
Bump the dev-dependencies group with 3 updates#29

Merged
github-actions[bot] merged 1 commit into main from dependabot/gradle/dev-dependencies-afe9dbef68 on Jun 3, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps the dev-dependencies group with 3 updates: com.codeheadsystems:hofmann-dropwizard, com.fasterxml.jackson.core:jackson-core and com.fasterxml.jackson.core:jackson-databind.

Updates com.codeheadsystems:hofmann-dropwizard from 1.4.1 to 2.0.0

Release notes

Sourced from com.codeheadsystems:hofmann-dropwizard's releases.

Release 2.0.0

Hofmann Elimination 2.0.0

Maven Central

Sample dependency for Maven:

<dependency>
  <groupId>com.codeheadsystems</groupId>
  <artifactId>hofmann-rfc</artifactId>
  <version>2.0.0</version>
</dependency>
implementation("com.codeheadsystems:hofmann-rfc:2.0.0")

Modules Published

  • com.codeheadsystems:hofmann-rfc:2.0.0
  • com.codeheadsystems:hofmann-server:2.0.0
  • com.codeheadsystems:hofmann-client:2.0.0
  • com.codeheadsystems:hofmann-dropwizard:2.0.0
  • com.codeheadsystems:hofmann-springboot:2.0.0

What's Changed

See commits since last release for details.

Note: Artifacts may take up to 2 hours to appear in Maven Central after release.

What's Changed

Full Changelog: codeheadsystems/hofmann-elimination@v1.4.1...v2.0.0

Changelog

Sourced from com.codeheadsystems:hofmann-dropwizard's changelog.

[2.0.0] - 2026-06-01

Breaking change (Rust + TypeScript only). The Rust crate (hofmann-rfc) and the TypeScript package (@codeheadsystems/hofmann-typescript) change several public signatures to harden against malformed input — see Changed for the migration. The Java artifacts (hofmann-*) have no breaking API changes; the major version bump keeps all artifacts on one version line.

Security

Java server (hofmann-rfc, hofmann-server, hofmann-springboot, hofmann-dropwizard)

  • Timing side-channel in ristretto255 scalar multiplication — replaced the variable-time right-to-left double-and-add (which branched on each secret-key bit and looped over the scalar's bit length) with a constant-time Montgomery ladder. The routine runs server-side with the long-term OPRF/OPAQUE key, so the previous leak was remotely exploitable to recover that key.
  • Account takeover via registration overwrite — unauthenticated registrationFinish no longer overwrites an existing credential (last-write-wins). An attacker who knew a victim's credential identifier could previously replace their record. Existing credentials must be updated through the authenticated change-password or recovery flow.
  • User enumeration via recoveryVerify timing: recoveryVerify now enforces a minimum wall-clock time (RECOVERY_VERIFY_MIN_NANOS, 250 ms) on both success and failure paths, closing the latency oracle that distinguished existing from non-existing accounts.
  • Server-side identity (neutral) element rejection — the OPRF blindEvaluate paths and each OPAQUE AKE DH output now reject the all-zero/identity element, matching the existing client-side checks (RFC 9497 §3.3.2, RFC 9807).
  • Recovery token no longer logged: InMemoryRecoveryTokenStore no longer writes the raw single-use recovery token to the DEBUG log.
  • Recovery-token consumption rate-limited: registrationFinish (where the recovery token is consumed) is now throttled by the per-credential recovery rate limiter; RateLimitExceededException maps to HTTP 429, and a token supplied when recovery is unconfigured is treated as invalid instead of throwing.

TypeScript client (@codeheadsystems/hofmann-typescript)

  • Identity (neutral) element rejection: CipherSuite.finalize rejects an identity OPRF evaluated element (RFC 9497 §2.1) and CipherSuite.dhMultiply rejects an identity peer DH contribution and result (RFC 9807 §6.3), for both the NIST and ristretto255 suites. @noble/curves already rejects the identity for the NIST suites, but accepts the all-zero ristretto255 encoding, so a malicious server could previously collapse the OPRF output to a fixed, key-independent value (degrading the OPRF to an unsalted hash of the input) or strip its contribution from the OPAQUE-3DH transcript.

Rust library (hofmann-rfc)

  • No panics on malformed/identity elements — point decoding and GroupSpec::scalar_multiply now return errors instead of panicking on attacker-controlled bytes (a wrong-length or off-curve encoding, or the identity element). The OPRF/OPAQUE server paths feed the client-supplied blinded element and AKE public key straight into scalar_multiply, so a

... (truncated)

Commits
  • 8d4d37d Security review fixes: Rust & TypeScript hardening (2.0.0) (#47)
  • 9f2b39d Security fixes: side-channels, account-takeover, and recovery hardening (#46)
  • c1439bd Bump the dev-dependencies group with 2 updates (#45)
  • 68e6d52 Bump vite in /hofmann-typescript in the dev-dependencies group (#44)
  • ec11735 Bump vitest in /hofmann-typescript in the dev-dependencies group (#43)
  • c1966e8 Bump the dev-dependencies group in /hofmann-typescript with 2 updates (#42)
  • b36b29e Bump org.junit.jupiter:junit-jupiter in the dev-dependencies group (#41)
  • 40e311d Bump @types/node in /hofmann-typescript in the dev-dependencies group (#40)
  • 15330c4 Bump the dev-dependencies group in /hofmann-typescript with 2 updates (#39)
  • a5e11d0 Bump org.slf4j:slf4j-api in the dev-dependencies group (#38)
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-core from 2.21.4 to 2.22.0

Commits
  • d763562 [maven-release-plugin] prepare release jackson-core-2.22.0
  • e5c69fe Re-do 2.22.0 release
  • 0ba6a36 Bump version after release
  • b106011 [maven-release-plugin] prepare for next development iteration
  • 18a7fe4 [maven-release-plugin] prepare release jackson-core-2.22.0
  • 503a14f Re-do 2.22.0 release
  • ab95bc0 ...
  • 0a4b8de Post-release dep version bump
  • 719a42f [maven-release-plugin] prepare for next development iteration
  • 9248848 [maven-release-plugin] prepare release jackson-core-2.22.0
  • Additional commits viewable in compare view

Updates com.fasterxml.jackson.core:jackson-databind from 2.21.4 to 2.22.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
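The first Java-server item in the changelog quoted above (a variable-time double-and-add replaced by a constant-time Montgomery ladder) and the identity-element rejection item are easier to compare side by side in code. The block below is an added example written for this page, not hofmann's code or API. It stands in for ristretto255 with the multiplicative group modulo a 64-bit prime, so "scalar multiplication" is modular exponentiation and the identity element is 1; the modulus P, the function names scalar_mul_variable_time, scalar_mul_ladder and blind_evaluate, and the constructed key are all assumptions of the example. Both routines return their group-multiplication count so the secret-dependence of the old shape can be checked directly rather than timed.

```rust
/// Toy group used in place of ristretto255: the multiplicative group of
/// integers modulo a 64-bit prime. "Scalar multiplication" is modular
/// exponentiation and the identity (neutral) element is 1. The modulus is an
/// assumption of this example, not a hofmann parameter.
const P: u64 = 0xFFFF_FFFF_FFFF_FFC5; // 2^64 - 59, prime

#[derive(Debug, PartialEq, Eq)]
pub enum GroupError {
    InvalidElement,  // not a group element (analogue of wrong-length/off-curve bytes)
    IdentityElement, // the neutral element; output would be independent of the key
}

fn mul(a: u64, b: u64) -> u64 {
    // NOTE: u128 `%` is not constant time on real hardware. This example shows
    // the algorithmic structure (no secret-dependent branches or loop bounds);
    // a production field implementation also needs constant-time reduction.
    ((a as u128 * b as u128) % (P as u128)) as u64
}

/// Shape of the pre-2.0.0 routine the changelog describes: right-to-left
/// double-and-add that branches on each scalar bit and loops only over the
/// scalar's bit length. Returns (result, number of group multiplications).
pub fn scalar_mul_variable_time(base: u64, scalar: u64) -> (u64, usize) {
    let mut acc = 1u64;
    let mut g = base;
    let mut k = scalar;
    let mut ops = 0usize;
    while k != 0 {          // loop count leaks the scalar's bit length
        if k & 1 == 1 {     // branch leaks the value of each bit
            acc = mul(acc, g);
            ops += 1;
        }
        g = mul(g, g);
        ops += 1;
        k >>= 1;
    }
    (acc, ops)
}

/// Branch-free conditional swap: `swap` must be 0 or 1.
fn ct_swap(swap: u64, a: &mut u64, b: &mut u64) {
    let mask = 0u64.wrapping_sub(swap); // 0 -> 0x00..00, 1 -> 0xFF..FF
    let t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/// Montgomery ladder: always 64 iterations with the same two multiplications
/// each, selecting operands with a masked swap instead of a branch.
pub fn scalar_mul_ladder(base: u64, scalar: u64) -> (u64, usize) {
    let mut r0 = 1u64; // invariant: r1 == r0 * base
    let mut r1 = base;
    let mut ops = 0usize;
    for i in (0..64).rev() {
        let bit = (scalar >> i) & 1;
        ct_swap(bit, &mut r0, &mut r1);
        r1 = mul(r0, r1);
        r0 = mul(r0, r0);
        ops += 2;
        ct_swap(bit, &mut r0, &mut r1);
    }
    (r0, ops)
}

/// Server-side evaluate path: validate the client-supplied element before it
/// touches the long-term key, rejecting both non-elements and the identity.
pub fn blind_evaluate(server_key: u64, blinded_element: u64) -> Result<u64, GroupError> {
    if blinded_element == 0 || blinded_element >= P {
        return Err(GroupError::InvalidElement);
    }
    if blinded_element == 1 {
        return Err(GroupError::IdentityElement);
    }
    Ok(scalar_mul_ladder(blinded_element, server_key).0)
}

fn main() {
    let key = 0xDEAD_BEEF_CAFE_F00D_u64; // constructed secret scalar for the demo
    let (_, ops5) = scalar_mul_variable_time(3, 5);
    let (_, ops7) = scalar_mul_variable_time(3, 7);
    println!("variable-time ops: scalar 5 -> {ops5}, scalar 7 -> {ops7}");
    println!("ladder ops: {} for every scalar", scalar_mul_ladder(3, key).1);
    println!("identity rejected: {:?}", blind_evaluate(key, 1));
}
```

The point to take from the counts is that the old shape does a different amount of work for 5 (0b101) than for 7 (0b111) and stops early for short scalars, while the ladder does 128 multiplications whatever the scalar; the identity check has to sit before the multiplication because 1 raised to any key is still 1, which is exactly the key-independent output the changelog warns about.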

Bumps the dev-dependencies group with 3 updates: [com.codeheadsystems:hofmann-dropwizard](https://github.com/codeheadsystems/hofmann-elimination), [com.fasterxml.jackson.core:jackson-core](https://github.com/FasterXML/jackson-core) and [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson).


Updates `com.codeheadsystems:hofmann-dropwizard` from 1.4.1 to 2.0.0
- [Release notes](https://github.com/codeheadsystems/hofmann-elimination/releases)
- [Changelog](https://github.com/codeheadsystems/hofmann-elimination/blob/main/CHANGELOG.md)
- [Commits](codeheadsystems/hofmann-elimination@v1.4.1...v2.0.0)

Updates `com.fasterxml.jackson.core:jackson-core` from 2.21.4 to 2.22.0
- [Commits](FasterXML/jackson-core@jackson-core-2.21.4...jackson-core-2.22.0)

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.21.4 to 2.22.0
- [Commits](https://github.com/FasterXML/jackson/commits)

---
updated-dependencies:
- dependency-name: com.codeheadsystems:hofmann-dropwizard
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dev-dependencies
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-version: 2.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
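The registration-overwrite, recoveryVerify-timing and recovery rate-limit items in the quoted changelog are three checks on the same credential store. As an added example, not hofmann's code (the type CredentialStore, its method names, the constructed envelope and token bytes, and the folding of the rate limiter into recovery_verify are all assumptions of this example), here they are combined in one Rust store: registration_finish refuses to replace an existing record, recovery_verify pads every exit path, including the unknown-account path, to a configurable floor (the changelog's value is 250 ms), a per-credential attempt counter returns RateLimited once exhausted, and a store built with recovery unconfigured treats any token as invalid.

```rust
use std::collections::HashMap;
use std::thread;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    AlreadyRegistered, // registration_finish refused to overwrite an existing record
    RecoveryFailed,    // wrong/consumed token, unknown account, or recovery unconfigured
    RateLimited,       // per-credential recovery limiter tripped (HTTP 429 in the changelog)
}

pub struct CredentialStore {
    envelopes: HashMap<String, Vec<u8>>, // credential_id -> registration envelope
    // None models "recovery unconfigured": any supplied token is simply invalid.
    recovery_tokens: Option<HashMap<String, Vec<u8>>>,
    attempts: HashMap<String, u32>,
    max_attempts: u32,
    min_verify: Duration, // wall-clock floor for recovery_verify (changelog: 250 ms)
}

/// Constant-time byte comparison for the fixed-length recovery token.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

impl CredentialStore {
    pub fn new(recovery_enabled: bool, max_attempts: u32, min_verify: Duration) -> Self {
        CredentialStore {
            envelopes: HashMap::new(),
            recovery_tokens: if recovery_enabled { Some(HashMap::new()) } else { None },
            attempts: HashMap::new(),
            max_attempts,
            min_verify,
        }
    }

    pub fn envelope(&self, credential_id: &str) -> Option<&[u8]> {
        self.envelopes.get(credential_id).map(|v| v.as_slice())
    }

    /// Unauthenticated registration. Pre-2.0.0 this was last-write-wins; here
    /// an existing record is never replaced, so a caller who merely knows a
    /// victim's credential identifier cannot swap in their own envelope.
    pub fn registration_finish(&mut self, credential_id: &str, envelope: Vec<u8>) -> Result<(), AuthError> {
        if self.envelopes.contains_key(credential_id) {
            return Err(AuthError::AlreadyRegistered);
        }
        self.envelopes.insert(credential_id.to_string(), envelope);
        Ok(())
    }

    /// Stores a single-use recovery token (the token itself is never logged here).
    pub fn issue_recovery_token(&mut self, credential_id: &str, token: Vec<u8>) {
        if let Some(tokens) = self.recovery_tokens.as_mut() {
            tokens.insert(credential_id.to_string(), token);
        }
    }

    /// Every exit path, success or failure, takes at least `min_verify`, so
    /// latency no longer tells an attacker whether the credential exists.
    pub fn recovery_verify(&mut self, credential_id: &str, token: &[u8]) -> Result<(), AuthError> {
        let start = Instant::now();
        let result = self.recovery_verify_inner(credential_id, token);
        let elapsed = start.elapsed();
        if elapsed < self.min_verify {
            thread::sleep(self.min_verify - elapsed);
        }
        result
    }

    fn recovery_verify_inner(&mut self, credential_id: &str, token: &[u8]) -> Result<(), AuthError> {
        let count = self.attempts.entry(credential_id.to_string()).or_insert(0);
        if *count >= self.max_attempts {
            return Err(AuthError::RateLimited);
        }
        *count += 1;
        let tokens = match self.recovery_tokens.as_mut() {
            Some(t) => t,
            None => return Err(AuthError::RecoveryFailed), // unconfigured: invalid, not an exception
        };
        let ok = match tokens.get(credential_id) {
            Some(expected) => ct_eq(expected, token),
            None => false,
        };
        if ok {
            tokens.remove(credential_id); // single use: consumed on success
            Ok(())
        } else {
            Err(AuthError::RecoveryFailed)
        }
    }
}

fn main() {
    let mut store = CredentialStore::new(true, 3, Duration::from_millis(250));
    println!("{:?}", store.registration_finish("alice", b"envelope-v1".to_vec()));
    println!("{:?}", store.registration_finish("alice", b"attacker-envelope".to_vec()));
    let t = Instant::now();
    println!("{:?} after {:?}", store.recovery_verify("nobody", b"token-0001"), t.elapsed());
}
```

The floor is applied around the whole inner call rather than only on the failure branch, which is what the changelog means by "both success and failure paths"; padding only failures would reopen the oracle from the other side.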
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jun 3, 2026
@github-actions github-actions Bot merged commit 90c4c73 into main Jun 3, 2026
4 checks passed
@github-actions github-actions Bot deleted the dependabot/gradle/dev-dependencies-afe9dbef68 branch June 3, 2026 23:03