Release 2.5.1

Changes:

- Dropped dependency on COSE-Java.
- Fixed incompatibility with Jackson version 2.17.0-rc1.

.github/workflows/coverage.yml

@@ -3,7 +3,9 @@ name: Test coverage
 
 on:
   push:
-    branches: [main]
+    branches:
+    - main
+    - 'release-*'
 
 jobs:
   test:
@@ -45,6 +47,7 @@ jobs:
         sed "s/{shortcommit}/${GITHUB_SHA:0:8}/g;s/{commit}/${GITHUB_SHA}/g;s#{repo}#${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}#g" .github/workflows/coverage/index.html.template > build/gh-pages/index.html
 
     - name: Create coverage badge
+      if: ${{ github.ref == 'refs/heads/main' }}
       # This creates a file that defines a [Shields.io endpoint badge](https://shields.io/endpoint)
       # which we can then include in the project README.
       uses: ./.github/actions/pit-results-badge
@@ -69,6 +72,7 @@ jobs:
         prev-mutations-file: prev-mutations.xml
 
     - name: Push to GitHub Pages
+      if: ${{ github.ref == 'refs/heads/main' }}
       run: |
         git config user.name github-actions
         git config user.email [email protected]

NEWS

@@ -1,3 +1,11 @@
+== Version 2.5.1 ==
+
+Changes:
+
+* Dropped dependency on COSE-Java.
+* Fixed incompatibility with Jackson version 2.17.0-rc1.
+
+
 == Version 2.5.0 ==
 
 `webauthn-server-core`:

build.gradle

@@ -34,7 +34,6 @@ dependencies {
   constraints {
     api(constraintLibs.bundles.jackson)
     api(constraintLibs.cbor)
-    api(constraintLibs.cose)
     api(constraintLibs.guava)
     api(constraintLibs.httpclient5)
     api(constraintLibs.slf4j)

doc/releasing.md

@@ -6,13 +6,22 @@ Release candidate versions
 
  1. Make sure release notes in `NEWS` are up to date.
 
- 2. Run the tests one more time:
+ 2. Review the diff from the previous version for any changes to the public API,
+    and adjust the upcoming version number accordingly.
+
+    If any implementation dependencies have been added to method signatures in
+    the public API, including `throws` declarations, change these dependencies
+    from `implementation` to `api` dependency declarations in the relevant
+    Gradle build script. Conversely, remove or downgrade to `implementation` any
+    dependencies no longer exposed in the public API.
+
+ 3. Run the tests one more time:
 
     ```
     $ ./gradlew clean check
     ```
 
- 3. Update the Java version in the [`release-verify-signatures`
+ 4. Update the Java version in the [`release-verify-signatures`
     workflow](https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42).
 
     See the `openjdk version` line of output from `java -version`:
@@ -34,21 +43,21 @@ Release candidate versions
 
     Commit this change, if any.
 
- 4. Tag the head commit with an `X.Y.Z-RCN` tag:
+ 5. Tag the head commit with an `X.Y.Z-RCN` tag:
 
     ```
     $ git tag -a -s 1.4.0-RC1 -m "Pre-release 1.4.0-RC1"
     ```
 
     No tag body needed.
 
- 5. Publish to Sonatype Nexus:
+ 6. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
- 6. Push to GitHub.
+ 7. Push to GitHub.
 
     If the pre-release makes significant changes to the project README, such
     that the README does not accurately reflect the latest non-pre-release
@@ -66,7 +75,7 @@ Release candidate versions
     $ git push origin main 1.4.0-RC1
     ```
 
- 7. Make GitHub release.
+ 8. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Check the pre-release checkbox.
@@ -76,7 +85,7 @@ Release candidate versions
     - Note the JDK version shown by `java -version` in step 3.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
- 8. Check that the ["Reproducible binary"
+ 9. Check that the ["Reproducible binary"
     workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.
 
@@ -86,7 +95,16 @@ Release versions
 
  1. Make sure release notes in `NEWS` are up to date.
 
- 2. Make a no-fast-forward merge from the last (non release candidate) release
+ 2. Review the diff from the previous version for any changes to the public API,
+    and adjust the upcoming version number accordingly.
+
+    If any implementation dependencies have been added to method signatures in
+    the public API, including `throws` declarations, change these dependencies
+    from `implementation` to `api` dependency declarations in the relevant
+    Gradle build script. Conversely, remove or downgrade to `implementation` any
+    dependencies no longer exposed in the public API.
+
+ 3. Make a no-fast-forward merge from the last (non release candidate) release
     to the commit to be released:
 
     ```
@@ -108,13 +126,13 @@ Release versions
     $ git branch -d release-1.4.0
     ```
 
- 3. Remove the "(unreleased)" tag from `NEWS`.
+ 4. Remove the "(unreleased)" tag from `NEWS`.
 
- 4. Update the version in the dependency snippets in the README.
+ 5. Update the version in the dependency snippets in the README.
 
- 5. Update the version in JavaDoc links in the READMEs.
+ 6. Update the version in JavaDoc links in the READMEs.
 
- 6. Update the Java version in the [`release-verify-signatures`
+ 7. Update the Java version in the [`release-verify-signatures`
     workflow](https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml#L42).
 
     See the `openjdk version` line of output from `java -version`:
@@ -134,40 +152,40 @@ Release versions
         java: ["17.0.7"]
     ```
 
- 7. Amend these changes into the merge commit:
+ 8. Amend these changes into the merge commit:
 
     ```
     $ git add NEWS README */README .github/workflows/release-verify-signatures.yml
     $ git commit --amend --reset-author
     ```
 
- 8. Run the tests one more time:
+ 9. Run the tests one more time:
 
     ```
     $ ./gradlew clean check
     ```
 
- 9. Tag the merge commit with an `X.Y.Z` tag:
+10. Tag the merge commit with an `X.Y.Z` tag:
 
     ```
     $ git tag -a -s 1.4.0 -m "Release 1.4.0"
     ```
 
     No tag body needed since that's included in the commit.
 
-10. Publish to Sonatype Nexus:
+11. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository
     ```
 
-11. Push to GitHub:
+12. Push to GitHub:
 
     ```
     $ git push origin main 1.4.0
     ```
 
-12. Make GitHub release.
+13. Make GitHub release.
 
     - Use the new tag as the release tag.
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat
@@ -176,6 +194,6 @@ Release versions
     - Note the JDK version shown by `java -version` in step 6.
       For example: `openjdk version "17.0.7" 2023-04-18`.
 
-13. Check that the ["Reproducible binary"
+14. Check that the ["Reproducible binary"
     workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.

settings.gradle.kts

@@ -15,7 +15,6 @@ dependencyResolutionManagement {
     versionCatalogs {
         create("constraintLibs") {
             library("cbor", "com.upokecenter:cbor:[4.5.1,5)")
-            library("cose", "com.augustcellars.cose:cose-java:[1.0.0,2)")
             library("guava", "com.google.guava:guava:[24.1.1,33)")
             library("httpclient5", "org.apache.httpcomponents.client5:httpclient5:[5.0.0,6)")
             library("slf4j", "org.slf4j:slf4j-api:[1.7.25,3)")

test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/build.gradle.kts

@@ -12,9 +12,6 @@ dependencies {
     testImplementation("junit:junit:4.12")
     testImplementation("org.mockito:mockito-core:[2.27.0,3)")
 
-    // Runtime-only internal dependency of webauthn-server-core
-    testImplementation("com.augustcellars.cose:cose-java:[1.0.0,2)")
-
     // Transitive dependencies from coreTestOutput
     testImplementation("org.scala-lang:scala-library:[2.13.1,3)")
 }

test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java

@@ -2,7 +2,6 @@
 
 import static org.junit.Assert.assertTrue;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -72,7 +71,7 @@ public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
 
   @Test
   public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
-      throws IOException, CoseException, InvalidKeySpecException {
+      throws IOException, InvalidKeySpecException {
     try {
       WebAuthnCodecs.importCosePublicKey(
           new AttestationObject(
@@ -92,7 +91,7 @@ public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
 
   @Test(expected = NoSuchAlgorithmException.class)
   public void doesNotFallBackToBouncyCastleAutomatically()
-      throws IOException, CoseException, InvalidKeySpecException, NoSuchAlgorithmException {
+      throws IOException, InvalidKeySpecException, NoSuchAlgorithmException {
     for (Provider prov : Security.getProviders()) {
       Security.removeProvider(prov.getName());
     }

test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java

@@ -3,7 +3,6 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -47,7 +46,7 @@ public void tearDown() {
 
   @Test
   public void importRsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(
@@ -61,7 +60,7 @@ public void importRsa()
 
   @Test
   public void importEcdsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(
@@ -75,7 +74,7 @@ public void importEcdsa()
 
   @Test
   public void importEddsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(

test-dependent-projects/java-dep-webauthn-server-core/build.gradle.kts

@@ -11,9 +11,6 @@ dependencies {
     testImplementation("junit:junit:4.12")
     testImplementation("org.mockito:mockito-core:[2.27.0,3)")
 
-    // Runtime-only internal dependency of webauthn-server-core
-    testImplementation("com.augustcellars.cose:cose-java:[1.0.0,2)")
-
     // Transitive dependencies from coreTestOutput
     testImplementation("org.scala-lang:scala-library:[2.13.1,3)")
 }

test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java

@@ -2,7 +2,6 @@
 
 import static org.junit.Assert.assertTrue;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -51,7 +50,7 @@ public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
 
   @Test
   public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
-      throws IOException, CoseException, InvalidKeySpecException {
+      throws IOException, InvalidKeySpecException {
     try {
       WebAuthnCodecs.importCosePublicKey(
           new AttestationObject(

test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java

@@ -2,7 +2,6 @@
 
 import static org.junit.Assert.assertEquals;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -45,7 +44,7 @@ public void tearDown() {
 
   @Test
   public void importRsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(
@@ -59,7 +58,7 @@ public void importRsa()
 
   @Test
   public void importEcdsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(