Sourced from openpgp's releases.

v4.9.1

• Binary signatures on text messages: sign and verify text as UTF-8 instead of UTF-16
• Add inline sourceMap in minified files in grunt build --dev
• Fix typo in symmetric encryption example in README.md (#1042)

Note: this release might change signature verification results in rare cases if you verify detached signatures on binary documents by doing something like:

const message = await openpgp.message.fromText(binaryString);
const result = await openpgp.verify({ message, signature, publicKeys });

Instead, you should do:

const message = await openpgp.message.fromBinary(openpgp.util.str_to_Uint8Array(binaryString));
const result = await openpgp.verify({ message, signature, publicKeys });

v4.9.0

• Fix Blowfish encryption and decryption (#1041)
• Fix streaming non-AES encryption and decryption
• Use native Node crypto for non-AES encryption and decryption
• Don't use Node symmetric crypto when openpgp.config.use_native == false
• Clean up README.md (#1040)
• Update setup instructions
• Add example code for piping unarmored encrypted data on Node.js

Note: if you previously used OpenPGP.js to encrypt messages using a public key that specified Blowfish as its preferred symmetric algorithm, or if you set openpgp.config.encryption_cipher = openpgp.enums.symmetric.blowfish, those messages would have been broken and undecryptable by any OpenPGP library other than OpenPGP.js. From this version, OpenPGP.js won't be able to decrypt such messages anymore either, since Blowfish encryption and decryption has been fixed to match the specification. If you have to decrypt such messages anyway, see openpgpjs/openpgpjs@dc9660f for a code example (but note that this breaks encryption again, too).

v4.8.1

• Don't keep entire decrypted message in memory while streaming (#1033)
  (When config.allow_unauthenticated_stream is set or the message is AEAD-encrypted.)
• Test loading OpenPGP.js from a Worker in the application (#1032)
• Properly detect and use Web Crypto when using OpenPGP.js from a Worker in the application.
• Terminate workers in openpgp.destroyWorker() (#1031)
• Allow calling clearPrivateParams on decrypted keys
  (Calling it on unencrypted keys was already allowed, so this safety check didn't do much.)
• Zero out private key parameters in clearPrivateParams
• Implement Key.prototype.clearPrivateParams
• Implement openpgp.getWorker().clearKeyCache()
• Clear worker key caches in openpgp.destroyWorker()
• Switch code coverage reporter to nyc (#1005)

Note: openpgp.destroyWorker() now returns a Promise (to indicate when the worker's key caches have been cleared and the workers have been terminated) but it still immediately stops OpenPGP.js from using the worker, thus should be backwards compatible in that respect.
However, this release is backwards incompatible if you were relying on the fact that openpgp.destroyWorker() didn't terminate the workers, for example by using streaming encryption / decryption with a worker active and then continuing to read from a stream of data that was returned by openpgp.encrypt/decrypt after calling openpgp.destroyWorker().

v4.8.0

• Cache key objects in Workers by armor (#1030)
  This improves performance when repeatedly using the same private/public keys with a Worker (using openpgp.initWorker). Note: this may pose a security risk since private keys are cached in memory indefinitely (as long as the application is open). If your threat model includes an attacker inspecting memory, be sure to clear keys from memory manually.

... (truncated)

• 3af8e32 Release new version
• 92eda27 Binary signature on text message: sign and verify text as UTF-8
• de6ab1d Add inline sourceMap in minified files in grunt build --dev
• 21c7d69 Fix typo in symmetric encryption example in README.md (#1042)
• 93c5bed Release new version
• dc9660f Add tests with old and new Blowfish encrypted messages
• 84a1287 Fix Blowfish block size
• 801b44f Don't use Node symmetric crypto when !config.use_native
• fc0052e Implement streaming non-AES encryption and decryption
• 2ec8831 Use native Node crypto for non-AES encryption and decryption
• Additional commits viewable in compare view

This version was pushed to npm by twiss, a new releaser for openpgp since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.