The http-signature package, a reference implementation of Joyent's HTTP Signature scheme, saw a notable update moving from version 1.2.0 to 1.3.0. This update, released on November 5, 2019, builds upon the foundation laid by the earlier version released on August 25, 2017. While the core functionality remains consistent, several key changes warrant the attention of developers utilizing this library for securing HTTP communication.
The most significant difference is in the dependencies. Version 1.3.0 raises the sshpk dependency to ^1.14.1, a considerable jump from the ^1.7.0 used in version 1.2.0. This most likely pulls in the security updates and bug fixes shipped in later sshpk releases, which should mean improved security and stability for http-signature users. The versions of jsprim and assert-plus are unchanged, which points to a release focused on security and maintenance of the underlying key-handling library rather than on new features in those areas.
While the devDependencies are unchanged, which suggests few test updates, the larger unpackedSize (48683) of 1.3.0 compared with 1.2.0 indicates changes beyond the sshpk bump alone. Developers should read the sshpk changelog to fully understand the implications of this dependency update. The core functionality of signing and verifying HTTP requests remains consistent, so the upgrade path is relatively smooth for existing users; however, testing the impact on the dependent application is recommended. Doing so lets developers adopt the latest security enhancements in their HTTP signature implementation with confidence.
There are no known vulnerabilities for version 1.3.0 of the http-signature package.