Skip to content

chore(deps): bump github.com/azrod/cryptio from 1.0.0 to 1.1.0 in /encrypt in the all-deps group#7

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/encrypt/all-deps-da3e1d6a78
Open

chore(deps): bump github.com/azrod/cryptio from 1.0.0 to 1.1.0 in /encrypt in the all-deps group#7
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/encrypt/all-deps-da3e1d6a78

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jan 12, 2026

Copy link
Copy Markdown

Bumps the all-deps group in /encrypt with 1 update: github.com/azrod/cryptio.

Updates github.com/azrod/cryptio from 1.0.0 to 1.1.0

Release notes

Sourced from github.com/azrod/cryptio's releases.

v1.1.0

This release consolidates recent robustness, concurrency, and documentation improvements.

Summary

This release improves the security and robustness of cryptio by:

  • Strengthening input validation and error handling around encryption/decryption.
  • Reducing sensitive material exposure by zeroing derived keys and passphrases.
  • Making Client safe for concurrent use and adding a thread-safe Client.Wipe() method.
  • Adding edge tests (truncated/tampered ciphertext, empty plaintext, concurrency).
  • Making exhaustive benchmarks optional and adding CI-friendly guidance.

Notable Changes

Added

  • Client.Wipe() — a thread-safe method that clears the client's passphrase from memory. After calling Wipe(), the client MUST NOT be used again.

Changed

  • DecryptRaw input validation:
    • Validate header length (salt + nonce) before processing.
    • Ensure params.NonceSize matches gcm.NonceSize().
    • Verify ciphertext length is at least gcm.Overhead().
    • Improve error messages with context (use fmt.Errorf("...: %w", err)).
  • Key handling and zeroization:
    • deriveKey now operates on a snapshot copy of the passphrase under a read-lock and returns the derived key.
    • Derived keys are zeroed (overwritten with zeros) after use in both EncryptRaw and DecryptRaw.
  • Concurrency safety:
    • Client now embeds a sync.RWMutex to protect the passphrase during derive operations and wipe.
    • deriveKey copies the passphrase under a read-lock to avoid races.

Security Notes

  • Key zeroization is best-effort: Go's runtime may copy slices in ways that zeroization cannot fully eliminate. However, explicit zeroing of derived key slices and passphrases reduces exposure windows and is a useful defense-in-depth step.
  • Client.Wipe() clears the passphrase slice and sets it to nil. Callers must ensure no other goroutines are using the client after wipe.

Migration & Compatibility

  • No breaking changes to existing public APIs except:
    • Client.Wipe() has been added — this is a non-breaking addition.
    • Behavior changes: DecryptRaw now performs stricter validation and returns more explicit errors for malformed inputs; callers should handle these errors (they are returned as wrapped errors).
Commits
  • 123257c Merge pull request #5 from azrod/feat/docs-bench-ci
  • 45d4217 chore(release): add release notes for next release
  • 28992e0 test: mark benchmark helper with b.Helper()
  • 73ccdc6 test: refactor benchmark to reduce cognitive complexity
  • 050ff4c feat: apply robustness fixes (validation, zeroing, thread-safe wipe) and add ...
  • e5b20aa docs: add benchmark and CI recommendations to AGENTS.md
  • 87c19a3 docs: clarify units and benchmark guidance in README
  • f5368a9 Merge pull request #4 from azrod/dependabot/go_modules/golang.org/x/crypto-0....
  • 9878a4c build(deps): bump golang.org/x/crypto from 0.42.0 to 0.46.0
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all-deps group in /encrypt with 1 update: [github.com/azrod/cryptio](https://github.com/azrod/cryptio).


Updates `github.com/azrod/cryptio` from 1.0.0 to 1.1.0
- [Release notes](https://github.com/azrod/cryptio/releases)
- [Changelog](https://github.com/azrod/cryptio/blob/main/RELEASE.md)
- [Commits](azrod/cryptio@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/azrod/cryptio
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jan 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants