build(deps): bump openpgp from 5.0.1 to 5.1.0 #636

Merged: 1 commit, Feb 16, 2022

Conversation

dependabot[bot] (Contributor) commented Jan 25, 2022

Bumps openpgp from 5.0.1 to 5.1.0.

Release notes

Sourced from openpgp's releases.

v5.1.0

  • Add support for constant-time decryption of PKCS#1 v1.5-encoded session keys (#1445)

    Implement optional constant-time decryption flow to hinder Bleichenbacher-like attacks against RSA- and ElGamal public-key encrypted session keys.

    Changes:

    • Add config.constantTimePKCS1Decryption to enable the constant-time processing (defaults to false). The constant-time option is off by default since it has measurable performance impact on message decryption, and it is only helpful in specific application scenarios (more info below).
    • Add config.constantTimePKCS1DecryptionSupportedSymmetricAlgorithms (defaults to the AES algorithms). The set of supported ciphers is restricted by default since the number of algorithms negatively affects performance.

    Bleichenbacher-like attacks are of concern for applications where both of the following conditions are met:

    1. New/incoming messages are automatically decrypted (without user interaction);
    2. An attacker can determine how long it takes to decrypt each message (e.g. due to decryption errors being logged remotely).
  • Check key requirements in PrivateKey.addSubkey() (#1423)

    Breaking change: when generating new subkeys through key.addSubkey(), we now check config.rejectCurves and prevent adding subkeys using the corresponding curves. By default, config.rejectCurves includes the brainpool curves (brainpoolP256r1, brainpoolP384r1, brainpoolP512r1) and the Bitcoin curve (secp256k1).

    This is a follow-up to #1395, which introduced the same check to openpgp.generateKey.

  • Initial Deno support (#1448)

  • Replace strings with integer algorithm identifiers in packet classes (#1410)

    In several packet classes, we used to store string identifiers for public-key, aead, cipher or hash algorithms. To make the code consistent and to avoid having to convert to/from string values, we now always store integer values instead, e.g. enums.symmetric.aes128 is used instead of 'aes128'.

    This is not expected to be a breaking change for most library users. Note that the type of Key.getAlgorithmInfo() and of the session key objects returned and accepted by top-level functions remain unchanged.

    Affected classes (type changes for some properties and methods' arguments):

    • PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket
    • SymEncryptedIntegrityProtectedDataPacket, AEADEncryptedDataPacket, SymmetricallyEncryptedDataPacket
    • LiteralDataPacket, CompressedDataPacket
    • PublicKeyEncryptedSessionKey, SymEncryptedSessionKeyPacket
    • SignaturePacket

    Other potentially breaking changes:

    • Removed property AEADEncryptedDataPacket.aeadAlgo, since it was redundant given .aeadAlgorithm.
    • Renamed AEADEncryptedDataPacket.cipherAlgo -> .cipherAlgorithm
  • CI: create annotations on performance regression warnings/errors (#1441)

  • CI: use Node v16 instead of v15

  • Update documentation link (#1455)

  • Rename master branch to main

Commits
  • bd13edf 5.1.0
  • 22a6887 Add support for constant-time decryption of PKCS#1 v1.5-encoded session keys ...
  • a6c8491 Update documentation link (#1455)
  • ce5174d Initial Deno support (#1448)
  • d6139da CI: use Node v16 instead of v15
  • 6fc005f Check key requirements in PrivateKey.addSubkey() (#1423)
  • 2894b35 Create CNAME
  • 9e547bf Rename master branch to main
  • 6da1c53 Replace strings with integer algorithm identifiers in packet classes (#1410)
  • 03fa68d CI: create annotations on performance regression warnings/errors (#1441)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies javascript labels Jan 25, 2022
codecov bot commented Jan 25, 2022

Codecov Report

Merging #636 (bcaaa7b) into master (d170178) will increase coverage by 0.65%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##           master     #636      +/-   ##
==========================================
+ Coverage   94.73%   95.39%   +0.65%     
==========================================
  Files           4        4              
  Lines         152      152              
  Branches       43       43              
==========================================
+ Hits          144      145       +1     
+ Misses          8        7       -1     
| Flag | Coverage Δ |
|---|---|
| demo | 80.00% <ø> (ø) |
| macos-latest | 95.39% <ø> (+0.65%) ⬆️ |
| script | 97.08% <ø> (+0.72%) ⬆️ |
| ubuntu-latest | 95.39% <ø> (+0.65%) ⬆️ |
| version | 80.00% <ø> (ø) |
| windows-latest | 95.39% <ø> (+0.65%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
|---|---|
| src/buildExec.ts | 99.02% <0.00%> (+0.97%) ⬆️ |


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update d170178...bcaaa7b.

Bumps [openpgp](https://github.com/openpgpjs/openpgpjs) from 5.0.1 to 5.1.0.
- [Release notes](https://github.com/openpgpjs/openpgpjs/releases)
- [Commits](openpgpjs/openpgpjs@v5.0.1...v5.1.0)

---
updated-dependencies:
- dependency-name: openpgp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/npm_and_yarn/openpgp-5.1.0 branch from 4b0b8ed to bcaaa7b on Feb 16, 2022
@drazisil-codecov drazisil-codecov merged commit a485989 into master Feb 16, 2022
15 checks passed
@drazisil-codecov drazisil-codecov deleted the dependabot/npm_and_yarn/openpgp-5.1.0 branch Feb 16, 2022