refactor: Bump otpauth from 8.0.3 to 9.5.0

[mtrezza]

Bumps otpauth from 8.0.3 to 9.5.0.

This is a major version bump (8 → 9). Changelog analysis confirms the API surface used by Parse Dashboard is fully backward compatible:

Breaking change assessment:

• Exports: Identical between v8 and v9 (HOTP, TOTP, URI, Secret, version)
• TOTP constructor: All existing parameters unchanged; v9 adds two new optional params (issuerInLabel, hmac)
• TOTP methods: generate(), validate(), toString() signatures unchanged; v9 adds new counter() and remaining() methods
• Secret class: fromBase32(), base32 getter, constructor unchanged; buffer property deprecated but still available via getter
• Internal change: Crypto backend switched from jssha to @noble/hashes (v9.3.0) — no API impact

Codebase usage verified (3 files):

• Parse-Dashboard/Authentication.js — new OTPAuth.TOTP(), OTPAuth.Secret.fromBase32(), totp.validate() ✅
• Parse-Dashboard/CLI/mfa.js — new OTPAuth.Secret(), new OTPAuth.TOTP(), totp.toString(), secret.base32 ✅
• src/dashboard/Settings/DashboardSettings/DashboardSettings.react.js — new OTPAuth.Secret(), new OTPAuth.TOTP(), secret.base32, totp.toString(), totp.algorithm, totp.digits, totp.period ✅

Build: npm run build passes.

Risk: Low.

Closes #3310

Summary by CodeRabbit

• Chores
  • Updated otpauth dependency to version 9.5.0 with updated transitive dependencies.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c95f005d-6327-4836-9278-af5045ca9aba

📥 Commits

Reviewing files that changed from the base of the PR and between b463735 and 42871a8.

📒 Files selected for processing (2)

• package-lock.json
• package.json

---

📝 Walkthrough

Walkthrough

Updates the otpauth package dependency from version 8.0.3 to 9.5.0 in both package.json and package-lock.json. The lock file reflects a transitive dependency change, replacing jssha with @noble/hashes as a nested dependency under otpauth.

Changes

Cohort / File(s)	Summary
Dependency Version Update package.json, package-lock.json	Updates otpauth from 8.0.3 to 9.5.0. Lock file changes include: updated resolved tarball URL and integrity hash for otpauth, removal of jssha 3.2.0 transitive dependency, addition of @noble/hashes 2.0.1 as nested dependency under otpauth/node_modules, and metadata additions (license, funding, engines fields).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Engage In Review Feedback	❓ Inconclusive	Review feedback engagement cannot be verified without access to GitHub PR interface showing review comments and discussions.	Provide access to GitHub PR #3318 interface or transcript of review comments to assess feedback engagement.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'refactor: Bump otpauth from 8.0.3 to 9.5.0' begins with 'refactor:' prefix and clearly describes the dependency update change.
Description check	✅ Passed	The description provides detailed changelog analysis, backward compatibility assessment, code usage verification, and build confirmation, exceeding template requirements.
Linked Issues check	✅ Passed	The PR meets all requirements from issue #3310: otpauth bumped to 9.5.0, upstream changes documented with dependency analysis, and release metadata assessed.
Out of Scope Changes check	✅ Passed	All changes are scoped to updating otpauth and its transitive dependencies; no unrelated modifications are present in package.json or package-lock.json.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check	✅ Passed	The otpauth dependency update from 8.0.3 to 9.5.0 introduces no security vulnerabilities and represents a security improvement with backward API compatibility.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Checkov (3.2.513)

package.json

2026-04-03 18:30:35,906 [MainThread ] [ERROR] Template file not found: package.json
2026-04-03 18:30:35,912 [MainThread ] [ERROR] Template file not found: package.json
2026-04-03 18:30:35,912 [MainThread ] [ERROR] Template file not found: package.json
2026-04-03 18:30:35,970 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with package.json
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/ope

... [truncated 2547 characters] ...

[MainThread ] [WARNI] Secret scanning: could not process file package.json
2026-04-03 18:30:36,014 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: 'package.json'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

🎉 This change has been released in version 9.1.0-alpha.12

[parseplatformorg]

🎉 This change has been released in version 9.1.0