Skip to content

Bump github.com/privacybydesign/irmago from 0.18.1 to 0.19.2#4051

Merged
reinkrul merged 3 commits intomasterfrom
dependabot/go_modules/github.com/privacybydesign/irmago-0.19.2
Mar 26, 2026
Merged

Bump github.com/privacybydesign/irmago from 0.18.1 to 0.19.2#4051
reinkrul merged 3 commits intomasterfrom
dependabot/go_modules/github.com/privacybydesign/irmago-0.19.2

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 5, 2026
edited
Loading

Bumps github.com/privacybydesign/irmago from 0.18.1 to 0.19.2.

Release notes

Sourced from github.com/privacybydesign/irmago's releases.

v0.19.2

Changed

  • Add wildcard support for authorized credentials and attributes in relying party and attestation provider certificates

Fix

  • Bug that caused HTTP request body to not be sent upon retransmission

v0.19.1

Fix

  • Bug in irmaclient that caused attributes to be stored in the wrong order in credential removal logs

v0.19.0

Changed

  • Remove legacy storage from irmaclient
  • Add support for issuing SD-JWT VC together with Idemix over the IRMA protocol to irmaclient and irmaserver
    • Irma servers can opt-in to SD-JWT VC issuance by configuring issuer certificates and private keys for SD-JWT VC
    • SD-JWT VCs are issued in batches of which the size is specified in the issuance request
    • SD-JWT VCs contain key binding public keys for which the private key is stored securely on the client
      • These holder/key binding public keys are provided to the issuer's irma server by the client during the commitments POST request
    • SD-JWT VC issuers are verified via certificates on the new Yivi trust lists, permissions are checked on the client via a custom json field in the certificates
    • Old Client was renamed to IrmaClient and was wrapped in new Client struct together with new OpenID4VPClient
  • Add support for disclosing SD-JWT VC credentials over the OpenID4VP 1.0 protocol to irmaclient
    • Supports both direct_post and direct_post.jwt response modes
    • Supports DCQL queries for credentials that can be found in the schemes, specified by vct_values
    • Supports x509_san_dns client identifier prefix
    • Verifiers are trusted via x509 certificates on the new Yivi trust lists, attribute permissions are checked on the client via a custom json field in these certificates

Fix

  • Solve issue that made log logo paths invalid on iOS after each update/recompilation

Security

  • Fix for CVE GHSA-pv8v-c99h-c5q4 (Next session functionality can be used to do sessions on irma server without proper permissions)
Changelog

Sourced from github.com/privacybydesign/irmago's changelog.

[0.19.2] - 2026-02-26

Fix

  • Bug that caused HTTP request body to not be sent upon retransmission

Changed

  • Add wildcard support for authorized credentials and attributes in relying party and attestation provider certificates

[0.19.1] - 2025-10-13

Fix

  • Bug in irmaclient that caused attributes to be stored in the wrong order in credential removal logs

[0.19.0] - 2025-09-30

Changed

  • Remove legacy storage from irmaclient
  • Add support for issuing SD-JWT VC together with Idemix over the IRMA protocol to irmaclient and irmaserver
    • Irma servers can opt-in to SD-JWT VC issuance by configuring issuer certificates and private keys for SD-JWT VC
    • SD-JWT VCs are issued in batches of which the size is specified in the issuance request
    • SD-JWT VCs contain key binding public keys for which the private key is stored securely on the client
      • These holder/key binding public keys are provided to the issuer's irma server by the client during the commitments POST request
    • SD-JWT VC issuers are verified via certificates on the new Yivi trust lists, permissions are checked on the client via a custom json field in the certificates
    • Old Client was renamed to IrmaClient and was wrapped in new Client struct together with new OpenID4VPClient
  • Add support for disclosing SD-JWT VC credentials over the OpenID4VP 1.0 protocol to irmaclient
    • Supports both direct_post and direct_post.jwt response modes
    • Supports DCQL queries for credentials that can be found in the schemes, specified by vct_values
    • Supports x509_san_dns client identifier prefix
    • Verifiers are trusted via x509 certificates on the new Yivi trust lists, attribute permissions are checked on the client via a custom json field in these certificates

Fix

  • Solve issue that made log logo paths invalid on iOS after each update/recompilation

Security

  • Fix for CVE GHSA-pv8v-c99h-c5q4 (Next session functionality can be used to do sessions on irma server without proper permissions)
Commits
  • b5eddd2 Merge pull request #521 from privacybydesign/release-0.19.2
  • 9462836 add to changelog
  • b5042f8 prepare release of 0.19.2
  • b093c60 Merge pull request #520 from awesterb/master
  • c6b830d go fmt
  • 7af7f55 fixes transport.go omitting bodies in retries
  • ef27924 adds test showing bug in transport.go: body is omitted from retries
  • cc64c38 Add wildcard support for authorized credentials for RP + AP (#517)
  • 2265f47 Extend SD-JWT validation (#508)
  • b8557d8 Merge pull request #504 from privacybydesign/fix-credential-removal-logs
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 5, 2026
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 5, 2026
@dependabot dependabot bot mentioned this pull request Mar 5, 2026
Closed
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/privacybydesign/irmago-0.19.2 branch from 669b9fb to d02692e Compare March 17, 2026 14:48
@dependabot
Bump github.com/privacybydesign/irmago from 0.18.1 to 0.19.2
3952a75 
Bumps [github.com/privacybydesign/irmago](https://github.com/privacybydesign/irmago) from 0.18.1 to 0.19.2.
- [Release notes](https://github.com/privacybydesign/irmago/releases)
- [Changelog](https://github.com/privacybydesign/irmago/blob/master/CHANGELOG.md)
- [Commits](privacybydesign/irmago@v0.18.1...v0.19.2)

---
updated-dependencies:
- dependency-name: github.com/privacybydesign/irmago
  dependency-version: 0.19.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/privacybydesign/irmago-0.19.2 branch from d02692e to 3952a75 Compare March 22, 2026 08:23
@qltysh
Copy link

qltysh bot commented Mar 25, 2026

Qlty

Coverage Impact

This PR will not change total coverage.

Modified Files with Diff Coverage (1)

RatingFile% DiffUncovered Line #s
Coverage rating: D Coverage rating: D
auth/services/irma/signer.go0.0%108
Total0.0%
🤖 Increase coverage with AI coding...

In the `dependabot/go_modules/github.com/privacybydesign/irmago-0.19.2` branch, add test coverage for this new code:

- `auth/services/irma/signer.go` -- Line 108

🚦 See full report on Qlty Cloud »

🛟 Help

  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@reinkrul reinkrul merged commit 1abf53a into master Mar 26, 2026
9 checks passed
@reinkrul reinkrul deleted the dependabot/go_modules/github.com/privacybydesign/irmago-0.19.2 branch March 26, 2026 07:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reinkrul reinkrul reinkrul approved these changes

@woutslakhorst woutslakhorst Awaiting requested review from woutslakhorst woutslakhorst is a code owner

@gerardsn gerardsn Awaiting requested review from gerardsn gerardsn is a code owner

@stevenvegt stevenvegt Awaiting requested review from stevenvegt stevenvegt is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@reinkrul