Make WordPress Core

Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#61686 closed task (blessed) (fixed)

Update Sodium Compat to 1.21.1

Reported by: jrf
Owned by: SergeyBiryukov
Milestone: 6.7
Priority: normal
Severity: normal
Version: 6.3
Component: External Libraries
Keywords: needs-patch
Focuses: php-compatibility

Description

Sodium_Compat 1.21.0 and 1.21.1 were released a few months ago and contain support for AEGIS and, more importantly from a WP point of view, preliminary support for PHP 8.4.
Additionally, the PHP 8.2+ SensitiveParameter attribute is now applied where appropriate to functions in the Public API.

The version included with WP should be updated.

Full details:

I've done a cursory review of the diff and would recommend an update at the earliest convenience.


Note: Sodium Compat has also released a v2.0 version. As that version has a minimum PHP version of PHP 8.1 and drops support for 32-bit PHP installs, it is not a viable upgrade path for WordPress at this time.
Also see this release announcement: https://paragonie.com/blog/2024/04/release-sodium-compat-v2-and-future-our-polyfill-libraries

The maintainer of Sodium Compat has been in touch with me about this and shared the following:

We think WordPress will want to continue using v1.x for the foreseeable future. We will continue to support it for as long as it's needed.

Previously: #48371, #51399, #51925, #53274, #53907, #55453, #56564, #56642, #56653, #58224

Change History (4)

#1 @dd32
3 months ago

I took a quick read through the diff and do not see any reason to hold off on updating.

#2 @SergeyBiryukov
3 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 58752:

Upgrade/Install: Update sodium_compat to v1.21.1.

The latest version of sodium_compat includes support for AEGIS and preliminary support for PHP 8.4.

Additionally, the PHP 8.2+ SensitiveParameter attribute is now applied where appropriate to functions in the public API. This attribute is used to mark parameters that are sensitive and should be redacted from stack traces.

References:

Follow-up to [49741], [51002], [51591], [52988], [54150], [54310], [55699].

Props jrf, dd32, paragoninitiativeenterprises.
Fixes #61686.
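
The redaction described in the commit message above, as an added example that is not part of the ticket, the changeset or sodium_compat: two hypothetical functions (`unlock_plain`, `unlock_redacted`) throw the same exception, and the script inspects what the stack trace retained for the key argument. The key bytes are constructed, and the attribute is placed on its own line so that PHP versions before 8.0 read it as a `#` comment.

```php
<?php
// Added illustration: function names and key bytes are constructed for this demo.

// Keep call arguments in exception traces so the difference is visible.
// php.ini-production sets this to On, which drops all arguments from traces.
ini_set('zend.exception_ignore_args', '0');

function unlock_plain(string $key): void
{
    throw new RuntimeException('decryption failed');
}

function unlock_redacted(
    #[\SensitiveParameter]
    string $key
): void {
    throw new RuntimeException('decryption failed');
}

// Call $fn with the key and return what the innermost trace frame kept for it.
function first_trace_arg(callable $fn, string $key)
{
    try {
        $fn($key);
    } catch (RuntimeException $e) {
        return $e->getTrace()[0]['args'][0];
    }
    return null;
}

// instanceof does not autoload, so this check is safe on PHP 8.0/8.1 as well,
// where the attribute parses but has no effect and the key stays in the trace.
function describe($arg): string
{
    if ($arg instanceof \SensitiveParameterValue) {
        return 'redacted (SensitiveParameterValue object in trace)';
    }
    return 'exposed (' . strlen((string) $arg) . ' bytes of key material in trace)';
}

$key = str_repeat("\x41", 32); // constructed 32-byte key

foreach (['unlock_plain', 'unlock_redacted'] as $fn) {
    printf("%-16s %s\n", $fn, describe(first_trace_arg($fn, $key)));
}
```

Anything that serializes `getTrace()` or `getTraceAsString()`, such as an error log or a crash reporter, only sees the placeholder object for the marked parameter on PHP 8.2 and later.
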

#3 @SergeyBiryukov
3 months ago

In 58753:

Upgrade/Install: Add missing files from the sodium_compat v1.21.1 update.

Follow-up to [58752].

Props paulkevan.
See #61686.

#4 @jrf
3 months ago

Thanks @dd32 and @SergeyBiryukov!
