build(deps): bump rfc3161-client from 1.0.5 to 1.0.6 in /jobs/async-upload #2556

Merged: google-oss-prow[bot] merged 2 commits into main from dependabot/pip/jobs/async-upload/rfc3161-client-1.0.6 on Apr 10, 2026

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Apr 8, 2026

Bumps rfc3161-client from 1.0.5 to 1.0.6.

Release notes

Sourced from rfc3161-client's releases.

v1.0.6

[1.0.6] - 2026-04-08

Fixed

  • Fixed a bug where the verification incorrectly picked the leaf certificate. This allowed an attacker who could modify a timestamp response to make a legitimately-signed timestamp from TSA-A pass verification as if it came from TSA-B.

Changelog

Sourced from rfc3161-client's changelog.

[1.0.6] - 2026-04-08

Fixed

  • Fixed a bug where the verification incorrectly picked the leaf certificate. This allowed an attacker who could modify a timestamp response to make a legitimately-signed timestamp from TSA-A pass verification as if it came from TSA-B.

Commits
  • 4ca88c2 chore: prep for release 1.0.6 (#239)
  • 4f7d372 Merge commit from fork
  • f025816 build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 in the ac...
  • 4a7c081 build(deps): bump the actions group with 2 updates (#237)
  • 47afa26 build(deps): bump pygments from 2.19.2 to 2.20.0 (#236)
  • cd620c9 build(deps): bump cryptography from 46.0.5 to 46.0.6 (#235)
  • c137f9b build(deps): bump dawidd6/action-download-artifact from 16 to 19 in the actio...
  • 25240dd build(deps): bump astral-sh/setup-uv from 7.3.1 to 7.6.0 in the actions group...
  • f45dec4 build(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 in the action...
  • f7451e8 build(deps): bump github/codeql-action from 4.32.4 to 4.32.6 in the actions g...
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 8, 2026
@google-oss-prow google-oss-prow bot requested review from chambridge and fege April 8, 2026 15:04
@dependabot dependabot bot force-pushed the dependabot/pip/jobs/async-upload/rfc3161-client-1.0.6 branch from f1d3bba to 71f4b2a Compare April 10, 2026 11:14
@jonburdo
Member

@dependabot rebase

Bumps [rfc3161-client](https://github.com/trailofbits/rfc3161-client) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/trailofbits/rfc3161-client/releases)
- [Changelog](https://github.com/trailofbits/rfc3161-client/blob/main/CHANGELOG.md)
- [Commits](trailofbits/rfc3161-client@v1.0.5...v1.0.6)

---
updated-dependencies:
- dependency-name: rfc3161-client
  dependency-version: 1.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/jobs/async-upload/rfc3161-client-1.0.6 branch from 71f4b2a to 48921e5 Compare April 10, 2026 19:24
Signed-off-by: Jon Burdo <jon@jonburdo.com>
@jonburdo
Member

/lgtm
/approve

rfc3161-client is a transitive dependency through model-registry[signing] which enables signing and verification of models.

A micro/patch version bump

$ poetry show rfc3161-client
 name         : rfc3161-client 
 version      : 1.0.6          
 description  :                

dependencies
 - cryptography >=43

required by
 - sigstore requires >=1.0.3,<1.1.0

@google-oss-prow
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jonburdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 3f32b53 into main Apr 10, 2026
35 of 36 checks passed
@dependabot dependabot bot deleted the dependabot/pip/jobs/async-upload/rfc3161-client-1.0.6 branch April 10, 2026 22:07

Labels

approved Area/Jobs/Async-upload dependencies Pull requests that update a dependency file lgtm python Pull requests that update Python code size/M
