Track coordinated RustCrypto 0.10 → 0.11 stack migration #1238

@proggeramlug

Background

Dependabot PR #1157 (bump sha1 from 0.10.6 → 0.11.0) failed to compile with 13 trait-bound errors: sha1 0.11 moved to the digest 0.11 trait crate, while the rest of Perry's RustCrypto deps still pin digest 0.10. Cargo therefore pulls both digest-0.10.7 and digest-0.11.3 into the graph, and `Sha1::digest(...)` and `Hmac<Sha1>::new_from_slice(...)` in perry-stdlib/src/webcrypto.rs fail to resolve because the trait impls they need live in two different crates.

Closing #1157 in favor of this coordinated tracking issue.

Affected crates (current versions on digest 0.10)

Workspace root Cargo.toml shared deps:

  • `hmac = "0.12"`
  • `md-5 = "0.10"`
  • `sha1 = "0.10"`
  • `sha2 = "0.10"`
  • `pbkdf2 = "0.12"` (features = ["simple"])
  • `hkdf = "0.12"`
  • `aes = "0.8"`
  • `aes-gcm = "0.10"`
  • `aes-kw = "0.3.0"`

Per-crate pins:

  • `perry-updater`: sha2 0.10
  • `perry-jsruntime`: sha1 0.10, sha2 0.10, md-5 0.10, hmac 0.12 (ops.rs:544 uses Sha1::new)
  • `perry-stdlib`: sha1 / sha2 / md-5 / hmac / aes / aes-gcm / aes-kw / pbkdf2 / hkdf (all optional behind features such as `webcrypto`; crypto.rs and webcrypto.rs are the hot call sites)
  • `perry`: sha2 0.10

Target versions (RustCrypto 0.11 series — when whole stack is available)

When all of these have stable 0.11 releases, bump together in one PR:

  • digest → 0.11
  • sha1 → 0.11 (already released)
  • sha2 → 0.11 (already released)
  • sha3 → 0.11 (already released, we don't currently use it)
  • md-5 → 0.11 (status: check crates.io)
  • hmac → 0.13 (status: check crates.io — typically pairs with digest 0.11)
  • pbkdf2 → next (depends on hmac/digest)
  • hkdf → next (depends on hmac/digest)
  • aes-gcm / aes / aes-kw / cipher — these are the RustCrypto/AEADs and RustCrypto/block-ciphers repos, separate release cadence

API breakage to expect in 0.11

  • `Digest::digest()` and `Update::update()` trait signatures changed
  • `new_from_slice` may have moved or changed return types (`MacError` vs new `InvalidLength`)
  • `Hmac::new_from_slice` works via `KeyInit` blanket impl from digest 0.11 — needs verification
  • `FixedOutput::finalize_fixed()` and `finalize_into()` ergonomics
  • `generic-array` → `hybrid-array` transition in some sub-crates

Call sites to update

  • `crates/perry-stdlib/src/crypto.rs` (HashState enum dispatch around L715)
  • `crates/perry-stdlib/src/webcrypto.rs` (Sha1::digest L274, Hmac::new_from_slice L284)
  • `crates/perry-jsruntime/src/ops.rs` L544 (`use sha1::Sha1; let mut h = Sha1::new();`)
  • `crates/perry-updater/` (sha2 usage for update verification)

Action items

  • Wait for entire RustCrypto stack to land on 0.11 (track upstream: md-5, hmac, pbkdf2, hkdf)
  • Bump all crates together in one PR (workspace root + per-crate Cargo.tomls)
  • Update call sites for new `Digest` / `Update` / `KeyInit` signatures
  • Verify cargo tree shows only one digest version
  • Run full webcrypto + crypto parity tests
  • Set Dependabot to `ignore minor` on individual RustCrypto crates until then (or group them via dependabot.yml `groups:`) so we stop getting one-at-a-time bump PRs that can't merge
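One way to carry out the last action item, added here as an example rather than the project's own configuration: a `.github/dependabot.yml` that groups every RustCrypto crate listed above into a single update PR, so a sha1 bump cannot arrive without the matching digest/hmac bumps. The `cargo` ecosystem, the `/` directory and the weekly schedule are assumptions.

```yaml
# .github/dependabot.yml (added example; path, directory and schedule are assumptions)
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"            # workspace root Cargo.toml
    schedule:
      interval: "weekly"
    groups:
      # Everything that has to move together once the 0.11 stack is complete.
      rustcrypto:
        patterns:
          - "digest"
          - "sha1"
          - "sha2"
          - "md-5"
          - "hmac"
          - "pbkdf2"
          - "hkdf"
          - "aes"
          - "aes-gcm"
          - "aes-kw"
          - "cipher"
        # Patch bumps stay ungrouped; only minor/major bumps (the ones that
        # change the digest major version) are batched into one PR.
        update-types:
          - "minor"
          - "major"
```

Until upstream has shipped the whole 0.11 stack, a grouped PR can still fail to build in the same way; the group mainly stops the one-at-a-time PRs. The other option named in the action item is a per-crate `ignore` entry with `update-types: ["version-update:semver-minor"]`.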

Labels: dependencies (Pull requests that update a dependency file)