Bump paragonie/random_compat from 1.4.1 to 2.0.0

[dependabot]

Bumps paragonie/random_compat from 1.4.1 to 2.0.0.

Release notes

Sourced from paragonie/random_compat's releases.

Version 2.0.0

Due to downstream errors, the OpenSSL removal now belongs in version 2.0.0.

Version 1.4.3

• Fix version number in constant in lib/random.php
• Upgrade your dependency from ^1 to ^1|^2 if you want other changes (i.e. better compatibility with type-safety), because the v2 branch is where most of the development effort is focused. Continued support for v1.x is considered "only for emergencies".

Version 1.4.2

Backported changes from version 2:

• Version 2.0.10 - 2017-03-13
  • Mcrypt can now be used on PHP < 5.3.7 if you're not on Windows.
• Version 2.0.9 - 2017-03-03
  • More Psalm integration fixes.
• Version 2.0.8 - 2017-03-03
  • Prevent function already declared error for random_int() caused by misusing the library (really you should only ever include lib/random.php and never any of the other files). See #125.
• Version 2.0.6, 2.0.7 - 2017-02-27
  • Just updates to psalm.xml to silence false positives.
• Version 2.0.5 - 2017-02-27
  • Run random_compat through the static analysis tool, psalm, as part of our continuous integration process.
  • Minor readability enhancements (#122 and several docblock changes).
• Version 2.0.4 - 2016-11-07
  • Don't unnecessarily prevent mcrypt_create_iv() from being used. See #111.
• Version 2.0.3 - 2016-10-17
  • Updated lib/error_polyfill.php to resolve corner cases.
  • The README was updated to help users troubleshoot and fix insecure environments.
  • Tags will now be signed by the GnuPG key used by the security team at Paragon Initiative Enterprises, LLC.
• Version 2.0.2 - 2016-04-03
  • Added a consistency check (discovered by Taylor Hornby in his PHP encryption library). It wasn't likely causing any trouble for us.

Changelog

Sourced from paragonie/random_compat's changelog.

Version 2.0.0 - 2016-03-18

Due to downstream errors, the OpenSSL removal now belongs in version 2.0.0.

Version 1.3.1 - 2016-03-18

• Add more possible values to open_basedir check.

Version 1.3.0 - 2016-03-17

• Removed openssl_random_pseudo_bytes() entirely. If you are using random_compat in PHP on a Unix-like OS but cannot access /dev/urandom, version 1.3+ will throw an Exception. If you want to trust OpenSSL, feel free to write your own fallback code. e.g.

  try {
      $bytes = random_bytes(32);
  } catch (Exception $ex) {
      $strong = false;
      $bytes = openssl_random_pseudo_bytes(32, $strong);
      if (!$strong) {
          throw $ex;
      }
  }

Version 1.2.2 - 2016-03-11

• To prevent applications from hanging, if /dev/urandom is not accessible to PHP, skip mcrypt (which just fails before giving OpenSSL a chance and was morally equivalent to not offering OpenSSL at all).

Version 1.2.1 - 2016-02-29

• PHP 5.6.10 - 5.6.12 will hang when mcrypt is used on Unix-based operating systems (PHP bug 69833). If you are running one of these versions, please upgrade (or make sure /dev/urandom is readable) otherwise you're relying on OpenSSL.

Version 1.2.0 - 2016-02-05

• Whitespace and other cosmetic changes

• Added a changelog.

• We now ship with a command line utility to build a PHP Archive from the command line.

  Every time we publish a new release, we will also upload a .phar to Github. Our public key is signed by our GPG key.

... (truncated)

Commits

• 321a59f Prepare for 2.0.0
• 7088908 Prepare for 1.3.1
• 60f3a93 Add even more possible values for open_basedir
• ff76e1a Update documentation for 1.3
• 4663262 Since open_basedir no longer falls through to OpenSSL, expect a failure.
• 1c435ec Prepare for 1.3
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.