feat!(deps): bump golang.org/x/crypto from 0.13.0 to 0.16.0 (#26)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Matthew Hartstonge <matt@mykro.co.nz> With the moving to a major version, as the go versions of `golang.org/x/crypto` get upgraded and force a requirement on a given version of Go I will make these minor version upgrades. For example: - `1.1.0` will require `go@1.19` instead of `go@1.18` - A non-go-version-forced update for `x/crypto` in relation to security patches will become `v1.0.1`.
matthewhartstonge · Dec 3, 2023 · 8dbc527 · 8dbc527
1 parent 7551bcc
commit 8dbc527
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 13 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -34,16 +34,10 @@ jobs:
     strategy:
       matrix:
         go-version:
-          - '1.11.4'
-          - '1.12'
-          - '1.13'
-          - '1.14'
-          - '1.15'
-          - '1.16'
-          - '1.17'
           - '1.18'
           - '1.19'
           - '1.20'
+          - '1.21'
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4

diff --git a/README.md b/README.md
@@ -101,3 +101,15 @@ BenchmarkSecureZeroMemory1048576-8         52404             22442 ns/op       4
 PASS
 ok      github.com/matthewhartstonge/argon2     18.481s
 ```
+
+## Versioning Strategy
+
+The API is stable and has been running in production for many years now, therefore won't be changing.
+
+This library has a single dependency on `golang.org/x/crypto`. This means that as the version of Go is updated there, this library will roll up it's version to a new minor.
+Any CVEs/security patches that come through via dependabot, without a resulting Go version update, will become a patch release.
+
+For example:
+
+- If a version of `/x/crypto` now requires `go@1.28`, `argon2` will go from `v1.0.0` -> `v1.1.0`.
+- If `x/crypto` releases a version that resolves CVEs with no requirement to upgrade Go, then `argon2` will go from `v1.0.0` -> `v1.0.1`.
diff --git a/go.mod b/go.mod
@@ -2,6 +2,6 @@ module github.com/matthewhartstonge/argon2
 
 go 1.18
 
-require golang.org/x/crypto v0.13.0
+require golang.org/x/crypto v0.16.0
 
-require golang.org/x/sys v0.12.0 // indirect
+require golang.org/x/sys v0.15.0 // indirect
diff --git a/go.sum b/go.sum
@@ -1,4 +1,4 @@
-golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=