Upstream security: LINE webhook signature timing-attack fix by adolago · Pull Request #157 · adolago/zee

adolago · 2026-01-28T12:53:23Z

Fixes #111.

What changed

Use constant-time comparison (crypto.timingSafeEqual) for LINE webhook signature validation.
Factor validation into packages/personas/zee/src/line/signature.ts and add focused unit tests.
Expand LINE webhook middleware tests to cover invalid signatures and wrong secrets.

Tests

pnpm -C packages/personas/zee vitest run src/line/webhook.test.ts src/line/signature.test.ts
pnpm -C packages/personas/zee build

LINE: fix webhook signature timing comparison

ba08dcc

adolago merged commit 18e9473 into dev Jan 28, 2026
1 of 2 checks passed

adolago deleted the issue/111-line-signature-timing-safe branch January 28, 2026 21:46

Provide feedback