
chore: version packages #12

Open
github-actions[bot] wants to merge 1 commit into main from changeset-release/main

Conversation

@github-actions

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

passmint@0.2.0

Minor Changes

  • a48448f: Security hardening pass — 28 new tests, 0 regressions.

    New guarantees (some of these tighten existing inputs):

    • ZipAssembler.add() now rejects .. path segments, backslashes, drive-letter prefixes (e.g. C:\), and NUL bytes. Prevents ZIP-Slip-class issues for downstream consumers who use ZipAssembler directly with untrusted filenames. The internal .pkpass pipeline was already safe; this hardens the public API.
    • webService.url must be https://. Previously any URL shape was accepted. Apple PKPass spec requires HTTPS; we now enforce at the schema layer instead of relying on device-side rejection. Same enforcement applies to semantics.homepage, semantics.orderManagementUrl, and all image URLs.
    • applyRaw.apple cannot override identity fields (passTypeIdentifier, teamIdentifier, serialNumber, authenticationToken, webServiceURL). applyRaw.google cannot override id, classId, state. Prevents accidental identity forgery when callers pipe semi-trusted input through the escape hatch.
    • Google save-link JWTs now include an exp claim by default (15 minutes). Override via GoogleSaveOptions.expirySeconds, or opt out with expirySeconds: null. Non-integer / non-positive values throw.
    • classSuffix / objectSuffix validated against Google's allowed charset [A-Za-z0-9._-] with a 100-char cap. Prior behavior silently produced JWTs that Google rejected with an opaque error.
    • Image bytes capped at 5 MiB per source. PEM input capped at 100 KiB. Prevents edge-runtime OOM via attacker-controlled input size.

    Public API additions: DEFAULT_GOOGLE_JWT_EXPIRY_SECONDS, MAX_IMAGE_BYTE_LENGTH, MAX_PEM_LENGTH, GoogleSaveOptions.expirySeconds, GoogleSaveJwtClaims.exp.

    Other: Added SECURITY.md and .github/dependabot.yml.

    Breaking for:

    • Anyone passing http:// to webService.url, image URLs, or semantic URLs (now errors at schema time — switch to https://).
    • Anyone passing image bytes > 5 MiB (resize before adding to the pass).
    • Anyone who was relying on applyRaw to override identity fields (use the validated top-level fields instead).
    • Anyone using ZipAssembler.add() with .. or backslashes in paths (rarely legitimate).

@greptile-apps

greptile-apps Bot commented Apr 17, 2026

Greptile Summary

This is an automated "version packages" PR from the Changesets release action, bumping passmint from 0.1.0 to 0.2.0 following the security hardening work merged to main.

Changes in this PR:

  • packages/passmint/package.json — version field updated from 0.1.0 to 0.2.0
  • packages/passmint/CHANGELOG.md — new 0.2.0 entry added with full description of the security hardening changes
  • .changeset/security-hardening-pass.md — consumed and deleted by changeset version (expected behaviour)

Notable about the version strategy:
The bump is classified as a minor change (0.1.0 → 0.2.0) despite several breaking changes being listed. This is correct: under semver for pre-1.0 packages the minor component absorbs breaking changes, and the changelog explicitly calls out all breaking scenarios for consumers to act on before upgrading.

Confidence Score: 5/5

Safe to merge — purely automated version bookkeeping with no logic changes.

All three file changes are exactly what the Changesets action is supposed to produce: version field bumped in package.json, changelog entry prepended, and the source changeset file deleted. The minor-version bump for a pre-1.0 package with breaking changes follows semver convention correctly. No code, logic, or configuration beyond release metadata is modified.

No files require special attention.

Important Files Changed

Filename | Overview
packages/passmint/CHANGELOG.md | Changesets-generated changelog entry for 0.2.0; accurately describes all new guarantees, public API additions, and breaking changes from the security hardening pass.
packages/passmint/package.json | Version bumped from 0.1.0 to 0.2.0 by Changesets; no other fields modified. publishConfig retains provenance: true.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[security-hardening-pass.md\nchangeset added to main] --> B[Changesets Action\ndetects pending changeset]
    B --> C[Opens / updates\n'chore: version packages' PR]
    C --> D{PR merged?}
    D -- Yes --> E[changeset version\nconsumes .md, bumps package.json\nupdates CHANGELOG.md]
    E --> F[npm publish\npassmint@0.2.0\nwith provenance]
    D -- Not yet --> G[More changesets\nmerged to main]
    G --> C

Reviews (1): Last reviewed commit: "chore: version packages"
