chore(release): 4.4.0 (#1430)

Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 7.8.0 to 7.9.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v7.9.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/codeql-analysis.yml

@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.4
+      uses: actions/checkout@v4.1.5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.25.3
+      uses: github/codeql-action/init@v3.25.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.25.3
+      uses: github/codeql-action/autobuild@v3.25.4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.25.3
+      uses: github/codeql-action/analyze@v3.25.4

.github/workflows/main.yml

@@ -8,7 +8,7 @@ jobs:
         os: [macos-latest, windows-latest, ubuntu-latest, macos-latest-xlarge]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5
       - name: Install dependencies
         run: npm install
       - name: Lint
@@ -18,6 +18,7 @@ jobs:
       - name: Upload coverage to Codecov (script)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/script/coverage-final.json
           flags: script,${{ matrix.os }}
           name: codecov-script
@@ -26,6 +27,7 @@ jobs:
       - name: Upload coverage to Codecov (demo)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
           file: ./coverage/coverage-final.json
           flags: demo,${{ matrix.os }}
@@ -35,6 +37,7 @@ jobs:
       - name: Upload coverage to Codecov (version)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
           file: ./coverage/coverage-final.json
           flags: version,${{ matrix.os }}
@@ -48,7 +51,7 @@ jobs:
     container: node:18
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.4
+        uses: actions/checkout@v4.1.5
       - name: Install dependencies
         run: npm install
       - name: Lint

.github/workflows/scorecards-analysis.yml

@@ -24,12 +24,12 @@ jobs:
     
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.1.4 # v3.0.0
+        uses: actions/checkout@v4.1.5 # v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -56,6 +56,6 @@ jobs:
       
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.25.3 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.25.4 # v1.0.26
         with:
           sarif_file: results.sarif

dist/index.js

@@ -7047,444 +7047,6 @@ class Deprecation extends Error {
 exports.Deprecation = Deprecation;
 
 
-/***/ }),
-
-/***/ 40:
-/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
-
-/*!
- * node-gpg
- * Copyright(c) 2011 Nicholas Penree <drudge@conceited.net>
- * MIT Licensed
- */
-
-/**
- * Module dependencies.
- */
-var fs = __nccwpck_require__(7147);
-var spawnGPG = __nccwpck_require__(4228);
-var keyRegex = /^gpg: key (.*?):/;
-
-/**
- * Base `GPG` object.
- */
-var GPG = {
-
-  /**
-   * Raw call to gpg.
-   *
-   * @param  {String}   stdin  String to send to stdin.
-   * @param  {Array}    [args] Array of arguments.
-   * @param  {Function} [fn]   Callback.
-   * @api public
-   */
-  call: function(stdin, args, fn) {
-    spawnGPG(stdin, args, fn);
-  },
-
-  /**
-   * Raw streaming call to gpg. Reads from input file and writes to output file.
-   *
-   * @param  {String}   inputFileName  Name of input file.
-   * @param  {String}   outputFileName Name of output file.
-   * @param  {Array}    [args]         Array of arguments.
-   * @param  {Function} [fn]           Callback.
-   * @api public
-   */
-  callStreaming: function(inputFileName, outputFileName, args, fn) {
-    spawnGPG.streaming({source: inputFileName, dest: outputFileName}, args, fn);
-  },
-
-  /**
-   * Encrypt source file passed as `options.source` and store it in a file specified in `options.dest`.
-   *
-   * @param {Object}   options  Should contain 'source' and 'dest' keys.
-   * @param {Function} [fn]     Callback.
-   * @api public
-   */
-  encryptToFile: function (options, fn){
-    spawnGPG.streaming(options, ['--encrypt'], fn);
-  },
-
-  /**
-   * Encrypt source `file` and pass the encrypted contents to the callback `fn`.
-   *
-   * @param {String}   file   Filename.
-   * @param {Function} [fn]   Callback containing the encrypted file contents.
-   * @api public
-   */
-  encryptFile: function(file, fn){
-    var self = this;
-
-    fs.readFile(file, function(err, content){
-      if (err) return fn(err);
-      self.encrypt(content, fn);
-    });
-  },
-
-  /**
-   * Encrypt source stream passed as `options.source` and pass it to the stream specified in `options.dest`.
-   * Is basicaly the same method as `encryptToFile()`.
-   *
-   * @param {Object}   options  Should contain 'source' and 'dest' keys that are streams.
-   * @param {Function} [fn]     Callback.
-   * @api public
-   */
-  encryptToStream: function (options, fn){
-    spawnGPG.streaming(options, ['--encrypt'], fn);
-  },
-
-  /**
-   * Encrypt source `stream` and pass the encrypted contents to the callback `fn`.
-   *
-   * @param {ReadableStream} stream Stream to read from.
-   * @param {Array}          [args] Array of additonal gpg arguments.
-   * @param {Function}       [fn]   Callback containing the encrypted file contents.
-   * @api public
-   */
-  encryptStream: function (stream, args, fn){
-    var self   = this;
-    var chunks = [];
-
-    stream.on('data', function (chunk){
-      chunks.push(chunk);
-    });
-
-    stream.on('end', function (){
-      self.encrypt(Buffer.concat(chunks), args, fn);
-    });
-
-    stream.on('error', fn);
-  },
-
-  /**
-   * Encrypt `str` and pass the encrypted version to the callback `fn`.
-   *
-   * @param {String|Buffer}   str    String to encrypt.
-   * @param {Array}    [args] Array of additonal gpg arguments.
-   * @param {Function} [fn]   Callback containing the encrypted Buffer.
-   * @api public
-   */
-  encrypt: function(str, args, fn){
-    spawnGPG(str, ['--encrypt'], args, fn);
-  },
-
-  /**
-   * Decrypt `str` and pass the decrypted version to the callback `fn`.
-   *
-   * @param {String|Buffer} str    Data to decrypt.
-   * @param {Array}         [args] Array of additonal gpg arguments.
-   * @param {Function}      [fn]   Callback containing the decrypted Buffer.
-   * @api public
-   */
-  decrypt: function(str, args, fn){
-    spawnGPG(str, ['--decrypt'], args, fn);
-  },
-
-  /**
-   * Decrypt source `file` and pass the decrypted contents to the callback `fn`.
-   *
-   * @param {String}   file Filename.
-   * @param {Function} fn   Callback containing the decrypted file contents.
-   * @api public
-   */
-  decryptFile: function(file, fn){
-    var self = this;
-
-    fs.readFile(file, function(err, content){
-      if (err) return fn(err);
-      self.decrypt(content, fn);
-    });
-  },
-
-  /**
-   * Decrypt source file passed as `options.source` and store it in a file specified in `options.dest`.
-   *
-   * @param {Object}   options  Should contain 'source' and 'dest' keys.
-   * @param {Function} fn       Callback
-   * @api public
-   */
-  decryptToFile: function (options, fn){
-    spawnGPG.streaming(options, ['--decrypt'], fn);
-  },
-
-  /**
-   * Decrypt source `stream` and pass the decrypted contents to the callback `fn`.
-   *
-   * @param {ReadableStream} stream Stream to read from.
-   * @param {Array}          [args] Array of additonal gpg arguments.
-   * @param {Function}       [fn]   Callback containing the decrypted file contents.
-   * @api public
-   */
-  decryptStream: function(stream, args, fn){
-    var self   = this;
-    var chunks = [];
-
-    stream.on('data', function (chunk){
-      chunks.push(chunk);
-    });
-
-    stream.on('end', function (){
-      self.decrypt(Buffer.concat(chunks), args, fn);
-    });
-
-    stream.on('error', fn);
-  },
-
-  /**
-   * Decrypt source stream passed as `options.source` and pass it to the stream specified in `options.dest`.
-   * This is basicaly the same method as `decryptToFile()`.
-   *
-   * @param {Object}   options  Should contain 'source' and 'dest' keys that are streams.
-   * @param {Function} fn       Callback
-   * @api public
-   */
-  decryptToStream: function (options, fn){
-    spawnGPG.streaming(options, ['--decrypt'], fn);
-  },
-
-  /**
-   * Clearsign `str` and pass the signed message to the callback `fn`.
-   *
-   * @param {String|Buffer} str  String to clearsign.
-   * @param {Array}         [args] Array of additonal gpg arguments.
-   * @param {Function}      fn   Callback containing the signed message Buffer.
-   * @api public
-   */
-  clearsign: function(str, args, fn){
-    spawnGPG(str, ['--clearsign'], args, fn);
-  },
-
-  /**
-   * Verify `str` and pass the output to the callback `fn`.
-   *
-   * @param {String|Buffer} str    Signature to verify.
-   * @param {Array}         [args] Array of additonal gpg arguments.
-   * @param {Function}      [fn]   Callback containing the signed message Buffer.
-   * @api public
-   */
-  verifySignature: function(str, args, fn){
-    // Set logger fd, verify otherwise outputs to stderr for whatever reason
-    var defaultArgs = ['--logger-fd', '1', '--verify'];
-    spawnGPG(str, defaultArgs, args, fn);
-  },
-
-  /**
-   * Add a key to the keychain by filename.
-   *
-   * @param {String}  fileName  Key filename.
-   * @param {Array}   [args]    Array of additonal gpg arguments.
-   * @param {Function} [fn]     Callback containing the signed message Buffer.
-   * @api public
-   */
-  importKeyFromFile: function(fileName, args, fn){
-    if (typeof args === 'function') {
-      fn = args;
-      args = [];
-    }
-
-    var self = this;
-
-    fs.readFile(fileName, function(readErr, str) {
-      if (readErr) return fn(readErr);
-      self.importKey(str, args, fn);
-    });
-  },
-
-  /**
-   * Add an ascii-armored key to gpg. Expects the key to be passed as input.
-   *
-   * @param {String}   keyStr  Key string (armored).
-   * @param {Array}    args    Optional additional arguments to pass to gpg.
-   * @param {Function} fn      Callback containing the signed message Buffer.
-   * @api public
-   */
-  importKey: function(keyStr, args, fn){
-    if (typeof args === 'function') {
-      fn = args;
-      args = [];
-    }
-
-    // Set logger fd, verify otherwise outputs to stderr for whatever reason
-    var defaultArgs = ['--logger-fd', '1', '--import'];
-
-    spawnGPG(keyStr, defaultArgs, args, function(importError, result) {
-      if (importError) {
-        // Ignorable errors
-        if (/already in secret keyring/.test(importError.message)) {
-          result = importError.message;
-        } else {
-          return fn(importError);
-        }
-      }
-      // Grab key fingerprint and send it back as second arg
-      var match = result.toString().match(keyRegex);
-      fn(null, result.toString(), match && match[1]);
-    });
-  },
-
-  /**
-   * Removes a key by fingerprint. Warning: this will remove both pub and privkeys!
-   *
-   * @param {String}   keyID  Key fingerprint.
-   * @param {Array}    [args] Array of additonal gpg arguments.
-   * @param {Function} fn     Callback containing the signed message Buffer.
-   * @api public
-   */
-  removeKey: function(keyID, args, fn){
-    // Set logger fd, verify otherwise outputs to stderr for whatever reason
-    var defaultArgs = ['--logger-fd', '1', '--delete-secret-and-public-key'];
-    spawnGPG(keyID, defaultArgs, args, fn);
-  }
-
-};
-
-/**
- * Expose `GPG` object.
- */
-module.exports = GPG;
-
-
-/***/ }),
-
-/***/ 4228:
-/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
-
-"use strict";
-
-
-var spawn = (__nccwpck_require__(2081).spawn);
-var globalArgs = ['--batch'];
-var readStream = (__nccwpck_require__(7147).createReadStream);
-var writeStream = (__nccwpck_require__(7147).createWriteStream);
-
-/**
- * Wrapper around spawning GPG. Handles stdout, stderr, and default args.
- *
- * @param  {String}   input       Input string. Piped to stdin.
- * @param  {Array}    defaultArgs Default arguments for this task.
- * @param  {Array}    args        Arguments to pass to GPG when spawned.
- * @param  {Function} cb          Callback.
- */
-module.exports = function(input, defaultArgs, args, cb) {
-  // Allow calling with (input, defaults, cb)
-  if (typeof args === 'function'){
-    cb = args;
-    args = [];
-  }
-
-  cb = once(cb);
-
-  var gpgArgs = (args || []).concat(defaultArgs);
-  var buffers = [];
-  var buffersLength = 0;
-  var error = '';
-  var gpg = spawnIt(gpgArgs, cb);
-
-  gpg.stdout.on('data', function (buf){
-    buffers.push(buf);
-    buffersLength += buf.length;
-  });
-
-  gpg.stderr.on('data', function(buf){
-    error += buf.toString('utf8');
-  });
-
-  gpg.on('close', function(code){
-    var msg = Buffer.concat(buffers, buffersLength);
-    if (code !== 0) {
-      // If error is empty, we probably redirected stderr to stdout (for verifySignature, import, etc)
-      return cb(new Error(error || msg));
-    }
-
-    cb(null, msg, error);
-  });
-
-  gpg.stdin.end(input);
-};
-
-/**
- * Similar to spawnGPG, but sets up a read/write pipe to/from a stream.
- *
- * @param  {Object}   options Options. Should have source and dest strings or streams.
- * @param  {Array}    args    GPG args.
- * @param  {Function} cb      Callback
- */
-module.exports.streaming = function(options, args, cb) {
-  cb = once(cb);
-  options = options || {};
-
-  var isSourceStream = isStream(options.source);
-  var isDestStream   = isStream(options.dest);
-
-  if (typeof options.source !== 'string' && !isSourceStream){
-    return cb(new Error('Missing \'source\' option (string or stream)'));
-  } else if (typeof options.dest !== 'string' && !isDestStream){
-    return cb(new Error('Missing \'dest\' option (string or stream)'));
-  }
-
-  var sourceStream;
-  if (!isSourceStream) {
-    // This will throw if the file doesn't exist
-    try {
-      sourceStream = readStream(options.source);
-    } catch(e) {
-      return cb(new Error(options.source + ' does not exist. Error: ' + e.message));
-    }
-  } else {
-    sourceStream = options.source;
-  }
-
-  var destStream;
-  if (!isDestStream) {
-    try {
-      destStream = writeStream(options.dest);
-    } catch(e) {
-      return cb(new Error('Error opening ' + options.dest + '. Error: ' + e.message));
-    }
-  } else {
-    destStream = options.dest;
-  }
-
-  // Go for it
-  var gpg = spawnIt(args, cb);
-
-  if (!isDestStream) {
-    gpg.on('close', function (code){
-      cb(null);
-    });
-  } else {
-    cb(null, destStream);
-  }
-
-  // Pipe input file into gpg stdin; gpg stdout into output file..
-  sourceStream.pipe(gpg.stdin);
-  gpg.stdout.pipe(destStream);
-};
-
-// Wrapper around spawn. Catches error events and passed global args.
-function spawnIt(args, fn) {
-  var gpg = spawn('gpg', globalArgs.concat(args || []) );
-  gpg.on('error', fn);
-  return gpg;
-}
-
-// Ensures a callback is only ever called once.
-function once(fn) {
-  var called = false;
-  return function() {
-    if (called) return;
-    called = true;
-    fn.apply(this, arguments);
-  };
-}
-
-// Check if input is stream with duck typing
-function isStream (stream) {
-  return stream != null && typeof stream === 'object' && typeof stream.pipe === 'function';
-};
-
-
 /***/ }),
 
 /***/ 3287:
@@ -14194,6 +13756,132 @@ function onConnectTimeout (socket) {
 module.exports = buildConnector
 
 
+/***/ }),
+
+/***/ 4462:
+/***/ ((module) => {
+
+"use strict";
+
+
+/** @type {Record<string, string | undefined>} */
+const headerNameLowerCasedRecord = {}
+
+// https://developer.mozilla.org/docs/Web/HTTP/Headers
+const wellknownHeaderNames = [
+  'Accept',
+  'Accept-Encoding',
+  'Accept-Language',
+  'Accept-Ranges',
+  'Access-Control-Allow-Credentials',
+  'Access-Control-Allow-Headers',
+  'Access-Control-Allow-Methods',
+  'Access-Control-Allow-Origin',
+  'Access-Control-Expose-Headers',
+  'Access-Control-Max-Age',
+  'Access-Control-Request-Headers',
+  'Access-Control-Request-Method',
+  'Age',
+  'Allow',
+  'Alt-Svc',
+  'Alt-Used',
+  'Authorization',
+  'Cache-Control',
+  'Clear-Site-Data',
+  'Connection',
+  'Content-Disposition',
+  'Content-Encoding',
+  'Content-Language',
+  'Content-Length',
+  'Content-Location',
+  'Content-Range',
+  'Content-Security-Policy',
+  'Content-Security-Policy-Report-Only',
+  'Content-Type',
+  'Cookie',
+  'Cross-Origin-Embedder-Policy',
+  'Cross-Origin-Opener-Policy',
+  'Cross-Origin-Resource-Policy',
+  'Date',
+  'Device-Memory',
+  'Downlink',
+  'ECT',
+  'ETag',
+  'Expect',
+  'Expect-CT',
+  'Expires',
+  'Forwarded',
+  'From',
+  'Host',
+  'If-Match',
+  'If-Modified-Since',
+  'If-None-Match',
+  'If-Range',
+  'If-Unmodified-Since',
+  'Keep-Alive',
+  'Last-Modified',
+  'Link',
+  'Location',
+  'Max-Forwards',
+  'Origin',
+  'Permissions-Policy',
+  'Pragma',
+  'Proxy-Authenticate',
+  'Proxy-Authorization',
+  'RTT',
+  'Range',
+  'Referer',
+  'Referrer-Policy',
+  'Refresh',
+  'Retry-After',
+  'Sec-WebSocket-Accept',
+  'Sec-WebSocket-Extensions',
+  'Sec-WebSocket-Key',
+  'Sec-WebSocket-Protocol',
+  'Sec-WebSocket-Version',
+  'Server',
+  'Server-Timing',
+  'Service-Worker-Allowed',
+  'Service-Worker-Navigation-Preload',
+  'Set-Cookie',
+  'SourceMap',
+  'Strict-Transport-Security',
+  'Supports-Loading-Mode',
+  'TE',
+  'Timing-Allow-Origin',
+  'Trailer',
+  'Transfer-Encoding',
+  'Upgrade',
+  'Upgrade-Insecure-Requests',
+  'User-Agent',
+  'Vary',
+  'Via',
+  'WWW-Authenticate',
+  'X-Content-Type-Options',
+  'X-DNS-Prefetch-Control',
+  'X-Frame-Options',
+  'X-Permitted-Cross-Domain-Policies',
+  'X-Powered-By',
+  'X-Requested-With',
+  'X-XSS-Protection'
+]
+
+for (let i = 0; i < wellknownHeaderNames.length; ++i) {
+  const key = wellknownHeaderNames[i]
+  const lowerCasedKey = key.toLowerCase()
+  headerNameLowerCasedRecord[key] = headerNameLowerCasedRecord[lowerCasedKey] =
+    lowerCasedKey
+}
+
+// Note: object prototypes should not be able to be referenced. e.g. `Object#hasOwnProperty`.
+Object.setPrototypeOf(headerNameLowerCasedRecord, null)
+
+module.exports = {
+  wellknownHeaderNames,
+  headerNameLowerCasedRecord
+}
+
+
 /***/ }),
 
 /***/ 8045:
@@ -15026,6 +14714,7 @@ const { InvalidArgumentError } = __nccwpck_require__(8045)
 const { Blob } = __nccwpck_require__(4300)
 const nodeUtil = __nccwpck_require__(3837)
 const { stringify } = __nccwpck_require__(3477)
+const { headerNameLowerCasedRecord } = __nccwpck_require__(4462)
 
 const [nodeMajor, nodeMinor] = process.versions.node.split('.').map(v => Number(v))
 
@@ -15235,6 +14924,15 @@ function parseKeepAliveTimeout (val) {
   return m ? parseInt(m[1], 10) * 1000 : null
 }
 
+/**
+ * Retrieves a header name and returns its lowercase value.
+ * @param {string | Buffer} value Header name
+ * @returns {string}
+ */
+function headerNameToString (value) {
+  return headerNameLowerCasedRecord[value] || value.toLowerCase()
+}
+
 function parseHeaders (headers, obj = {}) {
   // For H2 support
   if (!Array.isArray(headers)) return headers
@@ -15506,6 +15204,7 @@ module.exports = {
   isIterable,
   isAsyncIterable,
   isDestroyed,
+  headerNameToString,
   parseRawHeaders,
   parseHeaders,
   parseKeepAliveTimeout,
@@ -22153,14 +21852,18 @@ const { isBlobLike, toUSVString, ReadableStreamFrom } = __nccwpck_require__(3983
 const assert = __nccwpck_require__(9491)
 const { isUint8Array } = __nccwpck_require__(9830)
 
+let supportedHashes = []
+
 // https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable
 /** @type {import('crypto')|undefined} */
 let crypto
 
 try {
   crypto = __nccwpck_require__(6113)
+  const possibleRelevantHashes = ['sha256', 'sha384', 'sha512']
+  supportedHashes = crypto.getHashes().filter((hash) => possibleRelevantHashes.includes(hash))
+/* c8 ignore next 3 */
 } catch {
-
 }
 
 function responseURL (response) {
@@ -22688,66 +22391,56 @@ function bytesMatch (bytes, metadataList) {
     return true
   }
 
-  // 3. If parsedMetadata is the empty set, return true.
+  // 3. If response is not eligible for integrity validation, return false.
+  // TODO
+
+  // 4. If parsedMetadata is the empty set, return true.
   if (parsedMetadata.length === 0) {
     return true
   }
 
-  // 4. Let metadata be the result of getting the strongest
+  // 5. Let metadata be the result of getting the strongest
   //    metadata from parsedMetadata.
-  const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo))
-  // get the strongest algorithm
-  const strongest = list[0].algo
-  // get all entries that use the strongest algorithm; ignore weaker
-  const metadata = list.filter((item) => item.algo === strongest)
+  const strongest = getStrongestMetadata(parsedMetadata)
+  const metadata = filterMetadataListByAlgorithm(parsedMetadata, strongest)
 
-  // 5. For each item in metadata:
+  // 6. For each item in metadata:
   for (const item of metadata) {
     // 1. Let algorithm be the alg component of item.
     const algorithm = item.algo
 
     // 2. Let expectedValue be the val component of item.
-    let expectedValue = item.hash
+    const expectedValue = item.hash
 
     // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e
     // "be liberal with padding". This is annoying, and it's not even in the spec.
 
-    if (expectedValue.endsWith('==')) {
-      expectedValue = expectedValue.slice(0, -2)
-    }
-
     // 3. Let actualValue be the result of applying algorithm to bytes.
     let actualValue = crypto.createHash(algorithm).update(bytes).digest('base64')
 
-    if (actualValue.endsWith('==')) {
+    if (actualValue[actualValue.length - 1] === '=') {
+      if (actualValue[actualValue.length - 2] === '=') {
         actualValue = actualValue.slice(0, -2)
+      } else {
+        actualValue = actualValue.slice(0, -1)
+      }
     }
 
     // 4. If actualValue is a case-sensitive match for expectedValue,
     //    return true.
-    if (actualValue === expectedValue) {
-      return true
-    }
-
-    let actualBase64URL = crypto.createHash(algorithm).update(bytes).digest('base64url')
-
-    if (actualBase64URL.endsWith('==')) {
-      actualBase64URL = actualBase64URL.slice(0, -2)
-    }
-
-    if (actualBase64URL === expectedValue) {
+    if (compareBase64Mixed(actualValue, expectedValue)) {
       return true
     }
   }
 
-  // 6. Return false.
+  // 7. Return false.
   return false
 }
 
 // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options
 // https://www.w3.org/TR/CSP2/#source-list-syntax
 // https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
-const parseHashWithOptions = /((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i
+const parseHashWithOptions = /(?<algo>sha256|sha384|sha512)-((?<hash>[A-Za-z0-9+/]+|[A-Za-z0-9_-]+)={0,2}(?:\s|$)( +[!-~]*)?)?/i
 
 /**
  * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
@@ -22761,8 +22454,6 @@ function parseMetadata (metadata) {
   // 2. Let empty be equal to true.
   let empty = true
 
-  const supportedHashes = crypto.getHashes()
-
   // 3. For each token returned by splitting metadata on spaces:
   for (const token of metadata.split(' ')) {
     // 1. Set empty to false.
@@ -22772,7 +22463,11 @@ function parseMetadata (metadata) {
     const parsedToken = parseHashWithOptions.exec(token)
 
     // 3. If token does not parse, continue to the next token.
-    if (parsedToken === null || parsedToken.groups === undefined) {
+    if (
+      parsedToken === null ||
+      parsedToken.groups === undefined ||
+      parsedToken.groups.algo === undefined
+    ) {
       // Note: Chromium blocks the request at this point, but Firefox
       // gives a warning that an invalid integrity was given. The
       // correct behavior is to ignore these, and subsequently not
@@ -22781,11 +22476,11 @@ function parseMetadata (metadata) {
     }
 
     // 4. Let algorithm be the hash-algo component of token.
-    const algorithm = parsedToken.groups.algo
+    const algorithm = parsedToken.groups.algo.toLowerCase()
 
     // 5. If algorithm is a hash function recognized by the user
     //    agent, add the parsed token to result.
-    if (supportedHashes.includes(algorithm.toLowerCase())) {
+    if (supportedHashes.includes(algorithm)) {
       result.push(parsedToken.groups)
     }
   }
@@ -22798,6 +22493,82 @@ function parseMetadata (metadata) {
   return result
 }
 
+/**
+ * @param {{ algo: 'sha256' | 'sha384' | 'sha512' }[]} metadataList
+ */
+function getStrongestMetadata (metadataList) {
+  // Let algorithm be the algo component of the first item in metadataList.
+  // Can be sha256
+  let algorithm = metadataList[0].algo
+  // If the algorithm is sha512, then it is the strongest
+  // and we can return immediately
+  if (algorithm[3] === '5') {
+    return algorithm
+  }
+
+  for (let i = 1; i < metadataList.length; ++i) {
+    const metadata = metadataList[i]
+    // If the algorithm is sha512, then it is the strongest
+    // and we can break the loop immediately
+    if (metadata.algo[3] === '5') {
+      algorithm = 'sha512'
+      break
+    // If the algorithm is sha384, then a potential sha256 or sha384 is ignored
+    } else if (algorithm[3] === '3') {
+      continue
+    // algorithm is sha256, check if algorithm is sha384 and if so, set it as
+    // the strongest
+    } else if (metadata.algo[3] === '3') {
+      algorithm = 'sha384'
+    }
+  }
+  return algorithm
+}
+
+function filterMetadataListByAlgorithm (metadataList, algorithm) {
+  if (metadataList.length === 1) {
+    return metadataList
+  }
+
+  let pos = 0
+  for (let i = 0; i < metadataList.length; ++i) {
+    if (metadataList[i].algo === algorithm) {
+      metadataList[pos++] = metadataList[i]
+    }
+  }
+
+  metadataList.length = pos
+
+  return metadataList
+}
+
+/**
+ * Compares two base64 strings, allowing for base64url
+ * in the second string.
+ *
+* @param {string} actualValue always base64
+ * @param {string} expectedValue base64 or base64url
+ * @returns {boolean}
+ */
+function compareBase64Mixed (actualValue, expectedValue) {
+  if (actualValue.length !== expectedValue.length) {
+    return false
+  }
+  for (let i = 0; i < actualValue.length; ++i) {
+    if (actualValue[i] !== expectedValue[i]) {
+      if (
+        (actualValue[i] === '+' && expectedValue[i] === '-') ||
+        (actualValue[i] === '/' && expectedValue[i] === '_')
+      ) {
+        continue
+      }
+      return false
+    }
+  }
+
+  return true
+}
+
 // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request
 function tryUpgradeRequestToAPotentiallyTrustworthyURL (request) {
   // TODO
@@ -23213,7 +22984,8 @@ module.exports = {
   urlHasHttpsScheme,
   urlIsHttpHttpsScheme,
   readAllBytes,
-  normalizeMethodRecord
+  normalizeMethodRecord,
+  parseMetadata
 }
 
 
@@ -25300,12 +25072,17 @@ function parseLocation (statusCode, headers) {
 
 // https://tools.ietf.org/html/rfc7231#section-6.4.4
 function shouldRemoveHeader (header, removeContent, unknownOrigin) {
-  return (
-    (header.length === 4 && header.toString().toLowerCase() === 'host') ||
-    (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
-    (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
-    (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
-  )
+  if (header.length === 4) {
+    return util.headerNameToString(header) === 'host'
+  }
+  if (removeContent && util.headerNameToString(header).startsWith('content-')) {
+    return true
+  }
+  if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) {
+    const name = util.headerNameToString(header)
+    return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization'
+  }
+  return false
 }
 
 // https://tools.ietf.org/html/rfc7231#section-6.4
@@ -32562,7 +32339,7 @@ const getGitService = () => {
     }
     return 'github';
 };
-const isFork = () => {
+const isPullRequestFromFork = () => {
     if (`${context.eventName}` !== 'pull_request' ||
         `${context.eventName}` !== 'pull_request_target') {
         return false;
@@ -32573,7 +32350,7 @@ const isFork = () => {
     return (baseLabel.split(':')[0] !== headLabel.split(':')[0]);
 };
 const getToken = () => buildExec_awaiter(void 0, void 0, void 0, function* () {
-    if (isFork()) {
+    if (isPullRequestFromFork()) {
         core.info('==> Fork detected, tokenless uploading used');
         return Promise.resolve('');
     }
@@ -32877,10 +32654,10 @@ const buildUploadExec = () => buildExec_awaiter(void 0, void 0, void 0, function
 });
 
 
+;// CONCATENATED MODULE: external "node:child_process"
+const external_node_child_process_namespaceObject = require("node:child_process");
 ;// CONCATENATED MODULE: external "node:crypto"
 const external_node_crypto_namespaceObject = require("node:crypto");
-// EXTERNAL MODULE: ./node_modules/gpg/lib/gpg.js
-var gpg = __nccwpck_require__(40);
 // EXTERNAL MODULE: ./node_modules/undici/index.js
 var undici = __nccwpck_require__(1773);
 ;// CONCATENATED MODULE: ./src/validate.ts
@@ -32936,35 +32713,41 @@ const verify = (filename, platform, version, verbose, failCi) => validate_awaite
                     `uploader hash: ${hash}, public hash: ${shasum}`, failCi);
             }
         });
-        const verifySignature = () => {
-            gpg.call('', [
+        const verifySignature = () => validate_awaiter(void 0, void 0, void 0, function* () {
+            const command = [
+                'gpg',
                 '--logger-fd',
                 '1',
                 '--verify',
                 external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
                 external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM`),
-            ], (err, verifyResult) => validate_awaiter(void 0, void 0, void 0, function* () {
-                if (err) {
-                    setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
+            ].join(' ');
+            try {
+                yield (0,external_node_child_process_namespaceObject.execSync)(command, { stdio: 'inherit' });
             }
-                core.info(verifyResult);
-                yield validateSha();
-            }));
-        };
-        // Import gpg key
-        gpg.call('', [
+            catch (err) {
+                setFailure(`Codecov: Error verifying gpg signature: ${err.message}`, failCi);
+            }
+        });
+        const importKey = () => validate_awaiter(void 0, void 0, void 0, function* () {
+            const command = [
+                'gpg',
                 '--logger-fd',
                 '1',
                 '--no-default-keyring',
                 '--import',
                 external_node_path_namespaceObject.join(__dirname, 'pgp_keys.asc'),
-        ], (err, importResult) => validate_awaiter(void 0, void 0, void 0, function* () {
-            if (err) {
-                setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
+            ].join(' ');
+            try {
+                yield (0,external_node_child_process_namespaceObject.execSync)(command, { stdio: 'inherit' });
             }
-            core.info(importResult);
-            verifySignature();
-        }));
+            catch (err) {
+                setFailure(`Codecov: Error importing gpg key: ${err.message}`, failCi);
+            }
+        });
+        yield importKey();
+        yield verifySignature();
+        yield validateSha();
     }
     catch (err) {
         setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);

package-lock.json

@@ -1,24 +1,23 @@
 {
   "name": "codecov-action",
-  "version": "4.3.1",
+  "version": "4.4.0",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "codecov-action",
-      "version": "4.3.1",
+      "version": "4.4.0",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/exec": "^1.1.1",
         "@actions/github": "^6.0.0",
-        "gpg": "^0.6.0",
         "undici": "5.28.4"
       },
       "devDependencies": {
         "@types/jest": "^29.5.12",
         "@typescript-eslint/eslint-plugin": "^7.8.0",
-        "@typescript-eslint/parser": "^7.8.0",
+        "@typescript-eslint/parser": "^7.9.0",
         "@vercel/ncc": "^0.38.1",
         "eslint": "^8.57.0",
         "eslint-config-google": "^0.14.0",
@@ -1619,15 +1618,15 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "7.8.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.8.0.tgz",
-      "integrity": "sha512-KgKQly1pv0l4ltcftP59uQZCi4HUYswCLbTqVZEJu7uLX8CTLyswqMLqLN+2QFz4jCptqWVV4SB7vdxcH2+0kQ==",
+      "version": "7.9.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.9.0.tgz",
+      "integrity": "sha512-qHMJfkL5qvgQB2aLvhUSXxbK7OLnDkwPzFalg458pxQgfxKDfT1ZDbHQM/I6mDIf/svlMkj21kzKuQ2ixJlatQ==",
       "dev": true,
       "dependencies": {
-        "@typescript-eslint/scope-manager": "7.8.0",
-        "@typescript-eslint/types": "7.8.0",
-        "@typescript-eslint/typescript-estree": "7.8.0",
-        "@typescript-eslint/visitor-keys": "7.8.0",
+        "@typescript-eslint/scope-manager": "7.9.0",
+        "@typescript-eslint/types": "7.9.0",
+        "@typescript-eslint/typescript-estree": "7.9.0",
+        "@typescript-eslint/visitor-keys": "7.9.0",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -1646,6 +1645,105 @@
         }
       }
     },
+    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
+      "version": "7.9.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-7.9.0.tgz",
+      "integrity": "sha512-ZwPK4DeCDxr3GJltRz5iZejPFAAr4Wk3+2WIBaj1L5PYK5RgxExu/Y68FFVclN0y6GGwH8q+KgKRCvaTmFBbgQ==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/types": "7.9.0",
+        "@typescript-eslint/visitor-keys": "7.9.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || >=20.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
+      "version": "7.9.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-7.9.0.tgz",
+      "integrity": "sha512-oZQD9HEWQanl9UfsbGVcZ2cGaR0YT5476xfWE0oE5kQa2sNK2frxOlkeacLOTh9po4AlUT5rtkGyYM5kew0z5w==",
+      "dev": true,
+      "engines": {
+        "node": "^18.18.0 || >=20.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
+      "version": "7.9.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-7.9.0.tgz",
+      "integrity": "sha512-zBCMCkrb2YjpKV3LA0ZJubtKCDxLttxfdGmwZvTqqWevUPN0FZvSI26FalGFFUZU/9YQK/A4xcQF9o/VVaCKAg==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/types": "7.9.0",
+        "@typescript-eslint/visitor-keys": "7.9.0",
+        "debug": "^4.3.4",
+        "globby": "^11.1.0",
+        "is-glob": "^4.0.3",
+        "minimatch": "^9.0.4",
+        "semver": "^7.6.0",
+        "ts-api-utils": "^1.3.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || >=20.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependenciesMeta": {
+        "typescript": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
+      "version": "7.9.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-7.9.0.tgz",
+      "integrity": "sha512-iESPx2TNLDNGQLyjKhUvIKprlP49XNEK+MvIf9nIO7ZZaZdbnfWKHnXAgufpxqfA0YryH8XToi4+CjBgVnFTSQ==",
+      "dev": true,
+      "dependencies": {
+        "@typescript-eslint/types": "7.9.0",
+        "eslint-visitor-keys": "^3.4.3"
+      },
+      "engines": {
+        "node": "^18.18.0 || >=20.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/parser/node_modules/brace-expansion": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "dev": true,
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/@typescript-eslint/parser/node_modules/minimatch": {
+      "version": "9.0.4",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz",
+      "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==",
+      "dev": true,
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/@typescript-eslint/scope-manager": {
       "version": "7.8.0",
       "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-7.8.0.tgz",
@@ -2932,14 +3030,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/gpg": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/gpg/-/gpg-0.6.0.tgz",
-      "integrity": "sha512-u0BpbalUehzMbaMxtzRAFn/gMmtnaVo2Y0yCp7X6csPnumyaDrXF4uvEWPhj3b1sqrblvKvNEXFSfOQrvGEiQw==",
-      "engines": {
-        "node": ">= 0.10.0"
-      }
-    },
     "node_modules/graceful-fs": {
       "version": "4.2.11",
       "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
@@ -6348,16 +6438,78 @@
       }
     },
     "@typescript-eslint/parser": {
-      "version": "7.8.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.8.0.tgz",
-      "integrity": "sha512-KgKQly1pv0l4ltcftP59uQZCi4HUYswCLbTqVZEJu7uLX8CTLyswqMLqLN+2QFz4jCptqWVV4SB7vdxcH2+0kQ==",
+      "version": "7.9.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.9.0.tgz",
+      "integrity": "sha512-qHMJfkL5qvgQB2aLvhUSXxbK7OLnDkwPzFalg458pxQgfxKDfT1ZDbHQM/I6mDIf/svlMkj21kzKuQ2ixJlatQ==",
       "dev": true,
       "requires": {
-        "@typescript-eslint/scope-manager": "7.8.0",
-        "@typescript-eslint/types": "7.8.0",
-        "@typescript-eslint/typescript-estree": "7.8.0",
-        "@typescript-eslint/visitor-keys": "7.8.0",
+        "@typescript-eslint/scope-manager": "7.9.0",
+        "@typescript-eslint/types": "7.9.0",
+        "@typescript-eslint/typescript-estree": "7.9.0",
+        "@typescript-eslint/visitor-keys": "7.9.0",
         "debug": "^4.3.4"
+      },
+      "dependencies": {
+        "@typescript-eslint/scope-manager": {
+          "version": "7.9.0",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-7.9.0.tgz",
+          "integrity": "sha512-ZwPK4DeCDxr3GJltRz5iZejPFAAr4Wk3+2WIBaj1L5PYK5RgxExu/Y68FFVclN0y6GGwH8q+KgKRCvaTmFBbgQ==",
+          "dev": true,
+          "requires": {
+            "@typescript-eslint/types": "7.9.0",
+            "@typescript-eslint/visitor-keys": "7.9.0"
+          }
+        },
+        "@typescript-eslint/types": {
+          "version": "7.9.0",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-7.9.0.tgz",
+          "integrity": "sha512-oZQD9HEWQanl9UfsbGVcZ2cGaR0YT5476xfWE0oE5kQa2sNK2frxOlkeacLOTh9po4AlUT5rtkGyYM5kew0z5w==",
+          "dev": true
+        },
+        "@typescript-eslint/typescript-estree": {
+          "version": "7.9.0",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-7.9.0.tgz",
+          "integrity": "sha512-zBCMCkrb2YjpKV3LA0ZJubtKCDxLttxfdGmwZvTqqWevUPN0FZvSI26FalGFFUZU/9YQK/A4xcQF9o/VVaCKAg==",
+          "dev": true,
+          "requires": {
+            "@typescript-eslint/types": "7.9.0",
+            "@typescript-eslint/visitor-keys": "7.9.0",
+            "debug": "^4.3.4",
+            "globby": "^11.1.0",
+            "is-glob": "^4.0.3",
+            "minimatch": "^9.0.4",
+            "semver": "^7.6.0",
+            "ts-api-utils": "^1.3.0"
+          }
+        },
+        "@typescript-eslint/visitor-keys": {
+          "version": "7.9.0",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-7.9.0.tgz",
+          "integrity": "sha512-iESPx2TNLDNGQLyjKhUvIKprlP49XNEK+MvIf9nIO7ZZaZdbnfWKHnXAgufpxqfA0YryH8XToi4+CjBgVnFTSQ==",
+          "dev": true,
+          "requires": {
+            "@typescript-eslint/types": "7.9.0",
+            "eslint-visitor-keys": "^3.4.3"
+          }
+        },
+        "brace-expansion": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+          "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+          "dev": true,
+          "requires": {
+            "balanced-match": "^1.0.0"
+          }
+        },
+        "minimatch": {
+          "version": "9.0.4",
+          "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz",
+          "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==",
+          "dev": true,
+          "requires": {
+            "brace-expansion": "^2.0.1"
+          }
+        }
       }
     },
     "@typescript-eslint/scope-manager": {
@@ -7266,11 +7418,6 @@
         "slash": "^3.0.0"
       }
     },
-    "gpg": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/gpg/-/gpg-0.6.0.tgz",
-      "integrity": "sha512-u0BpbalUehzMbaMxtzRAFn/gMmtnaVo2Y0yCp7X6csPnumyaDrXF4uvEWPhj3b1sqrblvKvNEXFSfOQrvGEiQw=="
-    },
     "graceful-fs": {
       "version": "4.2.11",
       "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codecov-action",
-  "version": "4.3.1",
+  "version": "4.4.0",
   "description": "Upload coverage reports to Codecov from GitHub Actions",
   "main": "index.js",
   "scripts": {
@@ -26,13 +26,12 @@
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^6.0.0",
-    "gpg": "^0.6.0",
     "undici": "5.28.4"
   },
   "devDependencies": {
     "@types/jest": "^29.5.12",
     "@typescript-eslint/eslint-plugin": "^7.8.0",
-    "@typescript-eslint/parser": "^7.8.0",
+    "@typescript-eslint/parser": "^7.9.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
     "eslint-config-google": "^0.14.0",

src/buildExec.ts

@@ -29,7 +29,7 @@ const getGitService = (): string => {
   return 'github';
 };
 
-const isFork = (): boolean => {
+const isPullRequestFromFork = (): boolean => {
   if (
     `${context.eventName}` !== 'pull_request' ||
     `${context.eventName}` !== 'pull_request_target'
@@ -45,7 +45,7 @@ const isFork = (): boolean => {
 };
 
 const getToken = async (): Promise<string> => {
-  if (isFork()) {
+  if (isPullRequestFromFork()) {
     core.info('==> Fork detected, tokenless uploading used');
     return Promise.resolve('');
   }

src/validate.ts

@@ -1,7 +1,7 @@
+import {execSync} from 'node:child_process';
 import * as crypto from 'node:crypto';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
-import * as gpg from 'gpg';
 
 import * as core from '@actions/core';
 import {request} from 'undici';
@@ -76,36 +76,43 @@ const verify = async (
       }
     };
 
-    const verifySignature = () => {
-      gpg.call('', [
+    const verifySignature = async () => {
+      const command = [
+        'gpg',
         '--logger-fd',
         '1',
         '--verify',
         path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
         path.join(__dirname, `${uploaderName}.SHA256SUM`),
-      ], async (err, verifyResult) => {
-        if (err) {
-          setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
+      ].join(' ');
+
+      try {
+        await execSync(command, {stdio: 'inherit'});
+      } catch (err) {
+        setFailure(`Codecov: Error verifying gpg signature: ${err.message}`, failCi);
       }
-        core.info(verifyResult);
-        await validateSha();
-      });
     };
 
-    // Import gpg key
-    gpg.call('', [
+    const importKey = async () => {
+      const command = [
+        'gpg',
         '--logger-fd',
         '1',
         '--no-default-keyring',
         '--import',
         path.join(__dirname, 'pgp_keys.asc'),
-    ], async (err, importResult) => {
-      if (err) {
-        setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
+      ].join(' ');
+
+      try {
+        await execSync(command, {stdio: 'inherit'});
+      } catch (err) {
+        setFailure(`Codecov: Error importing gpg key: ${err.message}`, failCi);
       }
-      core.info(importResult);
-      verifySignature();
-    });
+    };
+
+    await importKey();
+    await verifySignature();
+    await validateSha();
   } catch (err) {
     setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
   }