​521)
    • 



v9.0.2


Compare Source


Packages



Changes



v9.0.1


Compare Source


Packages



Changes


    

  • [server] Fixed an issue with use with CBOR handling in runtime environments that restrict use
    
of eval() (#​511, with thanks to
    
@​Maronato)
    • 

  • [browser, types] Monorepo version sync
    • 



v9.0.0


Compare Source


Packages



Changes


    

  • [types] The @simplewebauthn/typescript-types package has been renamed to
    
@simplewebauthn/types (#​508)
    • 



Breaking Changes


    

  • Any reference to @simplwebauthn/typescript-types will need to be replaced with the new package
    
name @simplewebauthn/types:
    • 



Before:


import { ... } from '@&#8203;simplwebauthn/typescript-types';


After:


$> npm uninstall @&#8203;simplewebauthn/typescript-types
$> npm install -D @&#8203;simplewebauthn/types


import { ... } from '@&#8203;simplwebauthn/types';


v8.3.7


Compare Source


Packages



Changes


    

  • [browser] The WebAuthnError class can now be imported from @simplewebauthn/browser for
    
simpler error detection and handling when calling startRegistration() and
    
startAuthentication() (#​505, with
    
thanks to @​zoontek)
    • 

  • [server] The COSEPublicKeyEC2, COSEPublicKeyOKP, and COSEPublicKeyRSA types can now be
    
imported from @simplwebauthn/server/helpers to help type possible return values from
    
decodeCredentialPublicKey() (#​504, with
    
thanks to @​mmv08)
    • 

  • [server] Custom challenge strings passed to generateRegistrationOptions() will now be
    
treated as UTF-8 strings to align with the existing behavior of generateAuthenticationOptions()
    
(#​507)
    • 



v8.3.6


Compare Source


Packages



Changes


    

  • [server] Updated dependencies to fix an issue with ASN.1 parsing when calling
    
verifyAuthenticationResponse() (#​499)
    • 



v8.3.5


Compare Source


Packages



Changes


    

  • [server] Use of the Web Crypto API in edge runtimes has been improved
    
(#​472)
    • 



v8.3.4


Compare Source


Packages



Changes


    

  • [server] The library will now try to use globalThis.crypto first before trying to import
    
Node's node:crypto as a fallback (#​468)
    • 

  • [browser, types] Version sync
    • 



v8.3.3


Compare Source


Packages



Changes


    

  • [server, types] deno vendor will no longer error out because typescript-types/src/dom.ts
    
is missing (#​466)
    • 

  • [server] Authenticator data will now be preserved after bad CBOR encoding is detected and
    
temporarily fixed when handling security key responses from Firefox
    
(#​465)
    • 

  • [browser] Version sync due to changes in typescript-types
    • 



v8.3.2


Compare Source


Packages



Changes


    

  • [server] The cbor-x dependency is now used without pulling in the Node-specific stream API
    
for better Web API environment compatibility
    
(#​455, with thanks to @​Maronato)
    • 



v8.2.0


Compare Source


Packages



Changes


    

  • [browser] startRegistration() will no longer error out on registration responses generated
    
by the 1Password browser extension (#​443,
    
with thanks to @​unix)
    • 

  • [browser] Helper methods base64URLStringToBuffer() and bufferToBase64URLString() are now
    
exported from @simplewebauthn/browser
    
(#​444)
    • 

  • [server] verifyRegistrationResponse() and verifyAuthenticationResponse() now accept a new
    
expectedType argument that can be used to, for example, verify Secure Payment Confirmation
    
responses (#​436, with thanks to
    
@​fabiancook)
    • 

  • [server] Responses containing malformed authenticator data returned from Firefox 117 will no
    
longer raise an error (#​441)
    • 



v8.1.1


Compare Source


Packages



Changes


    

  • [server] Debug logger output from MetadataService has been disabled
    
(#​434)
    • 



v8.1.0


Compare Source


Packages



Changes


    

  • [server] The expectedChallenge argument for verifyRegistrationResponse() and
    
verifyAuthenticationResponse() methods now also accept asynchronous methods
    
(#​432, with thanks to @​jordanbtucker)
    • 



v8.0.1


Compare Source


Packages



Changes


    

  • [server] Node projects with "type": "module" in their package.json will no longer error
    
out when trying to use methods that leverage the Crypto APIs
    
(#​428)
    • 



v8.0.0


Compare Source


This major release marks the completion of a long journey that started with the release of v7.0.0:

SimpleWebAuthn is now available for use in non-Node projects! 🎉


SimpleWebAuthn debuted in mid-2020 as a combination of libraries aiming to make WebAuthn simpler to

use across browsers and "NodeJS + CommonJS" applications. Since then NodeJS has evolved to gain ESM

support, and additional JavaScript and TypeScript runtimes have debuted that offer ESM-centric,

TypeScript-first alternatives while also implementing Web APIs to offer a more consistent and

capable execution environment for developers.


I've wanted to make this project available to developers using these Node alternatives to help them

get past some of WebAuthn's rough spots. Today I'm happy to announce that this goal has been

achieved! 😌


See the Changes below for more information, as well as additional information on breaking

changes made in this release.


Packages



Changes


    

  • [server] [typescript-types] SimpleWebAuthn can now also be used in runtimes other than Node.
    
Deno is now a first-class runtime for this project alongside Node
    
(#​425)

      

    • The following list of runtimes are officially supported:


      • 

    • The following list of runtimes are periodically tested but unofficially supported:

        

      • (New) CloudFlare Workers
        • 

      • (New) Bun
        • 

      

      • 

    

    • 

  • [browser] Version sync
    • 



Breaking Changes


    

  • [server] generateRegistrationOptions() and generateAuthenticationOptions() are now
    
asynchronous methods. Refactor calls to these methods to handle the Promise that's now returned
    
in whatever way is appropriate for your project.
    • 

  • [server] generateChallenge() (in @simplewebauthn/server/helpers) is now an asynchronous
    
method. Refactor calls to this method to handle the Promise that's now returned in whatever way
    
is appropriate for your project.
    • 







Configuration


📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).


🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.


Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.


🔕 Ignore: Close this PR and you won't be reminded about this update again.




    

  •  If you want to rebase/retry this PR, check this box
    • 





This PR was generated by Mend Renovate. View the repository job log.


    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



                    

          
        





  





    



      

  
      



  

  @graphite-app






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

        
      

    


    

        



        

    

  


  

    

      
          
      

      
            graphite-app
  bot

      

      

      commented


        Oct 24, 2025


      
    


  





      


        



  
    

      
          
How to use the Graphite Merge Queue


Add either label to this PR to merge it via the merge queue:


    

  • MQ - adds this PR to the back of the merge queue
    • 

  • Hotfix - for urgent hot fixes, skip the queue and merge this PR next
    • 



You must have a Graphite account in order to use the merge queue. Sign up using this link.





An organization admin has enabled the Graphite Merge Queue in this repository.




Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.



      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
      



  

  @coderabbitai






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

        
      

    


    

        

  
    Contributor


        

    

  


  

    

      
          
      

      
            coderabbitai
  bot

      

      

      commented


        Oct 24, 2025


      
    


  





      


        



  
    

      
          


Important


Review skipped


Bot user detected.


To trigger a single review, invoke the @coderabbitai review command.


You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.








Comment @coderabbitai help to get the list of available commands and usage tips.



      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
      



  

  @socket-security






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

        
      

    


    

        



        

    

  


  

    

      
          
      

      
            socket-security
  bot

      

      

      commented


        Oct 24, 2025


      
  

  

    
      

        
          edited
          
        
        
      

    
    
      
  
        
      Loading


  
    
  



    


  





      


        



  
    

      
          
Review the following changes in direct dependencies. Learn more about Socket for GitHub.






Diff
Package
Supply Chain
Security		
Vulnerability
Quality
Maintenance
License





Updated@​simplewebauthn/​server@​7.4.0 ⏵ 13.2.2100 +110088 +491 +1100





View full report



      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
        





      

  
          

  
  

  
      @renovate
  renovate
bot

        force-pushed
    the
        
      
  renovate/simplewebauthn-server-13.x


    
 branch
    from
    6248df5    to
    80cd23e      
    Compare
  



    October 28, 2025 14:18    
    




    

    

      
    

    


      


          @fengmk2
fengmk2




          closed this


      Oct 28, 2025

    

  


    







      

  
      



  

  @renovate






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

        
      

    


    

        

  
    Contributor


        

  Author


    

  


  

    

      
          
      

      
            renovate
  bot

      

      

      commented


        Oct 28, 2025


      
    


  





      


        



  
    

      
          
Renovate Ignore Notification


Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 13.x releases. But if you manually upgrade to 13.x then Renovate will re-enable minor and patch updates automatically.


If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.


      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
          

  
  

  
      @renovate
  renovate
bot

    
    deleted the
    
      
        renovate/simplewebauthn-server-13.x
    
    branch

    October 28, 2025 14:19    
    













  
  

    

      

  










  








  
      

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  










      

  

    
    

    

  

    Reviewers
  


    

    No reviews






    
    

    

  


      
  

    Assignees
  



        


    No one assigned







      


  


  

    Labels
  



    

    None yet







      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
      

  

    

      1 participant
    

    

        
          @fengmk2