Skip to content

Bump christian-riesen/base32 from 1.6.0 to 2.0.1 in /lam#753

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/composer/lam/christian-riesen/base32-2.0.1
Open

Bump christian-riesen/base32 from 1.6.0 to 2.0.1 in /lam#753
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/composer/lam/christian-riesen/base32-2.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps christian-riesen/base32 from 1.6.0 to 2.0.1.

Release notes

Sourced from christian-riesen/base32's releases.

2.0.1

Due to a mistake, needed to retag this release.

2.0.0 BC Break Stricter Checking

This release brings the library into the present with a 8.1 PHP requirement, some upgraded requirements in general and a stricter checking. Look at the changelog for more details.

Fix package download

There was an issue with the package and thanks to marinhio75 it was fixed.

Changelog

Sourced from christian-riesen/base32's changelog.

Changelog

2.0.0 (unreleased)

Backward-incompatible: PHP 8.1+ required

The minimum supported PHP version is now 8.1. If you need to run on PHP 7.2 – 8.0, stay on the 1.x release line.

Backward-incompatible: strict, RFC 4648-conformant decoding

Base32::decode() and Base32Hex::decode() now reject malformed input instead of silently sanitizing it. This resolves Trail of Bits finding TOB-WIKI2FA-5 (Wikimedia Foundation 2FA review).

Previously the decoder uppercased the input and stripped every character that was not in the alphabet — including padding — which violated RFC 4648 §3.3 ("Implementations MUST reject the encoded data if it contains characters outside the base alphabet") and allowed non-canonical values to decode.

decode() now throws \InvalidArgumentException when the input:

  • has a length that is not a multiple of 8 (padding is required, RFC 4648 §3.2);
  • contains any character outside the alphabet (RFC 4648 §3.3);
  • contains misplaced or an invalid number of = padding characters;
  • is not uppercase — decoding is now case-sensitive (RFC 4648 uses the uppercase alphabet). Lowercase input is no longer accepted.
  • contains non-zero trailing bits, i.e. a non-canonical encoding (RFC 4648 §3.5).

An empty string still decodes to an empty string. encode() is unchanged; it was already conformant, so any string produced by encode() still round-trips.

Migration: if you pass user-supplied Base32 (for example TOTP secrets that may be lowercase or grouped with spaces), normalize it before decoding:

$secret = strtoupper(preg_replace('/\s+/', '', $userInput));
$bytes  = Base32::decode($secret); // throws on anything still invalid

Removed

  • The BASE32HEX_PATTERN protected constant (was misnamed — it held the standard Base32 pattern, not the extended-hex one) and the '=' entry in the MAPPING constant. Both were implementation details of the old lenient decoder and are no longer used.
Commits
  • be07b4a Upgrade github actions
  • 81ac565 Full overhaul to 8.1 minimum
  • 9646693 Add additional testing
  • 357cc91 Stricter validations
  • 03082b9 Merge pull request #37 from MarcoRemy/patch-1
  • 2cf6364 Remove composer.json from .gitattributes export-ignore to include it in dist ...
  • e8b7d85 Merge pull request #32 from afk11/code-style-1
  • 70d6ab3 Merge pull request #33 from georgringer/patch-1
  • bdeb2c6 Use https instead of http in Readme
  • d49c69f Code style: if/else instead of continue. Makes it clearer the blocks are mutu...
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [christian-riesen/base32](https://github.com/ChristianRiesen/base32) from 1.6.0 to 2.0.1.
- [Release notes](https://github.com/ChristianRiesen/base32/releases)
- [Changelog](https://github.com/ChristianRiesen/base32/blob/master/CHANGELOG.md)
- [Commits](ChristianRiesen/base32@1.6.0...2.0.1)

---
updated-dependencies:
- dependency-name: christian-riesen/base32
  dependency-version: 2.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Jul 13, 2026
@deepsource-io

deepsource-io Bot commented Jul 13, 2026

Copy link
Copy Markdown

DeepSource Code Review

We reviewed changes in f5fb57c...d8c975b on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
PHP Jul 13, 2026 5:32p.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants