Skip to content

chore(deps): update dependency openpgpjs/openpgpjs to v5.7.0

Botaniker (Bot) requested to merge renovate/openpgpjs-openpgpjs-5.x into deploy

This MR contains the following updates:

Package Update Change
openpgpjs/openpgpjs minor v5.6.0 -> v5.7.0

Release Notes

openpgpjs/openpgpjs

v5.7.0

Compare Source

  • Add support for creating critical signature subpackets (https://github.com/openpgpjs/openpgpjs/pull/1599)
    • Most subpackets are now assigned a criticality based on whether failing to interpret their meaning would negatively impact security.
    • If subpackets that are now marked as critical (such as signature creation date, issuer Key ID, key expiration time if set, etc.) are not supported by another OpenPGP implementation, it will now be considered invalid by the implementation rather than ignored. However, since these subpackets are fundamental to the functioning of OpenPGP, they should indeed never be ignored. If an implementation doesn't support them, please upgrade or report it to the relevant implementation as well as or instead of here.
    • For Notation Data subpackets, the caller can now set their criticality using the signatureNotations[*].critical property. When set to critical, if the OpenPGP implementation reading the signature doesn't understand their meaning, they will be rejected rather than ignored. This is useful if the notation is indeed critical (🙂) to the functioning of the signature or the key that contains it.
  • Remove default known notations (https://github.com/openpgpjs/openpgpjs/pull/1600)
    • Since OpenPGP.js doesn't interpret any notations, we shouldn't consider any of them "known" by default. Rather, we let the calling application indicate the known notations, and it is then responsible for handling them.
    • Specifically, signatures with a critical notation named "preferred-email-encoding@pgp.com" or "pka-address@gnupg.org" will now be rejected by default. We believe that these are not common "in the wild", but if you encounter them, you can add them to the config.knownNotations array, or (preferably) pass a knownNotations array in the config property when verifying a signature, and then handle the preference indicated by the notation data afterwards by inspecting the signaturePacket.notations or rawNotations property.
  • TypeScript: added selfCertification property to the PrimaryUser interface definition (https://github.com/openpgpjs/openpgpjs/pull/1594)
  • Docs: mark global generateSessionKeys's encryptionKeys parameter as optional (https://github.com/openpgpjs/openpgpjs/pull/1596)
  • CI: Update browser targets (https://github.com/openpgpjs/openpgpjs/pull/1549)
  • Update ESLint and other minor dependencies; clean up linting rules (https://github.com/openpgpjs/openpgpjs/pull/1602)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot. The local configuration can be found in the SI Renovate Bot repository.

Merge request reports