Release Notes for 5.3.5

5.3.x bugfix release (patch)

Security Fix

• Hardened SimpleFakeCredentialGenerator against predictable fake credentials (GHSA-gq4g-fpc9-vjfq, CWE-330/CWE-204, severity: low). When the generator is constructed without a secret, the decoy credential list derives only from the username and becomes reproducible by an unauthenticated requester, weakening the username enumeration protection. The generator now emits a deprecation when no secret is provided; a non-empty secret will be required in 6.0.0. The Symfony bundle already injects kernel.secret, so default deployments are unaffected.

Published @web-auth/webauthn-stimulus to NPM: https://www.npmjs.com/package/@web-auth/webauthn-stimulus/v/5.3.5

Release Notes for 5.3.4

5.3.x bugfix release (patch)

5.3.4

• Total issues resolved: 1
• Total pull requests resolved: 1
• Total contributors: 2

bug

• 901: fix(top-origin): reject cross-origin responses when no validator is configured thanks to @Spomky and @abcang

Published @web-auth/webauthn-stimulus to NPM: https://www.npmjs.com/package/@web-auth/webauthn-stimulus/v/5.3.4

Release Notes for 5.3.3

5.3.x bugfix release (patch)

5.3.3

• Total issues resolved: 3
• Total pull requests resolved: 3
• Total contributors: 4

DX

• 896: fix(creation-profiles): default rp.name to rp.id when empty (#893) thanks to @Spomky and @ehymel

enhancement

• 895: feat(stimulus): ship TypeScript type declarations (.d.ts) thanks to @Spomky and @skmedix

bug

• 888: How should integrators support android:apk-key-hash:... origins in 5.3+? thanks to @LauJosefsen

• 874: fix(stimulus): drop assets/controllers.json from the install path thanks to @Spomky

Published @web-auth/webauthn-stimulus to NPM: https://www.npmjs.com/package/@web-auth/webauthn-stimulus/v/5.3.3

Release Notes for 5.3.2

5.3.x bugfix release (patch)

5.3.2

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

bug

• 872: Remove length specification from publicKeyCredentialId thanks to @fritzmg

Published @web-auth/webauthn-stimulus to NPM: https://www.npmjs.com/package/@web-auth/webauthn-stimulus/v/5.3.2

Release Notes for 5.3.1

5.3.x bugfix release (patch)

5.3.1

• Total issues resolved: 1
• Total pull requests resolved: 2
• Total contributors: 2

DX

• 844: docs(stimulus): recommend the npm package install path thanks to @Spomky

bug

• 843: fix(stimulus): restore AssetMapper path + add canonical importmap name (#842) thanks to @Spomky and @ehymel

Published @web-auth/webauthn-stimulus to NPM: https://www.npmjs.com/package/@web-auth/webauthn-stimulus/v/5.3.1

Release Notes for 5.3.0

Feature release (minor)

5.3.0

• Total issues resolved: 19
• Total pull requests resolved: 32
• Total contributors: 16

compliance,feature

• 839: feat: support Conditional Create mediation for auto-register flows (#831) thanks to @Spomky and @andyexeter
• 745: feat: deprecate PublicKeyCredentialRpEntity name property and update related tests thanks to @Spomky

bug

• 838: fix: complete CredentialRecord migration and restore 5.2.x BC (#827, #832, #833) thanks to @Spomky

• 771: fix: update asset folder path in WebauthnStimulusBundle configuration thanks to @Spomky

• 828: fix: remove duplicate Doctrine XML mapping for deprecated PublicKeyCredentialSource thanks to @yoav-ebp and @developeregrem

• 819: fix: derive compound attestation type from nested types thanks to @Spomky

• 765: refactor: improve test method names and update PHPUnit configuration thanks to @Spomky

• 741: Remove unused functions and enhance PHPQA integration thanks to @Spomky

enhancement

• 815: fix: harden ClientOverridePolicy defaults thanks to @Spomky
• 787: feat: expose hide_existing_credentials in bundle registration section (#786) thanks to @tomasz-kusy
• 779: Most denormalisers do not validate input thanks to @driskell
• 777: chore: simplify metadata statement check thanks to @zll600
• 770: feat: add nullable request parameter to creation and request options handlers thanks to @Spomky
• 767: feat: implement passkey endpoints with controller and configuration thanks to @Spomky and @94noni
• 762: feat: add backup eligibility and status events to authenticator response validation thanks to @Spomky
• 761: feat: add requireResidentKey property for backward compatibility with WebAuthn Level 3 spec thanks to @Spomky
• 760: feat: initialize NPM package and add publishing workflow thanks to @Spomky and @skmedix
• 751: PKCS => Credential Record thanks to @Spomky and @kopeboy
• 750: feat: add hints support to PublicKeyCredential options and update related tests thanks to @Spomky and @tgr
• 748: Conditional create thanks to @Spomky and @joostdebruijn
• 720: feat: add webauthn signal api serializers thanks to @joostdebruijn
• 507: Secure Payment Request thanks to @Spomky

DX,enhancement,feature

• 805: feat: Add granular client override policy system for WebAuthn options thanks to @Spomky and @AlbertShtein

DX,enhancement

• 804: refactor: make PublicKeyCredentialSource extend CredentialRecord thanks to @Spomky
• 747: New Stimulus Controllers thanks to @Spomky

DX

• 769: feat: add workflow to auto-switch default branch on new tags thanks to @Spomky
• 746: feat: deprecate createFormJson method with no replacement thanks to @Spomky and @JotJunior
• 743: Remove TS in favor of JS thanks to @Spomky

dependencies

• 766: feat: update doctrine bundle configuration and dependencies for compatibility thanks to @Spomky
• 764: feat: update doctrine/doctrine-bundle requirement to support version 3.0 thanks to @Spomky
• 763: feat: update Symfony dependencies to support version 8.0 thanks to @Spomky

feature

• 749: feat: implement Compound Attestation Statement support and related interfaces thanks to @Spomky

compliance,enhancement

• 744: feat: add new authenticator transport constants and deprecate AUTHENTICATOR_TRANSPORT_CABLE thanks to @Spomky

DX,dependencies

• 729: Fix Symfony 7.3 depreciation of VoterInterface thanks to @simonsolutions

Published @web-auth/webauthn-stimulus to NPM: https://www.npmjs.com/package/@web-auth/webauthn-stimulus/v/5.3.0

Release Notes for 5.2.6

5.2.x bugfix release (patch)

5.2.6

• Total issues resolved: 2
• Total pull requests resolved: 2
• Total contributors: 3

bug

• 822: fix: normalize host-only allowed origins to https:// scheme thanks to @Spomky and @zll600
• 821: fix: pass topOriginValidator to CheckTopOrigin in requestCeremony() thanks to @Spomky and @wnnawalaniec

Release Notes for 5.2.5

5.2.x bugfix release (patch)

5.2.5

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

bug

• 820: fix: enforce HTTPS scheme check in CheckAllowedOrigins fallback path thanks to @Spomky

Release Notes for 5.2.4

Security Fix

• Fixed origin validation bypass in CheckAllowedOrigins (GHSA-f7pm-6hr8-7ggm, CWE-346, CVSS 5.4)

  When allowed_origins was configured, CheckAllowedOrigins reduced URL origins to their host component only, ignoring scheme and port. This allowed a request from a different port (or scheme) to pass origin validation, violating the WebAuthn Level 2 spec requirement for exact origin matching.

  CheckAllowedOrigins now performs full origin comparison (scheme + host + port) with default port normalization (443 for HTTPS, 80 for HTTP). Origins configured without a scheme are still matched by host only for backward compatibility.

  Reported by @dorakemon.

Upgrade

composer update web-auth/webauthn-framework
# or
composer update web-auth/webauthn-lib web-auth/webauthn-symfony-bundle

Release Notes for 4.9.3

4.9.x bugfix release (patch)

4.9.3

• Total issues resolved: 0

• Total pull requests resolved: 1

• Total contributors: 1

• 807: AuthenticatorAssertionResponseValidator: Add missing word from deprecation message thanks to @reedy