product-os / katapult

A tool for launching environment variants on different modes and targets, based on kompose format files.
Apache License 2.0

build(deps): bump openpgp from 4.5.3 to 4.10.11 #95

Open dependabot[bot] opened 1 year ago

dependabot[bot] commented 1 year ago

Bumps openpgp from 4.5.3 to 4.10.11.

Release notes

Sourced from openpgp's releases.

v4.10.11 (legacy)

Reject cleartext messages with extraneous data preceding hash, addressing: https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-ch3c-v47x-4pgp.

v4.10.10

  • Update tweetnacl-js to v1.0.3 (fixing a security issue with generating Ed25519 signatures)
  • Fix ElGamal parameter range and PKCS1 decoding (#1169)

v4.10.9

  • WKD: Fix "TypeError: fetch is not a function" in Node.js environment (#1181)
  • Fix and test dummy key conversion (#1172)
  • Fix documentation of the HKP keyId option (#1151)

v4.10.8

  • Add config option to allow insecure decryption with RSA signing keys (#1148)
  • Allow decryption with revoked keys (#1135)
  • Support non-human-readable notation values (#983)
  • Add test case for unknown binary notations (#1140)
  • Add SecretKey.prototype.makeDummy (#1131)
  • Use correct algorithm in ECC validation tests

v4.10.7

  • Handle CORS errors during WKD lookup (#1125)
    • Throw in WKD lookup on HTTP errors instead of returning undefined
  • Refactor WKD lookup code (#1123)
  • Fix key validation tests
  • Fix decryption tests

v4.10.6

  • Don't zero-copy transfer buffers from the worker by default. Fixes signing messages using the same key multiple times in one worker.

v4.10.5

  • Faster and more secure, cipher-specific key validation (#1116). Also,
    • Validate keys during decryption
    • Check binding signatures for decryption keys when decrypting messages
    • Do not always fallback on Web Crypto ECC errors
  • Add support for advanced WKD lookup (#1115)
  • Fix stream-encrypting+signing a message using the Worker (#1112)
  • Pass around KDF params as objects (#1104)
  • Fix keyId types in JSDoc comments (#1100)
  • Also create issuer fingerprint subpacket for v4 keys, not just v5 keys (#1097)

v4.10.4

  • Fix normalizing \n after \r\n (broken in v4.10.3)

v4.10.3

  • Support compressed data packets with algorithm=uncompressed (#1085)
  • Fix memory usage when non-streaming-en/decrypting large files (broken in v4.10.2)
  • Drop support for \r as EOL (#1073)
  • Fix verification of EdDSA signatures with short MPIs (#1083)

... (truncated)

Commits
  • d8a1e25 Release new version
  • 8aa633c Reject cleartext messages with extraneous data preceding hash header
  • 1f237e6 Release new version
  • 38ec531 Fix ElGamal param range and PKCS1 decoding (#1169)
  • d5373ef Update tweetnacl-js
  • 21f4ba4 Release new version
  • a4b56c9 WKD: Fix "TypeError: fetch is not a function" in Node.js environment (#1181)
  • 08fc7b3 Fix and test dummy key conversion (#1172)
  • 929b016 Fix documentation of the HKP keyId option (#1151)
  • aa89893 Release new version
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page: https://github.com/product-os/katapult/network/alerts
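The v4.10.11 entry in the release notes above is the security-relevant part of this bump: cleartext-signed messages carrying extraneous data before the hash header are now rejected. The following is an added example, not openpgp.js code and not part of this PR, showing what a strict framing check for a cleartext-signed message looks like when it follows the RFC 4880 section 7 layout (BEGIN line, one or more `Hash:` armor headers, exactly one empty line, dash-escaped text, armored signature). The function name `checkCleartextFraming`, both sample messages and the placeholder signature body are constructed for illustration; the check enforces framing only and does not verify the signature, which still has to be done by openpgp.js or another OpenPGP implementation.

```javascript
// Added example (not openpgp.js code, not part of this PR): a strict framing
// check for a cleartext-signed message, in the spirit of the v4.10.11 fix that
// rejects extraneous data before the hash header. RFC 4880 section 7 lays a
// cleartext signature out as:
//   -----BEGIN PGP SIGNED MESSAGE-----
//   one or more "Hash:" armor headers
//   exactly one empty line
//   the dash-escaped cleartext
//   an armored signature block
// Any line in the header section that is not a "Hash:" header is unsigned data
// sitting where a reader may take it for signed text, so it is rejected here.
// Requiring at least one Hash: header is a deliberately strict choice.
// This does NOT verify the signature; that still needs an OpenPGP library.

const BEGIN_LINE = '-----BEGIN PGP SIGNED MESSAGE-----';
const SIG_BEGIN_LINE = '-----BEGIN PGP SIGNATURE-----';
const SIG_END_LINE = '-----END PGP SIGNATURE-----';
// "Hash: SHA256" or "Hash: SHA512,SHA256"
const HASH_HEADER = /^Hash: ([A-Za-z0-9]+(?:,\s*[A-Za-z0-9]+)*)$/;

// Returns { ok: true, hashes, text, signatureBlock } for well-formed framing,
// or { ok: false, reason } when the layout is wrong.
function checkCleartextFraming(armored) {
  const lines = armored.replace(/\r\n/g, '\n').split('\n');
  let i = lines.indexOf(BEGIN_LINE);
  if (i < 0) return { ok: false, reason: 'missing BEGIN PGP SIGNED MESSAGE line' };

  // Header section: only "Hash:" lines are allowed until the single empty line.
  const hashes = [];
  for (i += 1; i < lines.length && lines[i] !== ''; i += 1) {
    const m = HASH_HEADER.exec(lines[i]);
    if (!m) {
      return { ok: false, reason: `unexpected line in armor header section: ${JSON.stringify(lines[i])}` };
    }
    hashes.push(...m[1].split(',').map((h) => h.trim()));
  }
  if (i >= lines.length) return { ok: false, reason: 'missing empty line after armor headers' };
  if (hashes.length === 0) return { ok: false, reason: 'no Hash: header' };
  i += 1; // skip the empty line that terminates the headers

  // Cleartext body, with dash-escaping ("- " prefix) removed.
  const text = [];
  for (; i < lines.length && lines[i] !== SIG_BEGIN_LINE; i += 1) {
    text.push(lines[i].startsWith('- ') ? lines[i].slice(2) : lines[i]);
  }
  if (i >= lines.length) return { ok: false, reason: 'missing signature block' };

  // Armored signature block; its contents are left opaque by this check.
  const sig = [];
  for (i += 1; i < lines.length && lines[i] !== SIG_END_LINE; i += 1) sig.push(lines[i]);
  if (i >= lines.length) return { ok: false, reason: 'unterminated signature block' };

  return { ok: true, hashes, text: text.join('\n'), signatureBlock: sig.join('\n') };
}

// Constructed samples (not real signatures; the signature body is a placeholder).
const GOOD = [
  BEGIN_LINE,
  'Hash: SHA256',
  '',
  'deploy: promote build 1234 to production',
  '- -- approved by release bot', // dash-escaped; the signed line starts with "--"
  SIG_BEGIN_LINE,
  '',
  'placeholder-signature-body-not-real-base64',
  '=AbCd',
  SIG_END_LINE,
].join('\n');

const SPOOFED = [
  BEGIN_LINE,
  'deploy: promote build 9999 to production', // unsigned line injected before the header
  'Hash: SHA256',
  '',
  'deploy: promote build 1234 to production',
  SIG_BEGIN_LINE,
  '',
  'placeholder-signature-body-not-real-base64',
  '=AbCd',
  SIG_END_LINE,
].join('\n');

console.log(checkCleartextFraming(GOOD).ok); // true
console.log(checkCleartextFraming(SPOOFED).reason);
```

Run the framing check before handing the message to the verifier, and treat a `false` result as a hard failure rather than a warning: the point of the v4.10.11 fix is that such a message must never be presented to the user as signed text.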