fix(deps): update dependency paragonie/halite to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
paragonie/halite	^4.0 → ^5.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

paragonie/halite (paragonie/halite)

v5.1.4

Compare Source

• Add PHPStan analysis, level 5 by @​spaze in #​195
• Replace all http:// links with the https:// URL they redirect to by @​GrahamCampbell in #​196
• Use Psalm 6 by @​spaze in #​198
• Remove access modifier final from private methods by @​junaidbinfarooq in #​204
• Ignore tests, workflows and .MD docs with "export-ignore" on .gitattr… by @​erikn69 in #​205
• Expand test coverage by @​paragonie-security in #​206
• Fixed the broken test coverage badge (#​207 and #​208)

v5.1.3

Compare Source

• Merged #​184, which fixes PHP 8.4 deprecations with nullable types.

v5.1.2

Compare Source

• Use #[SensitiveParameter] annotation on some inputs
  • This is defense in depth; we already wrapped most in HiddenString
• Updated dependencies

v5.1.1

Compare Source

• Support both sodium_compat v1 and v2.
  Learn more here.

v5.1.0

Compare Source

• Dropped PHP 8.0 support, increased minimum PHP version to 8.1.
  • This is due to the significant performance difference between ext/sodium
    and sodium_compat, and the functions we use in 5.x aren't available until
    PHP 8.1. See #​178.
• The 5.0.x branch will continue to function on PHP 8.0 but performance is
  not guaranteed.

v5.0.0

Compare Source

• Increased minimum PHP version to 8.0.
• Security: Asymmetric encryption now uses HKDF-BLAKE2b to extract a 256-bit uniformly random bit string for the
  encryption key, rather than using the raw X25519 output directly as an encryption key. This is important because
  Elliptic Curve Diffie-Hellman results in a random group element, but that isn't necessarily a uniformly random bit
  string.
  • Because Halite v4 and earlier did not perform this step, it's superficially susceptible to
    Cheon's attack. This reduces the effective security
    from 125 bits (Pollard's rho) to 123 bits, but neither is a practical concern today.
• Security: Halite v5 uses the PAE
  strategy from PASETO to prevent canonicalization attacks.
• Security: Halite v5 appends the random salt to HKDF's info parameter instead of
  the salt parameter. This allows us to meet the KDF Security Definition (which is
  stronger than a mere Pseudo-Random Function).
• Encryption now uses XChaCha20 instead of XSalsa20.
• The File class no longer supports the resource type. To migrate code, wrap your
  resource arguments in a ReadOnlyFile or MutableFile object.
• Added File::asymmetricEncrypt() and File::asymmetricDecrypt().

---

Configuration

📅 Schedule: Branch creation - "on the 15th day of the month before 12pm" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[greptile-apps]

Greptile Overview

Greptile Summary

• Updates paragonie/halite in composer.json from ^4.0 to ^5.0.
• This library major bump raises Halite’s minimum supported PHP version (v5 targets PHP 8.x), which must align with this package’s own php constraint and CI/runtime expectations.
• No other code changes are included, so merge safety depends on updating PHP constraints/CI or confirming Halite v5 is actually installable in supported environments.

Confidence Score: 2/5

• Not safe to merge as-is due to likely dependency resolution failures on currently-declared supported PHP versions.
• The only change bumps Halite to v5 while the root composer.json still allows PHP >=7.3.0; Halite v5 requires PHP 8.x, so installs/CI on 7.3–7.4 (and potentially 8.0/8.1 depending on exact Halite constraints) will fail. Once the PHP constraint (and CI matrix) is updated to match, risk is low.
• composer.json

Important Files Changed

Filename	Overview
composer.json	Bumps paragonie/halite requirement from ^4.0 to ^5.0 while leaving PHP requirement at >=7.3.0; this creates an unsatisfiable dependency set since halite v5 requires PHP 8.x.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer/CI
    participant Composer as Composer
    participant Repo as Packagist/Dependency Resolver
    participant Halite as paragonie/halite v5

    Dev->>Composer: composer update paragonie/halite
    Composer->>Repo: Resolve dependencies (^5.0)
    Repo-->>Composer: Select halite v5.x + transitive deps
    Composer-->>Dev: Update composer.lock + install vendor
    Dev->>Dev: Run tests/static analysis
    note over Dev,Halite: Runtime behavior depends on how Halite APIs are used
    Dev-->>Dev: Merge once compatibility verified

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

composer.json
Unsatisfiable PHP constraint

paragonie/halite v5 requires PHP 8.x (per its v5.1.0 release notes), but this repo still declares "php": ">=7.3.0". With "paragonie/halite": "^5.0" this makes the dependency set impossible to resolve for PHP 7.3–7.4/8.0, and CI/users on those versions will fail composer install/update. Update the root PHP requirement (and any CI matrix) to a compatible minimum (e.g., >=8.1 if you intend to follow Halite’s supported range) or keep Halite on v4.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 5.x releases. But if you manually upgrade to 5.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.