fix(deps): update dependency @simplewebauthn/browser to v13

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@simplewebauthn/browser (source)	11.0.0 → 13.2.2

---

Release Notes

MasterKale/SimpleWebAuthn (@​simplewebauthn/browser)

v13.2.2

Compare Source

Changes

• [browser] [server] In the spirit of contributing to
  increased software supply chain transparency, both
  libraries are now published via GitHub Actions workflows. Package listings on
  JSR and
  NPM feature build transparency logs at the
  bottom of their respective pages (#​725,
  #​726,
  #​727)

v13.2.0

Compare Source

Changes

• [server] The return value from verifyRegistrationResponse() has been defined more strictly
  to communicate that registrationInfo will only ever be present if verified is true
  (#​715)
• [server] verifyRegistrationResponse() can now verify attestations containing SHA256 hashes
  by using EC public keys with the P-384 curve
  (#​721)
• [server] The Android SafetyNet "CTS profile match" system integrity check can now be disabled
  by setting attestationSafetyNetEnforceCTSCheck: false when calling
  verifyRegistrationResponse(). This check remains enforced by default
  (#​722)
• [browser] [server] These libraries now have better support in Deno 2.2+ projects which use
  generic typing for Uint8Array via TypeScript 5.7.
  SimpleWebAuthn values of type Uint8Array_ are equivalent to Uint8Array in Deno 2.1 and
  earlier, and Uint8Array<ArrayBuffer> in Deno 2.2 and later.
  (#​717)

v13.1.2

Compare Source

Changes

• [browser] [server] Exported the ResidentKeyRequirement type to help with type inference
  (#​704)

v13.1.0

Compare Source

Changes:

• [server] The cross-fetch dependency has been removed from the project to silence in the
  console DeprecationWarning's about a "punycode" module
  (#​661)
• [browser] startRegistration() and startAuthentication() will now warn about calls made
  using the pre-v11 call structure to encourage refactoring to use the current call structure, but
  still try to handle such calls the best they can
  (#​664)

v13.0.0

Compare Source

Hot on the heels of the last major release, v13 introduces support for registration hints! Refined
types and improved attestation trust anchor verification are also included. Last but not least, we
say goodbye to one of the project's packages for better docs and fewer dependencies to install. Read
on for more information, including refactor advice for dealing with the retirement of
@​simplewebauthn/types.

Changes:

• [server] A new preferredAuthenticatorType argument can be set when calling
  generateRegistrationOptions() to generate options that encourage the browser to direct the user
  to register one of three types of authenticators: 'securityKey', 'localDevice', or
  'remoteDevice' (a.k.a. opinionated
  WebAuthn hints
  support) (#​653)
• [browser] startRegistration() will recognize hints if specified in optionsJSON
  (#​652)
• [server] Attestation verification now recognizes intermediate certificates as trust anchors
  (#​650)
• [browser] [server] The types previously maintained in the types package are now included
  within the browser and server packages. See Breaking Changes below for more info
  (#​655)

Breaking Changes

@​typescript/types is being retired

Its types will now be included directly in @​simplewebauthn/browser and
@​simplewebauthn/server.

To refactor existing imports from /types, simply import them from /browser or /server
instead:

Before:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@&#8203;simplewebauthn/types'; // <--

After:

import type {
  AuthenticationResponseJSON,
  RegistrationResponseJSON,
  WebAuthnCredential,
} from '@&#8203;simplewebauthn/server'; // <--

---

[server] attestationType no longer accepts 'indirect'

The benefits of indirect attestation are too minimal to be useful for Relying Parties. In practice
it is almost never used over ignoring the concept completely with 'none' or needing to be
intentional and setting 'direct'.

RP's that have been specifying attestationType: 'indirect' when calling
generateRegistrationOptions() will need to refactor their code to either omit
attestationType (generateRegistrationOptions() will default to attestationType: 'none') or set
attestationType: 'direct' instead:

Before:

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'indirect',
});

After:

const options = await generateRegistrationOptions({
  // ...
});

-or-

const options = await generateRegistrationOptions({
  // ...
  attestationType: 'direct',
});

v12.0.0

Compare Source

All SimpleWebAuthn packages are now available for installation from the
JavaScript Registry (JSR)! JSR is an "open-source package registry
for modern JavaScript and TypeScript" - you can read more about this new package registry and its
ESM-centric capabilities here.

All packages in v12.0.0 are functionally identical to v11.0.0! And JSR package hosting is in
addition to existing package hosting on NPM. Nothing changes about package installation via
npm install. Read on for more information.

Packages

• @​simplewebauthn/browser@​12.0.0
• @​simplewebauthn/server@​12.0.0
• @​simplewebauthn/types@​12.0.0

Changes

• [browser] [server] [types] All packages can now be installed from JSR wherever JSR
  imports are supported (#​634)
• [browser] Deno projects using frameworks like Fresh can now import and use
  @​simplewebauthn/browser (#​634)

To install from JSR, use npx jsr add @​simplewebauthn/... or deno add jsr:@​simplewebauthn/...
depending on which package manager is available.

Projects using npm for package management:

npx jsr add @​simplewebauthn/browser

npx jsr add @​simplewebauthn/server

npx jsr add @​simplewebauthn/types

Projects using deno for package management:

deno add jsr:@​simplewebauthn/browser

deno add jsr:@​simplewebauthn/server

deno add jsr:@​simplewebauthn/types

Projects using HTTPS modules via deno.land/x:

v12.0.0 officially deprecates importing SimpleWebAuthn from deno.land/x. See Breaking Changes
below for refactor guidance.

Breaking Changes

Importing SimpleWebAuthn packages from "https://deno.land/x/simplewebauthn/..." URLs is no longer
supported. Please use Deno's native support for JSR imports instead, available in projects running
Deno v1.42 and higher.

Before:

import { generateAuthenticationOptions } from 'https://deno.land/x/simplewebauthn/deno/server.ts';

After:

import { generateAuthenticationOptions } from 'jsr:@​simplewebauthn/server';

Alternatively, use deno add to install these packages from
JSR:

---

Configuration

📅 Schedule: Branch creation - "every weekday after 2:00 am before 6:00 am,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
opencollective-frontend	Ready	Preview, Comment	Dec 31, 2025 2:33pm