Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): bump openpgp from 5.0.0-5 to 5.0.0 #508

Merged
merged 1 commit into from Sep 9, 2021

Conversation

@dependabot @github
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 3, 2021

Bumps openpgp from 5.0.0-5 to 5.0.0.

Release notes

Sourced from openpgp's releases.

v5.0.0

This is the first stable release of OpenPGP.js v5 (no more breaking changes to the high-level API will be made). There are no changes since the last prerelease (v5.0.0-6). The changelog since OpenPGP.js v4 is:

Security improvements

  • Improve the security of newly generated keys:
    • Generate ECC keys by default (#1065)
    • RSA keys can still be generated with the new type parameter of generateKey: (#1179)
      import { generateKey } from 'openpgp';
      const { privateKey } = await generateKey({
        userIDs: [{ name: 'Test', email: 'test@email' }],
        type: 'rsa'
      });
    • Newly generated RSA keys are now 4096-bits by default
    • Remove SHA-1 from the default preferred hash algorithms (#1067)
    • Remove 3DES and CAST5 from the default preferred symmetric algorithms (#1068)
  • Reject certain insecure keys by default:
    • Add config.rejectPublicKeyAlgorithms, and default to disallowing the use of ElGamal and DSA for encrypting new messages and signing and verifying signatures, respectively (#1264)
    • Reject RSA keys with fewer than config.minRSABits bits (defaulting to 2048) when encrypting new messages and signing and verifying signatures, not just on key generation (#1264)
    • If you want to make an exception for a certain key or algorithm, rather than adjusting the global openpgp.config, you can now pass a config to a single function call, perhaps after warning the user / confirming that they want to allow this; for example:
      import { createMessage, encrypt } from 'openpgp';
      const message = await createMessage('Hello world!');
      try {
        await encrypt({
          message,
          encryptionKeys: publicKeys
        });
      } catch (err) {
        if (err.message.includes('...') && confirm('Warning: keys are insecure. Use anyway?')) {
          await encrypt({
            message,
            encryptionKeys: publicKeys,
            config: { minRSABits: 1024, rejectPublicKeyAlgorithms: new Set() }
          });
        } else {
          throw err;
        }
      }
      Of course, if at all possible, it's better to (ask users to) generate new keys, instead.
  • … and a few smaller configuration changes

Library size reductions

  • openpgp.HKP has been moved to a separate package: openpgpjs/hkp-client
  • openpgp.WKD has been moved to a separate package: openpgpjs/wkd-client
  • openpgp.Keyring and LocalStore have been removed, because keyring handling and storage should be handled in the application, as localStorage may not meet the durability requirements of the application.

... (truncated)

Commits
  • acafb28 5.0.0
  • 4f1c474 5.0.0-6
  • a599638 Docs: clarify content of returned signatures value in openpgp.verify and ...
  • 3fa778a Add config.rejectCurves and prevent generating keys using blacklisted algor...
  • f57d352 Set default config.minRSABits to 2047 (#1392)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@codecov
Copy link

@codecov codecov bot commented Sep 3, 2021

Codecov Report

Merging #508 (c071c70) into master (f6d4366) will increase coverage by 0.68%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #508      +/-   ##
==========================================
+ Coverage   95.23%   95.91%   +0.68%     
==========================================
  Files           4        4              
  Lines         147      147              
  Branches       40       40              
==========================================
+ Hits          140      141       +1     
+ Misses          7        6       -1     
Flag Coverage Δ
demo 85.71% <ø> (ø)
macos-latest 95.91% <ø> (+0.68%) ⬆️
script 96.99% <ø> (+0.75%) ⬆️
ubuntu-latest 95.91% <ø> (+0.68%) ⬆️
windows-latest 95.91% <ø> (+0.68%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
src/buildExec.ts 99.00% <0.00%> (+1.00%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f6d4366...c071c70. Read the comment docs.

Bumps [openpgp](https://github.com/openpgpjs/openpgpjs) from 5.0.0-5 to 5.0.0.
- [Release notes](https://github.com/openpgpjs/openpgpjs/releases)
- [Commits](openpgpjs/openpgpjs@v5.0.0-5...v5.0.0)

---
updated-dependencies:
- dependency-name: openpgp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/openpgp-5.0.0 branch from 1024b80 to c071c70 Sep 9, 2021
@thomasrockhu-codecov thomasrockhu-codecov merged commit b6fd8cc into master Sep 9, 2021
14 checks passed
@thomasrockhu-codecov thomasrockhu-codecov deleted the dependabot/npm_and_yarn/openpgp-5.0.0 branch Sep 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

1 participant