Fetch upstream #4
Open
rimzici wants to merge 239 commits into
Addresses issue #72 where SecItemCopyMatching doesn't return data and doesn't give an error when the protected files are not yet available. This will now give an error instead of empty results, allowing the caller to retry after some delay.
Bumps [acorn](https://github.com/acornjs/acorn) from 5.7.3 to 5.7.4.
- [Release notes](https://github.com/acornjs/acorn/releases)
- [Commits](acornjs/acorn@5.7.3...5.7.4)

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [acorn](https://github.com/acornjs/acorn) from 7.1.0 to 7.1.1.
- [Release notes](https://github.com/acornjs/acorn/releases)
- [Commits](acornjs/acorn@7.1.0...7.1.1)

Signed-off-by: dependabot[bot] <support@github.com>
Allow kSecAttrSynchronizable to be set from deleteItem
Return error if isProtectedDataAvailable = false
…corn-5.7.4 Bump acorn from 5.7.3 to 5.7.4 in /example
Bump acorn from 7.1.0 to 7.1.1
Feature/website improvements
docs: add mcodex as a contributor
The import reference is wrong.
Remove the parenthetical “(DRY · KISS · SRP)” from the “Hook architecture” heading in README.md to simplify the heading and reduce visual clutter.
Update package.json version from 6.0.0-rc.12 to 6.0.0 to mark the stable release (remove release-candidate tag).
Introduce fine-grained biometry detection and related UX helpers. Adds a new biometryStatus enum to SecurityAvailability (available | notEnrolled | notAvailable | lockedOut | unknown) while keeping the legacy biometry boolean as an alias. Wire biometryStatus through native probes on Android and iOS, add classify logic on both platforms, and surface it to JS. Provide policy precheck helpers: canUseAccessControl and canUseAccessControlSync (pure TS mapping over SecurityAvailability) so callers can predict whether a given AccessControl will succeed without a native round-trip. Add refreshOnForeground option to useSecurityAvailability to auto-refetch on app foreground (debounced), and introduce useBiometryStatusWatcher — a transition-only hook that fires only on real biometry status changes. Also: update docs and README (biometrics section), example app (BiometryStatusCard + App), diagnostics UI, tests (unit and hook tests, mocks for AppState), and exports. Changes are non-breaking for consumers that continue to use the biometry boolean.
…ompatibility with React Compiler Co-authored-by: Copilot <copilot@github.com>
Avoids a second biometric prompt by skipping lazy re-encryption for entries that require biometric/user authentication (Android and iOS). Adds helpers (requiresBiometricAuth / isBiometricallyProtected) to detect such entries so upgrades only occur via explicit setItem or eager rotateKeys. Replaces direct SecItemAdd/delete flows with upsertKeychainEntry + forceDeleteExisting on iOS to wipe any synchronizable sibling (uses kSecAttrSynchronizableAny) and absorb iCloud restore races with a single bounded retry, preventing errSecDuplicateItem when iosSynchronizable toggles or iCloud restores entries. Also updates CHANGELOG with fixes and refreshes example iOS Podfile.lock (SensitiveInfo -> 6.0.0 and related React binaries).
Clarify canUseAccessControl semantics in CHANGELOG and README (sync variant requires a snapshot; async will fetch one if none supplied) and improve wording around biometry/secure-enclave semantics. Update Android Kotlin docs in HybridSensitiveInfo to explain requiresBiometricAuth behavior, lazy refresh skipping, and legacy-entry handling. Make useBiometryStatusWatcher test deterministic by advancing Date.now via a jest spy instead of sleeping. Tweak SecurityAvailability.secureEnclave doc to describe cross-platform meaning and relation to StrongBox.
Publish the v6.1.0 changelog entry (2026-04-28) and add documentation clarifications: explain SecurityAvailability.secureEnclave cross-platform semantics (Secure Enclave on iOS / mirrors strongBox on Android), clarify canUseAccessControl (snapshot vs fetch behavior), and update the Android requiresBiometricAuth doc comment to match actual classification and lazy-refresh behavior.
Feat/biometry status
Bumps the nitro group with 2 updates in the / directory: [nitrogen](https://github.com/mrousavy/nitro) and [react-native-nitro-modules](https://github.com/mrousavy/nitro).
Bumps the nitro group with 1 update in the /example directory: [react-native-nitro-modules](https://github.com/mrousavy/nitro).

Updates `nitrogen` from 0.35.5 to 0.35.6
- [Release notes](https://github.com/mrousavy/nitro/releases)
- [Commits](mrousavy/nitro@v0.35.5...v0.35.6)

Updates `react-native-nitro-modules` from 0.35.5 to 0.35.6
- [Release notes](https://github.com/mrousavy/nitro/releases)
- [Commits](mrousavy/nitro@v0.35.5...v0.35.6)

Updates `react-native-nitro-modules` from 0.35.5 to 0.35.6
- [Release notes](https://github.com/mrousavy/nitro/releases)
- [Commits](mrousavy/nitro@v0.35.5...v0.35.6)

---
updated-dependencies:
- dependency-name: nitrogen
  dependency-version: 0.35.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: nitro
- dependency-name: react-native-nitro-modules
  dependency-version: 0.35.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nitro
- dependency-name: react-native-nitro-modules
  dependency-version: 0.35.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nitro
...

Signed-off-by: dependabot[bot] <support@github.com>
…e2dc2e9 chore(deps): bump the nitro group across 2 directories with 2 updates
Replace semantic-release with release-it and update the release workflow. Removed legacy semantic-release configs (.release-it.json and release.config.cjs) and embed a release-it configuration in package.json; updated the npm "release" script to run release-it and adjusted devDependencies accordingly. Updated .github/workflows/release.yml to add workflow_dispatch inputs (increment, dry-run), configure Node registry, persist credentials, set git author identity, install dependencies, and run yarn release with CI flags and forwarded args (including NODE_AUTH_TOKEN and NPM_CONFIG_PROVENANCE). Regenerated yarn.lock to reflect dependency changes.
Fix/ts error
Define the `cause` property with Object.defineProperty in SensitiveInfoError and HookError so it remains non-enumerable (matching native ES2022 Error semantics) while keeping compatibility with TS libs predating ES2022. Add tests to verify cause chaining, non-enumerability, and omission when not provided. Also update CI workflow triggers to use the 'master' branch for android, ios and test workflows.
Declare a type-only readonly `cause?: unknown` on HookError and SensitiveInfoError so TS configs that predate ES2022 type-check. Update HookError to accept an options object, install the `cause` property via Object.defineProperty when `'cause' in options` (so passing { cause: undefined } still creates a non-enumerable own property), and wire up operation/hint from the options. Add tests for HookError and SensitiveInfoError that assert a non-enumerable own `cause` is defined when explicitly passed as undefined. Also remove react-native-specific exports from package.json.
Make Error 'cause' non-enumerable and add tests
Replace class-level `declare readonly cause?: unknown` fields with exported interface merges for SensitiveInfoError and HookError (src/errors.ts, src/hooks/types.ts). This keeps the `cause` annotation type-only for consumers targeting pre-ES2022 lib targets, avoids emitting an enumerable own property when transpiled (Babel/SWC), and preserves the runtime/non-enumerable installation of the cause by the constructors.
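The `cause` handling described in the commits above, as an added JavaScript sketch that is not the project's own code: the class name `HookErrorSketch` and the helpers `inspectCause` and `causeChain` are hypothetical, and only the `cause`, `operation` and `hint` option names come from the commit messages. It shows why a non-enumerable `cause` stays out of `Object.keys` and `JSON.stringify` output, which keeps wrapped native error detail out of naive log serialization.

```javascript
// Added illustration; HookErrorSketch is a hypothetical stand-in class.
class HookErrorSketch extends Error {
  constructor(message, options = {}) {
    super(message);
    this.name = 'HookErrorSketch';
    this.operation = options.operation;
    this.hint = options.hint;
    // Test with `in`, not truthiness, so { cause: undefined } still
    // installs an own property, matching native ES2022 Error behaviour.
    if ('cause' in options) {
      Object.defineProperty(this, 'cause', {
        value: options.cause,
        writable: true,
        configurable: true,
        enumerable: false, // hidden from Object.keys / JSON.stringify / spread
      });
    }
  }
}

// Report how `cause` is exposed on an error instance.
function inspectCause(err) {
  const desc = Object.getOwnPropertyDescriptor(err, 'cause');
  return {
    own: desc !== undefined,
    enumerable: desc ? desc.enumerable : false,
    inKeys: Object.keys(err).includes('cause'),
    inJson: JSON.stringify(err).includes('"cause"'),
  };
}

// Walk the cause chain explicitly; bounded depth guards against cycles.
function causeChain(err, maxDepth = 10) {
  const messages = [];
  let current = err;
  for (let i = 0; i < maxDepth && current instanceof Error; i++) {
    messages.push(current.message);
    current = current.cause;
  }
  return messages;
}

// Constructed sample errors (not taken from the project).
const nativeFailure = new Error('keychain status -25308');
const wrapped = new HookErrorSketch('read failed', {
  cause: nativeFailure,
  operation: 'getItem',
});
const explicitUndefined = new HookErrorSketch('no detail', { cause: undefined });
const omitted = new HookErrorSketch('no cause given');
```

Code that needs the underlying failure reads `err.cause` directly or walks it with `causeChain`; generic serializers never see it.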
Add pre-release verification and smoke-test tooling plus compatibility proxy package.json files. New scripts: `scripts/verify-release-artifacts.js` checks that generated native bindings and compiled JS artifacts exist before publishing; `scripts/smoke-test-release.js` packs the tarball into a temporary project and verifies tarball entries, exports subpath resolution, legacy main/module/react-native proxy targets, and Ruby syntax for podspec/autolinking. Add lightweight proxy package.json shims under `hooks/` and `errors/` so bundlers that ignore `exports` can still resolve subpaths. Update root package.json to include `hooks` and `errors` in the published files, add a `release:prepare` script that runs codegen and the new verification steps, and replace the release hook commands to run `release:prepare` before publishing. These changes catch missing build or packaging issues early in the release flow.
Add release verification scripts and proxy shims
Make the smoke-test-release script more robust and safer: import execFileSync and use it to list tarball entries, add a missing generated C++ header to required entries, and use PKG.name for subpaths. Change failure handling to throw/catch errors and set process.exitCode instead of exiting immediately, move sandbox removal into a finally block (declare sandbox in outer scope), and ensure the tarball and sandbox are always cleaned up. These changes improve error reporting and guarantee cleanup on failure.
Avoid double Face ID / Touch ID prompts and keep metadata-only operations silent on iOS. Native Swift changes add an allowAuthentication flag, an itemExists fast-path, and set kSecUseAuthenticationUIFail for non-auth probes so hasItem and metadata enumeration never trigger authentication. JS API separates option normalization into storage-scope vs prompted-read helpers (normalizeStorageScopeOptions, normalizePromptedReadOptions) and updates core storage functions and hooks to only forward prompts when values are explicitly requested. Tests, docs, README and example iOS lockfile updated to reflect behavior and API clarifications.
Stop normalizing storage options in useHasSecret and pass the provided SensitiveInfoOptions straight to hasItem. Update unit tests to assert the forwarded options and the native getAllItems call signature. On iOS, remove the early-return that suppressed errSecInteractionNotAllowed/errSecAuthFailed when allowAuthentication was false so those statuses now raise the runtime error instead of returning nil.
Prevent duplicate iOS biometric prompts & silent reads
Has some breaking changes!!