deps: bump pbkdf2 from 0.13.0-rc.10 to 0.13.0 #109
dependabot[bot] wants to merge 1 commit into main
Conversation
Bumps [pbkdf2](https://github.com/RustCrypto/password-hashes) from 0.13.0-rc.10 to 0.13.0.
- [Commits](RustCrypto/password-hashes@pbkdf2-v0.13.0-rc.10...pbkdf2-v0.13.0)

---
updated-dependencies:
- dependency-name: pbkdf2
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Closing in favour of the coordinated batch tracked in #117. The RustCrypto family (aes / cbc / hmac / pbkdf2) shares digest 0.11 traits, so they need to land together rather than as four separate PRs that each fail trait bounds. Reopen / new dependabot run will be picked up when the batch is harvested for v1.6.7.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Headline changes since v1.6.5:
- Fix zombie WebSocket: wire tunnel.onerror / onstatechange in
client.html so a mid-path WS drop surfaces the disconnected
overlay instead of leaving the tab frozen.
- Reconnect button now relaunches the original Connections entry
via /api/addressbook/.../connect rather than reloading a
Completed session URL. Ad-hoc and shareToken paths fall back
cleanly. Bonus: client.onerror clears the thumbnail upload
interval so the secondary leak (XHR 404s against a dead session)
stops the moment the overlay shows.
- v1.6.6 polish (already on main): OIDC discovery error wrapping
for trailing-slash mismatches, contrib/setup-xrdp-gfx.sh adds
xrdp to ssl-cert and normalises key.pem perms, aurora theme
applies when [theme] is absent (not just empty), new
docs/reverse-proxies.md covering nginx / Caddy / Apache /
Traefik with the %2F-decoding gotcha.
- Dependency bumps: rustls-webpki 0.103.13 (RUSTSEC-2026-0104,
CRL-parse panic + URI excluded-subtree fix), rustls 0.23.39,
russh 0.60.1, libc 0.2.186, plus matching /fuzz mirrors.
- Test cleanup: drop format!("{}", ...) and field-reassign-after-
Default patterns flagged by clippy 1.93.
Deferred to v1.6.7:
- RustCrypto batch (aes 0.9 + cbc 0.2 + hmac 0.13 + pbkdf2 0.13)
tracked in #117. They share digest 0.11 traits and have to land
together; individual dependabot PRs (#107/#109/#111/#113) closed
in favour of one coordinated commit.
- rand 0.10 (#108): API breaking, no security pressure, will get
picked up next time token generation paths are touched.
Coordinated bump of the RustCrypto stack and rand. These crates share digest 0.11 traits and could not be bumped one at a time; pbkdf2 0.13.0 shipping stable was the trigger to harvest the group.

Cargo.toml:
- aes 0.8 -> 0.9
- cbc 0.1 -> 0.2
- hmac 0.12 -> 0.13
- pbkdf2 0.12 -> 0.13
- sha1 0.10 -> 0.11
- rand 0.9 -> 0.10

API call-site fixes:
- src/browser.rs (Chromium password encryption pipeline): cbc 0.2 renamed the BlockEncryptMut trait to BlockModeEncrypt and the encrypt_padded_mut method to encrypt_padded (now takes self by value).
- src/db.rs and src/session.rs: rand 0.10 renamed the Rng trait to RngExt; swap the import. fill() and random() call sites are otherwise unchanged.

The Chromium password encryption tests (5) all pass after the bump, confirming the v10/PBKDF2/AES-128-CBC pipeline is bytewise unchanged. cargo test (207 tests), clippy --all-targets -D warnings, and cargo audit all clean.

Closes #107 (aes), #109 (pbkdf2), #111 (hmac), #113 (cbc), #117 (tracking), #108 (rand).
Headline changes since v1.6.6:
- Connections quick-find search. New search input in the entries header bar searches across every connection the user has access to (not just the selected folder). Tokenised substring matching with simple scoring (name-prefix > name-substring > host > folder-path), match highlighting, and a Folder breadcrumb column in results. Press / to focus, Esc to clear. The "open folder" link on each result expands ancestors, selects the target, and scrolls it into view. Backed by a new GET /api/addressbook/ search-index endpoint that walks the full visible tree once and returns a flat list (entries credential-stripped via EntryInfo). Thanks to JSC for raising the request.
- RustCrypto family + rand 0.10 batch upgrade. aes 0.8 -> 0.9, cbc 0.1 -> 0.2, hmac 0.12 -> 0.13, pbkdf2 0.12 -> 0.13, sha1 0.10 -> 0.11, rand 0.9 -> 0.10. These crates share digest 0.11 traits across the family and could not be bumped individually; pbkdf2 0.13.0 shipping stable was the trigger. Closes #107, #108, #109, #111, #113, #117. API call-site fixes in src/browser.rs (Chromium password encryption: BlockEncryptMut -> BlockModeEncrypt, encrypt_padded_mut -> encrypt_padded) and src/db.rs / src/session.rs (rand Rng trait -> RngExt). The five Chromium password encryption tests pass after the bump, confirming the v10/PBKDF2/AES-128-CBC pipeline is bytewise unchanged.
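The quick-find scoring described in the release note above, as an added example that is not the project's own code: a whitespace-tokenised search over a credential-stripped index, ranking name-prefix > name-substring > host > folder-path. The IndexEntry struct, the constructed sample entries, the numeric weights and the rule that every token must match somewhere are assumptions of this example.

```rust
// Added example, not the project's code. The index carries only the fields a
// search result needs (name, host, folder path); credentials never reach it.
#[derive(Debug, Clone, PartialEq)]
pub struct IndexEntry {
    pub name: String,
    pub host: String,
    pub folder_path: String, // e.g. "Ops/Databases"; no secret fields here
}

/// Score one token against one entry. None means no match at all.
/// Weights follow the stated ranking: name prefix (4) > name substring (3)
/// > host substring (2) > folder-path substring (1). Weights are assumed.
fn token_score(e: &IndexEntry, tok: &str) -> Option<u32> {
    let name = e.name.to_lowercase();
    if name.starts_with(tok) {
        Some(4)
    } else if name.contains(tok) {
        Some(3)
    } else if e.host.to_lowercase().contains(tok) {
        Some(2)
    } else if e.folder_path.to_lowercase().contains(tok) {
        Some(1)
    } else {
        None
    }
}

/// Every whitespace-separated token must match (assumed AND semantics); the
/// entry score is the sum of per-token scores. Returns (index, score),
/// best first, ties broken by original position so output is stable.
pub fn search(index: &[IndexEntry], query: &str) -> Vec<(usize, u32)> {
    let toks: Vec<String> = query.split_whitespace().map(|t| t.to_lowercase()).collect();
    if toks.is_empty() {
        return Vec::new();
    }
    let mut hits: Vec<(usize, u32)> = index
        .iter()
        .enumerate()
        .filter_map(|(i, e)| toks.iter().map(|t| token_score(e, t)).sum::<Option<u32>>().map(|s| (i, s)))
        .collect();
    hits.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
    hits
}

/// Constructed sample data for the demonstration.
pub fn sample_index() -> Vec<IndexEntry> {
    let mk = |n: &str, h: &str, f: &str| IndexEntry { name: n.into(), host: h.into(), folder_path: f.into() };
    vec![
        mk("db-prod", "db1.example.internal", "Ops/Databases"),
        mk("jump", "prod-jump.example.internal", "Ops/Bastions"),
        mk("wiki", "wiki.example.internal", "Customers/Prod"),
    ]
}

fn main() {
    let idx = sample_index();
    for (i, s) in search(&idx, "prod") {
        println!("{s}: {} ({})", idx[i].name, idx[i].folder_path);
    }
}
```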
Bumps pbkdf2 from 0.13.0-rc.10 to 0.13.0.
Commits
- eba9411 pbkdf2 v0.13.0 (#885)
- 3b43bd6 bcrypt-pbkdf: bump blowfish to v0.10 (#887)
- 8f703a9 Adopt Trusted Publishing (#886)
- 8f0ced5 pbkdf2: apply workspace-level lints (#884)
- 267d901 Cargo.lock: bump dependencies (#881)
- e698b38 argon2: add regression test for RustCrypto/traits#2352 (#879)
- 22ca09e build(deps): bump the all-deps group with 10 updates (#878)
- 1bcae95 pbkdf2: remove outdated Sync bounds (#876)
- 57d89c4 Bump salsa20 dependency to v0.11 (#875)
- 4db687c pbkdf2: bump belt-hash to v0.2 (#874)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.