chore(deps)(deps): bump webauthn from 2.7.1 to 2.8.0 in /backend

[dependabot]

Bumps webauthn from 2.7.1 to 2.8.0.

Release notes

Sourced from webauthn's releases.

v2.8.0

Changes:

• "android-key" attestation verification is more tolerant of X.509 leaf certificates with values that violate ASN.1 DER parsing rules (#277)
• Dependencies have been updated, including cbor2>=5.6.5,<6.0.0 (#269, h/t @​typestring; #272), and cryptography>=46.0.0 and pyOpenSSL>=26.0.0 (#278)
• Two expired trust anchors have been retired (#279)
• A new trust anchor for "android-key" attestation has been added (#268)
• TPM manufacturer IDs are now normalized during "tpm" attestation verification to prevent casing-related lookup issues (#275)
• Registration verification will more consistently raise webauthn.helpers.exceptions.InvalidRegistrationResponse when encountering bad data. Likewise, authentication verification will more consistently raise webauthn.helpers.exceptions.InvalidAuthenticationResponse when encountering bad data (#271, #273, #276, #280)
• A docstring typo in verify_authentication_response() has been fixed (#266, h/t @​Densaugeo)

v2.8.0-alpha1

Changes:

• verify_registration_response() and verify_authentication_response() now support use of ML-DSA public keys for authenticators with PQC support. Run pip install dilithium-py to enable this capability (#260)

Changelog

Sourced from webauthn's changelog.

v2.8.0

Changes:

• "android-key" attestation verification is more tolerant of X.509 leaf certificates with values that violate ASN.1 DER parsing rules (#277)
• Dependencies have been updated, including cbor2>=5.6.5,<6.0.0 (#269, h/t @​typestring; #272), and cryptography>=46.0.0 and pyOpenSSL>=26.0.0 (#278)
• Two expired trust anchors have been retired (#279)
• A new trust anchor for "android-key" attestation has been added (#268)
• TPM manufacturer IDs are now normalized during "tpm" attestation verification to prevent casing-related lookup issues (#275)
• Registration verification will more consistently raise webauthn.helpers.exceptions.InvalidRegistrationResponse when encountering bad data. Likewise, authentication verification will more consistently raise webauthn.helpers.exceptions.InvalidAuthenticationResponse when encountering bad data (#271, #273, #276, #280)
• A docstring typo in verify_authentication_response() has been fixed (#266, h/t @​Densaugeo)

Commits

• 4a4295f Update CHANGELOG for v2.8.0 (addendum 1)
• 748f6f2 Merge pull request #280 from duo-labs/more-exception-handling-auth
• f02a707 Add some tests around parse error handling
• 6c35856 Handle clientDataJSON and authData auth errors
• 99c5256 Update CHANGELOG for v2.8.0
• 755bf0f Bump version to v2.8.0
• b416811 Merge pull request #279 from duo-labs/retire-expired-trust-anchors
• 7840f30 Retire google_hardware_attestation_root_1
• 3ec92d5 Retire globalsign_r2
• cdb96c2 Merge pull request #278 from duo-labs/migrate-dx-to-uv
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)