deps(deps): bump sha2 from 0.10.9 to 0.11.0#41
c04a43f to 4a047af
Bumps [sha2](https://github.com/RustCrypto/hashes) from 0.10.9 to 0.11.0.
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

---
updated-dependencies:
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
4a047af to 47cf1ea
Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting
Dependabot opened #40 (hmac 0.12→0.13) and #41 (sha2 0.10→0.11) as independent PRs, but these bumps are coupled through the `digest` trait: hmac 0.13 and sha2 0.11 both require `digest` 0.11, while our pbkdf2 0.12 and aes-gcm 0.10 sit on `digest` 0.10. `Hmac::<Sha256>` requires matching `digest` trait versions across all three crates, so a lone hmac or sha2 bump fails to compile. pbkdf2 0.13 and aes-gcm 0.11 (the coupled counterparts on digest 0.11) are currently only released as pre-release versions (0.13.0-rc.10 and 0.11.0-rc.3). Taking pre-release crypto crates in a security-relevant path isn't a good trade. Add dependabot ignore rules for hmac/sha2/pbkdf2/aes-gcm minor bumps so the tracker doesn't re-open these stale PRs weekly. Re-enable by deleting these ignore entries once pbkdf2 0.13 and aes-gcm 0.11 ship as stable releases.
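The ignore rules the comment above describes, written out as an added example of a `.github/dependabot.yml` (this is not the file from PR #147; the `cargo` ecosystem, the root `directory` and the weekly schedule are assumptions):

```yaml
# .github/dependabot.yml -- added example, not the project's own file
version: 2
updates:
  - package-ecosystem: "cargo"   # assumption: a Cargo project at the repo root
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # hmac 0.13 and sha2 0.11 moved to digest 0.11 while pbkdf2 0.12 and
      # aes-gcm 0.10 still sit on digest 0.10, so a lone minor bump of any of
      # the four breaks Hmac::<Sha256>. Only semver-minor bumps are ignored:
      # patch releases within the pinned 0.x lines still come through.
      # Delete these four entries once pbkdf2 0.13 and aes-gcm 0.11 ship as
      # stable releases.
      - dependency-name: "hmac"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "sha2"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "pbkdf2"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "aes-gcm"
        update-types: ["version-update:semver-minor"]
```

Before lifting the ignores, `cargo tree -i digest@0.10` (a stock cargo subcommand) lists which of the four crates still pull in `digest` 0.10, which is the coupling that has to disappear first.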
Closing as blocked on RustCrypto ecosystem. This bump is coupled to the
Accepting pre-release crypto crates in a security-relevant path isn't a good trade. Our current pins (hmac 0.12, sha2 0.10) have no open security advisories. PR #147 adds dependabot ignore rules for the four coupled deps so this doesn't get re-opened weekly. Re-enable by deleting those ignore entries once pbkdf2 0.13 and aes-gcm 0.11 ship as stable releases.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps sha2 from 0.10.9 to 0.11.0.
Commits
- ffe0939 Release sha2 0.11.0 (#806)
- 8991b65 Use the standard order of the `[package]` section fields (#807)
- 3d2bc57 sha2: refactor backends (#802)
- faa55fb sha3: bump `keccak` to v0.2 (#803)
- d3e6489 sha3 v0.11.0-rc.9 (#801)
- bbf6f51 sha2: tweak backend docs (#800)
- 155dbbf sha3: add default value for the `DS` generic parameter on `TurboShake128/256`...
- ed514f2 Use published version of `keccak` v0.2 (#799)
- 702bcd8 Migrate to closure-based `keccak` (#796)
- 827c043 sha3 v0.11.0-rc.8 (#794)