fix(deps): update minor-updates-npm

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@babel/preset-typescript (source)	^7.28.5 → ^7.29.7
@credo-ts/core (source)	^0.6.1 → ^0.7.0
@credo-ts/openid4vc (source)	^0.6.1 → ^0.7.0
@eudiplo/sdk-core (source)	^4.1.0 → ^4.4.0
@noble/ciphers (source)	^2.0.1 → ^2.2.0
jose	^6.1.1 → ^6.2.3
ws	^8.18.3 → ^8.21.0

---

Release Notes

babel/babel (@​babel/preset-typescript)

v7.29.7

Compare Source

openwallet-foundation/credo-ts (@​credo-ts/core)

v0.7.0

Compare Source

Minor Changes

• b75f0bf: - Updated the LogLevel enum to use the correct casing
  For migration, use LogLevel.Trace, etc, instead of LogLevel.trace

• cc65c27: - Removed buffer dependency and replaced with @scure/base for base-x encoding/decoding

  • Updated DIDComm attachments to use base64url, not base64
  • Updated tests to make sure urland base64 encoded items use base64url
  • Added fromBase64Url to TypedArrayEncoder and JsonEncoder

  Breaking changes:

  1. TypedArrayEncoder.fromBase64 does not support base64url anymore, please use TypedArrayEncoder.fromBase64Url for that. Same for JsonEncoder
  2. TypedArrayEncoder.fromString has been replaced by TypedArrayEncoder.fromUtf8String to be consistent with TypedArrayEncoder.toUtf8String
  3. Every place where we accepted Buffer as input we now only support Uint8Array as input
  4. TypedArrayEncoder.equals is now constant-time, however I would still hesitate to use it for any private crypto operation 5. Removed Uint8ArrayBuffer type, not used anymore

Patch Changes

• 5056b97: Improved RSA support in X509 certificate chain validation.
• 120cee8: fix: set lowS to false for noble curves after updating to v2
• c1ab9be: feat: support SHA-512 for certificates signed with P-256/P384 keys
• 10a3ce5: fix: typo in asymmetric
• b7aec4e: Fix the parsing of RSA-signed X509 certificates.

v0.6.3

Compare Source

Patch Changes

• 73d2d59: Introduced cursor-based pagination for Drizzle-backed storage with support for before and after cursors. This ensures stable ordering using (createdAt, id) and enables efficient bidirectional pagination for large number of records.

v0.6.2

Compare Source

Patch Changes

• b9bd214: feat: add a (configurable) 30 seconds skew to JWT-based credentials and other JWT object verification. This is to prevent verification errors based on slight deviations in server time. This does not affect non-JWT credentials yet (mDOC, JSON-LD)
• 69acbc3: feat: add a method to create an x509 certificate signing request
• 4a4473c: chore: use sub export for kms module
• 2c15356: fix: correctly extract authority of vc when verifying presentations against DCQL query
• 4989dd9: fix(pex): use found signature suite proof type instead of default
• 0f7171a: chore: updates sd-jwt-js to 0.18.x
• e441cc1: fix: improve did key id resolving. We used startsWith to match, but that has loopholes, and did not correctly handle all relative key ids. We now 'compact' each key id (remove the did prefix) but only if the keyId starts with the did document id, and compares them.
• 1969c67: feat: fetch updated sd-jwt-vc type metadata path for sd-jwt-vc. There is also a new fetchTypeMetadata method in the SdJwtVcApi, allowing to resolve the type metadata for an SD-JWT VC. It will also verify the vct#integrity if available on the credential. Only HTTPS urls are supported at the moment.
• 620bb38: chore: update @sd-jwt/* dependencies to 0.19.x. If you're only using Credo for SD-JWT this has no impact, but if you're using @​sd-jwt directly in your project, it's good to update
• 2073110: fix: correctly extract and store the kms key id for JWK-bound sd-jwt credentials received over openid4vc
• 620bb38: feat: resolve, merge and store type metadata chain for SD-JWT VC

openwallet-foundation/credo-ts (@​credo-ts/openid4vc)

v0.7.0

Compare Source

Minor Changes

• cc65c27: - Removed buffer dependency and replaced with @scure/base for base-x encoding/decoding

  • Updated DIDComm attachments to use base64url, not base64
  • Updated tests to make sure urland base64 encoded items use base64url
  • Added fromBase64Url to TypedArrayEncoder and JsonEncoder

  Breaking changes:

  1. TypedArrayEncoder.fromBase64 does not support base64url anymore, please use TypedArrayEncoder.fromBase64Url for that. Same for JsonEncoder
  2. TypedArrayEncoder.fromString has been replaced by TypedArrayEncoder.fromUtf8String to be consistent with TypedArrayEncoder.toUtf8String
  3. Every place where we accepted Buffer as input we now only support Uint8Array as input
  4. TypedArrayEncoder.equals is now constant-time, however I would still hesitate to use it for any private crypto operation 5. Removed Uint8ArrayBuffer type, not used anymore

Patch Changes

• 944358e: Fix query to find session when using authorization server.
• 0bd4bd0: Set issuance error message based on error, similarly to other places.
• Updated dependencies [5056b97]
• Updated dependencies [b75f0bf]
• Updated dependencies [120cee8]
• Updated dependencies [c1ab9be]
• Updated dependencies [10a3ce5]
• Updated dependencies [cc65c27]
• Updated dependencies [b7aec4e]
  • @​credo-ts/core@​0.7.0

v0.6.3

Compare Source

Patch Changes

• d7c08a1: Adds support for setting a custom expiration for individual credential offers and authorization requests.

• 8f1b343: The state of the issuance session is now correctly updated to 'Error' if an error happens while creating a credential response.

• e2cbb15: Introduces a new callback in the issuer configuration (getChainedAuthorizationRequestParameters),
  which can be used to dynamically provide:

  • The scopes to request to the chained authorization server.
  • Any additional payload to add to the request to the chained authorization server.
  • An allowed list of redirect URIs, if you want to limit to which wallets you're issuing to.

  The following has been changed in OpenId4VciChainedAuthorizationServerConfig:

  • The scopesMapping option is now optional. Either scopesMapping or the new callback
    must be defined in order to fullfil a chained authorization request.
  • A new redirectUris option has been added. This can be used when you want to statically
    define the allowed redirectUris, instead of using the callback. If the callback is
    provided, this option will not be used.

  The option getVerificationSessionForIssuanceSessionAuthorization has been deprecated and replaced with getVerificationSession. Please update your usage.

• 7a79b99: fix: update @​openid4vci package to fix an issue where did-based proofs would not work in OpenID4VCI authorization code flow

• 55389c4: The state of the issuance session is now correctly updated to 'Error' if an error happens while creating a deferred credential response.

• 7f24d03: For new credential deferrals, Credo keeps track of until when the transaction is deferred.
  If the wallet calls the endpoint before the interval has passed by, we automatically
  return a new deferral response with the remaining interval.

• 5358453: Adds an holderBinding object to the OpenId4VcIssuanceSessionRecordTransaction,
  allowing you to easily use the holder binding in the deferred credential response
  endpoint.

  In addition, we now pass the respective transaction to OpenId4VciDeferredCredentialRequestToCredentialMapperOptions
  when called. This simplifies the user logic, since you no longer need to retrieve the transaction manually.

• 020c864: You can now customize the grace period during which an issuance session is kept alive after the deferral interval has passed by defining deferralIntervalGracePeriodInSeconds (default is 7 days).

  Note that this only applies to deferrals happening after upgrading Credo. For sessions deferred before updating Credo, the previous expiry date will remain unless the issuance is deferred once more.

• Updated dependencies [73d2d59]

  • @​credo-ts/core@​0.6.3

v0.6.2

Compare Source

Patch Changes

• df82d40: fix: add alg to OpenID4VP client_metadata jwk for encryption
• b9bd214: feat: add a (configurable) 30 seconds skew to JWT-based credentials and other JWT object verification. This is to prevent verification errors based on slight deviations in server time. This does not affect non-JWT credentials yet (mDOC, JSON-LD)
• 2c15356: fix: correctly extract authority of vc when verifying presentations against DCQL query
• 657ec73: chore: update @​openid4vc package to ^0.4.3. This includes several transformation logic fixes for transforming between drafts, that caused issues for projects updating from Credo 0.5
• 8f63ac3: feat: add support for RFC 9207 OAuth 2.0 Authorization Server Issuer Identification, as required by HAIP/FAPI. For the Credo authorization server this is automatically handled (chained authorization). For external authorization servers this needs to be done manually. For wallets you need to parse the oid4vci authorization response using the new agent.openid4vc.holder.parseAuthorizationCodeFromAuthorizationResponse method.
• 2073110: fix: correctly extract and store the kms key id for JWK-bound sd-jwt credentials received over openid4vc
• 620bb38: feat: resolve, merge and store type metadata chain for SD-JWT VC
• Updated dependencies [b9bd214]
• Updated dependencies [69acbc3]
• Updated dependencies [4a4473c]
• Updated dependencies [2c15356]
• Updated dependencies [4989dd9]
• Updated dependencies [0f7171a]
• Updated dependencies [e441cc1]
• Updated dependencies [1969c67]
• Updated dependencies [620bb38]
• Updated dependencies [2073110]
• Updated dependencies [620bb38]
  • @​credo-ts/core@​0.6.2

openwallet-foundation/eudiplo (@​eudiplo/sdk-core)

v4.4.0

Compare Source

Bug Fixes

• add PostgreSQL SSL cert-path support and SSL e2e coverage (#​702) (9f15ddc)
• move token endpoint under admin api (#​701) (a02bfab)

Features

• audit-log docs cleanup and migrate org references (v2) (#​707) (6c10d5a)

---

This release is also available on:

• v4.4.0
• npm package (@​latest dist-tag)

v4.3.0

Compare Source

Features

• issuer: Add schema metadata management UI and documentation (#​699) (68a3f6c)
• enforce single-use validation for presentation and issuance offers (#​695) (f4a1a01), closes #​503 openwallet-foundation-labs/eudiplo#503
• improve schema metadata workflows and registrar integration (#​700) (91b9b8c)

---

This release is also available on:

• v4.3.0
• npm package (@​latest dist-tag)

v4.2.0

Compare Source

Bug Fixes

• fixing oidf tests (#​683) (b8c5d75)
• improve dashboard and check AC availability (#​690) (d7e73d1)
• mdoc validation (#​689) (a4bf740)
• oid4vp: use accessKeyChainId when building client_id in offer URI (#​691) (8d03d92), closes #​687

Features

• auth: Add external OIDC user management with temporary password onboarding (#​680) (d493708)
• add max retry counter for tx_code validation in OID4VCI pre-authorized code flow (#​692) (cdb79da), closes #​673

---

This release is also available on:

• v4.2.0
• npm package (@​latest dist-tag)

paulmillr/noble-ciphers (@​noble/ciphers)

v2.2.0

Compare Source

• March 2026 self-audit (all files): no major issues found
  • Audited for spec compliance and security
  • Fix: ctr from webcrypto submodule used wrong counter wrapping
  • Fix: MAC no longer corrupts oversized outputs
  • Align CMAC API to other MACs
• Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
  • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
  • This creates incompatibility of code between versions
  • Previously, it was hard to use and constantly emitted errors similar to TS2345
  • See typescript#62240 for more context
• Fix compilation issues on TypeScript v6
• Zeroization improvements by @​ChALkeR in #​67, #​68
• Make package Big Endian friendly. All tests pass on s390x
• Improve tree-shaking, reduce bundle sizes
• Add massive amounts of documentation everywhere

Full Changelog: paulmillr/noble-ciphers@2.1.1...2.2.0

v2.1.1

Compare Source

• Implement AES-SIV by @​overheadhunter in #​62
  • AES-SIV (RFC 5297) is different from AES-GCM-SIV (RFC 8452)
  • Deprecate old siv export in aes.js because it was an alias to gcmsiv
• Publish provenance statement, missed in 2.0.1 due to GitHub bugs

New Contributors

• @​overheadhunter made their first contribution in #​62

Full Changelog: paulmillr/noble-ciphers@2.0.1...2.1.0

panva/jose (jose)

v6.2.3

Compare Source

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

v6.2.2

Compare Source

Fixes

• reject failed decompression with JWEInvalid error (043b181)

v6.2.1

Compare Source

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

v6.2.0

Compare Source

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

v6.1.3

Compare Source

Refactor

• avoid export * as for google closure's compiler sake (6303d98), closes #​832

v6.1.2

Compare Source

Refactor

• fallback to checking instanceof for CryptoKey (901cd90), closes #​765 #​803 #​821 #​827 #​828

websockets/ws (ws)

v8.21.0

Compare Source

v8.20.1

Compare Source

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close()
  (c0327ec).

Providing a TypedArray (e.g. Float32Array) as the reason argument for
websocket.close(), rather than the supported string or Buffer types, caused
uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer(
  { port: 0, skipUTF8Validation: true },
  function () {
    const { port } = wss.address();
    const ws = new WebSocket(`ws://localhost:${port}`, {
      skipUTF8Validation: true
    });

    ws.on('close', function (code, reason) {
      deepStrictEqual(reason, Buffer.alloc(80));
    });
  }
);

wss.on('connection', function (ws) {
  ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

v8.20.0

Compare Source

Features

• Added exports for the PerMessageDeflate class and utilities for the
  Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1).

v8.19.0

Compare Source

Features

• Added the closeTimeout option (#​2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (1998485).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "after 10pm every weekday,before 5am every weekday,every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.