fix: expired and redacted doc checks

[RishabhS7]

Summary

Fixing expired document date check
Adding proof check for redacted document

Jira Ticket

Summary by CodeRabbit

• New Features

  • Added support for the "jsonld-signatures" dependency in the context package.
  • Added TypeScript type definitions for the "uuid" package in development dependencies.

• Bug Fixes

  • Expired credentials now trigger a warning instead of stopping the verification process.

• Chores

  • Minor formatting adjustments to package files (removal of trailing newlines).

[coderabbitai]

Walkthrough

Several package.json files across various packages were updated, primarily to remove trailing newline characters. Additionally, new dependencies were added: @types/uuid to the root package.json and jsonld-signatures to @trustvc/w3c-context. In the Verifiable Credential helper, the expiration check was changed to log a warning instead of throwing an error.

Changes

File(s)	Change Summary
apps/w3c-cli/package.json packages/w3c-credential-status/package.json packages/w3c-issuer/package.json packages/w3c-vc/package.json packages/w3c/package.json	Removed trailing newline characters; no functional or structural changes.
package.json	Added @types/uuid as a new development dependency.
packages/w3c-context/package.json	Added jsonld-signatures as a new dependency; no other changes.
packages/w3c-vc/src/lib/helper/index.ts	Changed expired credential handling from error throw to warning log, allowing verification to continue.

Sequence Diagram(s)

sequenceDiagram
    participant Verifier
    participant Helper

    Verifier->>Helper: verifyCredential(credential)
    Helper->>Helper: Check expirationDate
    alt Credential expired
        Helper->>Verifier: Log warning "Credential has expired."
        Note right of Helper: Continue verification process
    else Credential valid
        Helper->>Verifier: Continue verification process
    end

Loading

Poem

A hop, a skip, a tidy sweep,
New types and deps, all neat and deep.
Expired creds now just warn, not cry,
While newline tails wave goodbye.
The codebase grows, the garden’s bright—
Carrots for all, and bugs in flight! 🥕✨

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

npm error code ERR_SSL_WRONG_VERSION_NUMBER
npm error errno ERR_SSL_WRONG_VERSION_NUMBER
npm error request to https://10.0.0.28:4873/npm/-/npm-8.19.4.tgz failed, reason: C06CC25FC37F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:354:
npm error
npm error A complete log of this run can be found in: /.npm/_logs/2025-06-13T02_29_05_461Z-debug-0.log

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

package.json (1)

57-57: Remove redundant @types/uuid; the uuid package bundles its own typings since v9

Adding a separate @types/uuid brings no benefit and may even cause type-resolution conflicts when the major versions diverge.
Recommend deleting the entry and relying on the built-in types shipped with uuid@10.

-    "@types/uuid": "^10.0.0",

packages/w3c-context/package.json (1)

36-38: Align jsonld-signatures version spec with the root workspace to avoid duplicate installs

The root package.json pins jsonld-signatures to 7.0.0 (exact), whereas this workspace uses a caret range.
Yarn/NPM will hoist two copies when a 7.x update appears, bloating node-modules and risking subtle runtime mismatches.

-    "jsonld-signatures": "^7.0.0"
+    "jsonld-signatures": "7.0.0"

Alternatively, omit the dependency here and let the hoisted root version satisfy the import.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f194d7b and 565c9ab.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• apps/w3c-cli/package.json (1 hunks)
• package.json (1 hunks)
• packages/w3c-context/package.json (2 hunks)
• packages/w3c-credential-status/package.json (1 hunks)
• packages/w3c-issuer/package.json (1 hunks)
• packages/w3c-vc/package.json (1 hunks)
• packages/w3c-vc/src/lib/helper/index.ts (1 hunks)
• packages/w3c/package.json (1 hunks)

🔇 Additional comments (5)

packages/w3c/package.json (1)

53-53: No functional changes. Removal of trailing newline; formatting-only update.

apps/w3c-cli/package.json (1)

59-59: No functional changes. Removal of trailing newline; formatting-only update.

packages/w3c-issuer/package.json (1)

51-51: No functional changes. Removal of trailing newline; formatting-only update.

packages/w3c-vc/package.json (1)

64-64: No functional changes. Removal of trailing newline; formatting-only update.

packages/w3c-credential-status/package.json (1)

50-50: No functional changes. Removal of trailing newline; formatting-only update.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Turning expiry failure into a warning silently accepts invalid credentials – likely a security regression

Verification now proceeds even when now > expirationDate, merely logging a console.warn.
Any consumer that relied on _checkCredential to reject expired VCs will unknowingly accept them, enabling replay or misuse.

-        console.warn('Credential has expired.');
-        // throw new Error('Credential has expired.');
+        if (process.env.W3C_ALLOW_EXPIRED !== 'true') {
+          throw new Error('Credential has expired.');
+        }
+        console.warn('Credential has expired – proceeding because W3C_ALLOW_EXPIRED=true');

This keeps existing strict behaviour by default while allowing an explicit escape hatch.

At a minimum, remove the commented‐out throw to avoid dead code clutter.

---

🏁 Script executed:

#!/bin/bash
# Display lines 160-200 around the expirationDate check for full context
sed -n '160,200p' packages/w3c-vc/src/lib/helper/index.ts

Length of output: 1454

---

🏁 Script executed:

#!/bin/bash
# Search for test references to expirationDate to assess impact
rg -n "expirationDate" packages/w3c-vc

Length of output: 942

---

🏁 Script executed:

#!/bin/bash
# Show the first 200 lines of the main test file to inspect how expirationDate is tested
sed -n '1,200p' packages/w3c-vc/src/lib/w3c-vc.test.ts

# Show occurrences of "expirationDate" with context in the test file
rg -n "expirationDate" -C3 packages/w3c-vc/src/lib/w3c-vc.test.ts

Length of output: 7870

---

🏁 Script executed:

#!/bin/bash
# Search for occurrences of “expired” to see if any tests expect error behavior
rg -n "expired" -C2 packages/w3c-vc

Length of output: 501

---

🏁 Script executed:

#!/bin/bash
# Display top 100 lines of helper/index.ts to locate "now" initialization and function context
sed -n '1,100p' packages/w3c-vc/src/lib/helper/index.ts

Length of output: 3639

---

Reinstate strict expiry checks by default with an escape hatch

Silent warnings for expired credentials pose a security risk—expired VCs should be rejected by default. Update the check in packages/w3c-vc/src/lib/helper/index.ts to throw unless an explicit override is set, and remove the dead‐code comment:

• File: packages/w3c-vc/src/lib/helper/index.ts
• Lines: ~178–185

Suggested diff:

-        console.warn('Credential has expired.');
-        // throw new Error('Credential has expired.');
+        if (process.env.W3C_ALLOW_EXPIRED !== 'true') {
+          throw new Error('Credential has expired.');
+        }
+        console.warn('Credential has expired – proceeding because W3C_ALLOW_EXPIRED=true');

• Remove the commented-out throw to eliminate dead code.
• Add a unit test covering an expired credential to ensure the default strict behavior (and override) works as intended.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	assertDateString({ credential, prop: 'expirationDate' });
	if (mode === 'verify') {
	if (now > new Date(credential.expirationDate)) {
	throw new Error('Credential has expired.');
	console.warn('Credential has expired.');
	// throw new Error('Credential has expired.');
	}
	assertDateString({ credential, prop: 'expirationDate' });
	if (mode === 'verify') {
	if (now > new Date(credential.expirationDate)) {
	if (process.env.W3C_ALLOW_EXPIRED !== 'true') {
	throw new Error('Credential has expired.');
	}
	console.warn('Credential has expired – proceeding because W3C_ALLOW_EXPIRED=true');
	}

🤖 Prompt for AI Agents

In packages/w3c-vc/src/lib/helper/index.ts around lines 178 to 185, the current
code only logs a warning when a credential is expired, which silently accepts
invalid credentials and poses a security risk. Remove the commented-out throw
statement to clean dead code and modify the logic to throw an error by default
if the credential is expired, unless an explicit override option is provided to
allow expired credentials. Additionally, add a unit test to verify that expired
credentials are rejected by default and that the override works correctly.

[nghaninn]

🎉 This PR is included in version 1.2.4 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[nghaninn]

🎉 This PR is included in version 1.2.13 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[nghaninn]

🎉 This PR is included in version 1.2.13 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[nghaninn]

🎉 This PR is included in version 1.2.17 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[nghaninn]

🎉 This PR is included in version 1.2.18 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[nghaninn]

🎉 This PR is included in version 1.2.17 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀