Bump openpgp from 5.6.0 to 5.7.0 #17

2023-03-01T21:00:43Z

dependabot[bot] commented

2023-03-01 21:00:43 +00:00

(Migrated from github.com)

Bumps openpgp from 5.6.0 to 5.7.0.

Release notes

v5.7.0

Add support for creating critical signature subpackets (openpgpjs/openpgpjs#1599)

Most subpackets are now assigned a criticality based on whether failing to interpret their meaning would negatively impact security.

If subpackets that are now marked as critical (such as signature creation date, issuer Key ID, key expiration time if set, etc.) are not supported by another OpenPGP implementation, it will now be considered invalid by the implementation rather than ignored. However, since these subpackets are fundamental to the functioning of OpenPGP, they should indeed never be ignored. If an implementation doesn't support them, please upgrade or report it to the relevant implementation as well as or instead of here.

For Notation Data subpackets, the caller can now set their criticality using the signatureNotations[*].critical property. When set to critical, if the OpenPGP implementation reading the signature doesn't understand their meaning, they will be rejected rather than ignored. This is useful if the notation is indeed critical (🙂) to the functioning of the signature or the key that contains it.

Remove default known notations (openpgpjs/openpgpjs#1600)

Since OpenPGP.js doesn't interpret any notations, we shouldn't consider any of them "known" by default. Rather, we let the calling application indicate the known notations, and it is then responsible for handling them.

Specifically, signatures with a critical notation named "preferred-email-encoding@pgp.com" or "pka-address@gnupg.org" will now be rejected by default. We believe that these are not common "in the wild", but if you encounter them, you can add them to the config.knownNotations array, or (preferably) pass a knownNotations array in the config property when verifying a signature, and then handle the preference indicated by the notation data afterwards by inspecting the signaturePacket.notations or rawNotations property.

TypeScript: added selfCertification property to the PrimaryUser interface definition (openpgpjs/openpgpjs#1594)

Docs: mark global generateSessionKeys's encryptionKeys parameter as optional (openpgpjs/openpgpjs#1596)

CI: Update browser targets (openpgpjs/openpgpjs#1549)

Update ESLint and other minor dependencies; clean up linting rules (openpgpjs/openpgpjs#1602)

Commits

c60f2e3 5.7.0
bb0c1f8 Merge pull request #1602 from larabr/update-deps-feb23
8ffd7aa Remove import cycles
94868e6 ESLint: drop unnecessary rules
705f238 Update ESlint
1b17132 Update deps
080b49a Merge pull request #1549 from larabr/test-update-karma-browsers
0ffcc49 Remove default known notations (#1600)
6684482 Skip native Crypto tests if native lib is not available
dcd28fa CI: test latest Safari
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [openpgp](https://github.com/openpgpjs/openpgpjs) from 5.6.0 to 5.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/openpgpjs/openpgpjs/releases">openpgp's releases</a>.</em></p> <blockquote> <h2>v5.7.0</h2> <ul> <li>Add support for creating critical signature subpackets (<a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/pull/1599">openpgpjs/openpgpjs#1599</a>) <ul> <li>Most subpackets are now assigned a criticality based on whether failing to interpret their meaning would negatively impact security.</li> <li>If subpackets that are now marked as critical (such as signature creation date, issuer Key ID, key expiration time if set, etc.) are not supported by another OpenPGP implementation, it will now be considered invalid by the implementation rather than ignored. However, since these subpackets are fundamental to the functioning of OpenPGP, they should indeed never be ignored. If an implementation doesn't support them, please upgrade or report it to the relevant implementation as well as or instead of here.</li> <li>For Notation Data subpackets, the caller can now set their criticality using the <code>signatureNotations[*].critical</code> property. When set to critical, if the OpenPGP implementation reading the signature doesn't understand their meaning, they will be rejected rather than ignored. This is useful if the notation is indeed critical (:slightly_smiling_face:) to the functioning of the signature or the key that contains it.</li> </ul> </li> <li>Remove default known notations (<a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/pull/1600">openpgpjs/openpgpjs#1600</a>) <ul> <li>Since OpenPGP.js doesn't interpret any notations, we shouldn't consider any of them "known" by default. Rather, we let the calling application indicate the known notations, and it is then responsible for handling them.</li> <li>Specifically, signatures with a critical notation named "<a href="mailto:preferred-email-encoding@pgp.com">preferred-email-encoding@pgp.com</a>" or "<a href="mailto:pka-address@gnupg.org">pka-address@gnupg.org</a>" will now be rejected by default. We believe that these are not common "in the wild", but if you encounter them, you can add them to the <code>config.knownNotations</code> array, or (preferably) pass a <code>knownNotations</code> array in the <code>config</code> property when verifying a signature, and then handle the preference indicated by the notation data afterwards by inspecting the <code>signaturePacket.notations</code> or <code>rawNotations</code> property.</li> </ul> </li> <li>TypeScript: added <code>selfCertification</code> property to the <code>PrimaryUser</code> interface definition (<a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/pull/1594">openpgpjs/openpgpjs#1594</a>)</li> <li>Docs: mark global <code>generateSessionKeys</code>'s <code>encryptionKeys</code> parameter as optional (<a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/pull/1596">openpgpjs/openpgpjs#1596</a>)</li> <li>CI: Update browser targets (<a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/pull/1549">openpgpjs/openpgpjs#1549</a>)</li> <li>Update ESLint and other minor dependencies; clean up linting rules (<a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/pull/1602">openpgpjs/openpgpjs#1602</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/c60f2e3490c83b7c5499bf0e29124b668bbae4dd"><code>c60f2e3</code></a> 5.7.0</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/bb0c1f8a08586ab83e0bdca57771e4c29c199b88"><code>bb0c1f8</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/issues/1602">#1602</a> from larabr/update-deps-feb23</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/8ffd7aa1d4c3fe975b34973c4dc0cbc2a0a1a440"><code>8ffd7aa</code></a> Remove import cycles</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/94868e606a183b7dbc1dfaacbe10a80348a903f0"><code>94868e6</code></a> ESLint: drop unnecessary rules</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/705f238e1eaf013aacf6caa18c561f078ee3b5c3"><code>705f238</code></a> Update ESlint</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/1b171326317a58e59c40a2c886ecd419ee0847c0"><code>1b17132</code></a> Update deps</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/080b49a4ce2e6ae5914eb920181708b48b977e5a"><code>080b49a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/issues/1549">#1549</a> from larabr/test-update-karma-browsers</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/0ffcc4970f4fe013315197329d7838a6d8a28225"><code>0ffcc49</code></a> Remove default known notations (<a href="https://github-redirect.dependabot.com/openpgpjs/openpgpjs/issues/1600">#1600</a>)</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/66844826c6eedc16c9f28063423e3ebeff316d81"><code>6684482</code></a> Skip native Crypto tests if native lib is not available</li> <li><a href="https://github.com/openpgpjs/openpgpjs/commit/dcd28fadc6f39a679c6ba012237b5a13a39b72ab"><code>dcd28fa</code></a> CI: test latest Safari</li> <li>Additional commits viewable in <a href="https://github.com/openpgpjs/openpgpjs/compare/v5.6.0...v5.7.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=openpgp&package-manager=npm_and_yarn&previous-version=5.6.0&new-version=5.7.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

dependabot[bot] commented

2023-03-02 00:01:54 +00:00

(Migrated from github.com)

Looks like openpgp is up-to-date now, so this is no longer needed.

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: utils/node-apt#17