[Snyk] Security upgrade openpgp from 5.2.1 to 5.10.1

[TheJ-Erk400]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	501/1000 Why? Recently disclosed, Has a fix available, CVSS 4.3	Improper Verification of Cryptographic Signature SNYK-JS-OPENPGP-5871276	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: openpgp

The new version differs by 86 commits.

• 5d02e3a 5.10.1
• 6b43e02 Merge pull request from GHSA-ch3c-v47x-4pgp
• 11b5999 Reject cleartext messages with extraneous data preceeding hash header
• 4df86e5 5.10.0
• 8d4dd34 Merge pull request #1620
• 5ae2846 CI: test on iOS Safari 14 instead of 15 to have access to SubtleCrypto
• b164190 Internal: rename `Curves` to `CurvesWithOID`
• ef953ce Add `HKDF` fallback for Node 14, where SubtleCrypto is not available
• ee4ad89 Enforce AES with PKESK v3 using x25519 (new format)
• 1c07d26 `crypto-refresh`: add support for new X25519 key and PKESK format
• 3f44082 `crypto-refresh`: add support for new Ed25519 key and signature format
• b6170aa Merge pull request #1656
• 32caf41 Fix parsing of ECDH with unknown KDFParam version
• f5b5b73 Fix parsing of messages with unsupported SKESK s2k type
• 9ed1135 Fix verification of cleartext signatures that include unknown signature packet versions
• de2ffaf Fix verification of detached signatures that include unknown signature packet versions
• d72cece Support parsing encrypted key with unknown s2k types or cipher algos (#1658)
• 400b163 5.9.0
• 33c1954 Allow email addresses with trailing numbers in domain (#1642)
• 1eb0b42 TS: add declaration for `verify` with `CleartextMessage` input (#1640)
• 29d2b70 Add support for verifying User Attributes in `verifyAllUsers` (#1637)
• 785d24d Add `revoke` to `Subkey` in type definition (#1639)
• 726ee55 5.8.0
• ac223bb Fix shorthand check on user revoked status in getPrimaryUser method (#1623)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[guardrails]

⚠️ We detected 12 security issues in this pull request:

Vulnerable Libraries (12)

Severity	Details
Medium	pkg:npm/[email protected] (t) upgrade to: > 8.32.0
Medium	pkg:npm/[email protected] (t) upgrade to: > 27.5.1
Medium	pkg:npm/@babel/[email protected] (t) upgrade to: > 7.20.12
Medium	pkg:npm/@babel/[email protected] (t) upgrade to: > 7.20.2
Informational	pkg:npm/[email protected] (t) upgrade to: > 6.6.0
Critical	pkg:npm/[email protected] (t) - no patch available
Medium	pkg:npm/@babel/[email protected] (t) upgrade to: > 7.19.6
Medium	pkg:npm/@babel/[email protected] (t) upgrade to: > 7.19.1
Medium	pkg:npm/[email protected] (t) upgrade to: > 7.32.1
Medium	pkg:npm/[email protected] (t) upgrade to: > 26.9.0
High	pkg:npm/[email protected] (t) upgrade to: > 2.27.5
Medium	pkg:npm/[email protected] (t) upgrade to: > 8.3.0

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[socket-security]

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: [email protected]