Bump hexo-blog-encrypt from 3.1.9 to 4.0.2

[dependabot]

Bumps hexo-blog-encrypt from 3.1.9 to 4.0.2.

Release notes

Sourced from hexo-blog-encrypt's releases.

v4.0.2

[4.0.2] — 2026-06-07

Tests

• stableSalt clean-rebuild e2e regression — added end-to-end coverage for the headline stableSalt guarantee that previously had none. With stableSalt: true + autoSave: true, a clean static rebuild re-emits the same permalink-derived salt but a fresh nonce and ciphertext. A new Playwright test seeds the localStorage key cache from one build, then simulates a rebuild (re-encrypting the same plaintext under the same salt via the server crypto, yielding a new nonce/ciphertext) and asserts the cached key still auto-decrypts the new payload (mode="cached", no re-prompt). A companion self-heal test proves that when the salt itself changes (permalink change / stableSalt off), storage.load() drops the stale entry and the visitor is re-prompted. New fixture templates/stablesalt-post.md → stablesalt-default.md. No runtime or crypto behavior changed — tests and docs only.

Docs

• Refreshed the wiki and in-repo docs to describe stableSalt, correct the per-post salt size (32 bytes), and note the deterministic-salt tradeoff.

---

Commits since v4.0.1

• test: add stableSalt clean-rebuild e2e regression; bump v4.0.2 (#236) (8613cc7)
• Feat/stable salt (#234) (b88fa11)
• chore(claude): add CHANGELOG-gate hook for version tags (53cf48f)

Full changelog: D0n9X1n/hexo-blog-encrypt@v4.0.1...v4.0.2

v4.0.1 — decrypt button layout & hidden-state fix

Fixes

• Decrypt button layout — on wide screens the button could land on the same row as the password input and lose centering. The shared decrypt form now uses a flex column layout so the button always renders centered, on its own line, below the input. Long / non-ASCII labels wrap correctly.
• decryptButton.show: false — previously only the label was blanked while the button chrome remained. The button is now actually removed from layout via a new hbe-button-hidden class, and Enter-key form submission still works.

Template contract

A new {{hbeButtonClass}} placeholder was added (10 → 11). All 8 shipped themes (default, blink, flip, shrink, surge, up, wave, xray) and the docs were updated together. Custom themes following the THEMES.md contract should add the placeholder to their button element:

<button class="hbe hbe-button{{hbeButtonClass}}" type="submit">{{hbeButtonText}}</button>

No wire-format change — existing encrypted posts continue to decrypt.

... (truncated)

Changelog

Sourced from hexo-blog-encrypt's changelog.

[4.0.2] — 2026-06-07

Tests

• stableSalt clean-rebuild e2e regression — added end-to-end coverage for the headline stableSalt guarantee that previously had none. With stableSalt: true + autoSave: true, a clean static rebuild re-emits the same permalink-derived salt but a fresh nonce and ciphertext. A new Playwright test seeds the localStorage key cache from one build, then simulates a rebuild (re-encrypting the same plaintext under the same salt via the server crypto, yielding a new nonce/ciphertext) and asserts the cached key still auto-decrypts the new payload (mode="cached", no re-prompt). A companion self-heal test proves that when the salt itself changes (permalink change / stableSalt off), storage.load() drops the stale entry and the visitor is re-prompted. New fixture templates/stablesalt-post.md → stablesalt-default.md. No runtime or crypto behavior changed — tests and docs only.

Docs

• Refreshed the wiki and in-repo docs to describe stableSalt, correct the per-post salt size (32 bytes), and note the deterministic-salt tradeoff.

---

[4.0.1] — 2026-05-19

Fixed

• Decrypt button layout — on wide screens the button could land on the same row as the password input and lose centering. The shared decrypt form now uses a flex column layout so the button always renders centered, on its own line, below the input. Long / non-ASCII labels wrap correctly.
• decryptButton.show: false — previously only the label was blanked while the button chrome remained clickable. The button is now actually removed from layout via a new hbe-button-hidden class, while Enter-key form submission still works.

Template contract

• Added {{hbeButtonClass}} placeholder (10 → 11). All 8 shipped themes and the docs were updated together. Custom themes following https://github.com/D0n9X1n/hexo-blog-encrypt/blob/master/docs/THEMES.md should add the placeholder to their button element:

  <button class="hbe hbe-button{{hbeButtonClass}}" type="submit">{{hbeButtonText}}</button>

  No wire-format change — existing encrypted posts continue to decrypt.

... (truncated)

Commits

• 8613cc7 test: add stableSalt clean-rebuild e2e regression; bump v4.0.2 (#236)
• b88fa11 Feat/stable salt (#234)
• 53cf48f chore(claude): add CHANGELOG-gate hook for version tags
• df70bc5 docs: slim docs/, drop feature-crew references, add 4.0.1 CHANGELOG
• 4943637 chore(release): v4.0.1
• 341f63e fix: decrypt button layout and hidden-state rendering across themes (#232)
• 30cf23e chore: remove feature-crew submodule (installed globally)
• 0301a00 docs: promote docs/ to source of truth, slim copilot-instructions
• a866f5f ci: add GitHub Packages mirror publish workflow
• caafe3a ci(release): switch to npm OIDC trusted publishing
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hexo-blog-encrypt since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)