Bump openpgp from 5.11.3 to 6.2.0

[dependabot]

Bumps openpgp from 5.11.3 to 6.2.0.

Release notes

Sourced from openpgp's releases.

v6.2.0

What's Changed

• Implement OpenPGP message grammar validation (add config.enforceGrammar, enabled by default) (#1853)
• Enable using WebCrypto for X25519 when available (#1829)
• Prefer subkeys with higher algorithm IDs (in case of equal creation timestamps), on the assumption that that's the most modern/secure algorithm (#1854)
• Improve packet stream & error handling (#1856):
  • Packet parsing errors in not-yet-authenticated streams (i.e. SEIPDv1 with allowUnauthenticatedStream: true) get delayed until the decrypted data stream is authenticated
  • Non-critical unknown packets get turned into UnparseablePacket` objects on the packet stream instead of being ignored
• Make Issuer Key ID signature subpacket non-critical (#1828)
• Improve type definition for the User class (#1857)

New Contributors

• @​caarlos0 made their first contribution in openpgpjs/openpgpjs#1828
• @​kkredit made their first contribution in openpgpjs/openpgpjs#1857

Full Changelog: openpgpjs/openpgpjs@v6.1.0...v6.2.0

v6.1.1 - Security Patch

• Address CVE-2025-47934 (Message signature verification could be spoofed)

v6.1.0

What's Changed

• Fix decryption support for non-standard, legacy AEAD-encrypted messages and keys that used experimentalGCM from OpenPGP.js v5 (openpgpjs/openpgpjs#1811)
• Throw on encryption using the non-standard experimentalGCM AEAD algorithm (The enums.aead.gcm ID standardized by RFC9580 should be used instead.)
• Improve internal tree-shaking and lazy load md5 (openpgpjs/openpgpjs#1812)
• Fix signing using keys without preferred hash algorithms (openpgpjs/openpgpjs#1820)

Full Changelog: openpgpjs/openpgpjs@v6.0.1...v6.1.0

v6.0.1

What's Changed

• Fix ES imports for webpack: declare exports.browser entrypoint as higher priority than import
• Fix openpgp.verify/decrypt with expectSigned: true and format: 'binary' (#1805)
• TS: fix generateKey (options.type) and PrivateKey.getDecryptionKeys() type declarations (#1807)
• Update hash algorithm preferences order by (#1804)

Full Changelog: openpgpjs/openpgpjs@v6.0.0...v6.0.1

v6.0.0

What's Changed

OpenPGP.js v6 adds support for the new version of the OpenPGP specification, RFC 9580. It also increases compliance with the specification, as demonstrated by the OpenPGP interoperability test suite.

OpenPGP.js v6 only makes minor API changes. This is the first stable release of OpenPGP.js v6: no more breaking changes to the high-level API will be made until the next major release.

... (truncated)

Commits

• c30404c 6.2.0
• 732f3c8 Tests: bump playwright from 1.53.0 to 1.54.1 (#1872)
• 24f776a Merge pull request #1870
• 9703ab8 Add workaround for WebCrypto X25519 key generation bug on WebKit Linux
• b927564 Add workaround for WebCrypto X25519 key export bug on WebKit Linux
• d155da2 Revert "CI: do not test Webkit on Linux"
• 448418a Bump @​noble/curves from 1.9.0 to 1.9.2 in the noble group (#1855)
• 208402e Merge pull request #1850
• 232da14 Tests: revert update to chai v5
• cabc91c Bump dev dependencies to latest versions
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by larabr, a new releaser for openpgp since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #41.