Commit f9eae58
chore(deps): bump github.com/xdg-go/scram from 1.1.2 to 1.2.0 in /examples/sasl_scram_client (#3394)
Bumps [github.com/xdg-go/scram](https://github.com/xdg-go/scram) from
1.1.2 to 1.2.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/xdg-go/scram/releases">github.com/xdg-go/scram's
releases</a>.</em></p>
<blockquote>
<h2>v1.2.0</h2>
<h3>Added</h3>
<ul>
<li><strong>Channel binding support for SCRAM-PLUS variants</strong>
(RFC 5929, RFC 9266)</li>
<li><code>GetStoredCredentialsWithError()</code> method that returns
errors from PBKDF2
key derivation instead of panicking.</li>
<li>Support for Go 1.24+ stdlib <code>crypto/pbkdf2</code> package,
which provides
FIPS 140-3 compliance when using SHA-256 or SHA-512 hash functions.</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Minimum Go version bumped from 1.11 to 1.18.</li>
<li>Migrated from <code>github.com/xdg-go/pbkdf2</code> to stdlib
<code>crypto/pbkdf2</code> on
Go 1.24+. Legacy Go versions (&lt;1.24) continue using the external
library via build tags for backward compatibility.</li>
<li>Internal error handling improved for PBKDF2 key derivation
failures.</li>
</ul>
<h3>Deprecated</h3>
<ul>
<li><code>GetStoredCredentials()</code> is deprecated in favor of
<code>GetStoredCredentialsWithError()</code>. The old method panics on
PBKDF2
errors to maintain backward compatibility but will be removed in a
future major version.</li>
</ul>
<h3>Notes</h3>
<ul>
<li>FIPS 140-3 compliance is available on Go 1.24+ when using
SCRAM-SHA-256
or SCRAM-SHA-512 with appropriate salt lengths (≥16 bytes). SCRAM-SHA-1
is not FIPS-approved.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/xdg-go/scram/blob/master/CHANGELOG.md">github.com/xdg-go/scram's
changelog</a>.</em></p>
<blockquote>
<h2>v1.2.0 - 2025-11-24</h2>
<h3>Added</h3>
<ul>
<li><strong>Channel binding support for SCRAM-PLUS variants</strong>
(RFC 5929, RFC 9266)</li>
<li><code>GetStoredCredentialsWithError()</code> method that returns
errors from PBKDF2
key derivation instead of panicking.</li>
<li>Support for Go 1.24+ stdlib <code>crypto/pbkdf2</code> package,
which provides
FIPS 140-3 compliance when using SHA-256 or SHA-512 hash functions.</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Minimum Go version bumped from 1.11 to 1.18.</li>
<li>Migrated from <code>github.com/xdg-go/pbkdf2</code> to stdlib
<code>crypto/pbkdf2</code> on
Go 1.24+. Legacy Go versions (&lt;1.24) continue using the external
library via build tags for backward compatibility.</li>
<li>Internal error handling improved for PBKDF2 key derivation
failures.</li>
</ul>
<h3>Deprecated</h3>
<ul>
<li><code>GetStoredCredentials()</code> is deprecated in favor of
<code>GetStoredCredentialsWithError()</code>. The old method panics on
PBKDF2
errors to maintain backward compatibility but will be removed in a
future major version.</li>
</ul>
<h3>Notes</h3>
<ul>
<li>FIPS 140-3 compliance is available on Go 1.24+ when using
SCRAM-SHA-256
or SCRAM-SHA-512 with appropriate salt lengths (≥16 bytes). SCRAM-SHA-1
is not FIPS-approved.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/xdg-go/scram/commit/b6d6a0b27c123984bef7d14cdb7f487bdbdd68d2"><code>b6d6a0b</code></a>
Bump version in CHANGELOG</li>
<li><a
href="https://github.com/xdg-go/scram/commit/eb4bcac1e88ea79b22138fb272e3559315121079"><code>eb4bcac</code></a>
Add error handling to xorBytes for unequal length arguments</li>
<li><a
href="https://github.com/xdg-go/scram/commit/711c747ce82666b482ba75783a0de05a6d6ad2a3"><code>711c747</code></a>
Implement channel binding support for SCRAM-PLUS</li>
<li><a
href="https://github.com/xdg-go/scram/commit/d58dc75423f7f750e8c20a79944bbac67c05ae51"><code>d58dc75</code></a>
Replace server error strings with typed RFC-compliant constants</li>
<li><a
href="https://github.com/xdg-go/scram/commit/753038a625c5bfb06fa0e111cd83b20dfe70bb3e"><code>753038a</code></a>
Further modernize GH actions CI</li>
<li><a
href="https://github.com/xdg-go/scram/commit/17fcfe4138b5d77bb0df2ada3da8340b675c5a37"><code>17fcfe4</code></a>
go mod tidy</li>
<li><a
href="https://github.com/xdg-go/scram/commit/4dc71f3b26dadac39402794e214890793ba6e6cf"><code>4dc71f3</code></a>
Bump minimum Go version to 1.18</li>
<li><a
href="https://github.com/xdg-go/scram/commit/b85dd84a3a554babd720289083f186c8f2210421"><code>b85dd84</code></a>
Update Github action versions</li>
<li><a
href="https://github.com/xdg-go/scram/commit/8dff94cf86a0f638962574cf4978ed58bb40e78f"><code>8dff94c</code></a>
Restore backward-compatible error handling</li>
<li><a
href="https://github.com/xdg-go/scram/commit/6891e94ddcff40c01b093217c06e937b669dc5da"><code>6891e94</code></a>
Use stdlib pbkdf2 in go 1.24</li>
<li>Additional commits viewable in <a
href="https://github.com/xdg-go/scram/compare/v1.1.2...v1.2.0">compare
view</a></li>
</ul>
</details>
> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

1 parent 65cf6e1 commit f9eae58

2 files changed: +3 -3 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
7 | | - | |
| 7 | + | |
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
47 | 47 | | |
48 | 48 | | |
49 | 49 | | |
50 | | - | |
51 | | - | |
| 50 | + | |
| 51 | + | |
52 | 52 | | |
53 | 53 | | |
54 | 54 | | |
| |||