deps(deps): bump sha2 from 0.10.9 to 0.11.0 #41

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/sha2-0.11.0

Conversation

@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Contributor
Bumps sha2 from 0.10.9 to 0.11.0.

Commits

dependabot Bot commented on behalf of github Mar 30, 2026

Contributor Author

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot force-pushed the dependabot/cargo/sha2-0.11.0 branch 12 times, most recently from c04a43f to 4a047af Compare April 15, 2026 08:50
Bumps [sha2](https://github.com/RustCrypto/hashes) from 0.10.9 to 0.11.0.
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

---
updated-dependencies:
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/sha2-0.11.0 branch from 4a047af to 47cf1ea Compare April 15, 2026 11:34
dependabot Bot commented on behalf of github Apr 18, 2026

Contributor Author

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.


EffortlessSteven added a commit that referenced this pull request Apr 19, 2026
Dependabot opened #40 (hmac 0.12→0.13) and #41 (sha2 0.10→0.11) as
independent PRs, but these bumps are coupled through the `digest`
trait: hmac 0.13 and sha2 0.11 both require `digest` 0.11, while our
pbkdf2 0.12 and aes-gcm 0.10 sit on `digest` 0.10. `Hmac::<Sha256>`
requires matching `digest` trait versions across all three crates, so
a lone hmac or sha2 bump fails to compile.

pbkdf2 0.13 and aes-gcm 0.11 (the coupled counterparts on digest 0.11)
are currently only released as pre-release versions (0.13.0-rc.10 and
0.11.0-rc.3). Taking pre-release crypto crates in a security-relevant
path isn't a good trade.

Add dependabot ignore rules for hmac/sha2/pbkdf2/aes-gcm minor bumps
so the tracker doesn't re-open these stale PRs weekly. Re-enable by
deleting these ignore entries once pbkdf2 0.13 and aes-gcm 0.11 ship
as stable releases.
@EffortlessSteven EffortlessSteven commented

Member

Closing as blocked on RustCrypto ecosystem.

This bump is coupled to the digest trait version. hmac 0.13 and sha2 0.11 both require digest 0.11. Our other crypto deps (pbkdf2, aes-gcm) also need to bump to the digest 0.11 line for Hmac::<Sha256> and pbkdf2_hmac_array::<Sha256, _> call sites to compile — but as of today:

  • pbkdf2 is only at 0.13.0-rc.10 (pre-release)
  • aes-gcm is only at 0.11.0-rc.3 (pre-release)

Accepting pre-release crypto crates in a security-relevant path isn't a good trade. Our current pins (hmac 0.12, sha2 0.10) have no open security advisories.

PR #147 adds dependabot ignore rules for the four coupled deps so this doesn't get re-opened weekly. Re-enable by deleting those ignore entries once pbkdf2 0.13 and aes-gcm 0.11 ship as stable releases.
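The coupling described in the comment above and in the referenced commit message shows up in Cargo.lock as two resolved versions of `digest`, with the coupled crates pointing at different ones. As an added example (not code from this PR or the project), here is a small Python check a maintainer could run before merging any of these bumps: it parses a Cargo.lock, lists crates that resolve to more than one version, and reports which `digest` line each coupled crate depends on. The Cargo.lock excerpt is constructed for the example, and its patch versions (0.10.7, 0.12.1, 0.12.2) are placeholders, not the project's actual pins; aes-gcm is omitted from the sample because its link to the `digest` line is indirect.

```python
"""Detect a split trait-crate line (e.g. two `digest` versions) in a Cargo.lock."""
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt modelling the state after a lone sha2 bump:
# sha2 0.11 pulls in digest 0.11 while hmac and pbkdf2 stay on digest 0.10.
# Patch versions here are placeholders, not the project's real pins.
SAMPLE_LOCK = """\
[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "digest"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "hmac"
version = "0.12.1"
dependencies = [
 "digest 0.10.7",
]

[[package]]
name = "pbkdf2"
version = "0.12.2"
dependencies = [
 "digest 0.10.7",
 "hmac",
]

[[package]]
name = "sha2"
version = "0.11.0"
dependencies = [
 "digest 0.11.0",
]
"""

_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_lock(text):
    """Return one dict {name, version, dependencies, ...} per [[package]] table."""
    packages, cur, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur = {"name": None, "version": None, "dependencies": []}
            packages.append(cur)
            in_deps = False
        elif cur is None or not line:
            continue
        elif in_deps:
            if line == "]":
                in_deps = False
            else:
                cur["dependencies"].append(line.strip('",'))  # '"digest 0.10.7",' -> 'digest 0.10.7'
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # a one-line `dependencies = []` closes immediately
        else:
            m = _KV.match(line)  # name, version, source, checksum
            if m:
                cur[m.group(1)] = m.group(2)
    return packages


def versions_by_name(packages):
    out = defaultdict(set)
    for p in packages:
        out[p["name"]].add(p["version"])
    return out


def split_crates(packages):
    """Crate names resolved to more than one version: the lockfile symptom of a split line."""
    return sorted(n for n, vs in versions_by_name(packages).items() if len(vs) > 1)


def dependency_version(packages, crate, dep):
    """Which version of `dep` does `crate` resolve to? None if it does not depend on it."""
    byname = versions_by_name(packages)
    for p in packages:
        if p["name"] != crate:
            continue
        for entry in p["dependencies"]:
            name, _, ver = entry.partition(" ")
            if name == dep:
                # Cargo writes the version only when several copies of `dep` exist.
                return ver or next(iter(byname[dep]))
    return None


COUPLED = ("hmac", "sha2", "pbkdf2")  # crates that must agree on the digest line


def check(text=SAMPLE_LOCK, coupled=COUPLED, trait_crate="digest"):
    """Report split crates and the trait-crate line each coupled crate sits on."""
    packages = parse_lock(text)
    report = {c: dependency_version(packages, c, trait_crate) for c in coupled}
    # For 0.x crates the compatibility line is 0.MINOR, so drop the patch component.
    lines = {v.rsplit(".", 1)[0] for v in report.values() if v}
    return {"split": split_crates(packages), "digest_lines": report, "ok": len(lines) <= 1}


if __name__ == "__main__":
    result = check()
    for crate, ver in result["digest_lines"].items():
        print(f"{crate:8} -> digest {ver}")
    print("split crates:", result["split"])
    print("consistent:", result["ok"])
```

On the sample the check reports `digest` as split and flags hmac and pbkdf2 on 0.10 against sha2 on 0.11, which is exactly the state in which `Hmac::<Sha256>` stops compiling; a coordinated bump of all coupled crates is the only way to bring `ok` back to true.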

dependabot Bot commented on behalf of github Apr 19, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@EffortlessSteven EffortlessSteven deleted the dependabot/cargo/sha2-0.11.0 branch April 19, 2026 00:21
EffortlessSteven added a commit that referenced this pull request Apr 19, 2026
…#147)