⬆️ Bump password-hash from 0.5.0 to 0.6.1 in the password-hashing-crates group across 1 directory#2980
Open
dependabot[bot] wants to merge 3 commits intomainfrom
Open
Conversation
dependabot
Bot
added
dependencies
github-actions
Bot
added
lib
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/cargo/password-hashing-crates-664d59d395
branch
2 times, most recently
from
dde4c02 to
cc2478b
Compare
Bumps the password-hashing-crates group with 1 update in the / directory: [password-hash](https://github.com/RustCrypto/traits). Updates `password-hash` from 0.5.0 to 0.6.1 - [Commits](RustCrypto/traits@password-hash-v0.5.0...password-hash-v0.6.1) --- updated-dependencies: - dependency-name: password-hash dependency-version: 0.6.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: password-hashing-crates ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/cargo/password-hashing-crates-664d59d395
branch
from
cc2478b to
fcae4a4
Compare
Updates `pbkdf2` from 0.12.2 to 0.13.0, which is the rest of the `password-hashing-crates` Dependabot group. Dependabot opened a PR for `password-hash` only because pbkdf2 0.13 dropped the `simple` and `parallel` features in favor of `phc`, and resolution fails before the new feature names are wired up. Notes: - The companion `password-hash` 0.5.0 -> 0.6.1 bump is reverted in this commit. argon2 0.5.3 still pins `password-hash ^0.5`, so upgrading the direct dependency leaves the argon2 path with mismatched `PasswordHash` types and breaks the build. pbkdf2 0.13 pulls in `password-hash 0.6` transitively; libpna keeps `password-hash 0.5` directly and bridges the two ecosystems through PHC strings inside `lib/src/hash.rs`. - pbkdf2 0.13 made `Params` fields private and enforces a 1000-round minimum. `entry::write::hash` now uses `Params::new_with_output_len` with the cipher key size, and the 1-round PBKDF2 fixtures in `archive::tests` are bumped to 1000 rounds. - The `[target.'cfg(not(target_os = "emscripten"))']` override is removed because the `parallel` (rayon) feature was removed upstream and was never actually exercised by the PHC path libpna uses. - Hash helpers now return concrete `(Output, String)` / `Output` values instead of borrowed `PasswordHash<'a>`, removing cross-version type coupling.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| let ps = ph.to_string(); | ||
| let ph = derive_password_hash(&ps, b"pass").unwrap(); | ||
| assert!(ph.hash.is_some()); | ||
| let derived = derive_password_hash(&ps, b"pass").unwrap(); |
| let ps = ph.to_string(); | ||
| let ph = derive_password_hash(&ps, b"pass").unwrap(); | ||
| assert!(ph.hash.is_some()); | ||
| let derived = derive_password_hash(&ps, b"pass").unwrap(); |
pbkdf2 0.13's `Params::new_with_output_len` rejects rounds below `MIN_ROUNDS = 1000`. Update the two CLI integration tests that previously exercised the path with `r=1` so they continue to run under the upgraded crate. Companion fix to the libpna test bumps in 693dd48 — same constraint, this time on the `--pbkdf2 r=N` CLI option.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the password-hashing-crates group with 1 update in the / directory: password-hash.
Updates
password-hashfrom 0.5.0 to 0.6.1Commits
d1954d8password-hash v0.6.1 (#2371)2501d4fpassword-hash: change bounds for PHC verify blanket impl [BREAKING] (#2370)f18bb80digest: adddev::initialized_mac_testfunction (#2367)adcbc44build(deps): bump crate-ci/typos from 1.44.0 to 1.45.0 (#2368)fb3f1eabuild(deps): bump the all-deps group across 1 directory with 11 updates (#2369)23118eakem v0.3.0 (#2356)13beea5kem: add serialization docs (#2355)ea57736kem: add basic usage with example (#2354)1c96506elliptic-curve: bumphkdfdependency to v0.13 (#2349)b7c764aCargo.lock: bumpcrypto-bigintto v0.7.3 (#2346)