Skip to content

Bump openpgp from 4.10.10 to 5.0.1 in /src #77

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Bump openpgp from 4.10.10 to 5.0.1 in /src #77

wants to merge 3 commits into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 18, 2021
edited
Loading

Bumps openpgp from 4.10.10 to 5.0.1.

Release notes

Sourced from openpgp's releases.

v5.0.1

  • Remove stream from type definitions (#1413) It was removed in v5.0.0; the type definition was left behind.
  • Try to use process.env.NODE_ENV directly (#1402) Properly detect development / production mode when using tools like webpack or Vite, but don't throw an error if it's not available.
  • CI: Add performance and memory usage regression monitoring for pull requests (#1411)
  • Add config.allowInsecureVerificationWithReformattedKeys (#1231) Allows verifying signatures using keys that have been reformatted after the signature was created. To avoid this issue entirely, we recommend passing the key creation date to reformatKey.
  • Do not include checksum values in error messages when armor integrity check fails (#1428)
  • Update web stream tools and improve performance (#1439)
  • Remove line terminators from randomly generated test messages (#1440)

v5.0.0

This is the first stable release of OpenPGP.js v5 (no more breaking changes to the high-level API will be made). There are no changes since the last prerelease (v5.0.0-6). The changelog since OpenPGP.js v4 is:

Security improvements

  • Improve the security of newly generated keys:
    • Generate ECC keys by default (#1065)
    • RSA keys can still be generated with the new type parameter of generateKey: (#1179) 
      import { generateKey } from 'openpgp';
const { privateKey } = await generateKey({
  userIDs: [{ name: 'Test', email: 'test@email' }],
  type: 'rsa'
});
    • Newly generated RSA keys are now 4096-bits by default
    • Remove SHA-1 from the default preferred hash algorithms (#1067)
    • Remove 3DES and CAST5 from the default preferred symmetric algorithms (#1068)
  • Reject certain insecure keys by default:
    • Add config.rejectPublicKeyAlgorithms, and default to disallowing the use of ElGamal and DSA for encrypting new messages and signing and verifying signatures, respectively (#1264)
    • Reject RSA keys with fewer than config.minRSABits bits (defaulting to 2048) when encrypting new messages and signing and verifying signatures, not just on key generation (#1264)
    • If you want to make an exception for a certain key or algorithm, rather than adjusting the global openpgp.config, you can now pass a config to a single function call, perhaps after warning the user / confirming that they want to allow this; for example: 
      import { createMessage, encrypt } from 'openpgp';
const message = await createMessage('Hello world!');
try {
  await encrypt({
    message,
    encryptionKeys: publicKeys
  });
} catch (err) {
  if (err.message.includes('...') && confirm('Warning: keys are insecure. Use anyway?')) {
    await encrypt({
      message,
      encryptionKeys: publicKeys,
      config: { minRSABits: 1024, rejectPublicKeyAlgorithms: new Set() }
    });
  } else {

... (truncated)

Commits
  • 05e435a 5.0.1
  • 1d2093a Update web stream tools and improve performance (#1439)
  • a17a720 Remove line terminators from randomly generated test messages (#1440)
  • cfeef41 Do not include checksum values in error messages when armor integrity check f...
  • 88b1380 Add config.allowInsecureVerificationWithReformattedKeys (#1422)
  • b7527f7 CI: Add memory usage regression monitoring for pull requests (#1415)
  • 421733e CI: Add performance regression monitoring for pull requests (#1411)
  • df7e690 Try to use process.env.NODE_ENV directly (#1402)
  • fc42c38 Remove stream from type definitions (#1413)
  • acafb28 5.0.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Nov 18, 2021
@dependabot dependabot bot requested a review from a team November 18, 2021 17:09
@dependabot dependabot bot mentioned this pull request Nov 18, 2021
Closed
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/src/openpgp-5.0.1 branch 2 times, most recently from 9e85337 to 521d165 Compare December 21, 2021 23:07
@dependabot
Bump openpgp from 4.10.10 to 5.0.1 in /src
5f8799d 
Bumps [openpgp](https://github.com/openpgpjs/openpgpjs) from 4.10.10 to 5.0.1.
- [Release notes](https://github.com/openpgpjs/openpgpjs/releases)
- [Commits](openpgpjs/openpgpjs@v4.10.10...v5.0.1)

---
updated-dependencies:
- dependency-name: openpgp
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/src/openpgp-5.0.1 branch from 521d165 to 5f8799d Compare December 21, 2021 23:12
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jan 25, 2022

A newer version of openpgp exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mathisonryan