All notable changes to the SchemaPin project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Go: `NewSchemaVerificationWorkflow` now validates that the pinning database path is not empty
- Rust: Fixed `cargo fmt` formatting issues in core and crypto modules
- CI: Fixed version consistency check in release-combined workflow (grep for `var Version`, not `const Version`)
- CI: Fixed GitHub Release race condition where parallel release workflows would fail trying to create duplicate releases
- python-multipart: Updated from 0.0.18 to 0.0.22 to fix HIGH severity CVE (dependabot alert #18)
- js-yaml transitive CVE: Eliminated by migrating ESLint from v8 to v9 flat config, removing the vulnerable transitive dependency (dependabot alert #17, MEDIUM severity)
- brace-expansion: Updated to fix low severity ReDoS vulnerability
- cryptography: Updated from 44.0.1 to 45.0.5 in server requirements to align with main Python package
- ESLint 9 migration: Replaced legacy `.eslintrc.cjs` with `eslint.config.js` (flat config format) in JavaScript package
- Version alignment: Server and integration demo versions now aligned with core library versions
- `python-multipart` 0.0.18 → 0.0.22 (server)
- `cryptography` 44.0.1 → 45.0.5 (server)
- `eslint` ^8.57.0 → ^9.0.0 (JavaScript devDependencies)
- Added `@eslint/js` ^9.0.0 and `globals` ^16.0.0 (JavaScript devDependencies)
- Schema Version 1.1: Enhanced `.well-known/schemapin.json` format with `revoked_keys` array
- Key Revocation Support: Automatic checking of revoked keys during verification
- Backward Compatibility: Full support for schema v1.0 endpoints
- Revocation Validation: Comprehensive validation of revoked key entries
- Interactive Pinning: User prompts for key pinning decisions with detailed information
- Domain Policies: Configurable policies for automatic vs. interactive pinning
- Enhanced UX: Rich terminal output with colored status indicators and clear prompts
- Key Management: Advanced key pinning with metadata and policy enforcement
- schemapin-keygen: Complete key generation tool with ECDSA/RSA support
- schemapin-sign: Schema signing tool with batch processing and metadata
- schemapin-verify: Verification tool with interactive pinning and discovery
- Comprehensive Options: Full CLI interface with extensive configuration options
- Integration Demo: Complete cross-language compatibility demonstration
- Production Server: Docker-ready `.well-known` endpoint server
- Real-world Examples: Practical usage scenarios and deployment guides
- Cross-language Testing: Validation of Python/JavaScript interoperability
- Python Package: Complete PyPI-ready package with modern packaging standards
- JavaScript Package: npm-ready package with comprehensive metadata
- Build Scripts: Automated building and testing infrastructure
- Distribution Tools: Publishing workflows and validation scripts
- ECDSA P-256 Signatures: Industry-standard cryptographic verification
- Schema Canonicalization: Deterministic JSON serialization for consistent hashing
- Trust-On-First-Use (TOFU): Secure key pinning with user control
- Public Key Discovery: RFC 8615 compliant `.well-known` endpoint discovery
- Key Revocation: Comprehensive revocation checking and validation
- Signature Verification: Robust cryptographic signature validation
- Key Pinning Storage: Secure local storage of pinned keys with metadata
- Domain Validation: Proper domain-based key association and verification
- High-level APIs: Simple workflows for both developers and clients
- Comprehensive Testing: Full test suites with security validation
- Rich Documentation: Complete API documentation and usage examples
- Cross-platform Support: Works on Linux, macOS, and Windows
- Modern Packaging: Uses pyproject.toml and latest npm standards
- Comprehensive Metadata: Rich package information for discoverability
- Development Tools: Integrated linting, testing, and quality checks
- Security Compliance: Bandit security scanning and vulnerability checks
- Signature Algorithm: ECDSA with P-256 curve (secp256r1)
- Hash Algorithm: SHA-256 for schema integrity
- Key Format: PEM encoding for interoperability
- Signature Format: Base64 encoding for transport
- RFC 8615: `.well-known` URI specification compliance
- JSON Schema: Structured schema validation and canonicalization
- HTTP Standards: Proper HTTP headers and status codes
- Cross-language: Full Python and JavaScript compatibility
- Python: PEP 517/518 compliant with pyproject.toml
- JavaScript: Modern ES modules with comprehensive exports
- Semantic Versioning: Proper version management and compatibility
- License Compliance: MIT license with proper attribution
- `cryptography>=41.0.0` - ECDSA cryptographic operations
- `requests>=2.31.0` - HTTP client for key discovery
- Python 3.8+ support with type hints
- Node.js 18.0.0+ - Modern JavaScript runtime
- Zero external dependencies - Uses built-in crypto module
- ES modules with proper exports configuration
- None - Full backward compatibility maintained
- All cryptographic operations use industry-standard algorithms
- Key revocation checking prevents use of compromised keys
- Interactive pinning provides user control over trust decisions
- Secure storage of pinned keys with proper metadata
- Existing v1.0 implementations continue to work without changes
- New features are opt-in and backward compatible
- CLI tools provide migration assistance for existing workflows
- Initial release of SchemaPin protocol
- Basic ECDSA P-256 signature verification
- Simple key pinning mechanism
- Python and JavaScript reference implementations
- Core cryptographic operations and schema canonicalization
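The client-side checks behind two entries above, deterministic schema canonicalization with SHA-256 and the v1.1 `revoked_keys` check that stays compatible with v1.0 discovery documents, as an added illustration written for this changelog and not code from the SchemaPin project. The field names `schema_version` and `public_key`, the fingerprint form of revoked entries, and the exact canonical JSON form are assumptions; only `revoked_keys` and `.well-known/schemapin.json` come from the changelog, and signature verification itself is left to the `cryptography` package the project depends on.

```python
import hashlib
import json

# Constructed sample keys (not real PEM bodies; the example only fingerprints text).
KEY_A = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-A\n-----END PUBLIC KEY-----"
KEY_B = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-B\n-----END PUBLIC KEY-----"

# Constructed v1.0 document: no "revoked_keys" field at all (backward compatibility case).
DISCOVERY_V1_0 = {"schema_version": "1.0", "public_key": KEY_A}
# Constructed v1.1 document: KEY_A has been rotated out and listed in "revoked_keys".
DISCOVERY_V1_1 = {"schema_version": "1.1", "public_key": KEY_B, "revoked_keys": [KEY_A]}


def canonicalize(schema: dict) -> bytes:
    """Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(schema, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def schema_hash(schema: dict) -> str:
    """SHA-256 over the canonical bytes, so key order in the source JSON does not matter."""
    return hashlib.sha256(canonicalize(schema)).hexdigest()


def key_fingerprint(pem: str) -> str:
    """SHA-256 over the PEM body with armor and whitespace stripped (assumed fingerprint form)."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(body.encode("ascii")).hexdigest()


def revoked_fingerprints(discovery: dict) -> set:
    """Validate and normalise the revoked_keys array; a v1.0 document yields an empty set."""
    entries = discovery.get("revoked_keys", [])
    if not isinstance(entries, list):
        raise ValueError("revoked_keys must be an array")
    out = set()
    for entry in entries:
        if not isinstance(entry, str) or not entry.strip():
            raise ValueError("revoked_keys entries must be non-empty strings")
        # Accept either a PEM key or an already-computed hex fingerprint (assumption).
        out.add(key_fingerprint(entry) if "-----BEGIN" in entry else entry.strip().lower())
    return out


def check_pinned_key(discovery: dict, pinned_pem: str) -> str:
    """Pre-verification check: refuse a pinned key the publisher has since revoked."""
    if key_fingerprint(pinned_pem) in revoked_fingerprints(discovery):
        return "revoked"
    return "ok"
```

Because a v1.0 document simply lacks `revoked_keys`, an older publisher endpoint keeps working while a v1.1 endpoint can retire a compromised key without breaking clients that pinned it.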
For more details on any release, see the GitHub releases page.