Snyk has created this PR to upgrade tweetnacl from 1.0.0 to 1.0.3.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 3 versions ahead of your current version.
The recommended version was released a year ago, on 2020-02-10.
IMPORTANT BUG FIX. Due to a bug in calculating carry in
modulo reduction that used bit operations on integers larger than
32 bits, nacl.sign or nacl.sign.detached could have created
incorrect signatures.
This only affects signing, not verification.
Thanks to @ valerini on GitHub for finding and reporting the bug.
Exported more internal undocumented functions for
third-party projects that rely on low-level interface,
(something users of TweetNaCl shouldn't care about).
IMPORTANT! In previous versions, nacl.secretbox.open, nacl.box.open, and nacl.box.after returned false when opening failed (for example, when using incorrect key, nonce, or when input was maliciously or accidentally modified after encryption). This version instead returns null.
The usual way to check for this condition:
if (!result) { ... }
is correct and will continue to work.
However, direct comparison with false:
if (result == false) { ... }
it will no longer work and will not detect failure. Please check your code for this condition.
(nacl.sign.open always returned null, so it is not affected.)
Arguments type check now uses instanceof Uint8Array instead of Object.prototype.toString.
Removed deprecation checks for nacl.util (moved to a separate package in v0.14.0).
Removed deprecation checks for the old signature API (changed in v0.10.0).
Snyk has created this PR to upgrade tweetnacl from 1.0.0 to 1.0.3.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: tweetnacl
IMPORTANT BUG FIX. Due to a bug in calculating carry in
modulo reduction that used bit operations on integers larger than
32 bits,
nacl.sign
ornacl.sign.detached
could have createdincorrect signatures.
This only affects signing, not verification.
Thanks to @ valerini on GitHub for finding and reporting the bug.
Exported more internal undocumented functions for
third-party projects that rely on low-level interface,
(something users of TweetNaCl shouldn't care about).
Changes since v1.0.0-rc.1
No code changes
Changes since v0.14.5:
IMPORTANT! In previous versions,
nacl.secretbox.open
,nacl.box.open
, andnacl.box.after
returnedfalse
when opening failed (for example, when using incorrect key, nonce, or when input was maliciously or accidentally modified after encryption). This version instead returnsnull
.The usual way to check for this condition:
if (!result) { ... }
is correct and will continue to work.
However, direct comparison with
false
:if (result == false) { ... }
it will no longer work and will not detect failure. Please check your code for this condition.
(
nacl.sign.open
always returnednull
, so it is not affected.)Arguments type check now uses
instanceof Uint8Array
instead ofObject.prototype.toString
.Removed deprecation checks for
nacl.util
(moved to aseparate package in v0.14.0).
Removed deprecation checks for the old signature API (changed in v0.10.0).
Improved benchmarking.
Commit messages
Package name: tweetnacl
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs