chore(deps): bump hexo-blog-encrypt from 3.1.9 to 4.0.1 #4

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/hexo-blog-encrypt-4.0.1

dependabot[bot] commented on behalf of github on May 19, 2026

Bumps hexo-blog-encrypt from 3.1.9 to 4.0.1.

Release notes

Sourced from hexo-blog-encrypt's releases.

v4.0.1 — decrypt button layout & hidden-state fix

Fixes

  • Decrypt button layout — on wide screens the button could land on the same row as the password input and lose centering. The shared decrypt form now uses a flex column layout so the button always renders centered, on its own line, below the input. Long / non-ASCII labels wrap correctly.
  • decryptButton.show: false — previously only the label was blanked while the button chrome remained. The button is now actually removed from layout via a new hbe-button-hidden class, and Enter-key form submission still works.

Template contract

A new {{hbeButtonClass}} placeholder was added (10 → 11). All 8 shipped themes (default, blink, flip, shrink, surge, up, wave, xray) and the docs were updated together. Custom themes following the THEMES.md contract should add the placeholder to their button element:

<button class="hbe hbe-button{{hbeButtonClass}}" type="submit">{{hbeButtonText}}</button>

No wire-format change — existing encrypted posts continue to decrypt.

Tests

  • Server-side unit test for the new hidden-button class
  • Playwright E2E for non-ASCII button text + geometric centering check
  • Playwright E2E for decryptButton.show: false + Enter-key fallback

Credits

Closes #231. Fix authored by @Copilot via PR #232. Thanks @uncn for the detailed report.

Full Changelog: D0n9X1n/hexo-blog-encrypt@v4.0.0...v4.0.1

v4.0.0 — AES-256-GCM, per-post salts, click-to-decrypt button

hexo-blog-encrypt v4.0.0

A near-complete rewrite of the plugin with stronger crypto, a real e2e test harness, and a per-post click-to-decrypt button that no longer auto-decrypts on every page render.

  • 📦 npm: https://www.npmjs.com/package/hexo-blog-encrypt/v/4.0.0 (published with provenance)
  • 🌐 Live demo: https://d0n9x1n.github.io/hexo-blog-encrypt/
  • 📖 Wiki: https://github.com/D0n9X1n/hexo-blog-encrypt/wiki
  • 🔁 Migration guide (v3 → v4): https://github.com/D0n9X1n/hexo-blog-encrypt/wiki/Migration-v3-to-v4


Highlights

  • AES-256-GCM replaces AES-256-CBC. GCM is authenticated; tampering is detected during decryption.
  • Per-post random salt + nonce. No more single global salt across the whole blog.
  • Configurable PBKDF2 iterations (default 600 000, floor 310 000 enforced — OWASP-aligned).
  • Click-to-decrypt button (opt-in via decrypt_button: true, with decrypt_button per-post override).
  • Modular architecture. Server code split into src/server/{config,crypto,template,generator,logger,index}.js. Browser code is a single ESBuild bundle (lib/hbe.bundle.js).
  • Real Hexo + Playwright e2e harness (npm test) covering all 8 themes plus callback / MathJax / autosave flows.
  • Tarball trim. Published package shrunk from 75 → 22 files, 222 → 112 kB unpacked.

... (truncated)

Changelog

Sourced from hexo-blog-encrypt's changelog.

[4.0.1] — 2026-05-19

Fixed

  • Decrypt button layout — on wide screens the button could land on the same row as the password input and lose centering. The shared decrypt form now uses a flex column layout so the button always renders centered, on its own line, below the input. Long / non-ASCII labels wrap correctly.
  • decryptButton.show: false — previously only the label was blanked while the button chrome remained clickable. The button is now actually removed from layout via a new hbe-button-hidden class, while Enter-key form submission still works.

Template contract

  • Added {{hbeButtonClass}} placeholder (10 → 11). All 8 shipped themes and the docs were updated together. Custom themes following https://github.com/D0n9X1n/hexo-blog-encrypt/blob/master/docs/THEMES.md should add the placeholder to their button element:

    <button class="hbe hbe-button{{hbeButtonClass}}" type="submit">{{hbeButtonText}}</button>

    No wire-format change — existing encrypted posts continue to decrypt.

Tests

  • Server-side unit test for the new hidden-button class.
  • Playwright e2e for non-ASCII button text + geometric centering check.
  • Playwright e2e for decryptButton.show: false + Enter-key fallback.

Closes #231. PR #232.


[4.0.0] — 2026-05-03

Highlights

  • AES-256-GCM replaces AES-CBC + HMAC-SHA-256 — one round-trip encrypt-and-authenticate, no more ciphertext-then-MAC composition. GCM's authentication tag fails closed: a wrong password and a tampered ciphertext are now indistinguishable to the user (see Breaking changes).
  • Per-post salt + per-encryption nonce. Two posts with the same password produce different ciphertexts; rebuilding the same post produces a fresh nonce every time. Previously, all posts shared the same salt by default and produced byte-identical ciphertext.
  • Optional decrypt button. Themes now expose a click-to-decrypt

... (truncated)

Commits

  • df70bc5 docs: slim docs/, drop feature-crew references, add 4.0.1 CHANGELOG
  • 4943637 chore(release): v4.0.1
  • 341f63e fix: decrypt button layout and hidden-state rendering across themes (#232)
  • 30cf23e chore: remove feature-crew submodule (installed globally)
  • 0301a00 docs: promote docs/ to source of truth, slim copilot-instructions
  • a866f5f ci: add GitHub Packages mirror publish workflow
  • caafe3a ci(release): switch to npm OIDC trusted publishing
  • f3595a2 release(v4.0.0): pre-flight — date CHANGELOG, swap demo to ^4.0.0
  • 7660c7f feat(v4): AES-256-GCM, per-post salts, click-to-decrypt button, modular archi...
  • 4af3169 feat(demo): live demo site auto-deployed to GitHub Pages (#229)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hexo-blog-encrypt since your current version.

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hexo-blog-encrypt](https://github.com/D0n9X1n/hexo-blog-encrypt) from 3.1.9 to 4.0.1.
- [Release notes](https://github.com/D0n9X1n/hexo-blog-encrypt/releases)
- [Changelog](https://github.com/D0n9X1n/hexo-blog-encrypt/blob/master/CHANGELOG.md)
- [Commits](D0n9X1n/hexo-blog-encrypt@v3.1.9...v4.0.1)

---
updated-dependencies:
- dependency-name: hexo-blog-encrypt
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on May 19, 2026
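
The v4.0.0 highlights quoted in the PR description (authenticated AES-256-GCM, a per-post salt with a fresh nonce per encryption, and a PBKDF2 iteration floor) are shown in the following Node.js example. It is an added example, not hexo-blog-encrypt's code: the envelope fields, the SHA-256 PRF, the 16-byte salt and all function names are assumptions.

```javascript
// Added example, not hexo-blog-encrypt's code. Envelope layout, SHA-256 PRF,
// salt size and function names are assumptions made for illustration.
const crypto = require('node:crypto');

const DEFAULT_ITERATIONS = 600000; // default stated in the release notes
const MIN_ITERATIONS = 310000;     // floor stated in the release notes

function deriveKey(password, salt, iterations) {
  // Enforce the floor on both paths so a stored envelope cannot lower the cost.
  if (!Number.isInteger(iterations) || iterations < MIN_ITERATIONS) {
    throw new RangeError(`PBKDF2 iterations must be >= ${MIN_ITERATIONS}`);
  }
  return crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

function encryptPost(plaintext, password, iterations = DEFAULT_ITERATIONS) {
  const salt = crypto.randomBytes(16);  // per post: same password, different key
  const nonce = crypto.randomBytes(12); // per encryption: fresh on every rebuild
  const key = deriveKey(password, salt, iterations);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { iterations, salt: b64(salt), nonce: b64(nonce),
           tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

function decryptPost(env, password) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, raw(env.salt), env.iterations);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw(env.nonce),
                                           { authTagLength: 16 });
  decipher.setAuthTag(raw(env.tag));
  try {
    const pt = Buffer.concat([decipher.update(raw(env.ct)), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    // Tag check failed: a wrong password and a modified ciphertext both end
    // here, so the caller sees one failure and never unauthenticated plaintext.
    return null;
  }
}

// Constructed input: flip one bit of the ciphertext to simulate tampering.
function tamper(env) {
  const ct = Buffer.from(env.ct, 'base64');
  ct[0] ^= 0x01;
  return { ...env, ct: ct.toString('base64') };
}
```

Because `decryptPost` returns `null` for both failure causes, a caller cannot tell a mistyped password from a modified post, which matches the fail-closed behaviour the changelog describes.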