From 4.x to 5.0

Step-by-step guide for migrating from 4.x to 5.0

This page is subject to change, as version 5.0.0 is not available at the time of writing.

This project follows the Semantic Versioning principles. Upgrading a minor version (where the middle number changes) should cause no difficulty, whereas upgrading a major version (where the first number changes) involves significant modifications.

Update the libraries

First of all, make sure you are using the latest 4.x release (4.6.0 at the time of writing).

In addition, you have to make sure you are using PHP 8.2+.

Spot deprecations

Next, verify that you do not use any deprecated class, interface, method or property. If you have PHPUnit tests, you can easily get the list of deprecations triggered by your application.

Token Binding

All references to token binding are deprecated. This functionality is no longer supported, as it was removed from the latest WebAuthn specification versions.

ECDAA

All references to the ECDAA Attestation Statement type are deprecated. This functionality is no longer supported, as it was removed from the latest WebAuthn specification versions.

Webauthn\AuthenticatorSelectionCriteria

  • Constant AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_NONE: please use AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_NO_PREFERENCE instead

  • Method

Webauthn\CertificateToolbox

This class is now deprecated. Please use Webauthn\MetadataService\CertificateChainChecker\PhpCertificateChainValidator instead or a class that implements Webauthn\MetadataService\CertificateChain\CertificateChainValidator.

Webauthn\PublicKeyCredentialSourceRepository

Dependency Changes:

  • Added:

    • symfony/clock: ^6.3

  • Bumped:

    • PHP: >=8.2

    • symfony/*: ^6.3

  • Removed:

    • lcobucci/clock

Configuration Files

No modification required.

Upgrade the libraries

Once the deprecated usages have been removed from your code, you can upgrade the libraries. In your composer.json, change all web-auth/* dependencies from ^4.x.y to ^5.0.0. When done, execute composer update.

This may also update other dependencies. You can list upgradable libraries by calling composer outdated. Please make sure these libraries do not impact your upgrade.
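
The checks this guide describes before running composer update (PHP 8.2+, no deprecated references left, web-auth/* constraints moved to ^5), written as an added example that is not part of the project's documentation or tooling. The function names, the grep patterns (derived from the names listed under "Spot deprecations" and "Dependency Changes") and the sample project tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's tooling: pre-upgrade checks for the items listed above.
# The grep patterns are assumptions derived from the names on this page.

# php_version_ok VERSION: succeed when VERSION (e.g. "8.2.14") is 8.2 or newer.
php_version_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# scan_deprecations DIR: print file:line:text for each PHP line outside vendor/
# that mentions a deprecated or removed name; status 1 when anything is found.
scan_deprecations() {
    patterns='RESIDENT_KEY_REQUIREMENT_NONE|CertificateToolbox|TokenBinding|ECDAA|Lcobucci\\Clock'
    hits=$(grep -rnE --include='*.php' --exclude-dir=vendor "$patterns" "$1" 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# pending_constraints FILE: print the web-auth/* requirements in composer.json
# that are not yet on a ^5 constraint; status 1 when none remain.
pending_constraints() {
    grep -E '"web-auth/[^"]+"[[:space:]]*:' "$1" | grep -vE ':[[:space:]]*"\^5[."]'
}

# make_sample DIR: write a constructed project tree to DIR for a dry run.
make_sample() {
    mkdir -p "$1/src" "$1/vendor/web-auth"
    cat > "$1/composer.json" <<'EOF'
{
    "require": {
        "php": ">=8.2",
        "web-auth/webauthn-lib": "^4.6",
        "web-auth/metadata-service": "^5.0.0"
    }
}
EOF
    cat > "$1/src/Registration.php" <<'EOF'
<?php
use Webauthn\AuthenticatorSelectionCriteria;
$old = AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_NONE;
$new = AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_NO_PREFERENCE;
EOF
    echo '<?php class CertificateToolbox {}' > "$1/vendor/web-auth/Toolbox.php"
}
```

A text scan like this only finds literal names in your own sources; the PHPUnit deprecation list remains the way to catch deprecated calls reached through inheritance or dynamic dispatch.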

All Modifications In A Row

If you want to see all modifications at once, please have a look at this page.
