Thank you for your interest in contributing to sodium_compat. This document should help you get up and running.
This project maintains two main branches:
master: This is the active development branch for the latest major version of sodium_compat. It only supports PHP 8.1 and newer.
v1.x: This branch supports a wider range of PHP versions, from 5.2.x up to the latest. Many projects that need to support older versions of PHP, such as WordPress, depend on the releases cut from the v1.x branch.
This is a cryptography library, so security is of the utmost importance.
We follow the principles of Cryptographically Secure PHP Development. Before contributing, please read the linked blog post.
This library is a polyfill for libsodium. Therefore, we will only consider contributions that implement features already present in libsodium proper.
Please email security at paragonie dot com to disclose a security issue with sodium_compat. If you are reporting a
cryptographic weakness that also applies to libsodium, please disclose it upstream to libsodium first.
Before submitting a pull request, please ensure that all unit tests pass.
You can run the tests using Composer:
composer test
If you want to go the extra mile (at the cost of a longer test runtime), run the pedantic tests too:
vendor/bin/phpunit --bootstrap=autoload-pedantic.php
Paragon Initiative Enterprises runs the pedantic tests before every release is cut.
We use Infection for mutation testing.
composer mutation-test
Please be aware that this command can take a long time to complete, and will generate some false positives.
We use Nikita Popov’s PHP-Fuzzer for fuzz testing. To run the fuzz tests, use the following command:
composer fuzz-test
This command runs for a long time. To limit the fuzzer to 1000 runs:
vendor/bin/php-fuzzer --max-runs 1000 fuzz fuzzing/FuzzSodiumCompat.php