Skip to content

chore(deps): bump @owf/mdoc from 0.7.0-alpha-20260605164430 to 0.7.0#142

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/owf/mdoc-0.7.0
Open

chore(deps): bump @owf/mdoc from 0.7.0-alpha-20260605164430 to 0.7.0#142
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/owf/mdoc-0.7.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps @owf/mdoc from 0.7.0-alpha-20260605164430 to 0.7.0.

Changelog

Sourced from @​owf/mdoc's changelog.

0.7.0

Minor Changes

  • 97425f2: Updated MdocContext.mac.sign to MdocContext.mac.authenticate

  • 21abd59: refactor: only allow CoseKey for sign1.verify callback

  • 4a684ee: Return the documents, trustedIssuanceChains, trustedStatusListChains, trustedIdentifierListChains, statusLists and identifierLists to the user after calling verify.

  • 982e9c7: fix: correctly handle detached payload vs payload on sign1 and mac0. The detached payload is not available on the Sign1 and Mac0 classes anymore, and should be provided to the method classes directly. Detached payload cannot be provided anymore when embedded payload is already present. The mac0 and sign1 structures are not passed anymore to the context, but the already encoded data is provided.

  • 6e82f06: trustedCertificates now has been changed into an array of objects. Where each entry contains {issuance: Uint8Array[], status?: Uint8Array[]}. To migrate, use const newtrustedCertificates = [{issuance: oldTrustedCertificates}]

  • 9008cf5: feat: implement identifier-list revocation (ISO 18013-5 2nd ed § 12.3.6).

    • Adds IdentifierList, IdentifierListCwtPayload, IdentifierListCwt modelling the spec's CDDL with CborStructure + typedMap schemas. IdentifierList carries identifiers: { Identifier => IdentifierInfo } with optional aggregation_uri and RFU keys. includes() uses compareBytes from @owf/identity-common.
    • New enums: IdentifierListCwtClaimKey (claim 65530), CwtClaimKey (Typ = 16, RFC 9596), MediaTypes (IdentifierListCwt = "application/identifierlist+cwt").
    • IdentifierListCwt wraps @owf/cose's Cwt; verifySignature delegates to cwt.asSign1.verifySignature. fromBytes enforces § 12.3.6.4: StatusList claim must be absent; typ claim must equal application/identifierlist+cwt; payload schema requires exp.
    • Wires the identifier-list path into IssuerAuth.verifyStatus alongside the existing status-list path. When the MSO carries both mechanisms, both are verified. The identifier-list branch extracts the x5chain from the CWT's protected header, validates the chain against trustedStatusCertificates, derives the public key via ctx.x509.getPublicKey, verifies the signature via ctx.cose.sign1.verify, and throws when the identifier appears in the list. New error types: UnableToExtractX5ChainFromIdentifierListError, InvalidIdentifierListSignatureError.
    • IssuerAuth.verifyStatus now returns Promise<void> (was Promise<Uint8Array | undefined>) — the matched-cert concept doesn't carry meaning for the status / identifier list paths the way it does for the mdoc issuer chain. IssuerAuth.verify / IssuerSigned.verify / Holder.verify / DeviceResponse.verify drop trustedStatusCertificate from their return values for the same reason. Returning the full verified chain for audit / compliance is left as a future enhancement.
  • d09d284: feat: add IsoMdocDcApiHandover for the ISO 18013-7 Annex C org-iso-mdoc DC API protocol, with a SessionTranscript.forIsoMdocDcApi factory. Shape: [ "dcapi", SHA-256(CBOR([encInfoB64u, origin])) ]. Distinct from the OpenID4VP DC API handover; needed when verifying responses from a wallet that answered an org-iso-mdoc request (the only protocol Safari on iOS 26 supports).

  • 21abd59: only allow CoseKey as return value for getPublicKey

Patch Changes

  • cde2491: Fix deviceSignature emitting a malformed kid header ({ 4: undefined }) when the device signing key has no keyId. DeviceResponse.create now only sets the kid unprotected header when a keyId is present, matching DeviceSignedBuilder.
  • 6dc5052: Constrain generated DigestID values to [0, 2^31 - 1] as mandated by ISO/IEC 18013-5 §12.3.4. randomUnsignedInteger previously used >>> 0, producing values in [0, 2^32 - 1]; the most significant bit is now masked off so parsers that deserialize digestID into a signed/u31 range no longer fail with a CBOR decoding error.
  • 5f0b6b6: feat: add support for Node 26
  • d22e526: - Check signature on CWT status list, jwt is not checked yet.
    • Allow to pass in trustedRevocationCertificates to verify the leaf cert for the status list
    • X5Chain is now added to the protectedheaders instead of the unprotectedheaders
  • f1cd55f: fix: resolve bug in selecting status cert based on issuance cert
  • d0575f0: Bump @owf/cose, @owf/identity-common, and @owf/token-status-list to 0.3.0-alpha-20260605053037, and encode the COSE kid header (label 4) as a byte string per RFC 8152. The new @owf/cose typed-header schema rejects the text-string form previously emitted; bytes was always the spec-compliant encoding.
  • cfbf104: chore: update to stable 0.3.x versions of @​owf libraries

0.6.0

Minor Changes

  • f79518c: feat: support more than one certificate in the certificate chain when signing an mdoc. The certificate parameter has been renamed to certificates and now expects an array with at least one certificate.

  • 153111e: - Major rework of the library, primairly the underlying CBOR structures

    • Includes an Issuer, Holder and Verifier class that should make it easier to issue, hold and verify mDocs
    • More aligned with the specification, w.r.t. naming conventions
    • Simplified additions/modifitcations, so adding newer features will be a lot simpler
  • fd7cc00: feat: add new openid4vp session transcript calculation methods.

    NOTE that this introduces breaking chnages since calculateSessionTranscriptBytesForOid4VpDcApi has been renamed to calculateSessionTranscriptBytesForOid4VpDcApiDraft24. The calculateSessionTranscriptBytesForOid4VpDcApi method is now used for the latest (draft29/1.0) session transcript structure.

    In addtion, calculateSessionTranscriptBytesForOid4Vp has been renamed to calculateSessionTranscriptBytesForOid4VpDraft18. The calculateSessionTranscriptBytesForOid4Vp method is now used for the latest (draft29/1.0) session transcript structure.

  • 2d5163f: The library has been rewritten to stay closer to the original encoding of cbor structures, which allows for more deterministic re-encoding, and prevents issues with using e.g. numbers in Maps (will become strings). The biggest change is that the constructor of all cbor structures should not be used anymore, and instead you should call Class.create. This will properly handle the transformation from user-facing options into the CBOR structure. The constructor is also used for decoding from different formats (e.g. after cborDecode, after validation, etc..), so you SHOULD NOT use these directly as it bypasses validation.

    The output of created mDOCs might be slightly different, but parsing has been implemented with some backwards compatibility in mind to ensure interoperability with 0.5 of this library. Due to the improved validation, there is stricter checking whether the CBOR matches the COSE and mDOC specification. This might cause small issues with other implementations, but the test vectors in this repository compare against several other implementations. Please raise issues if you do encounter any issues.

... (truncated)

Commits
  • f180670 chore(release): new version (#190)
  • 79c9ed4 ci: bump actions/checkout from 6 to 7 (#220)
  • c70034f chore(deps): bump the patch-updates group across 1 directory with 50 updates ...
  • 6dc5052 fix: digest generation (#222)
  • 4a684ee docs(changeset): Return the documents, trustedIssuanceChains, `trustedSta...
  • 86672d7 feat: return information about the verification process to the user
  • 4bbbe0d chore(verify): return more info to the user
  • cfbf104 chore: update to stable identity common libraries (#217)
  • f1cd55f fix: status cert selection (#216)
  • 673f894 chore(deps): bump the patch-updates group across 1 directory with 27 updates ...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@owf/mdoc](https://github.com/openwallet-foundation-labs/mdoc-ts) from 0.7.0-alpha-20260605164430 to 0.7.0.
- [Release notes](https://github.com/openwallet-foundation-labs/mdoc-ts/releases)
- [Changelog](https://github.com/openwallet-foundation-labs/mdoc-ts/blob/main/CHANGELOG.md)
- [Commits](openwallet-foundation-labs/mdoc-ts@v0.7.0-alpha-20260605164430...v0.7.0)

---
updated-dependencies:
- dependency-name: "@owf/mdoc"
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file npm labels Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file npm

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants