All notable changes to initphp/encryption will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
This is the first development entry of the upcoming 2.0 release. The 2.x line is a deliberate hard reset of the public surface; ciphertexts produced by 1.x cannot be decrypted by 2.x and vice versa. A migration guide will ship with the final release.
- Tooling: PHPUnit 10, PHPStan level 8, PHP-CS-Fixer (PSR-12), GitHub Actions CI matrix across PHP 8.1–8.4, composer audit workflow. composer.json scripts: test, test-coverage, phpstan, cs-check, cs-fix, qa.
- Package-level CONTRIBUTING.md, SECURITY.md, CHANGELOG.md.
- BREAKING: Minimum PHP version raised to ^8.1.
- BREAKING: New self-describing ciphertext format (versioned header) — v1 ciphertexts will not be readable by 2.x.
- BREAKING: Default payload serialization switches from serialize()/unserialize() to JSON. PHP serialization remains available as an opt-in.
- Sodium handler derives a 32-byte key from any-length user-supplied key material via sodium_crypto_generichash, fixing the silent failure when a short key was provided.
- OpenSSL handler uses random_bytes() for IV generation.
- OpenSSL handler computes the HMAC length from the actual hash output instead of parsing the algorithm name as a numeric suffix.
- Mandatory key validation with a descriptive EncryptionException instead of obscure TypeErrors deep inside the extensions.
- Drop runtime dependency on ext-mbstring.
- PSR-12 compliance across the codebase.
- Removal of Encrypt::create() (alias of Encrypt::use()).
Initial release.