Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump openpgp from 5.11.2 to 6.1.0 #215

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

build(deps): bump openpgp from 5.11.2 to 6.1.0 #215

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 31, 2025

Bumps openpgp from 5.11.2 to 6.1.0.

Release notes

Sourced from openpgp's releases.

v6.1.0

What's Changed

  • Fix decryption support for non-standard, legacy AEAD-encrypted messages and keys that used experimentalGCM from OpenPGP.js v5 (openpgpjs/openpgpjs#1811)
  • Throw on encryption using the non-standard experimentalGCM AEAD algorithm (The enums.aead.gcm ID standardized by RFC9580 should be used instead.)
  • Improve internal tree-shaking and lazy load md5 (openpgpjs/openpgpjs#1812)
  • Fix signing using keys without preferred hash algorithms (openpgpjs/openpgpjs#1820)

Full Changelog: openpgpjs/openpgpjs@v6.0.1...v6.1.0

v6.0.1

What's Changed

  • Fix ES imports for webpack: declare exports.browser entrypoint as higher priority than import
  • Fix openpgp.verify/decrypt with expectSigned: true and format: 'binary' (#1805)
  • TS: fix generateKey (options.type) and PrivateKey.getDecryptionKeys() type declarations (#1807)
  • Update hash algorithm preferences order by (#1804)

Full Changelog: openpgpjs/openpgpjs@v6.0.0...v6.0.1

v6.0.0

What's Changed

OpenPGP.js v6 adds support for the new version of the OpenPGP specification, RFC 9580. It also increases compliance with the specification, as demonstrated by the OpenPGP interoperability test suite.

OpenPGP.js v6 only makes minor API changes. This is the first stable release of OpenPGP.js v6: no more breaking changes to the high-level API will be made until the next major release.

For the changes since the previous pre-release (v6.0.0-beta.3.patch.1), see the end of this message. Here we list a summary of the main changes since v5:

Platform support changes

  • The library is now declared as a module (type: module in package.json), and declares exports, alongside the legacy package.json entrypoints, which should ensure backwards compatibility. Still, bundlers might be affected by the package.json changes depending on how they load the library.
  • Node.js:
    • Drop support for Node.js versions below 18 (OpenPGP.js v5 supported Node.js v14 and above).
    • Streaming: drop support for native Node Readable stream: require passing Node Web Streams (#1716)
  • Web:
    • Require availability of the Web Crypto API's SubtleCrypto (insecure contexts are no longer supported, as SubtleCrypto is not available there)
    • Require availability of the Web Streams API, since it's now supported in all browsers (applications can load a polyfill if they need to support older browser versions: see README)
    • Require availability of native BigInts (not supported by e.g. Safari 13 and below, see full compatibility table)
    • Argon2 has been added as S2K algorithm (on all platforms). For performance reasons, the implementation relies on a WASM module, thus web apps might need to make changes to their CSP policy in order to use the feature. Alternatively, since the Argon2 WASM module is only loaded if needed, apps can manually reject password-encrypted messages and private keys which use Argon2 by checking e.g. SymEncryptedSessionKeyPacket.s2k?.type === 'argon2' or SecretKeyPacket|SecretSubkeyPacket.keyPacket.s2k?.type === 'argon2'.

Breaking API changes

  • Ensure primary key meets strength and algo requirements when encrypting/verifying/signing using subkeys (#1719)
  • read[Private]Key: support parsing key blocks (return first parsable key); previously, parsing would fail if a block with more than one key was given in input (#1755)
  • PrivateKey.getDecryptionKeys will now throw if no decryption key is found (#1789). Previously, an empty array was returned. As a consequence of this change, some openpgp.decrypt errors will be more specific.
  • Refuse to use keys without key flags (see config.allowMissingKeyFlags below)
  • Randomize v4 and v5 signatures via custom notation (#1737): while this notation solution is interoperable, it will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases. For this reason, the option config.nonDeterministicSignaturesViaNotation (defaulting to true) has been added to turn off the feature.
  • AEAD-encrypted v4 keys from OpenPGP.js v5 or older (namely keys generated without .v5Keys flag and encrypted with config.aeadProtect = true) cannot be decrypted by OpenPGP.js v6 (via decryptKey) out-of-the-box (see config.parseAEADEncryptedV4KeysAsLegacy below) (#1672)
  • Parsing of v5 keys and v5 signatures now requires turning on the corresponding config flag (see config.enableParsingV5Entities below). The affected entities are non-standard, and in the RFC 9580 they have been superseded by v6 keys, v6 signatures and SEIPDv2 encrypted data, respectively. However, generation of v5 entities was supported behind config flags in OpenPGP.js v5, and some other libraries, hence parsing them might be necessary in some cases. (#1774 , #1779)

... (truncated)

Commits
  • 96b13a4 6.1.0
  • 432856f Fix signing using keys without preferred hash algorithms (#1820)
  • b2bd8a0 Merge pull request #1812
  • 6db98f1 Internal: improve tree-shaking in armor module
  • 8e5da78 Internal: improve tree-shaking of web-stream-tools
  • a5d894f Internal: avoid importing enums in legacy_cipher chunk
  • a16160f Use noble-hashes for md5
  • abe750c Lightweight build: lazy load md5 hashing module
  • 2a8969b Internal: improve tree-shaking for crypto modules
  • bf85dee Merge pull request #1811
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump openpgp from 5.11.2 to 6.1.0
818442c 
Bumps [openpgp](https://github.com/openpgpjs/openpgpjs) from 5.11.2 to 6.1.0.
- [Release notes](https://github.com/openpgpjs/openpgpjs/releases)
- [Commits](openpgpjs/openpgpjs@v5.11.2...v6.1.0)

---
updated-dependencies:
- dependency-name: openpgp
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from crazy-max as a code owner January 31, 2025 05:21
@dependabot dependabot bot mentioned this pull request Jan 31, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crazy-max crazy-max Awaiting requested review from crazy-max crazy-max is a code owner

Assignees
No one assigned
Labels
bot kind/dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants