Security review of WebAuthn library dependencies
Closed, Resolved (Public)

Assigned To
Authored By
Reedy
Jul 4 2019, 12:18 AM

Description

For web-auth/webauthn-lib v2.1.5

  • beberlei/assert (v3.2.3)
  • fgrosse/phpasn1 (v2.1.1)
  • nyholm/psr7 (1.2.0)
  • paragonie/random_compat (v9.99.99) (replaced away)
  • php-http/message-factory (v1.0.2)
  • psr/http-client (1.0.0)
  • psr/http-factory (1.0.1)
  • psr/http-message (1.0.1)
  • ramsey/uuid (3.8.0)
  • spomky-labs/base64url (v2.0.1)
  • spomky-labs/cbor-php (v1.0.7)
  • symfony/polyfill-ctype (v1.12.0) (replaced in mediawiki/vendor)
  • web-auth/cose-lib (v2.1.5)
  • web-auth/metadata-service (v2.1.5)
  • web-auth/webauthn-lib (v2.1.5)

Event Timeline

Reedy updated the task description.
Reedy renamed this task from Security review of WebAuthn dependancies to Security review of WebAuthn library dependancies. Jul 4 2019, 12:28 AM
Reedy changed the task status from Open to Stalled.

Doesn't seem to want to draw me an updated graph :(

As an aside, I'm poking the various dependencies to add/update their .gitattributes to reduce the number of files we're bringing in with this.

reedy@ubuntu64-web-esxi:/var/www/wiki/mediawiki/extensions/WebAuthn$ composer install --no-dev
Loading composer repositories with package information
Updating dependencies
Package operations: 12 installs, 0 updates, 0 removals
  - Installing symfony/polyfill-ctype (v1.12.0): Loading from cache
  - Installing paragonie/random_compat (v9.99.99): Loading from cache
  - Installing ramsey/uuid (3.8.0): Loading from cache
  - Installing beberlei/assert (v3.2.3): Loading from cache
  - Installing thecodingmachine/safe (v0.1.16): Loading from cache
  - Installing fgrosse/phpasn1 (v2.1.1): Loading from cache
  - Installing web-auth/cose-lib (v2.0.3): Loading from cache
  - Installing spomky-labs/base64url (v2.0.1): Loading from cache
  - Installing spomky-labs/cbor-php (v1.0.7): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing psr/http-factory (1.0.1): Loading from cache
  - Installing web-auth/webauthn-lib (v2.0.3): Loading from cache
Writing lock file
Generating autoload files

Latest

reedy@ubuntu64-web-esxi:/var/www/wiki/mediawiki/extensions/WebAuthn$ composer install --no-dev
Loading composer repositories with package information
Updating dependencies
Package operations: 15 installs, 0 updates, 0 removals
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing psr/http-factory (1.0.1): Loading from cache
  - Installing psr/http-client (1.0.0): Loading from cache
  - Installing web-auth/metadata-service (v2.1.5): Loading from cache
  - Installing beberlei/assert (v3.2.3): Loading from cache
  - Installing fgrosse/phpasn1 (v2.1.1): Loading from cache
  - Installing web-auth/cose-lib (v2.1.5): Loading from cache
  - Installing spomky-labs/base64url (v2.0.1): Loading from cache
  - Installing spomky-labs/cbor-php (v1.0.7): Loading from cache
  - Installing symfony/polyfill-ctype (v1.12.0): Loading from cache
  - Installing paragonie/random_compat (v9.99.99): Loading from cache
  - Installing ramsey/uuid (3.8.0): Loading from cache
  - Installing php-http/message-factory (v1.0.2): Loading from cache
  - Installing nyholm/psr7 (1.2.0): Loading from cache
  - Installing web-auth/webauthn-lib (v2.1.5): Loading from cache
Writing lock file
Generating autoload files

paragonie/random_compat shouldn't be needed; we should be able to replace it out (comment to be left in Gerrit).

Reedy changed the task status from Stalled to Open. Sep 4 2019, 4:51 PM

Not sure why it was marked as stalled for so long... Stuff is definitely going on behind the scenes ;)

Hmm. We already have guzzlehttp/psr7 and this brings in nyholm/psr7 :(

Krinkle renamed this task from Security review of WebAuthn library dependancies to Security review of WebAuthn library dependencies. Oct 12 2019, 4:50 PM