1.1.0 is a minor release for hashavatar focused on dependency,
sanitization, tooling, source layout, and documentation freshness.
- Replaced direct
zeroizeusage with the nativesanitizationcrate API. - Added
sanitization1.2.2withallocsupport. - Added
sanitization-crypto-interop1.2.2so SHA-512 and optional BLAKE3 hashing use the crypto crates' own hasher-state cleanup hooks through thesanitizationsister crate. - Removed direct
zeroizedependency usage and thesha2/blake3zeroize feature hooks. - Updated the fuzz harness
libfuzzer-sysdependency to0.4.13. - Refreshed Cargo lockfiles with the latest compatible crate versions.
- Fixed-size digest and renderer seed copies now use
sanitization::Secret. - SHA-512 identity hashing and cache-key hashing now route through the
sanitization-crypto-interopSHA-512 helper. - The crate's direct
sha2dependency is now dev-only; production SHA-512 hashing reachessha2throughsanitization-crypto-interop. - Removed a redundant SHA-512 digest
Secretwrapper now that the interop helper owns hasher-state cleanup and the caller already guards the returned digest. - Optional BLAKE3 XOF output now uses the
sanitization-crypto-interopfill helper with asanitization::Secretoutput buffer. - Optional XXH3 digest accumulation now uses a
sanitization::Secretguard for the 64-byte accumulator. - Hash-preimage capacity checks now use release-mode assertions, so future size-accounting drift cannot silently bypass temporary buffer cleanup.
- Optional XXH3 chunk capacity and length checks are collapsed into one release assertion per chunk.
- Hash preimage vectors, encoded-output buffers, temporary JPEG RGB buffers,
and owned RGBA buffers are cleared through
sanitizationvolatile clearing helpers. - Security controls now document the
sanitization-crypto-interopcleanup boundary for SHA-512 and optional BLAKE3. cargo-denynow denies duplicate crate versions instead of only warning.
- Updated pinned GitHub Actions:
actions/checkouttov7.0.0taiki-e/install-actiontov2.82.3
- Confirmed
Swatinem/rust-cacheremains current atv2.9.1.
- Updated README installation snippets and compatibility wording to
1.1.0. - Updated the changelog for the
1.1.0release. - Split the former monolithic
src/lib.rsinto focused source files, including per-avatar raster and SVG renderer files, without changing the public API. - Clarified that preimage-capacity assertions are active in all builds as an intentional fail-secure sanitization guard.
- Made starry-background seed rotation precedence explicit without changing the generated visuals.
- Hardened internal gradient color interpolation against future oversized
max_positioncallers. - Added consistent
identity()accessors to hashed dog and robot renderer structs, matching the existing hashed cat renderer.
- No intentional avatar visual fingerprint changes.
- No public API removals.