deps(deps): bump hmac from 0.12.1 to 0.13.0 #40
Labels

The following labels could not be found: Please fix the above issues or remove invalid values from
c525f6e to b4f27ee
Bumps [hmac](https://github.com/RustCrypto/MACs) from 0.12.1 to 0.13.0.
- [Commits](RustCrypto/MACs@hmac-v0.12.1...hmac-v0.13.0)

---
updated-dependencies:
- dependency-name: hmac
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
b4f27ee to d400778
Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting
Dependabot opened #40 (hmac 0.12→0.13) and #41 (sha2 0.10→0.11) as independent PRs, but these bumps are coupled through the `digest` trait: hmac 0.13 and sha2 0.11 both require `digest` 0.11, while our pbkdf2 0.12 and aes-gcm 0.10 sit on `digest` 0.10. `Hmac::<Sha256>` requires matching `digest` trait versions across all three crates, so a lone hmac or sha2 bump fails to compile.

pbkdf2 0.13 and aes-gcm 0.11 (the coupled counterparts on digest 0.11) are currently only released as pre-release versions (0.13.0-rc.10 and 0.11.0-rc.3). Taking pre-release crypto crates in a security-relevant path isn't a good trade.

Add dependabot ignore rules for hmac/sha2/pbkdf2/aes-gcm minor bumps so the tracker doesn't re-open these stale PRs weekly. Re-enable by deleting these ignore entries once pbkdf2 0.13 and aes-gcm 0.11 ship as stable releases.
Closing as blocked on RustCrypto ecosystem. This bump is coupled to the
Accepting pre-release crypto crates in a security-relevant path isn't a good trade. Our current pins (hmac 0.12, sha2 0.10) have no open security advisories. PR #147 adds dependabot ignore rules for the four coupled deps so this doesn't get re-opened weekly. Re-enable by deleting those ignore entries once pbkdf2 0.13 and aes-gcm 0.11 ship as stable releases.

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps hmac from 0.12.1 to 0.13.0.
Commits
- 0236c8e hmac v0.13.0 (#263)
- b895e50 Migrate tests to the new blobby format (#264)
- 3d1440b Workspace-level lint configuration (#261)
- 11d4f36 hmac: use release versions of `dev-dependencies` (#260)
- c40b82b hmac: bump `sha2` dev-dependency to v0.11 (#259)
- 1fa0781 Cut rc.5 prereleases (#258)
- a008265 hmac v0.13.0-rc.6 (#256)
- da485cd Use `(Reset)MacTraits` (#254)
- 2c51e3b hmac: derive `Clone` instead of relying on `(Reset)MacTraits` (#253)
- 669d805 Relax `Clone` bounds (#250)