This is a prerelease of v5.0.0. The full changelog since OpenPGP.js v4 can be found here. The changelog since v5.0.0-1 is:

• Remove Key.prototype.encrypt and Key.prototype.decrypt in favor of openpgp.encryptKey and openpgp.decryptKey (#1285)
• Fix encoded length in unencrypted v5 secret key packets (#1278)
• Add expectSigned option to openpgp.decrypt and openpgp.verify (#1275)
• Fix streaming verification example in README (#1269)
• Fix createMessage return type in type definitions (#1276)
• Test type definitions in Continuous Integration
• Disallow passing streams to readKey[s], readSignature and readCleartextMessage
• Remove top-level streaming options, and only return a stream if a stream was passed
• Replace Message.fromText and Message.fromBinary with createMessage, and replace CleartextMessage.fromText with createCleartextMessage
• Fetch Streams ponyfill on demand in lightweight build
• Internally use ArrayStreams instead of real streams when not streaming
• Use consistent name casing (#1268)
  • Use PascalCase for classes (with uppercase acronyms)
  • Use camelCase for function and variables (first word/acronym is always lowercase, otherwise acronyms are uppercase)
• Make the packet classes' tag properties static
• Add config.rejectPublicKeyAlgorithms (#1264)
  • Default to disallowing the use of ElGamal and DSA for verifying and signing or encrypting new messages
  • When verifying a message, if the verification key is not found or too weak, the corresponding signature will have signature.valid=false (instead of signature.valid=null); signature.error will explain whether the key was missing/too weak/etc
• Take config.minRsaBits into account when signing, verifying and encrypting messages, not just on key generation
• Drop support for verification of detached cleartext signatures (#1265)
• Add key.write() and update type definitions (#1267)
• Simplify algorithm preference selection and normalize config names (#1262)
  • Rename config.compression to config.preferredCompressionAlgorithm
  • Rename config.encryptionCipher to config.preferredSymmetricAlgorithm
  • Rename config.preferHashAlgorithm to config.preferredHashAlgorithm
  • Rename config.aeadMode to config.preferredAeadAlgorithm
  • When encrypting to public keys, the compression/aead/symmetric algorithm is selected by:
    • taking the preferred algorithm specified in config, if it is supported by all recipients
    • otherwise, taking the "MUST implement" algorithm specified by rfc4880bis
  • When encrypting to passphrases only (no public keys), the preferred algorithms from config are always used
  • EdDSA signing with a hash algorithm weaker than sha256 is explicitly disallowed (https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2)

This is a prerelease of v5.0.0. The full changelog since OpenPGP.js v4 can be found here. The changelog since v5.0.0-0 is:

• Fix unhandled promise rejection when stream-decrypting non-MDC messages (#1260)
• Rename config.ignoreMdcError to config.allowUnauthenticatedMessages (#1261)
• Do not support creating symmetrically encrypted message packets without integrity protection
• Use config.aeadProtect to determine private key encryption mode
• Check critical notations during signature verification instead of during parsing (#1259)
• Remove KeyRing class (keyring handling and storage should be handled in the application, as localStorage may not meet the durability requirements of the application, for example)
• Move WKD client to openpgpjs/wkd-client
• Move HKP client to openpgpjs/hkp-client
• Switch packages installed from git to @openpgp npm scope
• Update web-stream-tools
• Default to empty filename when creating messages
• Update documentation
• Update TypeScript definitions

This is a prerelease of v5.0.0. The changelog can be found here.

• Update tweetnacl-js to v1.0.3 (fixing a security issue with generating Ed25519 signatures)
• Fix ElGamal parameter range and PKCS1 decoding (#1169)

• WKD: Fix "TypeError: fetch is not a function" in Node.js environment (#1181)
• Fix and test dummy key conversion (#1172)
• Fix documentation of the HKP keyId option (#1151)

• Add config option to allow insecure decryption with RSA signing keys (#1148)
• Allow decryption with revoked keys (#1135)
• Support non-human-readable notation values (#983)
• Add test case for unknown binary notations (#1140)
• Add SecretKey.prototype.makeDummy (#1131)
• Use correct algorithm in ECC validation tests

• Handle CORS errors during WKD lookup (#1125)
  • Throw in WKD lookup on HTTP errors instead of returning undefined
• Refactor WKD lookup code (#1123)
• Fix key validation tests
• Fix decryption tests

• Don't zero-copy transfer buffers from the worker by default
  Fixes signing messages using the same key multiple times in one worker.

• Faster and more secure, cipher-specific key validation (#1116). Also,
  • Validate keys during decryption
  • Check binding signatures for decryption keys when decrypting messages
  • Do not always fallback on Web Crypto ECC errors
• Add support for advanced WKD lookup (#1115)
• Fix stream-encrypting+signing a message using the Worker (#1112)
• Pass around KDF params as objects (#1104)
• Fix keyId types in JSDoc comments (#1100)
• Also create issuer fingerprint subpacket for v4 keys, not just v5 keys (#1097)

• Fix normalizing \n after \r\n (broken in v4.10.3)