Releases: paragonie/random_compat
Version 1.0.9
There is an outstanding issue with mcrypt_create_iv() and PHP 7's random_bytes() on Windows, reported by @nicolas-grekas, caused by proc_open() and environment variable handling (discovered by Appveyor when developing Symfony).
Since the break is consistent, it's not our responsibility to fix it, but we should fail the same way PHP 7 will (i.e. throw an Exception rather than raise an error and then throw an Exception).
Version 1.0.8
- Fix usability issues with Windows (new COM('CAPICOM.Utilities.1') is not always available).
- You can now test all the possible drivers by running phpunit.sh each in the tests directory.
Version 1.0.7
Several large integer handling bugfixes were contributed by @oittaa.
Version 1.0.6
Don't let the version number fool you, this was a pretty significant change.
- Added support for ext-libsodium, if it exists on the system. This is morally equivalent to adding getrandom(2) support without having to expose the syscall interface in PHP-land.
- Relaxed open_basedir restrictions. In previous versions, if open_basedir was set, PHP wouldn't even try to read from /dev/urandom. Now it will still do so if you can.
- Fixed integer casting inconsistencies between random_compat and PHP 7.
- Handle edge cases where an integer overflow turns one of the parameters into a float.
One change that we discussed was making random_bytes() and random_int() strict typed, meaning you could only pass integers to either function. While most veteran programmers are probably only doing this already (we strongly encourage it), it wouldn't be consistent with how these functions behave in PHP 7. Please use these functions responsibly.
We've had even more of the PHP community involved in this release; the contributors list has been updated. If I forgot anybody, I promise you it's not because your contributions (either code or ideas) aren't valued, it's because I'm a bit overloaded with information at the moment. Please let me know immediately and I will correct my oversight.
Thanks everyone for helping make random_compat better.
Version 1.0.5
Got rid of the methods in the Throwable interface, which was causing problems on PHP 5.2. While we would normally not care about 5.2 (since 5.4 and earlier are EOL'd), we do want to encourage widespread adoption (e.g. WordPress).
Version 1.0.4
Removed redundant if() checks, since lib/random.php is the entrypoint people should use.
Version 1.0.3
This release contains bug fixes contributed by the community.
- Avoid a PHP Notice when PHP is running without the mbstring extension
- Use a compatible version of PHPUnit for testing on older versions of PHP
Although none of these bugs were outright security-affecting, updating ASAP is still strongly encouraged.
Version 1.0.2
Less strict input validation on random_int() parameters. PHP 7's random_int() accepts strings and floats that look like numbers, so we should too.
Thanks @dd32 for correcting this oversight.
Version 1.0.1
I'll stop prefixing version tags with the letter v to fix composer.
Version 1.0.1 - Exceptions Only
Changed the usability a bit. See v1.0.1.
You want v1.0.1 (below) unless you have compatibility issues.