Commit a83b774

Release/965.0.0 (MetaMask#8728)
## Explanation

**Current state**

`PasskeyController` verifies registration and authentication with `requireUserVerification: true`, so the server expects the WebAuthn **user verification (UV)** flag on assertions. For enrollment-time `get()` options, `generatePostRegistrationAuthenticationOptions` already used `userVerification: 'required'`, but **`generateAuthenticationOptions`** (unlock / enrolled passkey) still used `userVerification: 'preferred'`. With `'preferred'`, the client may allow authenticators to skip UV, producing assertions **without** UV that the server then rejects—wasted ceremonies and confusing failures.

**Solution**

Set `userVerification: 'required'` on the object returned by `generateAuthenticationOptions`, matching the post-registration path and server verification. Add a unit test that enrolled flows emit `'required'`. Document the fix in `packages/passkey-controller/CHANGELOG.md` under the appropriate **Unreleased** or release section.

**Not obvious**

This is a client/server **hint alignment** fix, not a new API. Behavior may be stricter at `navigator.credentials.get()` (UV required), which matches what verification already enforced.

**Scope**

Changes are limited to `@metamask/passkey-controller` (implementation, tests, changelog). No dependency upgrades.

## References

- Related: [MetaMask#8696](MetaMask#8696) *(replace or extend with your issue/PR links)*

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate *(optional: JSDoc on `generateAuthenticationOptions` if you want to mention UV)*
- [x] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [ ] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them *(N/A—patch-level behavior fix, no breaking API changes)*

<!-- CURSOR_SUMMARY -->

---

> [!NOTE]
> **Low Risk**
> Low risk release bookkeeping only (version bumps and changelog updates) with no functional code changes in this diff.
>
> **Overview**
> Updates release metadata by bumping the root monorepo version to `965.0.0` and `@metamask/passkey-controller` to `2.0.1`.
>
> Adds a `passkey-controller` `2.0.1` changelog entry documenting stricter WebAuthn user verification requirements and the `generateAuthenticationOptions` alignment to `userVerification: 'required'`, and updates the changelog compare links accordingly.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 8891f9b. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>

<!-- /CURSOR_SUMMARY -->
1 parent 8581c16 commit a83b774

3 files changed

Lines changed: 6 additions & 3 deletions

package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "@metamask/core-monorepo",
3-
"version": "964.0.0",
3+
"version": "965.0.0",
44
"private": true,
55
"description": "Monorepo for packages shared between MetaMask clients",
66
"repository": {

packages/passkey-controller/CHANGELOG.md

Lines changed: 4 additions & 1 deletion
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [2.0.1]
11+
1012
### Changed
1113

1214
- `PasskeyController` verifies registration and authentication responses with `requireUserVerification: true`, so the WebAuthn user verification (UV) flag must be set; assertions with user presence only no longer pass verification ([#8696](https://github.com/MetaMask/core/pull/8696))
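Review bot: The new `## [2.0.1]` heading sits directly above the existing `### Changed` block, so everything that was under `[Unreleased]` is now released as 2.0.1 and `[Unreleased]` is left empty; the only entry visible in this hunk is the `requireUserVerification: true` one. The commit message says this release also documents the `generateAuthenticationOptions` switch to `userVerification: 'required'`, so confirm that entry is present in the part of the 2.0.1 section not shown here, and add it before tagging if it is not.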
@@ -51,6 +53,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
5153
- Registration verification requires the credential `id`/`rawId` to match the credential id in authenticator data; vault wrapping key derivation uses that verified credential id so enrollment keys align with the stored credential.
5254
- Registration options request attestation conveyance `'none'` so clients are not asked for direct attestation formats the verifier does not implement (`none` and self-attested `packed` only).
5355

54-
[Unreleased]: https://github.com/MetaMask/core/compare/@metamask/passkey-controller@2.0.0...HEAD
56+
[Unreleased]: https://github.com/MetaMask/core/compare/@metamask/passkey-controller@2.0.1...HEAD
57+
[2.0.1]: https://github.com/MetaMask/core/compare/@metamask/passkey-controller@2.0.0...@metamask/passkey-controller@2.0.1
5558
[2.0.0]: https://github.com/MetaMask/core/compare/@metamask/passkey-controller@1.0.0...@metamask/passkey-controller@2.0.0
5659
[1.0.0]: https://github.com/MetaMask/core/releases/tag/@metamask/passkey-controller@1.0.0

packages/passkey-controller/package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "@metamask/passkey-controller",
3-
"version": "2.0.0",
3+
"version": "2.0.1",
44
"description": "Controller and utilities for passkey-based wallet unlock",
55
"keywords": [
66
"Ethereum",
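Review bot: The `"version"` line moves from 2.0.0 to 2.0.1, a patch bump, while the changelog entry released under 2.0.1 states that assertions with user presence only no longer pass verification. A consumer whose authenticators return assertions without the UV flag would see unlock failures after what looks like a routine patch upgrade, so consider whether this should be a minor bump or at least be called out explicitly in the 2.0.1 notes so integrators know to test the unlock flow against authenticators that do not perform user verification.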
