Skip to content

Bump pbkdf2 from 3.0.17 to 3.1.6#5

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/pbkdf2-3.1.6
Open

Bump pbkdf2 from 3.0.17 to 3.1.6#5
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/pbkdf2-3.1.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps pbkdf2 from 3.0.17 to 3.1.6.

Changelog

Sourced from pbkdf2's changelog.

v3.1.6 - 2026-05-26

Commits

  • [New] add TypeScript type declarations fb1f747
  • [Fix] coerce -0 keylen to +0 7c4a495
  • [Dev Deps] update @ljharb/eslint-config, @types/node, eslint, npmignore e3cce16
  • [eslint] fix an error f6b0e42
  • [Tests] fix npm run postlint b729629
  • [Dev Deps] update @ljharb/eslint-config, @types/node, auto-changelog 5e0cf51
  • [Deps] update to-buffer 1c3b1f5
  • [readme] replace runkit CI badge with shields.io check-runs badge 528bd38

v3.1.5 - 2025-09-23

Commits

  • [Fix] only allow finite iterations 67bd94d
  • [Fix] restore node 0.10 support 8f59d96
  • [Fix] check parameters before the "no Promise" bailout d2dc5f0

v3.1.4 - 2025-09-22

Commits

  • [Deps] update create-hash, ripemd160, sha.js, to-buffer 8dbf49b
  • [meta] update repo URLs d15bc35
  • [Dev Deps] update @ljharb/eslint-config aaf870b

v3.1.3 - 2025-06-20

Commits

  • Only apps should have lockfiles 8b06730
  • [lint] fix whitespace 9a76e2f
  • [lint] fix parens/curlies/semis/etc 6fd84bf
  • [meta] add auto-changelog 796c38d
  • [Tests] fix tests in node 17 3661fb0
  • Revert "[Tests] fix tests in node < 3" 7431b57
  • [Tests] fix tests in node < 3 eb9f97a
  • [Fix] ensure unknown algorithms throw + known ones match node 26d4fd3
  • [Tests] add GHA, always run nyc 513906a
  • [lint] fix a few more rules ab04da8
  • [lint] switch to eslint 89694cf
  • [Tests] add coverage d0d534b
  • [Refactor] use to-buffer e3102a8
  • [readme] improve badges fca0c9d
  • [Tests] remove unused travis file a2c7d93
  • [meta] switch from files to npmignore 7f31fbc
  • [Tests] use .nycrc 8d628e8

... (truncated)

Commits
  • ea4768b v3.1.6
  • b729629 [Tests] fix npm run postlint
  • 7c4a495 [Fix] coerce -0 keylen to +0
  • 5e0cf51 [Dev Deps] update @ljharb/eslint-config, @types/node, auto-changelog
  • 1c3b1f5 [Deps] update to-buffer
  • e3cce16 [Dev Deps] update @ljharb/eslint-config, @types/node, eslint, npmignore
  • f6b0e42 [eslint] fix an error
  • fb1f747 [New] add TypeScript type declarations
  • 528bd38 [readme] replace runkit CI badge with shields.io check-runs badge
  • 3687905 v3.1.5
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for pbkdf2 since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [pbkdf2](https://github.com/browserify/pbkdf2) from 3.0.17 to 3.1.6.
- [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md)
- [Commits](browserify/pbkdf2@v3.0.17...v3.1.6)

---
updated-dependencies:
- dependency-name: pbkdf2
  dependency-version: 3.1.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 17, 2026
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: medium

What changed

Title Bump pbkdf2 from 3.0.17 to 3.1.6
Semver minor (3.0.173.1.6)
Files (1) package-lock.json
Diff size +3603 / −2210

Why this was not merged automatically

  1. The diff is large (+3603 / −2210) without a clear patch-only semver signal.
  2. Large lockfile churn can still hide behaviour changes across many transitive packages.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

1 similar comment
@joostfaassen

Copy link
Copy Markdown
Member

🤖 Dependabot PR processing skill — risk assessment

Acting on behalf of Joost Faassen.

Decision

Do not merge automatically — assessed risk: medium

What changed

Title Bump pbkdf2 from 3.0.17 to 3.1.6
Semver minor (3.0.173.1.6)
Files (1) package-lock.json
Diff size +3603 / −2210

Why this was not merged automatically

  1. The diff is large (+3603 / −2210) without a clear patch-only semver signal.
  2. Large lockfile churn can still hide behaviour changes across many transitive packages.
  3. Left open for human review.

Checks considered

  • Pull request is mergeable with a clean merge state
  • No failing / timed-out / cancelled required checks observed
  • Diff inspected for manifests/lockfiles only vs unexpected paths
  • Package/path screened against sensitive dependency patterns

Automated assessment by the Dependabot PR processing skill. Detail stays in this comment; the merge commit message is kept short on purpose.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant