What's Changed

Major Changes

• New GoDaddy.Asherah.AppEncryption.PlugIns.Aws package - AWS-specific implementations moved to separate NuGet package for improved modularity and separation of concerns
• Enhanced KMS configuration - New builder pattern and configuration-based setup with KeyManagementServiceOptions supporting IConfiguration integration and dependency injection
• OptimizeByRegions() extension method - Runtime KMS region prioritization for multi-region deployments, allowing dynamic optimization based on application deployment region to minimize latency
• AwsKeyManagementServiceImpl marked obsolete - Legacy implementation deprecated in favor of new KeyManagementService from PlugIns.Aws package

⚠️ Deprecation Notice & Migration ⚠️

The AwsKeyManagementServiceImpl class is now marked [Obsolete] and will be removed in a future release. Applications should migrate to the new KeyManagementService from the GoDaddy.Asherah.AppEncryption.PlugIns.Aws package.

Key Migration Changes

1. Install new package: GoDaddy.Asherah.AppEncryption.PlugIns.Aws
2. Update namespace: GoDaddy.Asherah.AppEncryption.Kms → GoDaddy.Asherah.AppEncryption.PlugIns.Aws.Kms
3. Change logger type: ILogger → ILoggerFactory
4. Replace dictionary configuration with builder pattern or configuration-based options

Before (v0.9.0):

using GoDaddy.Asherah.AppEncryption.Kms;

var regionDictionary = new Dictionary<string, string>
{
    { "us-east-1", "arn:aws:kms:us-east-1:123456789012:key/abc" },
    { "us-west-2", "arn:aws:kms:us-west-2:234567890123:key/def" }
};

var kms = AwsKeyManagementServiceImpl.NewBuilder(regionDictionary, "us-east-1")
    .WithCredentials(credentials)
    .WithLogger(logger)
    .Build();

After (v0.10.0):

using GoDaddy.Asherah.AppEncryption.PlugIns.Aws.Kms;

var kms = KeyManagementService.NewBuilder()
    .WithLoggerFactory(loggerFactory)
    .WithRegionKeyArn("us-east-1", "arn:aws:kms:us-east-1:123456789012:key/abc")
    .WithRegionKeyArn("us-west-2", "arn:aws:kms:us-west-2:234567890123:key/def")
    .WithCredentials(credentials)
    .Build();

Configuration-based approach (recommended):

// appsettings.json
{
  "AsherahKmsOptions": {
    "regionKeyArns": [
      { "region": "us-east-1", "keyArn": "arn:aws:kms:us-east-1:123456789012:key/abc" }
    ]
  }
}

// Code
var kmsOptions = Configuration.GetValue<KeyManagementServiceOptions>("AsherahKmsOptions");
var kms = KeyManagementService.NewBuilder()
    .WithLoggerFactory(loggerFactory)
    .WithOptions(kmsOptions)
    .WithCredentials(credentials)
    .Build();

See plugins-upgrade-guide.md for complete migration instructions.

Dependency Updates

• AWSSDK.DynamoDBv2 (4.0.9.5 → 4.0.9.6)
• AWSSDK.KeyManagementService (4.0.7 → 4.0.7.1)

Backward Compatibility

Full backward compatibility maintained. The existing AwsKeyManagementServiceImpl continues to function unchanged and can be used alongside the new plugin. Data encrypted with v0.9.0 can be decrypted with v0.10.0 and vice versa—the envelope encryption format is unchanged. Applications can migrate incrementally by suppressing obsolete warnings with #pragma warning disable CS0618 until ready to adopt the new API.

Full Changelog: csharp/AppEncryption/v0.9.0...csharp/AppEncryption/v0.10.0

What's Changed

Major Changes

This release brings modern .NET support and async programming capabilities:

• .NET 10.0 support added to target frameworks (netstandard2.0, net8.0, net9.0, net10.0)
• Async/await API support introduced across all encryption interfaces with new async methods:
  • IEnvelopeEncryption<TD>: DecryptDataRowRecordAsync() and EncryptPayloadAsync()
  • IKeyManagementService: EncryptKeyAsync() and DecryptKeyAsync()
  • Session<TP, TD>: DecryptAsync() and EncryptAsync()
• BouncyCastle migration from unofficial BouncyCastle.NetCore to official BouncyCastle.Cryptography (v2.6.2) for better long-term support
• SecureMemory updated to v0.5.0 with matching .NET 10.0 support and BouncyCastle migration

Dependency Updates

Notable package bumps include:

• BouncyCastle.Cryptography (2.2.1 → 2.6.2, package name changed from BouncyCastle.NetCore)
• GoDaddy.Asherah.SecureMemory (0.4.0 → 0.5.0)
• AWSSDK.DynamoDBv2 (4.0.6.1 → 4.0.9.5)
• AWSSDK.KeyManagementService (4.0.4.1 → 4.0.7)
• Microsoft.Extensions.Caching.Memory (9.0.8 → 10.0.0)
• Microsoft.Extensions.Logging.Abstractions (9.0.8 → 10.0.0)
• System.Text.Encodings.Web (9.0.8 → 10.0.0)
• System.Text.Json (9.0.8 → 10.0.0)
• Newtonsoft.Json (13.0.3 → 13.0.4)

Code Quality Improvements

Comprehensive test coverage expansion with 200+ new async test cases across EnvelopeEncryptionBytesImplTest, EnvelopeEncryptionJsonImplTest, and AwsKeyManagementServiceImplTest. Build configurations updated for .NET 10.0 SDK, Docker images modernized, and obsolete .NET 3.1 scripts removed.

Backward Compatibility

Full backward compatibility maintained—all existing synchronous APIs continue functioning unchanged. Async methods are purely additive and can be adopted incrementally. The BouncyCastle package migration is transparent with no code changes required.

Full Changelog: csharp/AppEncryption/v0.8.0...csharp/AppEncryption/v0.9.0

What's Changed

Major Changes

• Added deprecation notices to aws-v1 plugin components - deprecation comments direct users to migrate to the aws-v2 alternative
• Complete AWS SDK v2 test infrastructure migration - All integration tests now use independent AWS SDK v2 utilities with improved container cleanup and regional suffix compatibility
• Enhanced AWS SDK v1 deprecation handling - Added comprehensive linter exclusions and updated deprecation comments to reflect end-of-life status (July 31, 2025)
• Upgraded Go - Updated to Go 1.23.0

Dependency Updates

• Bump github.com/aws/aws-sdk-go from 1.55.7 to 1.55.8
• Bump github.com/aws/aws-sdk-go-v2 from 1.37.1 to 1.38.3
• Bump github.com/aws/aws-sdk-go-v2/config from 1.30.2 to 1.31.6
• Bump github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue from 1.20.1 to 1.20.9
• Bump github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression from 1.8.1 to 1.8.9
• Bump github.com/aws/aws-sdk-go-v2/service/kms from 1.42.1 to 1.45.1
• Bump github.com/stretchr/testify from 1.10.0 to 1.11.1
• Bump github.com/docker/go-connections from 0.5.0 to 0.6.0
• Bump github.com/godaddy/asherah/go/securememory from 0.1.6 to 0.1.7

Code Quality Improvements

• Updated linting configuration - Added staticcheck exclusions for intentional AWS SDK v1 usage in backward compatibility layers
• Updated deprecation documentation - All AWS SDK v1 components now clearly communicate security urgency and migration paths
• Improved test reliability - Fixed container cleanup timing issues in integration tests
• Eliminated AWS SDK v1 dependencies from v2 infrastructure - Clean separation between v1 and v2 test utilities

Backward Compatibility

This release maintains full backward compatibility. All existing AWS SDK v1 integrations will continue to work unchanged, though users will see deprecation warnings encouraging migration to AWS SDK v2 plugins for security and long-term support.

Full Changelog: https://github.com/godladdy/asherah/compare/go/appencryption/v0.8.0...go/appencryption/v0.9.0

What's Changed

Major Changes

• Added DynamoDB client customization support - New WithDynamoDbClient() method allows providing custom IAmazonDynamoDB client instances
• Enhanced dependency injection compatibility - Improved support for AWSSDK.Extensions.NETCore.Setup and .NET DI containers
• Improved resource management - Fixed disposable pattern implementation in DynamoDbMetastoreImpl.Builder
• Updated documentation - Comprehensive README updates with dependency injection examples and best practices

Dependency Updates

• Bump AWSSDK.SecurityToken from 4.0.1.6 to 4.0.2.1
• Bump AWSSDK.DynamoDBv2 and 5 others
• Bump Microsoft.Extensions.Logging.Console from 9.0.7 to 9.0.8
• Bump xunit.runner.visualstudio from 3.1.3 to 3.1.4
• Bump Microsoft.Extensions.Configuration to 9.0.8

Code Quality Improvements

• Fixed disposable issue and added ability to bring your own client
• Updated comments and code analysis suppressions
• Improved client lifecycle management documentation

Backward Compatibility

This release maintains full backward compatibility. All existing DynamoDbMetastoreImpl configurations will continue to work unchanged. The new WithDynamoDbClient() method is purely additive.

Full Changelog: csharp/AppEncryption/v0.7.0...csharp/AppEncryption/v0.8.0

What's Changed

Major Changes

• GoDaddy.Asherah.Logging Dependency Removed: Eliminated dependency on the internal GoDaddy.Asherah.Logging package across all core classes, replacing it with Microsoft.Extensions.Logging abstractions for better integration with modern .NET logging frameworks
• Microsoft.Extensions.Logging Integration: Updated all core components to use ILogger<T> dependency injection pattern instead of the previous logging system

⚠️ Breaking Changes & Migration ⚠️

While this release maintains API compatibility (existing code will compile), applications using the previous GoDaddy.Asherah.Logging.LogManager will no longer see log entries from Asherah components.

Migration Required for Logging

To continue receiving log output, update your application to use Microsoft.Extensions.Logging:

Before (v0.6.0 and earlier):

// Old approach - setup logger factory - no longer produces logs
ILoggerFactory loggerFactory = new LoggerFactory();
loggerFactory.AddProvider(new ConsoleLoggerProvider((category, level) => level >= LogLevel.Information, true));
LogManager.SetLoggerFactory(loggerFactory);

var sessionFactory = SessionFactoryBuilder
    .NewBuilder("myApp", "myService")
    .WithMetastore(metastore)
    .WithKeyManagementService(kms)
    .Build();

After (v0.7.0+):

// New approach - inject ILogger for proper logging
using Microsoft.Extensions.Logging;

var loggerFactory = LoggerFactory.Create(builder =>
    builder.AddConsole().SetMinimumLevel(LogLevel.Debug));

var sessionFactory = SessionFactoryBuilder
    .NewBuilder("myApp", "myService")
    .WithMetastore(metastore)
    .WithKeyManagementService(kms)
    .WithLogger(loggerFactory.CreateLogger<SessionFactory>())
    .Build();

Backward Compatibility

• Constructor Overloads: Added backward-compatible constructor overloads for EnvelopeEncryptionBytesImpl, EnvelopeEncryptionJsonImpl, SessionBytesImpl, and SessionJsonImpl to maintain API compatibility
• Compilation: Existing code will continue to compile without changes

Testing Improvements

• TestLoggerFactory: Added new test helper class for consistent logging setup in integration tests
• Logger Fixtures: Removed legacy LoggerFixture and LoggerFixtureTestGroup classes
• Updated Test Infrastructure: All integration and unit tests updated to work with the new logging system

Dependencies

• Microsoft.Extensions.Logging: Added as a core dependency for modern logging abstractions
• GoDaddy.Asherah.Logging: Removed dependency

Full Changelog: csharp/AppEncryption/v0.6.0...csharp/AppEncryption/v0.7.0

What's Changed

Publishing Infrastructure

• Maven Central Migration: Migrated from OSSRH (Sonatype OSS Repository Hosting) to the new Maven Central publishing system, providing improved reliability and faster artifact distribution

Dependency Updates

• SecureMemory: Upgraded to v0.1.6
• Apache Commons Lang: Updated to v3.18.0 (from v3.17.0)
• AWS SDK v1: Updated to v1.12.788 (from v1.12.780)
• AWS SDK v2: Updated to v2.32.11 (from v2.30.3)
• BouncyCastle: Updated to v1.81 (from v1.80)
• Build Helper Maven Plugin: Updated to v3.6.1 (from v3.6.0)
• Caffeine: Updated to v3.2.2 (from v3.2.0)
• Checker Framework: Updated to v3.49.5 (from v3.48.4)
• Commons Codec: Updated to v1.19.0 (from v1.17.2)
• Commons Logging: Updated to v1.3.5 (from v1.3.4)
• Commons Text: Updated to v1.14.0 (from v1.13.0)
• Guava: Updated to v33.4.8-jre (from v33.4.0-jre)
• Jackson: Updated to v2.19.2 (from v2.18.2)
• JaCoCo: Updated to v0.8.13 (from v0.8.12)
• JSON: Updated to v20250517 (from v20250107)
• JUnit Jupiter: Updated to v5.13.4 (from v5.11.4)
• Logback: Updated to v1.5.18 (from v1.5.16)
• Maven Compiler Plugin: Updated to v3.14.0 (from v3.13.0)
• Maven GPG Plugin: Updated to v3.2.8 (from v3.2.7)
• Maven Surefire Plugin: Updated to v3.5.3 (from v3.5.2)
• Micrometer: Updated to v1.15.2 (from v1.14.3)
• Mockito: Updated to v5.18.0 (from v5.15.2)
• SLF4J: Updated to v2.0.17 (from v2.0.16)
• HikariCP: Updated to v7.0.0 (from v6.2.1)

Development & Build

• Multiple dependency maintenance updates via Dependabot
• Updated publishing configuration to use Central Publishing Maven Plugin instead of Nexus Staging Maven Plugin

Full Changelog: java/appencryption/v0.3.2...java/appencryption/v0.3.3

What's Changed

Security Improvements

• Enhanced secure memory wiping: Replace manual byte zeroing loop with Go's built-in clear() function (available since Go 1.21) which is guaranteed not to be optimized away by the compiler

Code Quality & Documentation

• Fixed Go deprecation comment blocks: Updated deprecation comments to use the proper Deprecated: format instead of DEPRECATED: to ensure they are properly recognized by Go tooling and IDEs

Dependency Updates

• SecureMemory: Upgraded to v0.1.7
• Go Runtime: Updated to Go 1.23.0
• AWS SDK Go: Updated to v1.55.7
• AWS SDK Go v2: Major version updates across all services:
  • Core SDK: v1.37.1 (from v1.33.0)
  • Config: v1.30.2 (from v1.29.1)
  • DynamoDB: v1.45.1 (from v1.39.5)
  • KMS: v1.42.1 (from v1.37.13)
  • DynamoDB AttributeValue: v1.20.1 (from v1.15.28)
  • DynamoDB Expression: v1.8.1 (from v1.7.63)
• Golang.org/x/crypto: Updated to v0.35.0 (from v0.31.0)
• Golang.org/x/sys: Updated to v0.34.0 (from v0.29.0)
• AWS Smithy-Go: Updated to v1.22.5 (from v1.22.1)

Development & Testing

• Multiple dependency maintenance updates via Dependabot
• Updated integration test dependencies including Docker and TestContainers

Full Changelog: go/appencryption/v0.7.1...go/appencryption/v0.8.0

What's Changed

Major Changes

• Modernized code analysis system
  Migrated from StyleCop to built-in .NET SDK analyzers for cleaner, more maintainable code quality enforcement
• Enhanced development workflow
  Added automated dotnet format pre-commit step and updated solution files to modern .slnx format
• Improved code quality
  Applied updated analyzers with fixes to improve code consistency and follow .NET best practices
• Updated internal dependencies
  Upgraded GoDaddy.Asherah.Logging to v0.3.0 and GoDaddy.Asherah.SecureMemory to v0.4.0 for latest security and performance improvements

Dependency Updates

• Internal Asherah dependencies upgraded:
  • GoDaddy.Asherah.Logging from 0.2.0 to 0.3.0
  • GoDaddy.Asherah.SecureMemory from 0.3.0 to 0.4.0
• AWS SDK packages:
  • AWSSDK.DynamoDBv2 to 4.0.3.1
  • AWSSDK.KeyManagementService to 4.0.3.9
• Core framework packages:
  • LanguageExt.Core to 4.4.9
  • Microsoft.Extensions.Caching.Memory to 9.0.7
  • System.Text.Json and System.Text.Encodings.Web to 9.0.7

Platform Support

• Requires .NET 8+ SDK for development workflow features

Full Changelog: csharp/AppEncryption/v0.5.0...csharp/AppEncryption/v0.6.0

What's Changed

⚠️ BREAKING CHANGES ⚠️

AWS SDK v4 Migration Required - This release upgrades from AWS SDK v3 to v4. If your application directly uses AWS SDK alongside Asherah, you'll need to upgrade your AWS SDK dependencies to v4 to maintain compatibility.

See the AWS SDK Migration Guide for V4 for detailed upgrade instructions.

Major Changes

• Migrated to AWS SDK v4 - Complete upgrade from AWS SDK v3 to v4 for all AWS services (KMS, DynamoDB, SecurityToken)
• Modernized async patterns - Replaced synchronous AWS client methods with async/await throughout
• Updated API usage - Migrated to request/response objects and new SDK patterns (KMS operations, DynamoDB TableBuilder)

Dependency Updates

• AWS SDK packages upgraded to v4:
  • AWSSDK.DynamoDBv2 to 4.0.1.7
  • AWSSDK.KeyManagementService to 4.0.3.1
  • AWSSDK.SecurityToken updated to latest v4
• Test infrastructure:
  • xunit.runner.visualstudio updated across multiple versions
  • DynamoDB test container upgraded to v2.6.0

Platform Support

• Maintained support for .NET Standard 2.0, .NET 8.0, and .NET 9.0
• Enhanced .NET 9.0 runtime support in CI workflows
• Improved caching for C# project builds

Full Changelog: csharp/AppEncryption/v0.4.0...csharp/AppEncryption/v0.5.0

What's Changed

Major Changes

• Upgraded to target .NET 8.0 and .NET 9.0 with continued .NET Standard 2.0 compatibility
• Dropped .NET Standard 2.1 support (maintaining backward compatibility via .NET Standard 2.0)

Dependency Updates

• SecureMemory upgraded from 0.2.6 to 0.3.0
• Logging upgraded from 0.1.7 to 0.2.0
• AWS SDK packages updated:
  • AWSSDK.DynamoDBv2 to 3.7.406.25
  • AWSSDK.KeyManagementService to 3.7.400.137
• Microsoft packages updated to 9.0.4:
  • Microsoft.Extensions.Caching.Memory
  • System.Text.Encodings.Web
  • System.Text.Json

Platform Support

• Added explicit support for .NET 9.0
• Modernized framework targeting strategy per Microsoft recommendations
• Updated MySQL test container from 5.7 to 8.0 ([C#] AppEncryption CI workflow)

Full Changelog: csharp/AppEncryption/v0.3.0...csharp/AppEncryption/v0.4.0