dependabot[bot]
3685b3902d
Bump sinon from 20.0.0 to 21.0.0
...
Bumps [sinon](https://github.com/sinonjs/sinon) from 20.0.0 to 21.0.0.
- [Release notes](https://github.com/sinonjs/sinon/releases)
- [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md)
- [Commits](https://github.com/sinonjs/sinon/commits)
---
updated-dependencies:
- dependency-name: sinon
dependency-version: 21.0.0
dependency-type: direct:development
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-09-11 15:44:05 +00:00
larabr
296dd2724a
Dependabot: fix "CI" prefix config
2025-09-11 17:41:21 +02:00
larabr
f3b4bf920a
Merge pull request #1897
...
Dependabot: setup for dev dependencies and CI actions
2025-09-11 17:39:45 +02:00
larabr
4bc772623e
CI: Dependabot: also update Github actions
2025-09-11 13:19:28 +02:00
larabr
cf7382a7f6
Dependabot: update all dev dependencies on a monthly basis
...
Patch and minor updates will be grouped in the same MRs.
Major updates will result in standalone MRs.
Also, since only two schedules are currently supported for each package-ecosystem,
the update frequency of noble and fflate has been changed to a daily one
(same as playwright).
2025-09-11 13:17:10 +02:00
larabr
6f9584d13f
6.2.2
v6.2.2
2025-09-02 14:45:07 +02:00
larabr
93d9df7724
Fix zlib compression for data larger than 65KB (#1894)
...
Regression introduced in https://github.com/openpgpjs/openpgpjs/pull/1826 (v6.2.0).
Due to internal fflate lib changes, part of the compressed data ended up being discarded,
leading to a corrupted compressed payload for the encrypted/signed message,
which cannot be decompressed.
Compression is disabled by default in openpgpjs.
Hence, the issue affects only users who enabled zlib compression via e.g.
`config.preferredCompressionAlgorithm = openpgp.enums.compression.zlib`
and encrypted or signed data larger than 65KB.
2025-09-02 14:40:35 +02:00
larabr
30ce607245
6.2.1
v6.2.1
2025-08-26 14:44:09 +02:00
larabr
2138b80cba
Merge pull request #1886
...
Bump dev dependencies to latest versions, and fix TS test setup
2025-08-25 17:09:13 +02:00
larabr
c5f9ecf3e4
Tests: TS: add back missing type checking
...
tsx does not run any type checking, hence a separate
tsc step is needed.
Also, fix resulting type issue caused by external lib types.
2025-08-25 15:59:50 +02:00
larabr
5027bcd0eb
Tests: TS: temporarily lock @types/node version to v22
...
v24 brings breaking changes that will be fixed in the next
minor openpgpjs release
2025-08-25 15:49:24 +02:00
larabr
bcdb59729c
Run npm update
...
Including npm audit
2025-08-25 15:47:46 +02:00
dependabot[bot]
0a92baf8ba
Tests: bump playwright from 1.54.1 to 1.55.0 (#1883)
...
Bumps [playwright](https://github.com/microsoft/playwright) from 1.54.1 to 1.55.0.
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](https://github.com/microsoft/playwright/compare/v1.54.1...v1.55.0)
---
updated-dependencies:
- dependency-name: playwright
dependency-version: 1.55.0
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-21 11:38:50 +02:00
dependabot[bot]
449ba5bc7a
Build(deps-dev): bump @noble/curves from 1.9.5 to 1.9.6 (#1880)
...
Bumps the noble group with 1 update: [@noble/curves](https://github.com/paulmillr/noble-curves).
Updates `@noble/curves` from 1.9.5 to 1.9.6
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](https://github.com/paulmillr/noble-curves/compare/1.9.5...1.9.6)
---
updated-dependencies:
- dependency-name: "@noble/curves"
dependency-version: 1.9.6
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: noble
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-06 14:39:30 +02:00
larabr
ddbd0d72f9
Merge pull request #1873
2025-07-31 19:19:10 +02:00
larabr
c1ea7ca464
Tests: update ECDH negative test expectations to match WebKit Windows behavior
...
AES-KW unwrapping failure does not throw an OperationError there,
instead it returns an empty buffer, which then fails to be PKCS5 decoded.
2025-07-31 19:09:59 +02:00
larabr
faeceec49e
CI: set fail-on-cache-miss for cached build folders
2025-07-31 19:09:59 +02:00
larabr
0f586241e8
CI: run browser tests also on Windows
2025-07-31 19:09:59 +02:00
larabr
6b1da73b97
Merge pull request #1875
2025-07-31 19:08:40 +02:00
larabr
e05ca9e2d2
Internal: switch away from deprecated noble-curve util.randomPrivateKey
2025-07-31 19:07:57 +02:00
dependabot[bot]
29cdf978c4
Build(deps-dev): bump @noble/curves from 1.9.2 to 1.9.5
...
Bumps the noble group with 1 update: [@noble/curves](https://github.com/paulmillr/noble-curves).
Updates `@noble/curves` from 1.9.2 to 1.9.5
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](https://github.com/paulmillr/noble-curves/compare/1.9.2...1.9.5)
---
updated-dependencies:
- dependency-name: "@noble/curves"
dependency-version: 1.9.5
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: noble
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-07-31 19:07:57 +02:00
larabr
659e3dbbd0
Merge pull request #1877
2025-07-31 18:05:14 +02:00
larabr
ed5554e114
Lightweight build: lazy load tweetnacl dependency module (curve25519 JS fallback)
...
Since all major browsers have shipped support for the curve
in WebCrypto, we only load the JS fallback if needed.
Also, add native/non-native ECDH test for Curve25519Legacy.
(The more modern X25519/X448 algo implementations cannot be
tested that way since they include an HKDF step for which
we assume native support and do not implement a fallback.)
2025-07-31 17:42:37 +02:00
larabr
721b918296
Key validation: use WebCrypto API when available for curve25519
...
For Ed25519/Ed25519Legacy native validation code does a sign-verify check over random data.
This is faster than re-deriving the public point using tweetnacl.
If the native implementation is not available, we fall back to re-deriving
the public point only.
For X25519/Curve25519Legacy, both the native and fallback flows do an ecdh exchange;
in the fallback case, this results in slower performance compared to the existing check,
but encryption subkeys are hardly ever validated directly (only in case of gnu-dummy keys),
and this solution keeps the code simpler.
Separately, all validation tests have been updated to use valid params from a different
key, rather than corrupted parameters.
2025-07-28 15:13:54 +02:00
larabr
4054ff0543
README: add section about how to update to the latest version and deprecation policy (#1876) [skip ci]
...
Co-authored-by: Daniel Huigens <d.huigens@protonmail.com>
2025-07-25 14:47:36 +02:00
larabr
c30404c143
6.2.0
v6.2.0
2025-07-17 18:14:15 +02:00
dependabot[bot]
732f3c88b2
Tests: bump playwright from 1.53.0 to 1.54.1 (#1872)
...
Bumps [playwright](https://github.com/microsoft/playwright) from 1.53.0 to 1.54.1.
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](https://github.com/microsoft/playwright/compare/v1.53.0...v1.54.1)
---
updated-dependencies:
- dependency-name: playwright
dependency-version: 1.54.1
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-14 10:47:42 +02:00
larabr
24f776a9af
Merge pull request #1870
...
Add workarounds for WebCrypto X25519 bugs on WebKit Linux
At least some of the errors were found to also affect Epiphany,
not just the playwright build, unlike previously reported (4762d2c).
2025-07-14 10:45:25 +02:00
larabr
9703ab891e
Add workaround for WebCrypto X25519 key generation bug on WebKit Linux
...
Similar/same issue was already patched for Ed25519.
https://bugs.webkit.org/show_bug.cgi?id=279113
2025-07-10 21:22:20 +02:00
larabr
b9275642e1
Add workaround for WebCrypto X25519 key export bug on WebKit Linux
...
https://bugs.webkit.org/show_bug.cgi?id=289693
2025-07-10 21:21:15 +02:00
larabr
d155da23dd
Revert "CI: do not test Webkit on Linux"
...
This reverts commit 4762d2c7623eccaf297a2bf9f4c7aa957aa32c6f.
2025-07-09 16:00:08 +02:00
dependabot[bot]
448418a6f5
Bump @noble/curves from 1.9.0 to 1.9.2 in the noble group (#1855)
...
Bumps the noble group with 1 update: [@noble/curves](https://github.com/paulmillr/noble-curves).
Updates `@noble/curves` from 1.9.0 to 1.9.2
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](https://github.com/paulmillr/noble-curves/compare/1.9.0...1.9.2)
---
updated-dependencies:
- dependency-name: "@noble/curves"
dependency-version: 1.9.2
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: noble
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-17 16:58:58 +02:00
larabr
208402ebcb
Merge pull request #1850
...
Bump dev dependencies to latest versions
2025-06-17 15:54:00 +02:00
larabr
232da14940
Tests: revert update to chai v5
...
Chai v5 broke support for Safari below v16.4;
we delay the update for now, waiting for their fix.
2025-06-13 16:46:40 +02:00
larabr
cabc91c42c
Bump dev dependencies to latest versions
...
Only one breaking change with `@rollup/plugin-typescript`,
that enforced a check on the `outDir` location.
2025-06-13 16:38:12 +02:00
larabr
a51249a964
Run npm update
...
as well as npm audit.
2025-06-13 16:37:41 +02:00
Daniel Huigens
fe58fe9ac0
Improve packet stream & error handling (#1856)
...
Refactor & simplify the handling of the packet stream and errors in
packet parsing & grammar validation.
This PR also makes the following observable changes:
- Packet parsing errors in not-yet-authenticated streams (i.e. SEIPDv1
with `allowUnauthenticatedStream: true`) get delayed until the
decrypted data stream is authenticated (i.e. the MDC has been
validated)
- Non-critical unknown packets get turned into `UnparseablePacket`
objects on the packet stream instead of being ignored
- The grammar validation internals are changed to a state machine where
each input packet is only checked once, for efficiency (before, the
entire partial packet sequence was checked for every packet)
Co-authored-by: larabr <larabr+github@protonmail.com>
2025-06-12 15:49:31 +02:00
martgil
66baa5f57b
Simplify User ID parsing (#1862)
2025-06-12 12:27:42 +02:00
dependabot[bot]
b31bc89854
Tests: bump playwright from 1.52.0 to 1.53.0 (#1861)
...
Bumps [playwright](https://github.com/microsoft/playwright) from 1.52.0 to 1.53.0.
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](https://github.com/microsoft/playwright/compare/v1.52.0...v1.53.0)
---
updated-dependencies:
- dependency-name: playwright
dependency-version: 1.53.0
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-11 16:32:54 +02:00
Kevin Kredit
38c56f84c2
Improve type definition for the User class (#1857)
2025-05-28 20:55:16 +02:00
larabr
88cd1810a3
Implement OpenPGP message grammar validation (add config.enforceGrammar)
...
It enforces a message structure as defined in
https://www.rfc-editor.org/rfc/rfc9580.html#section-10.3
(but slightly more permissive with Padding packets allowed in all cases).
Since we are unclear on whether this change might
impact handling of some messages in the wild, generated by
odd use-cases or non-conformant implementations, we
also add the option to disable the grammar check via
`config.enforceGrammar`.
GrammarErrors are only sensitive in the context of
unauthenticated decrypted streams.
2025-05-20 14:17:13 +02:00
larabr
4c4ebe4a76
Internal: move config TS declaration to standalone file
...
To access the types in internally
2025-05-20 14:17:13 +02:00
larabr
87a72e0ab2
Internal: move enums TS declaration to standalone file
...
To access the types in internally.
Also, include internal d.ts files in published npm bundle.
2025-05-20 14:17:13 +02:00
Daniel Huigens
aba9bb1b69
Prefer subkeys with higher algorithm IDs (#1854)
...
In case of equal creation timestamps, pick the signing/encryption subkey
with the highest algorithm ID, on the assumption that that's the most
modern/secure algorithm.
2025-05-20 14:07:30 +02:00
larabr
45d825c64a
CI: fix "unknown cli/env config" warnings from npm v11 (#1851)
...
npm v12 will drop support for unknown config options.
2025-05-19 17:54:42 +02:00
Daniel Huigens
843a69d0ad
Don't mutate message during verification
2025-05-19 14:47:49 +02:00
dependabot[bot]
16c36f7135
Bump the noble group across 1 directory with 3 updates (#1845)
...
* Bump the noble group across 1 directory with 3 updates
Bumps the noble group with 2 updates in the / directory: [@noble/ciphers](https://github.com/paulmillr/noble-ciphers) and [@noble/curves](https://github.com/paulmillr/noble-curves).
Updates `@noble/ciphers` from 1.2.1 to 1.3.0
- [Release notes](https://github.com/paulmillr/noble-ciphers/releases)
- [Commits](https://github.com/paulmillr/noble-ciphers/compare/1.2.1...1.3.0)
Updates `@noble/curves` from 1.8.2 to 1.9.0
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](https://github.com/paulmillr/noble-curves/compare/1.8.2...1.9.0)
Updates `@noble/hashes` from 1.7.2 to 1.8.0
- [Release notes](https://github.com/paulmillr/noble-hashes/releases)
- [Commits](https://github.com/paulmillr/noble-hashes/compare/1.7.2...1.8.0)
---
updated-dependencies:
- dependency-name: "@noble/ciphers"
dependency-version: 1.3.0
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: noble
- dependency-name: "@noble/curves"
dependency-version: 1.9.0
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: noble
- dependency-name: "@noble/hashes"
dependency-version: 1.8.0
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: noble
...
Signed-off-by: dependabot[bot] <support@github.com>
* Bump noble-hashes version in package.json
Not applied automatically due to superseded MR: https://github.com/openpgpjs/openpgpjs/pull/1844
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: larabr <7375870+larabr@users.noreply.github.com>
2025-05-06 16:05:17 +02:00
larabr
4b1bbaff34
CI: increase max retries to 3 on Browserstack testsStartTimeout
...
Follow up to #1822, that hardcoded a max retry value of 2.
2025-05-06 15:47:11 +02:00
dependabot[bot]
5a763a11b5
Tests: bump playwright from 1.51.1 to 1.52.0 (#1843)
...
Bumps [playwright](https://github.com/microsoft/playwright) from 1.51.1 to 1.52.0.
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](https://github.com/microsoft/playwright/compare/v1.51.1...v1.52.0)
---
updated-dependencies:
- dependency-name: playwright
dependency-version: 1.52.0
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-05 18:48:15 +02:00
dependabot[bot]
65df27d15b
Bump the noble group with 2 updates (#1842)
...
Bumps the noble group with 2 updates: [@noble/curves](https://github.com/paulmillr/noble-curves) and [@noble/hashes](https://github.com/paulmillr/noble-hashes).
Updates `@noble/curves` from 1.8.1 to 1.8.2
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](https://github.com/paulmillr/noble-curves/compare/1.8.1...1.8.2)
Updates `@noble/hashes` from 1.7.1 to 1.7.2
- [Release notes](https://github.com/paulmillr/noble-hashes/releases)
- [Commits](https://github.com/paulmillr/noble-hashes/compare/1.7.1...1.7.2)
---
updated-dependencies:
- dependency-name: "@noble/curves"
dependency-version: 1.8.2
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: noble
- dependency-name: "@noble/hashes"
dependency-version: 1.7.2
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: noble
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-15 10:49:54 +02:00