Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(dev-deps): update dependency openpgp to v6 #175

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 1, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
openpgp (source) 5.11.2 -> 6.0.1 age adoption passing confidence

Release Notes

openpgpjs/openpgpjs (openpgp)

v6.0.1

Compare Source

What's Changed

  • Fix ES imports for webpack: declare exports.browser entrypoint as higher priority than import
  • Fix openpgp.verify/decrypt with expectSigned: true and format: 'binary' (#​1805)
  • TS: fix generateKey (options.type) and PrivateKey.getDecryptionKeys() type declarations (#​1807)
  • Update hash algorithm preferences order by (#​1804)

Full Changelog: openpgpjs/openpgpjs@v6.0.0...v6.0.1

v6.0.0

Compare Source

What's Changed

OpenPGP.js v6 adds support for the new version of the OpenPGP specification, RFC 9580. It also increases compliance with the specification, as demonstrated by the OpenPGP interoperability test suite.

OpenPGP.js v6 only makes minor API changes.
This is the first stable release of OpenPGP.js v6: no more breaking changes to the high-level API will be made until the next major release.

For the changes since the previous pre-release (v6.0.0-beta.3.patch.1), see the end of this message.
Here we list a summary of the main changes since v5:

Platform support changes
  • The library is now declared as a module (type: module in package.json), and declares exports, alongside the legacy package.json entrypoints, which should ensure backwards compatibility. Still, bundlers might be affected by the package.json changes depending on how they load the library.
  • Node.js:
    • Drop support for Node.js versions below 18 (OpenPGP.js v5 supported Node.js v14 and above).
    • Streaming: drop support for native Node Readable stream: require passing Node Web Streams (#​1716)
  • Web:
    • Require availability of the Web Crypto API's SubtleCrypto (insecure contexts are no longer supported, as SubtleCrypto is not available there)
    • Require availability of the Web Streams API, since it's now supported in all browsers (applications can load a polyfill if they need to support older browser versions: see README)
    • Require availability of native BigInts (not supported by e.g. Safari 13 and below, see full compatibility table)
    • Argon2 has been added as S2K algorithm (on all platforms). For performance reasons, the implementation relies on a WASM module, thus web apps might need to make changes to their CSP policy in order to use the feature. Alternatively, since the Argon2 WASM module is only loaded if needed, apps can manually reject password-encrypted messages and private keys which use Argon2 by checking e.g. SymEncryptedSessionKeyPacket.s2k?.type === 'argon2' or SecretKeyPacket|SecretSubkeyPacket.keyPacket.s2k?.type === 'argon2'.
Breaking API changes
  • Ensure primary key meets strength and algo requirements when encrypting/verifying/signing using subkeys (#​1719)
  • read[Private]Key: support parsing key blocks (return first parsable key); previously, parsing would fail if a block with more than one key was given in input (#​1755)
  • PrivateKey.getDecryptionKeys will now throw if no decryption key is found (#​1789). Previously, an empty array was returned. As a consequence of this change, some openpgp.decrypt errors will be more specific.
  • Refuse to use keys without key flags (see config.allowMissingKeyFlags below)
  • Randomize v4 and v5 signatures via custom notation (#​1737): while this notation solution is interoperable, it will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases. For this reason, the option config.nonDeterministicSignaturesViaNotation (defaulting to true) has been added to turn off the feature.
  • AEAD-encrypted v4 keys from OpenPGP.js v5 or older (namely keys generated without .v5Keys flag and encrypted with config.aeadProtect = true) cannot be decrypted by OpenPGP.js v6 (via decryptKey) out-of-the-box (see config.parseAEADEncryptedV4KeysAsLegacy below) (#​1672)
  • Parsing of v5 keys and v5 signatures now requires turning on the corresponding config flag (see config.enableParsingV5Entities below). The affected entities are non-standard, and in the RFC 9580 they have been superseded by v6 keys, v6 signatures and SEIPDv2 encrypted data, respectively. However, generation of v5 entities was supported behind config flags in OpenPGP.js v5, and some other libraries, hence parsing them might be necessary in some cases. (#​1774 , #​1779)
Configuration changes
  • RFC 9580 has updated parts of the draft RFC 4880bis as implemented by OpenPGP.js v4 and v5. Related changes in v6 are:
    • Drop the config.v5Keys flag and corresponding key generation. The flag is replaced by .v6Keys, and results in a different key format.
    • The config.aeadProtect flag has a different effect than in v5:
    • Add config.parseAEADEncryptedV4KeysAsLegacy to allow decrypting AEAD-encrypted v4 keys from OpenPGP.js v5 or older (namely keys generated without .v5Keys flag and encrypted with config.aeadProtect = true) (#​1672).
    • Add config.enableParsingV5Entities to enable parsing support for v5 entities (https://github.com/openpgpjs/openpgpjs/pull/1774 , #​1779)
  • Add config.allowMissingKeyFlags to bypass the missing key flag check (see https://github.com/openpgpjs/openpgpjs/pull/1677)
  • Drop config.minBytesForWebCrypto, and always use WebCrypto if available, since there is no longer a performance overhead for small messages.
  • Rename EdDSA-related enums following the standardization of new key formats:
    • Drop enums.publicKey.eddsa in favour of enums.publicKey.eddsaLegacy
    • Rename string value of enums.curve.ed25519Legacy to 'ed25519Legacy' (was: 'ed25519')
    • Rename string value of enums.curve.curve25519Legacy to 'curve25519Legacy' (was: 'curve25519')
  • Rename config.useIndutnyElliptic to .useEllipticFallback, to reflect the change of underlying library.
  • Remove enums.symmetric.plaintext (internally unused)
  • Rename NIST curves to disambiguate the names with the Brainpool curves (#​1721).:
    • the identifiers enums.curve.p256, .p384, .p521 are now marked as @deprecated (to be dropped in the main release)
    • the new identifiers are, respectively: enums.curve.nistP256, .nistP384, .nistP521.
    • the corresponding values have been changed from 'p256','p384','p521' to 'nistP256', 'nistP384', 'nistP521' (these new values are expected by generateKey, for the options.curve argument).
  • Remove config.deflateLevel (#​1717)
  • Drop config.revocationsExpire, always honor revocation expiration (#​1736): the option used to default to false, and ignore revocation expirations. We now honor those expirations, namely match the behavior resulting from setting the option to true.
  • Change the default preferred hash algorithm (config.preferredHashAlgorithm) to SHA512 (#​1801)
New API options
  • In openpgp.sign, recipientKeys and recipientUserIDs options have been added. These can be used to influence the selection of the hash algorithm via the algorithm preferences of the recipient keys, to ensure that the recipients will support the selected hash algorithm.
    Similarly, when signing+encrypting using openpgp.encrypt, the encryptionKeys are now used to determine the preferred hash algorithms, instead of the signingKeys. (https://github.com/openpgpjs/openpgpjs/pull/1802)

Full Changelog: openpgpjs/openpgpjs@v5.11.0...v6.0.0.

For additional context about the changes introduced by OpenPGP.js v6, you can also refer to the changelog of the various prereleases, starting from v6.0.0-alpha.0.

Changes since v6.0.0-beta.3.patch.1: the main changes since the previous pre-release are the changes to the handling of preferred hash algorithms mentioned above (#​1801 and #​1802). For the full changelog, see openpgpjs/openpgpjs@v6.0.0-beta.3.patch.1...v6.0.0.


Configuration

📅 Schedule: Branch creation - "before 4am on the first day of the month" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the internal Internal issues and tasks. No direct impact on end-user. label Dec 1, 2024
@codecov-commenter
Copy link

codecov-commenter commented Dec 1, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 32.29%. Comparing base (117c2ca) to head (4afff5e).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #175   +/-   ##
=======================================
  Coverage   32.29%   32.29%           
=======================================
  Files          33       33           
  Lines         870      870           
  Branches       15       15           
=======================================
  Hits          281      281           
  Misses        589      589           
Flag Coverage Δ
core 33.58% <ø> (ø)
webview 20.68% <ø> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
internal Internal issues and tasks. No direct impact on end-user.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant