chore: bump deps

vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_config.go

@@ -37,7 +37,7 @@ func (conf *AEADConfig) Mode() AEADMode {
 
 // ChunkSizeByte returns the byte indicating the chunk size. The effective
 // chunk size is computed with the formula uint64(1) << (chunkSizeByte + 6)
-// limit to 16 = 4 MiB
+// limit chunkSizeByte to 16 which equals to 2^22 = 4 MiB
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (conf *AEADConfig) ChunkSizeByte() byte {
 	if conf == nil || conf.ChunkSize == 0 {
@@ -49,8 +49,8 @@ func (conf *AEADConfig) ChunkSizeByte() byte {
 	switch {
 	case exponent < 6:
 		exponent = 6
-	case exponent > 16:
-		exponent = 16
+	case exponent > 22:
+		exponent = 22
 	}
 
 	return byte(exponent - 6)

vendor/github.com/ProtonMail/go-crypto/openpgp/packet/compressed.go

@@ -98,6 +98,16 @@ func (c *Compressed) parse(r io.Reader) error {
 	return err
 }
 
+// LimitedBodyReader wraps the provided body reader with a limiter that restricts
+// the number of bytes read to the specified limit.
+// If limit is nil, the reader is unbounded.
+func (c *Compressed) LimitedBodyReader(limit *int64) io.Reader {
+	if limit == nil {
+		return c.Body
+	}
+	return &LimitReader{R: c.Body, N: *limit}
+}
+
 // compressedWriterCloser represents the serialized compression stream
 // header and the compressor. Its Close() method ensures that both the
 // compressor and serialized stream header are closed. Its Write()
@@ -159,3 +169,24 @@ func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *Compression
 
 	return
 }
+
+// LimitReader is an io.Reader that fails with MessageToLarge if read bytes exceed N.
+type LimitReader struct {
+	R io.Reader // underlying reader
+	N int64     // max bytes allowed
+}
+
+func (l *LimitReader) Read(p []byte) (int, error) {
+	if l.N <= 0 {
+		return 0, errors.ErrMessageTooLarge
+	}
+
+	n, err := l.R.Read(p)
+	l.N -= int64(n)
+
+	if err == nil && l.N <= 0 {
+		err = errors.ErrMessageTooLarge
+	}
+
+	return n, err
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go

@@ -178,6 +178,11 @@ type Config struct {
 	// When set to true, a key without flags is treated as if all flags are enabled.
 	// This behavior is consistent with GPG.
 	InsecureAllowAllKeyFlagsWhenMissing bool
+
+	// MaxDecompressedMessageSize specifies the maximum number of bytes that can be
+	// read from a compressed packet. This serves as an upper limit to prevent
+	// excessively large decompressed messages.
+	MaxDecompressedMessageSize *int64
 }
 
 func (c *Config) Random() io.Reader {
@@ -415,6 +420,13 @@ func (c *Config) AllowAllKeyFlagsWhenMissing() bool {
 	return c.InsecureAllowAllKeyFlagsWhenMissing
 }
 
+func (c *Config) DecompressedMessageSizeLimit() *int64 {
+	if c == nil {
+		return nil
+	}
+	return c.MaxDecompressedMessageSize
+}
+
 // BoolPointer is a helper function to set a boolean pointer in the Config.
 // e.g., config.CheckPacketSequence = BoolPointer(true)
 func BoolPointer(value bool) *bool {