Merge pull request #742 from cheat/dependabot/go_modules/github.com/cloudflare/circl-1.3.7

chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7
2024-01-08 15:34:48 -05:00 · 2024-01-08 16:53:49 +00:00 · 2023-12-19 14:51:50 -05:00 · 2023-12-19 00:07:38 +00:00 · 2023-12-15 12:48:39 -05:00 · 2023-12-13 12:59:52 -05:00
1516 changed files with 116916 additions and 55198 deletions
--- a/INSTALLING.md
+++ b/INSTALLING.md
@ -9,13 +9,13 @@ On Unix-like systems, you may simply paste the following snippet into your termi

 ```sh
 cd /tmp \
-  && wget https://github.com/cheat/cheat/releases/download/4.3.3/cheat-linux-amd64.gz \
+  && wget https://github.com/cheat/cheat/releases/download/4.4.2/cheat-linux-amd64.gz \
  && gunzip cheat-linux-amd64.gz \
  && chmod +x cheat-linux-amd64 \
  && sudo mv cheat-linux-amd64 /usr/local/bin/cheat
 ```

-You may need to need to change the version number (`4.3.3`) and the archive
+You may need to need to change the version number (`4.4.2`) and the archive
 (`cheat-linux-amd64.gz`) depending on your platform.

 See the [releases page][releases] for a list of supported platforms.
--- a/33
+++ b/33
@ -35,13 +35,16 @@ releases :=                        \
 	$(dist_dir)/cheat-linux-amd64  \
 	$(dist_dir)/cheat-linux-arm5   \
 	$(dist_dir)/cheat-linux-arm6   \
-	$(dist_dir)/cheat-linux-arm7   \
 	$(dist_dir)/cheat-linux-arm64  \
+	$(dist_dir)/cheat-linux-arm7   \
+	$(dist_dir)/cheat-netbsd-amd64  \
+	$(dist_dir)/cheat-openbsd-amd64  \
+	$(dist_dir)/cheat-solaris-amd64  \
 	$(dist_dir)/cheat-windows-amd64.exe

 ## build: build an executable for your architecture
 .PHONY: build
-build: $(dist_dir) | clean generate fmt lint vet vendor man
+build: | clean $(dist_dir) generate fmt lint vet vendor man
 	$(GO) build $(BUILD_FLAGS) -o $(dist_dir)/cheat $(cmd_dir)

 ## build-release: build release executables
@ -83,6 +86,26 @@ $(dist_dir)/cheat-linux-arm64: prepare
 	GOARCH=arm64 GOOS=linux \
 	$(GO) build $(BUILD_FLAGS) -o $@ $(cmd_dir) && $(GZIP) $@ && chmod -x $@.gz

+# cheat-netbsd-amd64
+$(dist_dir)/cheat-netbsd-amd64: prepare
+	GOARCH=amd64 GOOS=netbsd \
+	$(GO) build $(BUILD_FLAGS) -o $@ $(cmd_dir) && $(GZIP) $@ && chmod -x $@.gz
+
+# cheat-openbsd-amd64
+$(dist_dir)/cheat-openbsd-amd64: prepare
+	GOARCH=amd64 GOOS=openbsd \
+	$(GO) build $(BUILD_FLAGS) -o $@ $(cmd_dir) && $(GZIP) $@ && chmod -x $@.gz
+
+# cheat-plan9-amd64
+$(dist_dir)/cheat-plan9-amd64: prepare
+	GOARCH=amd64 GOOS=plan9 \
+	$(GO) build $(BUILD_FLAGS) -o $@ $(cmd_dir) && $(GZIP) $@ && chmod -x $@.gz
+
+# cheat-solaris-amd64
+$(dist_dir)/cheat-solaris-amd64: prepare
+	GOARCH=amd64 GOOS=solaris \
+	$(GO) build $(BUILD_FLAGS) -o $@ $(cmd_dir) && $(GZIP) $@ && chmod -x $@.gz
+
 # cheat-windows-amd64
 $(dist_dir)/cheat-windows-amd64.exe: prepare
 	GOARCH=amd64 GOOS=windows \
@ -103,7 +126,7 @@ install: build

 ## clean: remove compiled executables
 .PHONY: clean
-clean: $(dist_dir)
+clean:
 	$(RM) -f $(dist_dir)/* $(cmd_dir)/str_config.go $(cmd_dir)/str_usage.go

 ## distclean: remove the tags file
@ -140,7 +163,7 @@ vendor:

 ## vendor-update: update vendored dependencies
 vendor-update:
-	$(GO) get -t -u ./... && $(GO) mod vendor
+	$(GO) get -t -u ./... && $(GO) mod vendor && $(GO) mod tidy && $(GO) mod verify

 ## fmt: run go fmt
 .PHONY: fmt
@ -173,7 +196,7 @@ coverage:
 check: | vendor fmt lint vet test

 .PHONY: prepare
-prepare: | $(dist_dir) clean generate vendor fmt lint vet test
+prepare: | clean $(dist_dir) generate vendor fmt lint vet test

 ## docker-setup: create a docker image for use during development
 .PHONY: docker-setup
--- a/cmd/cheat/cmd_conf.go
+++ b/cmd/cheat/cmd_conf.go
@ -6,6 +6,6 @@ import (
 	"github.com/cheat/cheat/internal/config"
 )

-func cmdConf(opts map[string]interface{}, conf config.Config) {
+func cmdConf(_ map[string]interface{}, conf config.Config) {
 	fmt.Println(conf.Path)
 }
--- a/cmd/cheat/cmd_directories.go
+++ b/cmd/cheat/cmd_directories.go
@ -10,7 +10,7 @@ import (
 )

 // cmdDirectories lists the configured cheatpaths.
-func cmdDirectories(opts map[string]interface{}, conf config.Config) {
+func cmdDirectories(_ map[string]interface{}, conf config.Config) {

 	// initialize a tabwriter to produce cleanly columnized output
 	var out bytes.Buffer
--- a/cmd/cheat/cmd_tags.go
+++ b/cmd/cheat/cmd_tags.go
@ -10,7 +10,7 @@ import (
 )

 // cmdTags lists all tags in use.
-func cmdTags(opts map[string]interface{}, conf config.Config) {
+func cmdTags(_ map[string]interface{}, conf config.Config) {

 	// load the cheatsheets
 	cheatsheets, err := sheets.Load(conf.Cheatpaths)
--- a/cmd/cheat/main.go
+++ b/cmd/cheat/main.go
@ -1,3 +1,4 @@
+// Package main serves as the executable entrypoint.
 package main

 //go:generate go run ../../build/embed.go
@ -16,7 +17,7 @@ import (
 	"github.com/cheat/cheat/internal/installer"
 )

-const version = "4.3.3"
+const version = "4.4.2"

 func main() {

--- a/doc/cheat.1
+++ b/doc/cheat.1
@ -1,182 +1,150 @@
-.\" Automatically generated by Pandoc 2.2.1
+.\" Automatically generated by Pandoc 2.17.1.1
 .\"
+.\" Define V font for inline verbatim, using C font in formats
+.\" that render this, and otherwise B font.
+.ie "\f[CB]x\f[]"x" \{\
+. ftr V B
+. ftr VI BI
+. ftr VB B
+. ftr VBI BI
+.\}
+.el \{\
+. ftr V CR
+. ftr VI CI
+. ftr VB CB
+. ftr VBI CBI
+.\}
 .TH "CHEAT" "1" "" "" "General Commands Manual"
 .hy
 .SH NAME
 .PP
-\f[B]cheat\f[] \[em] create and view command\-line cheatsheets
+\f[B]cheat\f[R] \[em] create and view command-line cheatsheets
 .SH SYNOPSIS
 .PP
-\f[B]cheat\f[] [options] [\f[I]CHEATSHEET\f[]]
+\f[B]cheat\f[R] [options] [\f[I]CHEATSHEET\f[R]]
 .SH DESCRIPTION
 .PP
-\f[B]cheat\f[] allows you to create and view interactive cheatsheets on
-the command\-line.
+\f[B]cheat\f[R] allows you to create and view interactive cheatsheets on
+the command-line.
 It was designed to help remind *nix system administrators of options for
 commands that they use frequently, but not frequently enough to
 remember.
 .SH OPTIONS
 .TP
-.B \[en]init
+\[en]init
 Print a config file to stdout.
-.RS
-.RE
 .TP
-.B \-c, \[en]colorize
+-c, \[en]colorize
 Colorize output.
-.RS
-.RE
 .TP
-.B \-d, \[en]directories
+-d, \[en]directories
 List cheatsheet directories.
-.RS
-.RE
 .TP
-.B \-e, \[en]edit=\f[I]CHEATSHEET\f[]
-Open \f[I]CHEATSHEET\f[] for editing.
-.RS
-.RE
+-e, \[en]edit=\f[I]CHEATSHEET\f[R]
+Open \f[I]CHEATSHEET\f[R] for editing.
 .TP
-.B \-l, \[en]list
+-l, \[en]list
 List available cheatsheets.
-.RS
-.RE
 .TP
-.B \-p, \[en]path=\f[I]PATH\f[]
-Filter only to sheets found on path \f[I]PATH\f[].
-.RS
-.RE
+-p, \[en]path=\f[I]PATH\f[R]
+Filter only to sheets found on path \f[I]PATH\f[R].
 .TP
-.B \-r, \[en]regex
-Treat search \f[I]PHRASE\f[] as a regular expression.
-.RS
-.RE
+-r, \[en]regex
+Treat search \f[I]PHRASE\f[R] as a regular expression.
 .TP
-.B \-s, \[en]search=\f[I]PHRASE\f[]
-Search cheatsheets for \f[I]PHRASE\f[].
-.RS
-.RE
+-s, \[en]search=\f[I]PHRASE\f[R]
+Search cheatsheets for \f[I]PHRASE\f[R].
 .TP
-.B \-t, \[en]tag=\f[I]TAG\f[]
-Filter only to sheets tagged with \f[I]TAG\f[].
-.RS
-.RE
+-t, \[en]tag=\f[I]TAG\f[R]
+Filter only to sheets tagged with \f[I]TAG\f[R].
 .TP
-.B \-T, \[en]tags
+-T, \[en]tags
 List all tags in use.
-.RS
-.RE
 .TP
-.B \-v, \[en]version
+-v, \[en]version
 Print the version number.
-.RS
-.RE
 .TP
-.B \[en]rm=\f[I]CHEATSHEET\f[]
-Remove (deletes) \f[I]CHEATSHEET\f[].
-.RS
-.RE
+\[en]rm=\f[I]CHEATSHEET\f[R]
+Remove (deletes) \f[I]CHEATSHEET\f[R].
 .SH EXAMPLES
 .TP
-.B To view the foo cheatsheet:
-cheat \f[I]foo\f[]
-.RS
-.RE
+To view the foo cheatsheet:
+cheat \f[I]foo\f[R]
 .TP
-.B To edit (or create) the foo cheatsheet:
-cheat \-e \f[I]foo\f[]
-.RS
-.RE
+To edit (or create) the foo cheatsheet:
+cheat -e \f[I]foo\f[R]
 .TP
-.B To edit (or create) the foo/bar cheatsheet on the `work' cheatpath:
-cheat \-p \f[I]work\f[] \-e \f[I]foo/bar\f[]
-.RS
-.RE
+To edit (or create) the foo/bar cheatsheet on the `work' cheatpath:
+cheat -p \f[I]work\f[R] -e \f[I]foo/bar\f[R]
 .TP
-.B To view all cheatsheet directories:
-cheat \-d
-.RS
-.RE
+To view all cheatsheet directories:
+cheat -d
 .TP
-.B To list all available cheatsheets:
-cheat \-l
-.RS
-.RE
+To list all available cheatsheets:
+cheat -l
 .TP
-.B To list all cheatsheets whose titles match `apt':
-cheat \-l \f[I]apt\f[]
-.RS
-.RE
+To list all cheatsheets whose titles match `apt':
+cheat -l \f[I]apt\f[R]
 .TP
-.B To list all tags in use:
-cheat \-T
-.RS
-.RE
+To list all tags in use:
+cheat -T
 .TP
-.B To list available cheatsheets that are tagged as `personal':
-cheat \-l \-t \f[I]personal\f[]
-.RS
-.RE
+To list available cheatsheets that are tagged as `personal':
+cheat -l -t \f[I]personal\f[R]
 .TP
-.B To search for `ssh' among all cheatsheets, and colorize matches:
-cheat \-c \-s \f[I]ssh\f[]
-.RS
-.RE
+To search for `ssh' among all cheatsheets, and colorize matches:
+cheat -c -s \f[I]ssh\f[R]
 .TP
-.B To search (by regex) for cheatsheets that contain an IP address:
-cheat \-c \-r \-s \f[I]`(?:[0\-9]{1,3}.){3}[0\-9]{1,3}'\f[]
-.RS
-.RE
+To search (by regex) for cheatsheets that contain an IP address:
+cheat -c -r -s \f[I]`(?:[0-9]{1,3}.){3}[0-9]{1,3}'\f[R]
 .TP
-.B To remove (delete) the foo/bar cheatsheet:
-cheat \[en]rm \f[I]foo/bar\f[]
-.RS
-.RE
+To remove (delete) the foo/bar cheatsheet:
+cheat \[en]rm \f[I]foo/bar\f[R]
 .SH FILES
 .SS Configuration
 .PP
-\f[B]cheat\f[] is configured via a YAML file that is conventionally
-named \f[I]conf.yaml\f[].
-\f[B]cheat\f[] will search for \f[I]conf.yaml\f[] in varying locations,
-depending upon your platform:
+\f[B]cheat\f[R] is configured via a YAML file that is conventionally
+named \f[I]conf.yaml\f[R].
+\f[B]cheat\f[R] will search for \f[I]conf.yaml\f[R] in varying
+locations, depending upon your platform:
 .SS Linux, OSX, and other Unixes
 .IP "1." 3
-\f[B]CHEAT_CONFIG_PATH\f[]
+\f[B]CHEAT_CONFIG_PATH\f[R]
 .IP "2." 3
-\f[B]XDG_CONFIG_HOME\f[]/cheat/conf.yaml
+\f[B]XDG_CONFIG_HOME\f[R]/cheat/conf.yaml
 .IP "3." 3
-\f[B]$HOME\f[]/.config/cheat/conf.yml
+\f[B]$HOME\f[R]/.config/cheat/conf.yml
 .IP "4." 3
-\f[B]$HOME\f[]/.cheat/conf.yml
+\f[B]$HOME\f[R]/.cheat/conf.yml
 .SS Windows
 .IP "1." 3
-\f[B]CHEAT_CONFIG_PATH\f[]
+\f[B]CHEAT_CONFIG_PATH\f[R]
 .IP "2." 3
-\f[B]APPDATA\f[]/cheat/conf.yml
+\f[B]APPDATA\f[R]/cheat/conf.yml
 .IP "3." 3
-\f[B]PROGRAMDATA\f[]/cheat/conf.yml
+\f[B]PROGRAMDATA\f[R]/cheat/conf.yml
 .PP
-\f[B]cheat\f[] will search in the order specified above.
-The first \f[I]conf.yaml\f[] encountered will be respected.
+\f[B]cheat\f[R] will search in the order specified above.
+The first \f[I]conf.yaml\f[R] encountered will be respected.
 .PP
-If \f[B]cheat\f[] cannot locate a config file, it will ask if you'd like
-to generate one automatically.
+If \f[B]cheat\f[R] cannot locate a config file, it will ask if you\[cq]d
+like to generate one automatically.
 Alternatively, you may also generate a config file manually by running
-\f[B]cheat \[en]init\f[] and saving its output to the appropriate
+\f[B]cheat \[en]init\f[R] and saving its output to the appropriate
 location for your platform.
 .SS Cheatpaths
 .PP
-\f[B]cheat\f[] reads its cheatsheets from \[lq]cheatpaths\[rq], which
+\f[B]cheat\f[R] reads its cheatsheets from \[lq]cheatpaths\[rq], which
 are the directories in which cheatsheets are stored.
-Cheatpaths may be configured in \f[I]conf.yaml\f[], and viewed via
-\f[B]cheat \-d\f[].
+Cheatpaths may be configured in \f[I]conf.yaml\f[R], and viewed via
+\f[B]cheat -d\f[R].
 .PP
 For detailed instructions on how to configure cheatpaths, please refer
 to the comments in conf.yml.
 .SS Autocompletion
 .PP
-Autocompletion scripts for \f[B]bash\f[], \f[B]zsh\f[], and
-\f[B]fish\f[] are available for download:
+Autocompletion scripts for \f[B]bash\f[R], \f[B]zsh\f[R], and
+\f[B]fish\f[R] are available for download:
 .IP \[bu] 2
 <https://github.com/cheat/cheat/blob/master/scripts/cheat.bash>
 .IP \[bu] 2
@ -184,25 +152,22 @@ Autocompletion scripts for \f[B]bash\f[], \f[B]zsh\f[], and
 .IP \[bu] 2
 <https://github.com/cheat/cheat/blob/master/scripts/cheat.zsh>
 .PP
-The \f[B]bash\f[] and \f[B]zsh\f[] scripts provide optional integration
-with \f[B]fzf\f[], if the latter is available on your \f[B]PATH\f[].
+The \f[B]bash\f[R] and \f[B]zsh\f[R] scripts provide optional
+integration with \f[B]fzf\f[R], if the latter is available on your
+\f[B]PATH\f[R].
 .PP
 The installation process will vary per system and shell configuration,
 and thus will not be discussed here.
 .SH ENVIRONMENT
 .TP
-.B \f[B]CHEAT_CONFIG_PATH\f[]
+\f[B]CHEAT_CONFIG_PATH\f[R]
 The path at which the config file is available.
-If \f[B]CHEAT_CONFIG_PATH\f[] is set, all other config paths will be
+If \f[B]CHEAT_CONFIG_PATH\f[R] is set, all other config paths will be
 ignored.
-.RS
-.RE
 .TP
-.B \f[B]CHEAT_USE_FZF\f[]
+\f[B]CHEAT_USE_FZF\f[R]
 If set, autocompletion scripts will attempt to integrate with
-\f[B]fzf\f[].
-.RS
-.RE
+\f[B]fzf\f[R].
 .SH RETURN VALUES
 .IP "0." 3
 Successful termination
@ -218,4 +183,4 @@ See GitHub issues: <https://github.com/cheat/cheat/issues>
 Christopher Allen Lane <chris@chris-allen-lane.com>
 .SH SEE ALSO
 .PP
-\f[B]fzf(1)\f[]
+\f[B]fzf(1)\f[R]
--- a/go.mod
+++ b/go.mod
@ -3,32 +3,36 @@ module github.com/cheat/cheat
 go 1.19

 require (
-	github.com/alecthomas/chroma v0.10.0
+	github.com/alecthomas/chroma/v2 v2.12.0
 	github.com/davecgh/go-spew v1.1.1
 	github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815
-	github.com/go-git/go-git/v5 v5.4.2
-	github.com/mattn/go-isatty v0.0.16
+	github.com/go-git/go-git/v5 v5.11.0
+	github.com/mattn/go-isatty v0.0.20
 	github.com/mitchellh/go-homedir v1.1.0
-	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0
-	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/cloudflare/circl v1.2.0 // indirect
-	github.com/dlclark/regexp2 v1.7.0 // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/dlclark/regexp2 v1.10.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.3.1 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/sergi/go-diff v1.2.0 // indirect
-	github.com/xanzy/ssh-agent v0.3.2 // indirect
-	golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d // indirect
-	golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b // indirect
-	golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,143 +1,143 @@
-github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
-github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
-github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
-github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895 h1:NsReiLpErIPzRrnogAXYwSoU7txA977LjDGrbkewJbg=
-github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8=
-github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
-github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
-github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek=
-github.com/alecthomas/chroma v0.10.0/go.mod h1:jtJATyUxlIORhUOFNA9NZDWGAQ8wpxQQqNSB4rjA/1s=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/alecthomas/assert/v2 v2.2.1 h1:XivOgYcduV98QCahG8T5XTezV5bylXe+lBxLG2K2ink=
+github.com/alecthomas/chroma/v2 v2.12.0 h1:Wh8qLEgMMsN7mgyG8/qIpegky2Hvzr4By6gEF7cmWgw=
+github.com/alecthomas/chroma/v2 v2.12.0/go.mod h1:4TQu7gdfuPjSh76j78ietmqh9LiurGF0EpseFXdKMBw=
+github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/bwesterb/go-ristretto v1.2.1/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.2.0 h1:NheeISPSUcYftKlfrLuOo4T62FkmD4t4jviLfFFYaec=
-github.com/cloudflare/circl v1.2.0/go.mod h1:Ch2UgYr6ti2KTtlejELlROl0YIYj7SLjAC8M+INXlMk=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
-github.com/dlclark/regexp2 v1.7.0 h1:7lJfhqlPssTb1WQx4yvTHN0uElPEv52sbaECrAQxjAo=
-github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.10.0 h1:+/GIL799phkJqYW+3YbOd8LCcbHzT0Pbo8zl70MHsq0=
+github.com/dlclark/regexp2 v1.10.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815 h1:bWDMxwH3px2JBh6AyO7hdCn/PkvCZXii8TGj7sbtEbQ=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
-github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
-github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
-github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E=
-github.com/go-git/go-billy/v5 v5.2.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
-github.com/go-git/go-billy/v5 v5.3.1 h1:CPiOUAzKtMRvolEKw+bG1PLRpT7D3LIs3/3ey4Aiu34=
-github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
-github.com/go-git/go-git-fixtures/v4 v4.2.1 h1:n9gGL1Ct/yIw+nfsfr8s4+sbhT+Ncu2SubfXjIWgci8=
-github.com/go-git/go-git-fixtures/v4 v4.2.1/go.mod h1:K8zd3kDUAykwTdDCr+I0per6Y6vMiRR/nnVTBtavnB0=
-github.com/go-git/go-git/v5 v5.4.2 h1:BXyZu9t0VkbiHtqrsvdq39UDhGJTl1h55VW6CSC4aY4=
-github.com/go-git/go-git/v5 v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti4ihgckDc=
-github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
-github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
+github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
+github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
-github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
-github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
-github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
+github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
-github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
+github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
-github.com/xanzy/ssh-agent v0.3.2 h1:eKj4SX2Fe7mui28ZgnFW5fmTz1EIr7ugo5s6wDxdHBM=
-github.com/xanzy/ssh-agent v0.3.2/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d h1:3qF+Z8Hkrw9sOhrFHti9TlB1Hkac1x+DNRkv0XQiFjo=
-golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b h1:ZmngSVLe/wycRns9MKikG9OWIEjGcGAkacif7oYQaUY=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64 h1:UiNENfZ8gDvpiWw7IpOMQ27spWmThO1RwwdQVbJahJM=
-golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
-gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU=
-gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/internal/cheatpath/cheatpath.go
+++ b/internal/cheatpath/cheatpath.go
@ -1,3 +1,5 @@
+// Package cheatpath implements functions pertaining to cheatsheet file path
+// management.
 package cheatpath

 // Cheatpath encapsulates cheatsheet path information
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -1,3 +1,4 @@
+// Package config implements functions pertaining to configuration management.
 package config

 import (
@ -9,7 +10,7 @@ import (
 	cp "github.com/cheat/cheat/internal/cheatpath"

 	"github.com/mitchellh/go-homedir"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )

 // Config encapsulates configuration parameters
@ -24,7 +25,7 @@ type Config struct {
 }

 // New returns a new Config struct
-func New(opts map[string]interface{}, confPath string, resolve bool) (Config, error) {
+func New(_ map[string]interface{}, confPath string, resolve bool) (Config, error) {

 	// read the config file
 	buf, err := os.ReadFile(confPath)
@ -39,7 +40,7 @@ func New(opts map[string]interface{}, confPath string, resolve bool) (Config, er
 	conf.Path = confPath

 	// unmarshal the yaml
-	err = yaml.UnmarshalStrict(buf, &conf)
+	err = yaml.Unmarshal(buf, &conf)
 	if err != nil {
 		return Config{}, fmt.Errorf("could not unmarshal yaml: %v", err)
 	}
--- a/internal/config/paths.go
+++ b/internal/config/paths.go
@ -28,7 +28,10 @@ func Paths(
 	}

 	switch sys {
-	case "android", "darwin", "linux", "freebsd":
+
+	// darwin/linux/unix
+	case "aix", "android", "darwin", "dragonfly", "freebsd", "illumos", "ios",
+		"linux", "netbsd", "openbsd", "plan9", "solaris":
 		paths := []string{}

 		// don't include the `XDG_CONFIG_HOME` path if that envvar is not set
@ -43,6 +46,8 @@ func Paths(
 		}...)

 		return paths, nil
+
+	// windows
 	case "windows":
 		return []string{
 			filepath.Join(envvars["APPDATA"], "cheat", "conf.yml"),
--- a/internal/display/faint.go
+++ b/internal/display/faint.go
@ -1,3 +1,5 @@
+// Package display implement functions pertaining to writing formatted
+// cheatsheet content to stdout, or alternatively the system pager.
 package display

 import (
@ -6,7 +8,8 @@ import (
 	"github.com/cheat/cheat/internal/config"
 )

-// Faint returns an faint string
+// Faint returns a faintly-colored string that's used to de-prioritize text
+// written to stdout
 func Faint(str string, conf config.Config) string {
 	// make `str` faint only if colorization has been requested
 	if conf.Colorize {
--- a/internal/installer/prompt.go
+++ b/internal/installer/prompt.go
@ -1,3 +1,5 @@
+// Package installer implements functions that provide a first-time
+// installation wizard.
 package installer

 import (
--- a/internal/mock/path.go
+++ b/internal/mock/path.go
@ -1,3 +1,4 @@
+// Package mock implements mock functions used in unit-tests.
 package mock

 import (
--- a/internal/repo/clone.go
+++ b/internal/repo/clone.go
@ -1,3 +1,4 @@
+// Package repo implements functions pertaining to the management of git repos.
 package repo

 import (
--- a/internal/repo/gitdir.go
+++ b/internal/repo/gitdir.go
@ -60,6 +60,7 @@ func GitDir(path string) (bool, error) {
 		2. A cheatpath is a repository
 		3. A cheatpath is a repository, and contains a `.git*` file
 		4. A cheatpath is a submodule
+		5. A cheatpath is a hidden directory

 		Care must be taken to support the above on both Unix and Windows
 		systems, which have different directory separators and line-endings.
--- a/internal/sheet/colorize.go
+++ b/internal/sheet/colorize.go
@ -5,7 +5,7 @@ import (

 	"github.com/cheat/cheat/internal/config"

-	"github.com/alecthomas/chroma/quick"
+	"github.com/alecthomas/chroma/v2/quick"
 )

 // Colorize applies syntax-highlighting to a cheatsheet's Text.
--- a/internal/sheet/parse.go
+++ b/internal/sheet/parse.go
@ -5,7 +5,7 @@ import (
 	"runtime"
 	"strings"

-	"gopkg.in/yaml.v1"
+	"gopkg.in/yaml.v3"
 )

 // Parse parses cheatsheet frontmatter
--- a/internal/sheet/sheet.go
+++ b/internal/sheet/sheet.go
@ -1,3 +1,5 @@
+// Package sheet implements functions pertaining to parsing, searching, and
+// displaying cheatsheets.
 package sheet

 import (
--- a/internal/sheets/consolidate.go
+++ b/internal/sheets/consolidate.go
@ -1,3 +1,5 @@
+// Package sheets implements functions pertaining to loading, sorting,
+// filtering, and tagging cheatsheets.
 package sheets

 import (
--- a/vendor/dario.cat/mergo/.deepsource.toml
+++ b/vendor/dario.cat/mergo/.deepsource.toml
@ -0,0 +1,12 @@
+version = 1
+
+test_patterns = [
+  "*_test.go"
+]
+
+[[analyzers]]
+name = "go"
+enabled = true
+
+  [analyzers.meta]
+  import_path = "dario.cat/mergo"
--- a/vendor/github.com/imdario/mergo/.gitignore
+++ b/vendor/github.com/imdario/mergo/.gitignore
--- a/vendor/github.com/imdario/mergo/.travis.yml
+++ b/vendor/github.com/imdario/mergo/.travis.yml
--- a/vendor/github.com/imdario/mergo/CODE_OF_CONDUCT.md
+++ b/vendor/github.com/imdario/mergo/CODE_OF_CONDUCT.md
--- a/vendor/dario.cat/mergo/CONTRIBUTING.md
+++ b/vendor/dario.cat/mergo/CONTRIBUTING.md
@ -0,0 +1,112 @@
+<!-- omit in toc -->
+# Contributing to mergo
+
+First off, thanks for taking the time to contribute! ❤️
+
+All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉
+
+> And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about:
+> - Star the project
+> - Tweet about it
+> - Refer this project in your project's readme
+> - Mention the project at local meetups and tell your friends/colleagues
+
+<!-- omit in toc -->
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [I Have a Question](#i-have-a-question)
+- [I Want To Contribute](#i-want-to-contribute)
+- [Reporting Bugs](#reporting-bugs)
+- [Suggesting Enhancements](#suggesting-enhancements)
+
+## Code of Conduct
+
+This project and everyone participating in it is governed by the
+[mergo Code of Conduct](https://github.com/imdario/mergoblob/master/CODE_OF_CONDUCT.md).
+By participating, you are expected to uphold this code. Please report unacceptable behavior
+to <>.
+
+
+## I Have a Question
+
+> If you want to ask a question, we assume that you have read the available [Documentation](https://pkg.go.dev/github.com/imdario/mergo).
+
+Before you ask a question, it is best to search for existing [Issues](https://github.com/imdario/mergo/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+
+If you then still feel the need to ask a question and need clarification, we recommend the following:
+
+- Open an [Issue](https://github.com/imdario/mergo/issues/new).
+- Provide as much context as you can about what you're running into.
+- Provide project and platform versions (nodejs, npm, etc), depending on what seems relevant.
+
+We will then take care of the issue as soon as possible.
+
+## I Want To Contribute
+
+> ### Legal Notice <!-- omit in toc -->
+> When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license.
+
+### Reporting Bugs
+
+<!-- omit in toc -->
+#### Before Submitting a Bug Report
+
+A good bug report shouldn't leave others needing to chase you up for more information. Therefore, we ask you to investigate carefully, collect information and describe the issue in detail in your report. Please complete the following steps in advance to help us fix any potential bug as fast as possible.
+
+- Make sure that you are using the latest version.
+- Determine if your bug is really a bug and not an error on your side e.g. using incompatible environment components/versions (Make sure that you have read the [documentation](). If you are looking for support, you might want to check [this section](#i-have-a-question)).
+- To see if other users have experienced (and potentially already solved) the same issue you are having, check if there is not already a bug report existing for your bug or error in the [bug tracker](https://github.com/imdario/mergoissues?q=label%3Abug).
+- Also make sure to search the internet (including Stack Overflow) to see if users outside of the GitHub community have discussed the issue.
+- Collect information about the bug:
+- Stack trace (Traceback)
+- OS, Platform and Version (Windows, Linux, macOS, x86, ARM)
+- Version of the interpreter, compiler, SDK, runtime environment, package manager, depending on what seems relevant.
+- Possibly your input and the output
+- Can you reliably reproduce the issue? And can you also reproduce it with older versions?
+
+<!-- omit in toc -->
+#### How Do I Submit a Good Bug Report?
+
+> You must never report security related issues, vulnerabilities or bugs including sensitive information to the issue tracker, or elsewhere in public. Instead sensitive bugs must be sent by email to .
+<!-- You may add a PGP key to allow the messages to be sent encrypted as well. -->
+
+We use GitHub issues to track bugs and errors. If you run into an issue with the project:
+
+- Open an [Issue](https://github.com/imdario/mergo/issues/new). (Since we can't be sure at this point whether it is a bug or not, we ask you not to talk about a bug yet and not to label the issue.)
+- Explain the behavior you would expect and the actual behavior.
+- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
+- Provide the information you collected in the previous section.
+
+Once it's filed:
+
+- The project team will label the issue accordingly.
+- A team member will try to reproduce the issue with your provided steps. If there are no reproduction steps or no obvious way to reproduce the issue, the team will ask you for those steps and mark the issue as `needs-repro`. Bugs with the `needs-repro` tag will not be addressed until they are reproduced.
+- If the team is able to reproduce the issue, it will be marked `needs-fix`, as well as possibly other tags (such as `critical`), and the issue will be left to be implemented by someone.
+
+### Suggesting Enhancements
+
+This section guides you through submitting an enhancement suggestion for mergo, **including completely new features and minor improvements to existing functionality**. Following these guidelines will help maintainers and the community to understand your suggestion and find related suggestions.
+
+<!-- omit in toc -->
+#### Before Submitting an Enhancement
+
+- Make sure that you are using the latest version.
+- Read the [documentation]() carefully and find out if the functionality is already covered, maybe by an individual configuration.
+- Perform a [search](https://github.com/imdario/mergo/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
+- Find out whether your idea fits with the scope and aims of the project. It's up to you to make a strong case to convince the project's developers of the merits of this feature. Keep in mind that we want features that will be useful to the majority of our users and not just a small subset. If you're just targeting a minority of users, consider writing an add-on/plugin library.
+
+<!-- omit in toc -->
+#### How Do I Submit a Good Enhancement Suggestion?
+
+Enhancement suggestions are tracked as [GitHub issues](https://github.com/imdario/mergo/issues).
+
+- Use a **clear and descriptive title** for the issue to identify the suggestion.
+- Provide a **step-by-step description of the suggested enhancement** in as many details as possible.
+- **Describe the current behavior** and **explain which behavior you expected to see instead** and why. At this point you can also tell which alternatives do not work for you.
+- You may want to **include screenshots and animated GIFs** which help you demonstrate the steps or point out the part which the suggestion is related to. You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux. <!-- this should only be included if the project has a GUI -->
+- **Explain why this enhancement would be useful** to most mergo users. You may also want to point out the other projects that solved it better and which could serve as inspiration.
+
+<!-- omit in toc -->
+## Attribution
+This guide is based on the **contributing-gen**. [Make your own](https://github.com/bttger/contributing-gen)!
--- a/vendor/github.com/imdario/mergo/LICENSE
+++ b/vendor/github.com/imdario/mergo/LICENSE
--- a/vendor/dario.cat/mergo/README.md
+++ b/vendor/dario.cat/mergo/README.md
@ -0,0 +1,248 @@
+# Mergo
+
+[![GitHub release][5]][6]
+[![GoCard][7]][8]
+[![Test status][1]][2]
+[![OpenSSF Scorecard][21]][22]
+[![OpenSSF Best Practices][19]][20]
+[![Coverage status][9]][10]
+[![Sourcegraph][11]][12]
+[![FOSSA status][13]][14]
+
+[![GoDoc][3]][4]
+[![Become my sponsor][15]][16]
+[![Tidelift][17]][18]
+
+[1]: https://github.com/imdario/mergo/workflows/tests/badge.svg?branch=master
+[2]: https://github.com/imdario/mergo/actions/workflows/tests.yml
+[3]: https://godoc.org/github.com/imdario/mergo?status.svg
+[4]: https://godoc.org/github.com/imdario/mergo
+[5]: https://img.shields.io/github/release/imdario/mergo.svg
+[6]: https://github.com/imdario/mergo/releases
+[7]: https://goreportcard.com/badge/imdario/mergo
+[8]: https://goreportcard.com/report/github.com/imdario/mergo
+[9]: https://coveralls.io/repos/github/imdario/mergo/badge.svg?branch=master
+[10]: https://coveralls.io/github/imdario/mergo?branch=master
+[11]: https://sourcegraph.com/github.com/imdario/mergo/-/badge.svg
+[12]: https://sourcegraph.com/github.com/imdario/mergo?badge
+[13]: https://app.fossa.io/api/projects/git%2Bgithub.com%2Fimdario%2Fmergo.svg?type=shield
+[14]: https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_shield
+[15]: https://img.shields.io/github/sponsors/imdario
+[16]: https://github.com/sponsors/imdario
+[17]: https://tidelift.com/badges/package/go/github.com%2Fimdario%2Fmergo
+[18]: https://tidelift.com/subscription/pkg/go-github.com-imdario-mergo
+[19]: https://bestpractices.coreinfrastructure.org/projects/7177/badge
+[20]: https://bestpractices.coreinfrastructure.org/projects/7177
+[21]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo/badge
+[22]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo
+
+A helper to merge structs and maps in Golang. Useful for configuration default values, avoiding messy if-statements.
+
+Mergo merges same-type structs and maps by setting default values in zero-value fields. Mergo won't merge unexported (private) fields. It will do recursively any exported one. It also won't merge structs inside maps (because they are not addressable using Go reflection).
+
+Also a lovely [comune](http://en.wikipedia.org/wiki/Mergo) (municipality) in the Province of Ancona in the Italian region of Marche.
+
+## Status
+
+It is ready for production use. [It is used in several projects by Docker, Google, The Linux Foundation, VMWare, Shopify, Microsoft, etc](https://github.com/imdario/mergo#mergo-in-the-wild).
+
+### Important notes
+
+#### 1.0.0
+
+In [1.0.0](//github.com/imdario/mergo/releases/tag/1.0.0) Mergo moves to a vanity URL `dario.cat/mergo`.
+
+#### 0.3.9
+
+Please keep in mind that a problematic PR broke [0.3.9](//github.com/imdario/mergo/releases/tag/0.3.9). I reverted it in [0.3.10](//github.com/imdario/mergo/releases/tag/0.3.10), and I consider it stable but not bug-free. Also, this version adds support for go modules.
+
+Keep in mind that in [0.3.2](//github.com/imdario/mergo/releases/tag/0.3.2), Mergo changed `Merge()`and `Map()` signatures to support [transformers](#transformers). I added an optional/variadic argument so that it won't break the existing code.
+
+If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with ```go get -u dario.cat/mergo```. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).
+
+### Donations
+
+If Mergo is useful to you, consider buying me a coffee, a beer, or making a monthly donation to allow me to keep building great free software. :heart_eyes:
+
+<a href='https://ko-fi.com/B0B58839' target='_blank'><img height='36' style='border:0px;height:36px;' src='https://az743702.vo.msecnd.net/cdn/kofi1.png?v=0' border='0' alt='Buy Me a Coffee at ko-fi.com' /></a>
+<a href="https://liberapay.com/dario/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a>
+<a href='https://github.com/sponsors/imdario' target='_blank'><img alt="Become my sponsor" src="https://img.shields.io/github/sponsors/imdario?style=for-the-badge" /></a>
+
+### Mergo in the wild
+
+- [moby/moby](https://github.com/moby/moby)
+- [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
+- [vmware/dispatch](https://github.com/vmware/dispatch)
+- [Shopify/themekit](https://github.com/Shopify/themekit)
+- [imdario/zas](https://github.com/imdario/zas)
+- [matcornic/hermes](https://github.com/matcornic/hermes)
+- [OpenBazaar/openbazaar-go](https://github.com/OpenBazaar/openbazaar-go)
+- [kataras/iris](https://github.com/kataras/iris)
+- [michaelsauter/crane](https://github.com/michaelsauter/crane)
+- [go-task/task](https://github.com/go-task/task)
+- [sensu/uchiwa](https://github.com/sensu/uchiwa)
+- [ory/hydra](https://github.com/ory/hydra)
+- [sisatech/vcli](https://github.com/sisatech/vcli)
+- [dairycart/dairycart](https://github.com/dairycart/dairycart)
+- [projectcalico/felix](https://github.com/projectcalico/felix)
+- [resin-os/balena](https://github.com/resin-os/balena)
+- [go-kivik/kivik](https://github.com/go-kivik/kivik)
+- [Telefonica/govice](https://github.com/Telefonica/govice)
+- [supergiant/supergiant](supergiant/supergiant)
+- [SergeyTsalkov/brooce](https://github.com/SergeyTsalkov/brooce)
+- [soniah/dnsmadeeasy](https://github.com/soniah/dnsmadeeasy)
+- [ohsu-comp-bio/funnel](https://github.com/ohsu-comp-bio/funnel)
+- [EagerIO/Stout](https://github.com/EagerIO/Stout)
+- [lynndylanhurley/defsynth-api](https://github.com/lynndylanhurley/defsynth-api)
+- [russross/canvasassignments](https://github.com/russross/canvasassignments)
+- [rdegges/cryptly-api](https://github.com/rdegges/cryptly-api)
+- [casualjim/exeggutor](https://github.com/casualjim/exeggutor)
+- [divshot/gitling](https://github.com/divshot/gitling)
+- [RWJMurphy/gorl](https://github.com/RWJMurphy/gorl)
+- [andrerocker/deploy42](https://github.com/andrerocker/deploy42)
+- [elwinar/rambler](https://github.com/elwinar/rambler)
+- [tmaiaroto/gopartman](https://github.com/tmaiaroto/gopartman)
+- [jfbus/impressionist](https://github.com/jfbus/impressionist)
+- [Jmeyering/zealot](https://github.com/Jmeyering/zealot)
+- [godep-migrator/rigger-host](https://github.com/godep-migrator/rigger-host)
+- [Dronevery/MultiwaySwitch-Go](https://github.com/Dronevery/MultiwaySwitch-Go)
+- [thoas/picfit](https://github.com/thoas/picfit)
+- [mantasmatelis/whooplist-server](https://github.com/mantasmatelis/whooplist-server)
+- [jnuthong/item_search](https://github.com/jnuthong/item_search)
+- [bukalapak/snowboard](https://github.com/bukalapak/snowboard)
+- [containerssh/containerssh](https://github.com/containerssh/containerssh)
+- [goreleaser/goreleaser](https://github.com/goreleaser/goreleaser)
+- [tjpnz/structbot](https://github.com/tjpnz/structbot)
+
+## Install
+
+    go get dario.cat/mergo
+
+    // use in your .go code
+    import (
+        "dario.cat/mergo"
+    )
+
+## Usage
+
+You can only merge same-type structs with exported fields initialized as zero value of their type and same-types maps. Mergo won't merge unexported (private) fields but will do recursively any exported one. It won't merge empty structs value as [they are zero values](https://golang.org/ref/spec#The_zero_value) too. Also, maps will be merged recursively except for structs inside maps (because they are not addressable using Go reflection).
+
+```go
+if err := mergo.Merge(&dst, src); err != nil {
+    // ...
+}
+```
+
+Also, you can merge overwriting values using the transformer `WithOverride`.
+
+```go
+if err := mergo.Merge(&dst, src, mergo.WithOverride); err != nil {
+    // ...
+}
+```
+
+Additionally, you can map a `map[string]interface{}` to a struct (and otherwise, from struct to map), following the same restrictions as in `Merge()`. Keys are capitalized to find each corresponding exported field.
+
+```go
+if err := mergo.Map(&dst, srcMap); err != nil {
+    // ...
+}
+```
+
+Warning: if you map a struct to map, it won't do it recursively. Don't expect Mergo to map struct members of your struct as `map[string]interface{}`. They will be just assigned as values.
+
+Here is a nice example:
+
+```go
+package main
+
+import (
+	"fmt"
+	"dario.cat/mergo"
+)
+
+type Foo struct {
+	A string
+	B int64
+}
+
+func main() {
+	src := Foo{
+		A: "one",
+		B: 2,
+	}
+	dest := Foo{
+		A: "two",
+	}
+	mergo.Merge(&dest, src)
+	fmt.Println(dest)
+	// Will print
+	// {two 2}
+}
+```
+
+Note: if test are failing due missing package, please execute:
+
+    go get gopkg.in/yaml.v3
+
+### Transformers
+
+Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, `time.Time` is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero `time.Time`?
+
+```go
+package main
+
+import (
+	"fmt"
+	"dario.cat/mergo"
+    "reflect"
+    "time"
+)
+
+type timeTransformer struct {
+}
+
+func (t timeTransformer) Transformer(typ reflect.Type) func(dst, src reflect.Value) error {
+	if typ == reflect.TypeOf(time.Time{}) {
+		return func(dst, src reflect.Value) error {
+			if dst.CanSet() {
+				isZero := dst.MethodByName("IsZero")
+				result := isZero.Call([]reflect.Value{})
+				if result[0].Bool() {
+					dst.Set(src)
+				}
+			}
+			return nil
+		}
+	}
+	return nil
+}
+
+type Snapshot struct {
+	Time time.Time
+	// ...
+}
+
+func main() {
+	src := Snapshot{time.Now()}
+	dest := Snapshot{}
+	mergo.Merge(&dest, src, mergo.WithTransformers(timeTransformer{}))
+	fmt.Println(dest)
+	// Will print
+	// { 2018-01-12 01:15:00 +0000 UTC m=+0.000000001 }
+}
+```
+
+## Contact me
+
+If I can help you, you have an idea or you are using Mergo in your projects, don't hesitate to drop me a line (or a pull request): [@im_dario](https://twitter.com/im_dario)
+
+## About
+
+Written by [Dario Castañé](http://dario.im).
+
+## License
+
+[BSD 3-Clause](http://opensource.org/licenses/BSD-3-Clause) license, as [Go language](http://golang.org/LICENSE).
+
+[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fimdario%2Fmergo.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_large)
--- a/vendor/dario.cat/mergo/SECURITY.md
+++ b/vendor/dario.cat/mergo/SECURITY.md
@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.3.x   | :white_check_mark: |
+| < 0.3   | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
--- a/vendor/dario.cat/mergo/doc.go
+++ b/vendor/dario.cat/mergo/doc.go
@ -0,0 +1,148 @@
+// Copyright 2013 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+A helper to merge structs and maps in Golang. Useful for configuration default values, avoiding messy if-statements.
+
+Mergo merges same-type structs and maps by setting default values in zero-value fields. Mergo won't merge unexported (private) fields. It will do recursively any exported one. It also won't merge structs inside maps (because they are not addressable using Go reflection).
+
+# Status
+
+It is ready for production use. It is used in several projects by Docker, Google, The Linux Foundation, VMWare, Shopify, etc.
+
+# Important notes
+
+1.0.0
+
+In 1.0.0 Mergo moves to a vanity URL `dario.cat/mergo`.
+
+0.3.9
+
+Please keep in mind that a problematic PR broke 0.3.9. We reverted it in 0.3.10. We consider 0.3.10 as stable but not bug-free. . Also, this version adds suppot for go modules.
+
+Keep in mind that in 0.3.2, Mergo changed Merge() and Map() signatures to support transformers. We added an optional/variadic argument so that it won't break the existing code.
+
+If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with go get -u dario.cat/mergo. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).
+
+# Install
+
+Do your usual installation procedure:
+
+	go get dario.cat/mergo
+
+	// use in your .go code
+	import (
+	    "dario.cat/mergo"
+	)
+
+# Usage
+
+You can only merge same-type structs with exported fields initialized as zero value of their type and same-types maps. Mergo won't merge unexported (private) fields but will do recursively any exported one. It won't merge empty structs value as they are zero values too. Also, maps will be merged recursively except for structs inside maps (because they are not addressable using Go reflection).
+
+	if err := mergo.Merge(&dst, src); err != nil {
+		// ...
+	}
+
+Also, you can merge overwriting values using the transformer WithOverride.
+
+	if err := mergo.Merge(&dst, src, mergo.WithOverride); err != nil {
+		// ...
+	}
+
+Additionally, you can map a map[string]interface{} to a struct (and otherwise, from struct to map), following the same restrictions as in Merge(). Keys are capitalized to find each corresponding exported field.
+
+	if err := mergo.Map(&dst, srcMap); err != nil {
+		// ...
+	}
+
+Warning: if you map a struct to map, it won't do it recursively. Don't expect Mergo to map struct members of your struct as map[string]interface{}. They will be just assigned as values.
+
+Here is a nice example:
+
+	package main
+
+	import (
+		"fmt"
+		"dario.cat/mergo"
+	)
+
+	type Foo struct {
+		A string
+		B int64
+	}
+
+	func main() {
+		src := Foo{
+			A: "one",
+			B: 2,
+		}
+		dest := Foo{
+			A: "two",
+		}
+		mergo.Merge(&dest, src)
+		fmt.Println(dest)
+		// Will print
+		// {two 2}
+	}
+
+# Transformers
+
+Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, time.Time is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero time.Time?
+
+	package main
+
+	import (
+		"fmt"
+		"dario.cat/mergo"
+		"reflect"
+		"time"
+	)
+
+	type timeTransformer struct {
+	}
+
+	func (t timeTransformer) Transformer(typ reflect.Type) func(dst, src reflect.Value) error {
+		if typ == reflect.TypeOf(time.Time{}) {
+			return func(dst, src reflect.Value) error {
+				if dst.CanSet() {
+					isZero := dst.MethodByName("IsZero")
+					result := isZero.Call([]reflect.Value{})
+					if result[0].Bool() {
+						dst.Set(src)
+					}
+				}
+				return nil
+			}
+		}
+		return nil
+	}
+
+	type Snapshot struct {
+		Time time.Time
+		// ...
+	}
+
+	func main() {
+		src := Snapshot{time.Now()}
+		dest := Snapshot{}
+		mergo.Merge(&dest, src, mergo.WithTransformers(timeTransformer{}))
+		fmt.Println(dest)
+		// Will print
+		// { 2018-01-12 01:15:00 +0000 UTC m=+0.000000001 }
+	}
+
+# Contact me
+
+If I can help you, you have an idea or you are using Mergo in your projects, don't hesitate to drop me a line (or a pull request): https://twitter.com/im_dario
+
+# About
+
+Written by Dario Castañé: https://da.rio.hn
+
+# License
+
+BSD 3-Clause license, as Go language.
+*/
+package mergo
--- a/vendor/dario.cat/mergo/map.go
+++ b/vendor/dario.cat/mergo/map.go
@ -0,0 +1,178 @@
+// Copyright 2014 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Based on src/pkg/reflect/deepequal.go from official
+// golang's stdlib.
+
+package mergo
+
+import (
+	"fmt"
+	"reflect"
+	"unicode"
+	"unicode/utf8"
+)
+
+func changeInitialCase(s string, mapper func(rune) rune) string {
+	if s == "" {
+		return s
+	}
+	r, n := utf8.DecodeRuneInString(s)
+	return string(mapper(r)) + s[n:]
+}
+
+func isExported(field reflect.StructField) bool {
+	r, _ := utf8.DecodeRuneInString(field.Name)
+	return r >= 'A' && r <= 'Z'
+}
+
+// Traverses recursively both values, assigning src's fields values to dst.
+// The map argument tracks comparisons that have already been seen, which allows
+// short circuiting on recursive types.
+func deepMap(dst, src reflect.Value, visited map[uintptr]*visit, depth int, config *Config) (err error) {
+	overwrite := config.Overwrite
+	if dst.CanAddr() {
+		addr := dst.UnsafeAddr()
+		h := 17 * addr
+		seen := visited[h]
+		typ := dst.Type()
+		for p := seen; p != nil; p = p.next {
+			if p.ptr == addr && p.typ == typ {
+				return nil
+			}
+		}
+		// Remember, remember...
+		visited[h] = &visit{typ, seen, addr}
+	}
+	zeroValue := reflect.Value{}
+	switch dst.Kind() {
+	case reflect.Map:
+		dstMap := dst.Interface().(map[string]interface{})
+		for i, n := 0, src.NumField(); i < n; i++ {
+			srcType := src.Type()
+			field := srcType.Field(i)
+			if !isExported(field) {
+				continue
+			}
+			fieldName := field.Name
+			fieldName = changeInitialCase(fieldName, unicode.ToLower)
+			if v, ok := dstMap[fieldName]; !ok || (isEmptyValue(reflect.ValueOf(v), !config.ShouldNotDereference) || overwrite) {
+				dstMap[fieldName] = src.Field(i).Interface()
+			}
+		}
+	case reflect.Ptr:
+		if dst.IsNil() {
+			v := reflect.New(dst.Type().Elem())
+			dst.Set(v)
+		}
+		dst = dst.Elem()
+		fallthrough
+	case reflect.Struct:
+		srcMap := src.Interface().(map[string]interface{})
+		for key := range srcMap {
+			config.overwriteWithEmptyValue = true
+			srcValue := srcMap[key]
+			fieldName := changeInitialCase(key, unicode.ToUpper)
+			dstElement := dst.FieldByName(fieldName)
+			if dstElement == zeroValue {
+				// We discard it because the field doesn't exist.
+				continue
+			}
+			srcElement := reflect.ValueOf(srcValue)
+			dstKind := dstElement.Kind()
+			srcKind := srcElement.Kind()
+			if srcKind == reflect.Ptr && dstKind != reflect.Ptr {
+				srcElement = srcElement.Elem()
+				srcKind = reflect.TypeOf(srcElement.Interface()).Kind()
+			} else if dstKind == reflect.Ptr {
+				// Can this work? I guess it can't.
+				if srcKind != reflect.Ptr && srcElement.CanAddr() {
+					srcPtr := srcElement.Addr()
+					srcElement = reflect.ValueOf(srcPtr)
+					srcKind = reflect.Ptr
+				}
+			}
+
+			if !srcElement.IsValid() {
+				continue
+			}
+			if srcKind == dstKind {
+				if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			} else if dstKind == reflect.Interface && dstElement.Kind() == reflect.Interface {
+				if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			} else if srcKind == reflect.Map {
+				if err = deepMap(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			} else {
+				return fmt.Errorf("type mismatch on %s field: found %v, expected %v", fieldName, srcKind, dstKind)
+			}
+		}
+	}
+	return
+}
+
+// Map sets fields' values in dst from src.
+// src can be a map with string keys or a struct. dst must be the opposite:
+// if src is a map, dst must be a valid pointer to struct. If src is a struct,
+// dst must be map[string]interface{}.
+// It won't merge unexported (private) fields and will do recursively
+// any exported field.
+// If dst is a map, keys will be src fields' names in lower camel case.
+// Missing key in src that doesn't match a field in dst will be skipped. This
+// doesn't apply if dst is a map.
+// This is separated method from Merge because it is cleaner and it keeps sane
+// semantics: merging equal types, mapping different (restricted) types.
+func Map(dst, src interface{}, opts ...func(*Config)) error {
+	return _map(dst, src, opts...)
+}
+
+// MapWithOverwrite will do the same as Map except that non-empty dst attributes will be overridden by
+// non-empty src attribute values.
+// Deprecated: Use Map(…) with WithOverride
+func MapWithOverwrite(dst, src interface{}, opts ...func(*Config)) error {
+	return _map(dst, src, append(opts, WithOverride)...)
+}
+
+func _map(dst, src interface{}, opts ...func(*Config)) error {
+	if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr {
+		return ErrNonPointerArgument
+	}
+	var (
+		vDst, vSrc reflect.Value
+		err        error
+	)
+	config := &Config{}
+
+	for _, opt := range opts {
+		opt(config)
+	}
+
+	if vDst, vSrc, err = resolveValues(dst, src); err != nil {
+		return err
+	}
+	// To be friction-less, we redirect equal-type arguments
+	// to deepMerge. Only because arguments can be anything.
+	if vSrc.Kind() == vDst.Kind() {
+		return deepMerge(vDst, vSrc, make(map[uintptr]*visit), 0, config)
+	}
+	switch vSrc.Kind() {
+	case reflect.Struct:
+		if vDst.Kind() != reflect.Map {
+			return ErrExpectedMapAsDestination
+		}
+	case reflect.Map:
+		if vDst.Kind() != reflect.Struct {
+			return ErrExpectedStructAsDestination
+		}
+	default:
+		return ErrNotSupported
+	}
+	return deepMap(vDst, vSrc, make(map[uintptr]*visit), 0, config)
+}
--- a/vendor/dario.cat/mergo/merge.go
+++ b/vendor/dario.cat/mergo/merge.go
@ -0,0 +1,409 @@
+// Copyright 2013 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Based on src/pkg/reflect/deepequal.go from official
+// golang's stdlib.
+
+package mergo
+
+import (
+	"fmt"
+	"reflect"
+)
+
+func hasMergeableFields(dst reflect.Value) (exported bool) {
+	for i, n := 0, dst.NumField(); i < n; i++ {
+		field := dst.Type().Field(i)
+		if field.Anonymous && dst.Field(i).Kind() == reflect.Struct {
+			exported = exported || hasMergeableFields(dst.Field(i))
+		} else if isExportedComponent(&field) {
+			exported = exported || len(field.PkgPath) == 0
+		}
+	}
+	return
+}
+
+func isExportedComponent(field *reflect.StructField) bool {
+	pkgPath := field.PkgPath
+	if len(pkgPath) > 0 {
+		return false
+	}
+	c := field.Name[0]
+	if 'a' <= c && c <= 'z' || c == '_' {
+		return false
+	}
+	return true
+}
+
+type Config struct {
+	Transformers                 Transformers
+	Overwrite                    bool
+	ShouldNotDereference         bool
+	AppendSlice                  bool
+	TypeCheck                    bool
+	overwriteWithEmptyValue      bool
+	overwriteSliceWithEmptyValue bool
+	sliceDeepCopy                bool
+	debug                        bool
+}
+
+type Transformers interface {
+	Transformer(reflect.Type) func(dst, src reflect.Value) error
+}
+
+// Traverses recursively both values, assigning src's fields values to dst.
+// The map argument tracks comparisons that have already been seen, which allows
+// short circuiting on recursive types.
+func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, config *Config) (err error) {
+	overwrite := config.Overwrite
+	typeCheck := config.TypeCheck
+	overwriteWithEmptySrc := config.overwriteWithEmptyValue
+	overwriteSliceWithEmptySrc := config.overwriteSliceWithEmptyValue
+	sliceDeepCopy := config.sliceDeepCopy
+
+	if !src.IsValid() {
+		return
+	}
+	if dst.CanAddr() {
+		addr := dst.UnsafeAddr()
+		h := 17 * addr
+		seen := visited[h]
+		typ := dst.Type()
+		for p := seen; p != nil; p = p.next {
+			if p.ptr == addr && p.typ == typ {
+				return nil
+			}
+		}
+		// Remember, remember...
+		visited[h] = &visit{typ, seen, addr}
+	}
+
+	if config.Transformers != nil && !isReflectNil(dst) && dst.IsValid() {
+		if fn := config.Transformers.Transformer(dst.Type()); fn != nil {
+			err = fn(dst, src)
+			return
+		}
+	}
+
+	switch dst.Kind() {
+	case reflect.Struct:
+		if hasMergeableFields(dst) {
+			for i, n := 0, dst.NumField(); i < n; i++ {
+				if err = deepMerge(dst.Field(i), src.Field(i), visited, depth+1, config); err != nil {
+					return
+				}
+			}
+		} else {
+			if dst.CanSet() && (isReflectNil(dst) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc) {
+				dst.Set(src)
+			}
+		}
+	case reflect.Map:
+		if dst.IsNil() && !src.IsNil() {
+			if dst.CanSet() {
+				dst.Set(reflect.MakeMap(dst.Type()))
+			} else {
+				dst = src
+				return
+			}
+		}
+
+		if src.Kind() != reflect.Map {
+			if overwrite && dst.CanSet() {
+				dst.Set(src)
+			}
+			return
+		}
+
+		for _, key := range src.MapKeys() {
+			srcElement := src.MapIndex(key)
+			if !srcElement.IsValid() {
+				continue
+			}
+			dstElement := dst.MapIndex(key)
+			switch srcElement.Kind() {
+			case reflect.Chan, reflect.Func, reflect.Map, reflect.Interface, reflect.Slice:
+				if srcElement.IsNil() {
+					if overwrite {
+						dst.SetMapIndex(key, srcElement)
+					}
+					continue
+				}
+				fallthrough
+			default:
+				if !srcElement.CanInterface() {
+					continue
+				}
+				switch reflect.TypeOf(srcElement.Interface()).Kind() {
+				case reflect.Struct:
+					fallthrough
+				case reflect.Ptr:
+					fallthrough
+				case reflect.Map:
+					srcMapElm := srcElement
+					dstMapElm := dstElement
+					if srcMapElm.CanInterface() {
+						srcMapElm = reflect.ValueOf(srcMapElm.Interface())
+						if dstMapElm.IsValid() {
+							dstMapElm = reflect.ValueOf(dstMapElm.Interface())
+						}
+					}
+					if err = deepMerge(dstMapElm, srcMapElm, visited, depth+1, config); err != nil {
+						return
+					}
+				case reflect.Slice:
+					srcSlice := reflect.ValueOf(srcElement.Interface())
+
+					var dstSlice reflect.Value
+					if !dstElement.IsValid() || dstElement.IsNil() {
+						dstSlice = reflect.MakeSlice(srcSlice.Type(), 0, srcSlice.Len())
+					} else {
+						dstSlice = reflect.ValueOf(dstElement.Interface())
+					}
+
+					if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy {
+						if typeCheck && srcSlice.Type() != dstSlice.Type() {
+							return fmt.Errorf("cannot override two slices with different type (%s, %s)", srcSlice.Type(), dstSlice.Type())
+						}
+						dstSlice = srcSlice
+					} else if config.AppendSlice {
+						if srcSlice.Type() != dstSlice.Type() {
+							return fmt.Errorf("cannot append two slices with different type (%s, %s)", srcSlice.Type(), dstSlice.Type())
+						}
+						dstSlice = reflect.AppendSlice(dstSlice, srcSlice)
+					} else if sliceDeepCopy {
+						i := 0
+						for ; i < srcSlice.Len() && i < dstSlice.Len(); i++ {
+							srcElement := srcSlice.Index(i)
+							dstElement := dstSlice.Index(i)
+
+							if srcElement.CanInterface() {
+								srcElement = reflect.ValueOf(srcElement.Interface())
+							}
+							if dstElement.CanInterface() {
+								dstElement = reflect.ValueOf(dstElement.Interface())
+							}
+
+							if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+								return
+							}
+						}
+
+					}
+					dst.SetMapIndex(key, dstSlice)
+				}
+			}
+
+			if dstElement.IsValid() && !isEmptyValue(dstElement, !config.ShouldNotDereference) {
+				if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Slice {
+					continue
+				}
+				if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Map && reflect.TypeOf(dstElement.Interface()).Kind() == reflect.Map {
+					continue
+				}
+			}
+
+			if srcElement.IsValid() && ((srcElement.Kind() != reflect.Ptr && overwrite) || !dstElement.IsValid() || isEmptyValue(dstElement, !config.ShouldNotDereference)) {
+				if dst.IsNil() {
+					dst.Set(reflect.MakeMap(dst.Type()))
+				}
+				dst.SetMapIndex(key, srcElement)
+			}
+		}
+
+		// Ensure that all keys in dst are deleted if they are not in src.
+		if overwriteWithEmptySrc {
+			for _, key := range dst.MapKeys() {
+				srcElement := src.MapIndex(key)
+				if !srcElement.IsValid() {
+					dst.SetMapIndex(key, reflect.Value{})
+				}
+			}
+		}
+	case reflect.Slice:
+		if !dst.CanSet() {
+			break
+		}
+		if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy {
+			dst.Set(src)
+		} else if config.AppendSlice {
+			if src.Type() != dst.Type() {
+				return fmt.Errorf("cannot append two slice with different type (%s, %s)", src.Type(), dst.Type())
+			}
+			dst.Set(reflect.AppendSlice(dst, src))
+		} else if sliceDeepCopy {
+			for i := 0; i < src.Len() && i < dst.Len(); i++ {
+				srcElement := src.Index(i)
+				dstElement := dst.Index(i)
+				if srcElement.CanInterface() {
+					srcElement = reflect.ValueOf(srcElement.Interface())
+				}
+				if dstElement.CanInterface() {
+					dstElement = reflect.ValueOf(dstElement.Interface())
+				}
+
+				if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			}
+		}
+	case reflect.Ptr:
+		fallthrough
+	case reflect.Interface:
+		if isReflectNil(src) {
+			if overwriteWithEmptySrc && dst.CanSet() && src.Type().AssignableTo(dst.Type()) {
+				dst.Set(src)
+			}
+			break
+		}
+
+		if src.Kind() != reflect.Interface {
+			if dst.IsNil() || (src.Kind() != reflect.Ptr && overwrite) {
+				if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) {
+					dst.Set(src)
+				}
+			} else if src.Kind() == reflect.Ptr {
+				if !config.ShouldNotDereference {
+					if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil {
+						return
+					}
+				} else {
+					if overwriteWithEmptySrc || (overwrite && !src.IsNil()) || dst.IsNil() {
+						dst.Set(src)
+					}
+				}
+			} else if dst.Elem().Type() == src.Type() {
+				if err = deepMerge(dst.Elem(), src, visited, depth+1, config); err != nil {
+					return
+				}
+			} else {
+				return ErrDifferentArgumentsTypes
+			}
+			break
+		}
+
+		if dst.IsNil() || overwrite {
+			if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) {
+				dst.Set(src)
+			}
+			break
+		}
+
+		if dst.Elem().Kind() == src.Elem().Kind() {
+			if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil {
+				return
+			}
+			break
+		}
+	default:
+		mustSet := (isEmptyValue(dst, !config.ShouldNotDereference) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc)
+		if mustSet {
+			if dst.CanSet() {
+				dst.Set(src)
+			} else {
+				dst = src
+			}
+		}
+	}
+
+	return
+}
+
+// Merge will fill any empty for value type attributes on the dst struct using corresponding
+// src attributes if they themselves are not empty. dst and src must be valid same-type structs
+// and dst must be a pointer to struct.
+// It won't merge unexported (private) fields and will do recursively any exported field.
+func Merge(dst, src interface{}, opts ...func(*Config)) error {
+	return merge(dst, src, opts...)
+}
+
+// MergeWithOverwrite will do the same as Merge except that non-empty dst attributes will be overridden by
+// non-empty src attribute values.
+// Deprecated: use Merge(…) with WithOverride
+func MergeWithOverwrite(dst, src interface{}, opts ...func(*Config)) error {
+	return merge(dst, src, append(opts, WithOverride)...)
+}
+
+// WithTransformers adds transformers to merge, allowing to customize the merging of some types.
+func WithTransformers(transformers Transformers) func(*Config) {
+	return func(config *Config) {
+		config.Transformers = transformers
+	}
+}
+
+// WithOverride will make merge override non-empty dst attributes with non-empty src attributes values.
+func WithOverride(config *Config) {
+	config.Overwrite = true
+}
+
+// WithOverwriteWithEmptyValue will make merge override non empty dst attributes with empty src attributes values.
+func WithOverwriteWithEmptyValue(config *Config) {
+	config.Overwrite = true
+	config.overwriteWithEmptyValue = true
+}
+
+// WithOverrideEmptySlice will make merge override empty dst slice with empty src slice.
+func WithOverrideEmptySlice(config *Config) {
+	config.overwriteSliceWithEmptyValue = true
+}
+
+// WithoutDereference prevents dereferencing pointers when evaluating whether they are empty
+// (i.e. a non-nil pointer is never considered empty).
+func WithoutDereference(config *Config) {
+	config.ShouldNotDereference = true
+}
+
+// WithAppendSlice will make merge append slices instead of overwriting it.
+func WithAppendSlice(config *Config) {
+	config.AppendSlice = true
+}
+
+// WithTypeCheck will make merge check types while overwriting it (must be used with WithOverride).
+func WithTypeCheck(config *Config) {
+	config.TypeCheck = true
+}
+
+// WithSliceDeepCopy will merge slice element one by one with Overwrite flag.
+func WithSliceDeepCopy(config *Config) {
+	config.sliceDeepCopy = true
+	config.Overwrite = true
+}
+
+func merge(dst, src interface{}, opts ...func(*Config)) error {
+	if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr {
+		return ErrNonPointerArgument
+	}
+	var (
+		vDst, vSrc reflect.Value
+		err        error
+	)
+
+	config := &Config{}
+
+	for _, opt := range opts {
+		opt(config)
+	}
+
+	if vDst, vSrc, err = resolveValues(dst, src); err != nil {
+		return err
+	}
+	if vDst.Type() != vSrc.Type() {
+		return ErrDifferentArgumentsTypes
+	}
+	return deepMerge(vDst, vSrc, make(map[uintptr]*visit), 0, config)
+}
+
+// IsReflectNil is the reflect value provided nil
+func isReflectNil(v reflect.Value) bool {
+	k := v.Kind()
+	switch k {
+	case reflect.Interface, reflect.Slice, reflect.Chan, reflect.Func, reflect.Map, reflect.Ptr:
+		// Both interface and slice are nil if first word is 0.
+		// Both are always bigger than a word; assume flagIndir.
+		return v.IsNil()
+	default:
+		return false
+	}
+}
--- a/vendor/dario.cat/mergo/mergo.go
+++ b/vendor/dario.cat/mergo/mergo.go
@ -0,0 +1,81 @@
+// Copyright 2013 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Based on src/pkg/reflect/deepequal.go from official
+// golang's stdlib.
+
+package mergo
+
+import (
+	"errors"
+	"reflect"
+)
+
+// Errors reported by Mergo when it finds invalid arguments.
+var (
+	ErrNilArguments                = errors.New("src and dst must not be nil")
+	ErrDifferentArgumentsTypes     = errors.New("src and dst must be of same type")
+	ErrNotSupported                = errors.New("only structs, maps, and slices are supported")
+	ErrExpectedMapAsDestination    = errors.New("dst was expected to be a map")
+	ErrExpectedStructAsDestination = errors.New("dst was expected to be a struct")
+	ErrNonPointerArgument          = errors.New("dst must be a pointer")
+)
+
+// During deepMerge, must keep track of checks that are
+// in progress.  The comparison algorithm assumes that all
+// checks in progress are true when it reencounters them.
+// Visited are stored in a map indexed by 17 * a1 + a2;
+type visit struct {
+	typ  reflect.Type
+	next *visit
+	ptr  uintptr
+}
+
+// From src/pkg/encoding/json/encode.go.
+func isEmptyValue(v reflect.Value, shouldDereference bool) bool {
+	switch v.Kind() {
+	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Interface, reflect.Ptr:
+		if v.IsNil() {
+			return true
+		}
+		if shouldDereference {
+			return isEmptyValue(v.Elem(), shouldDereference)
+		}
+		return false
+	case reflect.Func:
+		return v.IsNil()
+	case reflect.Invalid:
+		return true
+	}
+	return false
+}
+
+func resolveValues(dst, src interface{}) (vDst, vSrc reflect.Value, err error) {
+	if dst == nil || src == nil {
+		err = ErrNilArguments
+		return
+	}
+	vDst = reflect.ValueOf(dst).Elem()
+	if vDst.Kind() != reflect.Struct && vDst.Kind() != reflect.Map && vDst.Kind() != reflect.Slice {
+		err = ErrNotSupported
+		return
+	}
+	vSrc = reflect.ValueOf(src)
+	// We check if vSrc is a pointer to dereference it.
+	if vSrc.Kind() == reflect.Ptr {
+		vSrc = vSrc.Elem()
+	}
+	return
+}
--- a/vendor/github.com/Microsoft/go-winio/.gitattributes
+++ b/vendor/github.com/Microsoft/go-winio/.gitattributes
@ -0,0 +1 @@
+* text=auto eol=lf
--- a/vendor/github.com/Microsoft/go-winio/.gitignore
+++ b/vendor/github.com/Microsoft/go-winio/.gitignore
@ -1 +1,10 @@
+.vscode/
+
 *.exe
+
+# testing
+testdata
+
+# go workspaces
+go.work
+go.work.sum
--- a/vendor/github.com/Microsoft/go-winio/.golangci.yml
+++ b/vendor/github.com/Microsoft/go-winio/.golangci.yml
@ -0,0 +1,149 @@
+run:
+  skip-dirs:
+    - pkg/etw/sample
+
+linters:
+  enable:
+    # style
+    - containedctx # struct contains a context
+    - dupl # duplicate code
+    - errname # erorrs are named correctly
+    - nolintlint # "//nolint" directives are properly explained
+    - revive # golint replacement
+    - unconvert # unnecessary conversions
+    - wastedassign
+
+    # bugs, performance, unused, etc ...
+    - contextcheck # function uses a non-inherited context
+    - errorlint # errors not wrapped for 1.13
+    - exhaustive # check exhaustiveness of enum switch statements
+    - gofmt # files are gofmt'ed
+    - gosec # security
+    - nilerr # returns nil even with non-nil error
+    - unparam # unused function params
+
+issues:
+  exclude-rules:
+    # err is very often shadowed in nested scopes
+    - linters:
+        - govet
+      text: '^shadow: declaration of "err" shadows declaration'
+
+    # ignore long lines for skip autogen directives
+    - linters:
+        - revive
+      text: "^line-length-limit: "
+      source: "^//(go:generate|sys) "
+
+    #TODO: remove after upgrading to go1.18
+    # ignore comment spacing for nolint and sys directives
+    - linters:
+        - revive
+      text: "^comment-spacings: no space between comment delimiter and comment text"
+      source: "//(cspell:|nolint:|sys |todo)"
+
+    # not on go 1.18 yet, so no any
+    - linters:
+        - revive
+      text: "^use-any: since GO 1.18 'interface{}' can be replaced by 'any'"
+
+    # allow unjustified ignores of error checks in defer statements
+    - linters:
+        - nolintlint
+      text: "^directive `//nolint:errcheck` should provide explanation"
+      source: '^\s*defer '
+
+    # allow unjustified ignores of error lints for io.EOF
+    - linters:
+        - nolintlint
+      text: "^directive `//nolint:errorlint` should provide explanation"
+      source: '[=|!]= io.EOF'
+
+
+linters-settings:
+  exhaustive:
+    default-signifies-exhaustive: true
+  govet:
+    enable-all: true
+    disable:
+      # struct order is often for Win32 compat
+      # also, ignore pointer bytes/GC issues for now until performance becomes an issue
+      - fieldalignment
+    check-shadowing: true
+  nolintlint:
+    allow-leading-space: false
+    require-explanation: true
+    require-specific: true
+  revive:
+    # revive is more configurable than static check, so likely the preferred alternative to static-check
+    # (once the perf issue is solved: https://github.com/golangci/golangci-lint/issues/2997)
+    enable-all-rules:
+      true
+      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
+    rules:
+      # rules with required arguments
+      - name: argument-limit
+        disabled: true
+      - name: banned-characters
+        disabled: true
+      - name: cognitive-complexity
+        disabled: true
+      - name: cyclomatic
+        disabled: true
+      - name: file-header
+        disabled: true
+      - name: function-length
+        disabled: true
+      - name: function-result-limit
+        disabled: true
+      - name: max-public-structs
+        disabled: true
+      # geneally annoying rules
+      - name: add-constant # complains about any and all strings and integers
+        disabled: true
+      - name: confusing-naming # we frequently use "Foo()" and "foo()" together
+        disabled: true
+      - name: flag-parameter # excessive, and a common idiom we use
+        disabled: true
+      - name: unhandled-error # warns over common fmt.Print* and io.Close; rely on errcheck instead
+        disabled: true
+      # general config
+      - name: line-length-limit
+        arguments:
+          - 140
+      - name: var-naming
+        arguments:
+          - []
+          - - CID
+            - CRI
+            - CTRD
+            - DACL
+            - DLL
+            - DOS
+            - ETW
+            - FSCTL
+            - GCS
+            - GMSA
+            - HCS
+            - HV
+            - IO
+            - LCOW
+            - LDAP
+            - LPAC
+            - LTSC
+            - MMIO
+            - NT
+            - OCI
+            - PMEM
+            - PWSH
+            - RX
+            - SACl
+            - SID
+            - SMB
+            - TX
+            - VHD
+            - VHDX
+            - VMID
+            - VPCI
+            - WCOW
+            - WIM
--- a/vendor/github.com/Microsoft/go-winio/README.md
+++ b/vendor/github.com/Microsoft/go-winio/README.md
@ -13,16 +13,60 @@ Please see the LICENSE file for licensing information.

 ## Contributing

-This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA)
-declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
+This project welcomes contributions and suggestions.
+Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that
+you have the right to, and actually do, grant us the rights to use your contribution.
+For details, visit [Microsoft CLA](https://cla.microsoft.com).

-When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR
-appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
+When you submit a pull request, a CLA-bot will automatically determine whether you need to
+provide a CLA and decorate the PR appropriately (e.g., label, comment).
+Simply follow the instructions provided by the bot.
+You will only need to do this once across all repos using our CLA.

-We also require that contributors sign their commits using git commit -s or git commit --signoff to certify they either authored the work themselves
-or otherwise have permission to use it in this project. Please see https://developercertificate.org/ for more info, as well as to make sure that you can
-attest to the rules listed. Our CI uses the DCO Github app to ensure that all commits in a given PR are signed-off.
+Additionally, the pull request pipeline requires the following steps to be performed before
+mergining.

+### Code Sign-Off
+
+We require that contributors sign their commits using [`git commit --signoff`][git-commit-s]
+to certify they either authored the work themselves or otherwise have permission to use it in this project.
+
+A range of commits can be signed off using [`git rebase --signoff`][git-rebase-s].
+
+Please see [the developer certificate](https://developercertificate.org) for more info,
+as well as to make sure that you can attest to the rules listed.
+Our CI uses the DCO Github app to ensure that all commits in a given PR are signed-off.
+
+### Linting
+
+Code must pass a linting stage, which uses [`golangci-lint`][lint].
+The linting settings are stored in [`.golangci.yaml`](./.golangci.yaml), and can be run
+automatically with VSCode by adding the following to your workspace or folder settings:
+
+```json
+    "go.lintTool": "golangci-lint",
+    "go.lintOnSave": "package",
+```
+
+Additional editor [integrations options are also available][lint-ide].
+
+Alternatively, `golangci-lint` can be [installed locally][lint-install] and run from the repo root:
+
+```shell
+# use . or specify a path to only lint a package
+# to show all lint errors, use flags "--max-issues-per-linter=0 --max-same-issues=0"
+> golangci-lint run ./...
+```
+
+### Go Generate
+
+The pipeline checks that auto-generated code, via `go generate`, are up to date.
+
+This can be done for the entire repo:
+
+```shell
+> go generate ./...
+```

 ## Code of Conduct

@ -30,8 +74,16 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope
 For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
 contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

-
-
 ## Special Thanks
-Thanks to natefinch for the inspiration for this library. See https://github.com/natefinch/npipe
-for another named pipe implementation.
+
+Thanks to [natefinch][natefinch] for the inspiration for this library.
+See [npipe](https://github.com/natefinch/npipe) for another named pipe implementation.
+
+[lint]: https://golangci-lint.run/
+[lint-ide]: https://golangci-lint.run/usage/integrations/#editor-integration
+[lint-install]: https://golangci-lint.run/usage/install/#local-installation
+
+[git-commit-s]: https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s
+[git-rebase-s]: https://git-scm.com/docs/git-rebase#Documentation/git-rebase.txt---signoff
+
+[natefinch]: https://github.com/natefinch
--- a/vendor/github.com/Microsoft/go-winio/SECURITY.md
+++ b/vendor/github.com/Microsoft/go-winio/SECURITY.md
@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.7 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
--- a/vendor/github.com/Microsoft/go-winio/backup.go
+++ b/vendor/github.com/Microsoft/go-winio/backup.go
@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 package winio
@ -7,11 +8,12 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"runtime"
 	"syscall"
 	"unicode/utf16"
+
+	"golang.org/x/sys/windows"
 )

 //sys backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) = BackupRead
@ -24,7 +26,7 @@ const (
 	BackupAlternateData
 	BackupLink
 	BackupPropertyData
-	BackupObjectId
+	BackupObjectId //revive:disable-line:var-naming ID, not Id
 	BackupReparseData
 	BackupSparseBlock
 	BackupTxfsData
@ -34,14 +36,16 @@ const (
 	StreamSparseAttributes = uint32(8)
 )

+//nolint:revive // var-naming: ALL_CAPS
 const (
-	WRITE_DAC              = 0x40000
-	WRITE_OWNER            = 0x80000
-	ACCESS_SYSTEM_SECURITY = 0x1000000
+	WRITE_DAC              = windows.WRITE_DAC
+	WRITE_OWNER            = windows.WRITE_OWNER
+	ACCESS_SYSTEM_SECURITY = windows.ACCESS_SYSTEM_SECURITY
 )

 // BackupHeader represents a backup stream of a file.
 type BackupHeader struct {
+	//revive:disable-next-line:var-naming ID, not Id
 	Id         uint32 // The backup stream ID
 	Attributes uint32 // Stream attributes
 	Size       int64  // The size of the stream in bytes
@ -49,8 +53,8 @@ type BackupHeader struct {
 	Offset     int64  // The offset of the stream in the file (for BackupSparseBlock only).
 }

-type win32StreamId struct {
-	StreamId   uint32
+type win32StreamID struct {
+	StreamID   uint32
 	Attributes uint32
 	Size       uint64
 	NameSize   uint32
@ -71,7 +75,7 @@ func NewBackupStreamReader(r io.Reader) *BackupStreamReader {
 // Next returns the next backup stream and prepares for calls to Read(). It skips the remainder of the current stream if
 // it was not completely read.
 func (r *BackupStreamReader) Next() (*BackupHeader, error) {
-	if r.bytesLeft > 0 {
+	if r.bytesLeft > 0 { //nolint:nestif // todo: flatten this
 		if s, ok := r.r.(io.Seeker); ok {
 			// Make sure Seek on io.SeekCurrent sometimes succeeds
 			// before trying the actual seek.
@ -82,16 +86,16 @@ func (r *BackupStreamReader) Next() (*BackupHeader, error) {
 				r.bytesLeft = 0
 			}
 		}
-		if _, err := io.Copy(ioutil.Discard, r); err != nil {
+		if _, err := io.Copy(io.Discard, r); err != nil {
 			return nil, err
 		}
 	}
-	var wsi win32StreamId
+	var wsi win32StreamID
 	if err := binary.Read(r.r, binary.LittleEndian, &wsi); err != nil {
 		return nil, err
 	}
 	hdr := &BackupHeader{
-		Id:         wsi.StreamId,
+		Id:         wsi.StreamID,
 		Attributes: wsi.Attributes,
 		Size:       int64(wsi.Size),
 	}
@ -102,7 +106,7 @@ func (r *BackupStreamReader) Next() (*BackupHeader, error) {
 		}
 		hdr.Name = syscall.UTF16ToString(name)
 	}
-	if wsi.StreamId == BackupSparseBlock {
+	if wsi.StreamID == BackupSparseBlock {
 		if err := binary.Read(r.r, binary.LittleEndian, &hdr.Offset); err != nil {
 			return nil, err
 		}
@ -147,8 +151,8 @@ func (w *BackupStreamWriter) WriteHeader(hdr *BackupHeader) error {
 		return fmt.Errorf("missing %d bytes", w.bytesLeft)
 	}
 	name := utf16.Encode([]rune(hdr.Name))
-	wsi := win32StreamId{
-		StreamId:   hdr.Id,
+	wsi := win32StreamID{
+		StreamID:   hdr.Id,
 		Attributes: hdr.Attributes,
 		Size:       uint64(hdr.Size),
 		NameSize:   uint32(len(name) * 2),
@ -203,7 +207,7 @@ func (r *BackupFileReader) Read(b []byte) (int, error) {
 	var bytesRead uint32
 	err := backupRead(syscall.Handle(r.f.Fd()), b, &bytesRead, false, r.includeSecurity, &r.ctx)
 	if err != nil {
-		return 0, &os.PathError{"BackupRead", r.f.Name(), err}
+		return 0, &os.PathError{Op: "BackupRead", Path: r.f.Name(), Err: err}
 	}
 	runtime.KeepAlive(r.f)
 	if bytesRead == 0 {
@ -216,7 +220,7 @@ func (r *BackupFileReader) Read(b []byte) (int, error) {
 // the underlying file.
 func (r *BackupFileReader) Close() error {
 	if r.ctx != 0 {
-		backupRead(syscall.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
+		_ = backupRead(syscall.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
 		runtime.KeepAlive(r.f)
 		r.ctx = 0
 	}
@ -242,7 +246,7 @@ func (w *BackupFileWriter) Write(b []byte) (int, error) {
 	var bytesWritten uint32
 	err := backupWrite(syscall.Handle(w.f.Fd()), b, &bytesWritten, false, w.includeSecurity, &w.ctx)
 	if err != nil {
-		return 0, &os.PathError{"BackupWrite", w.f.Name(), err}
+		return 0, &os.PathError{Op: "BackupWrite", Path: w.f.Name(), Err: err}
 	}
 	runtime.KeepAlive(w.f)
 	if int(bytesWritten) != len(b) {
@ -255,7 +259,7 @@ func (w *BackupFileWriter) Write(b []byte) (int, error) {
 // close the underlying file.
 func (w *BackupFileWriter) Close() error {
 	if w.ctx != 0 {
-		backupWrite(syscall.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
+		_ = backupWrite(syscall.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
 		runtime.KeepAlive(w.f)
 		w.ctx = 0
 	}
@ -271,7 +275,13 @@ func OpenForBackup(path string, access uint32, share uint32, createmode uint32)
 	if err != nil {
 		return nil, err
 	}
-	h, err := syscall.CreateFile(&winPath[0], access, share, nil, createmode, syscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OPEN_REPARSE_POINT, 0)
+	h, err := syscall.CreateFile(&winPath[0],
+		access,
+		share,
+		nil,
+		createmode,
+		syscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OPEN_REPARSE_POINT,
+		0)
 	if err != nil {
 		err = &os.PathError{Op: "open", Path: path, Err: err}
 		return nil, err
--- a/vendor/github.com/Microsoft/go-winio/doc.go
+++ b/vendor/github.com/Microsoft/go-winio/doc.go
@ -0,0 +1,22 @@
+// This package provides utilities for efficiently performing Win32 IO operations in Go.
+// Currently, this package is provides support for genreal IO and management of
+//   - named pipes
+//   - files
+//   - [Hyper-V sockets]
+//
+// This code is similar to Go's [net] package, and uses IO completion ports to avoid
+// blocking IO on system threads, allowing Go to reuse the thread to schedule other goroutines.
+//
+// This limits support to Windows Vista and newer operating systems.
+//
+// Additionally, this package provides support for:
+//   - creating and managing GUIDs
+//   - writing to [ETW]
+//   - opening and manageing VHDs
+//   - parsing [Windows Image files]
+//   - auto-generating Win32 API code
+//
+// [Hyper-V sockets]: https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service
+// [ETW]: https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/event-tracing-for-windows--etw-
+// [Windows Image files]: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/work-with-windows-images
+package winio
--- a/vendor/github.com/Microsoft/go-winio/ea.go
+++ b/vendor/github.com/Microsoft/go-winio/ea.go
@ -33,7 +33,7 @@ func parseEa(b []byte) (ea ExtendedAttribute, nb []byte, err error) {
 	err = binary.Read(bytes.NewReader(b), binary.LittleEndian, &info)
 	if err != nil {
 		err = errInvalidEaBuffer
-		return
+		return ea, nb, err
 	}

 	nameOffset := fileFullEaInformationSize
@ -43,7 +43,7 @@ func parseEa(b []byte) (ea ExtendedAttribute, nb []byte, err error) {
 	nextOffset := int(info.NextEntryOffset)
 	if valueLen+valueOffset > len(b) || nextOffset < 0 || nextOffset > len(b) {
 		err = errInvalidEaBuffer
-		return
+		return ea, nb, err
 	}

 	ea.Name = string(b[nameOffset : nameOffset+nameLen])
@ -52,7 +52,7 @@ func parseEa(b []byte) (ea ExtendedAttribute, nb []byte, err error) {
 	if info.NextEntryOffset != 0 {
 		nb = b[info.NextEntryOffset:]
 	}
-	return
+	return ea, nb, err
 }

 // DecodeExtendedAttributes decodes a list of EAs from a FILE_FULL_EA_INFORMATION
@ -67,7 +67,7 @@ func DecodeExtendedAttributes(b []byte) (eas []ExtendedAttribute, err error) {
 		eas = append(eas, ea)
 		b = nb
 	}
-	return
+	return eas, err
 }

 func writeEa(buf *bytes.Buffer, ea *ExtendedAttribute, last bool) error {
--- a/vendor/github.com/Microsoft/go-winio/file.go
+++ b/vendor/github.com/Microsoft/go-winio/file.go
@ -11,6 +11,8 @@ import (
 	"sync/atomic"
 	"syscall"
 	"time"
+
+	"golang.org/x/sys/windows"
 )

 //sys cancelIoEx(file syscall.Handle, o *syscall.Overlapped) (err error) = CancelIoEx
@ -24,6 +26,8 @@ type atomicBool int32
 func (b *atomicBool) isSet() bool { return atomic.LoadInt32((*int32)(b)) != 0 }
 func (b *atomicBool) setFalse()   { atomic.StoreInt32((*int32)(b), 0) }
 func (b *atomicBool) setTrue()    { atomic.StoreInt32((*int32)(b), 1) }
+
+//revive:disable-next-line:predeclared Keep "new" to maintain consistency with "atomic" pkg
 func (b *atomicBool) swap(new bool) bool {
 	var newInt int32
 	if new {
@ -32,11 +36,6 @@ func (b *atomicBool) swap(new bool) bool {
 	return atomic.SwapInt32((*int32)(b), newInt) == 1
 }

-const (
-	cFILE_SKIP_COMPLETION_PORT_ON_SUCCESS = 1
-	cFILE_SKIP_SET_EVENT_ON_HANDLE        = 2
-)
-
 var (
 	ErrFileClosed = errors.New("file has already been closed")
 	ErrTimeout    = &timeoutError{}
@ -44,28 +43,28 @@ var (

 type timeoutError struct{}

-func (e *timeoutError) Error() string   { return "i/o timeout" }
-func (e *timeoutError) Timeout() bool   { return true }
-func (e *timeoutError) Temporary() bool { return true }
+func (*timeoutError) Error() string   { return "i/o timeout" }
+func (*timeoutError) Timeout() bool   { return true }
+func (*timeoutError) Temporary() bool { return true }

 type timeoutChan chan struct{}

 var ioInitOnce sync.Once
 var ioCompletionPort syscall.Handle

-// ioResult contains the result of an asynchronous IO operation
+// ioResult contains the result of an asynchronous IO operation.
 type ioResult struct {
 	bytes uint32
 	err   error
 }

-// ioOperation represents an outstanding asynchronous Win32 IO
+// ioOperation represents an outstanding asynchronous Win32 IO.
 type ioOperation struct {
 	o  syscall.Overlapped
 	ch chan ioResult
 }

-func initIo() {
+func initIO() {
 	h, err := createIoCompletionPort(syscall.InvalidHandle, 0, 0, 0xffffffff)
 	if err != nil {
 		panic(err)
@ -94,15 +93,15 @@ type deadlineHandler struct {
 	timedout    atomicBool
 }

-// makeWin32File makes a new win32File from an existing file handle
+// makeWin32File makes a new win32File from an existing file handle.
 func makeWin32File(h syscall.Handle) (*win32File, error) {
 	f := &win32File{handle: h}
-	ioInitOnce.Do(initIo)
+	ioInitOnce.Do(initIO)
 	_, err := createIoCompletionPort(h, ioCompletionPort, 0, 0xffffffff)
 	if err != nil {
 		return nil, err
 	}
-	err = setFileCompletionNotificationModes(h, cFILE_SKIP_COMPLETION_PORT_ON_SUCCESS|cFILE_SKIP_SET_EVENT_ON_HANDLE)
+	err = setFileCompletionNotificationModes(h, windows.FILE_SKIP_COMPLETION_PORT_ON_SUCCESS|windows.FILE_SKIP_SET_EVENT_ON_HANDLE)
 	if err != nil {
 		return nil, err
 	}
@ -121,14 +120,14 @@ func MakeOpenFile(h syscall.Handle) (io.ReadWriteCloser, error) {
 	return f, nil
 }

-// closeHandle closes the resources associated with a Win32 handle
+// closeHandle closes the resources associated with a Win32 handle.
 func (f *win32File) closeHandle() {
 	f.wgLock.Lock()
 	// Atomically set that we are closing, releasing the resources only once.
 	if !f.closing.swap(true) {
 		f.wgLock.Unlock()
 		// cancel all IO and wait for it to complete
-		cancelIoEx(f.handle, nil)
+		_ = cancelIoEx(f.handle, nil)
 		f.wg.Wait()
 		// at this point, no new IO can start
 		syscall.Close(f.handle)
@ -144,14 +143,14 @@ func (f *win32File) Close() error {
 	return nil
 }

-// IsClosed checks if the file has been closed
+// IsClosed checks if the file has been closed.
 func (f *win32File) IsClosed() bool {
 	return f.closing.isSet()
 }

-// prepareIo prepares for a new IO operation.
+// prepareIO prepares for a new IO operation.
 // The caller must call f.wg.Done() when the IO is finished, prior to Close() returning.
-func (f *win32File) prepareIo() (*ioOperation, error) {
+func (f *win32File) prepareIO() (*ioOperation, error) {
 	f.wgLock.RLock()
 	if f.closing.isSet() {
 		f.wgLock.RUnlock()
@ -164,7 +163,7 @@ func (f *win32File) prepareIo() (*ioOperation, error) {
 	return c, nil
 }

-// ioCompletionProcessor processes completed async IOs forever
+// ioCompletionProcessor processes completed async IOs forever.
 func ioCompletionProcessor(h syscall.Handle) {
 	for {
 		var bytes uint32
@ -178,15 +177,17 @@ func ioCompletionProcessor(h syscall.Handle) {
 	}
 }

-// asyncIo processes the return value from ReadFile or WriteFile, blocking until
+// todo: helsaawy - create an asyncIO version that takes a context
+
+// asyncIO processes the return value from ReadFile or WriteFile, blocking until
 // the operation has actually completed.
-func (f *win32File) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, err error) (int, error) {
-	if err != syscall.ERROR_IO_PENDING {
+func (f *win32File) asyncIO(c *ioOperation, d *deadlineHandler, bytes uint32, err error) (int, error) {
+	if err != syscall.ERROR_IO_PENDING { //nolint:errorlint // err is Errno
 		return int(bytes), err
 	}

 	if f.closing.isSet() {
-		cancelIoEx(f.handle, &c.o)
+		_ = cancelIoEx(f.handle, &c.o)
 	}

 	var timeout timeoutChan
@ -200,7 +201,7 @@ func (f *win32File) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, er
 	select {
 	case r = <-c.ch:
 		err = r.err
-		if err == syscall.ERROR_OPERATION_ABORTED {
+		if err == syscall.ERROR_OPERATION_ABORTED { //nolint:errorlint // err is Errno
 			if f.closing.isSet() {
 				err = ErrFileClosed
 			}
@ -210,10 +211,10 @@ func (f *win32File) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, er
 			err = wsaGetOverlappedResult(f.handle, &c.o, &bytes, false, &flags)
 		}
 	case <-timeout:
-		cancelIoEx(f.handle, &c.o)
+		_ = cancelIoEx(f.handle, &c.o)
 		r = <-c.ch
 		err = r.err
-		if err == syscall.ERROR_OPERATION_ABORTED {
+		if err == syscall.ERROR_OPERATION_ABORTED { //nolint:errorlint // err is Errno
 			err = ErrTimeout
 		}
 	}
@ -221,13 +222,14 @@ func (f *win32File) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, er
 	// runtime.KeepAlive is needed, as c is passed via native
 	// code to ioCompletionProcessor, c must remain alive
 	// until the channel read is complete.
+	// todo: (de)allocate *ioOperation via win32 heap functions, instead of needing to KeepAlive?
 	runtime.KeepAlive(c)
 	return int(r.bytes), err
 }

 // Read reads from a file handle.
 func (f *win32File) Read(b []byte) (int, error) {
-	c, err := f.prepareIo()
+	c, err := f.prepareIO()
 	if err != nil {
 		return 0, err
 	}
@ -239,13 +241,13 @@ func (f *win32File) Read(b []byte) (int, error) {

 	var bytes uint32
 	err = syscall.ReadFile(f.handle, b, &bytes, &c.o)
-	n, err := f.asyncIo(c, &f.readDeadline, bytes, err)
+	n, err := f.asyncIO(c, &f.readDeadline, bytes, err)
 	runtime.KeepAlive(b)

 	// Handle EOF conditions.
 	if err == nil && n == 0 && len(b) != 0 {
 		return 0, io.EOF
-	} else if err == syscall.ERROR_BROKEN_PIPE {
+	} else if err == syscall.ERROR_BROKEN_PIPE { //nolint:errorlint // err is Errno
 		return 0, io.EOF
 	} else {
 		return n, err
@ -254,7 +256,7 @@ func (f *win32File) Read(b []byte) (int, error) {

 // Write writes to a file handle.
 func (f *win32File) Write(b []byte) (int, error) {
-	c, err := f.prepareIo()
+	c, err := f.prepareIO()
 	if err != nil {
 		return 0, err
 	}
@ -266,7 +268,7 @@ func (f *win32File) Write(b []byte) (int, error) {

 	var bytes uint32
 	err = syscall.WriteFile(f.handle, b, &bytes, &c.o)
-	n, err := f.asyncIo(c, &f.writeDeadline, bytes, err)
+	n, err := f.asyncIO(c, &f.writeDeadline, bytes, err)
 	runtime.KeepAlive(b)
 	return n, err
 }
--- a/vendor/github.com/Microsoft/go-winio/fileinfo.go
+++ b/vendor/github.com/Microsoft/go-winio/fileinfo.go
@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 package winio
@ -14,13 +15,18 @@ import (
 type FileBasicInfo struct {
 	CreationTime, LastAccessTime, LastWriteTime, ChangeTime windows.Filetime
 	FileAttributes                                          uint32
-	pad                                                     uint32 // padding
+	_                                                       uint32 // padding
 }

 // GetFileBasicInfo retrieves times and attributes for a file.
 func GetFileBasicInfo(f *os.File) (*FileBasicInfo, error) {
 	bi := &FileBasicInfo{}
-	if err := windows.GetFileInformationByHandleEx(windows.Handle(f.Fd()), windows.FileBasicInfo, (*byte)(unsafe.Pointer(bi)), uint32(unsafe.Sizeof(*bi))); err != nil {
+	if err := windows.GetFileInformationByHandleEx(
+		windows.Handle(f.Fd()),
+		windows.FileBasicInfo,
+		(*byte)(unsafe.Pointer(bi)),
+		uint32(unsafe.Sizeof(*bi)),
+	); err != nil {
 		return nil, &os.PathError{Op: "GetFileInformationByHandleEx", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
@ -29,7 +35,12 @@ func GetFileBasicInfo(f *os.File) (*FileBasicInfo, error) {

 // SetFileBasicInfo sets times and attributes for a file.
 func SetFileBasicInfo(f *os.File, bi *FileBasicInfo) error {
-	if err := windows.SetFileInformationByHandle(windows.Handle(f.Fd()), windows.FileBasicInfo, (*byte)(unsafe.Pointer(bi)), uint32(unsafe.Sizeof(*bi))); err != nil {
+	if err := windows.SetFileInformationByHandle(
+		windows.Handle(f.Fd()),
+		windows.FileBasicInfo,
+		(*byte)(unsafe.Pointer(bi)),
+		uint32(unsafe.Sizeof(*bi)),
+	); err != nil {
 		return &os.PathError{Op: "SetFileInformationByHandle", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
@ -48,7 +59,10 @@ type FileStandardInfo struct {
 // GetFileStandardInfo retrieves ended information for the file.
 func GetFileStandardInfo(f *os.File) (*FileStandardInfo, error) {
 	si := &FileStandardInfo{}
-	if err := windows.GetFileInformationByHandleEx(windows.Handle(f.Fd()), windows.FileStandardInfo, (*byte)(unsafe.Pointer(si)), uint32(unsafe.Sizeof(*si))); err != nil {
+	if err := windows.GetFileInformationByHandleEx(windows.Handle(f.Fd()),
+		windows.FileStandardInfo,
+		(*byte)(unsafe.Pointer(si)),
+		uint32(unsafe.Sizeof(*si))); err != nil {
 		return nil, &os.PathError{Op: "GetFileInformationByHandleEx", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
@ -65,7 +79,12 @@ type FileIDInfo struct {
 // GetFileID retrieves the unique (volume, file ID) pair for a file.
 func GetFileID(f *os.File) (*FileIDInfo, error) {
 	fileID := &FileIDInfo{}
-	if err := windows.GetFileInformationByHandleEx(windows.Handle(f.Fd()), windows.FileIdInfo, (*byte)(unsafe.Pointer(fileID)), uint32(unsafe.Sizeof(*fileID))); err != nil {
+	if err := windows.GetFileInformationByHandleEx(
+		windows.Handle(f.Fd()),
+		windows.FileIdInfo,
+		(*byte)(unsafe.Pointer(fileID)),
+		uint32(unsafe.Sizeof(*fileID)),
+	); err != nil {
 		return nil, &os.PathError{Op: "GetFileInformationByHandleEx", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
--- a/vendor/github.com/Microsoft/go-winio/hvsock.go
+++ b/vendor/github.com/Microsoft/go-winio/hvsock.go
@ -4,6 +4,8 @@
 package winio

 import (
+	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@ -12,16 +14,87 @@ import (
 	"time"
 	"unsafe"

+	"golang.org/x/sys/windows"
+
+	"github.com/Microsoft/go-winio/internal/socket"
 	"github.com/Microsoft/go-winio/pkg/guid"
 )

-//sys bind(s syscall.Handle, name unsafe.Pointer, namelen int32) (err error) [failretval==socketError] = ws2_32.bind
+const afHVSock = 34 // AF_HYPERV

-const (
-	afHvSock = 34 // AF_HYPERV
+// Well known Service and VM IDs
+// https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service#vmid-wildcards

-	socketError = ^uintptr(0)
-)
+// HvsockGUIDWildcard is the wildcard VmId for accepting connections from all partitions.
+func HvsockGUIDWildcard() guid.GUID { // 00000000-0000-0000-0000-000000000000
+	return guid.GUID{}
+}
+
+// HvsockGUIDBroadcast is the wildcard VmId for broadcasting sends to all partitions.
+func HvsockGUIDBroadcast() guid.GUID { // ffffffff-ffff-ffff-ffff-ffffffffffff
+	return guid.GUID{
+		Data1: 0xffffffff,
+		Data2: 0xffff,
+		Data3: 0xffff,
+		Data4: [8]uint8{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+	}
+}
+
+// HvsockGUIDLoopback is the Loopback VmId for accepting connections to the same partition as the connector.
+func HvsockGUIDLoopback() guid.GUID { // e0e16197-dd56-4a10-9195-5ee7a155a838
+	return guid.GUID{
+		Data1: 0xe0e16197,
+		Data2: 0xdd56,
+		Data3: 0x4a10,
+		Data4: [8]uint8{0x91, 0x95, 0x5e, 0xe7, 0xa1, 0x55, 0xa8, 0x38},
+	}
+}
+
+// HvsockGUIDSiloHost is the address of a silo's host partition:
+//   - The silo host of a hosted silo is the utility VM.
+//   - The silo host of a silo on a physical host is the physical host.
+func HvsockGUIDSiloHost() guid.GUID { // 36bd0c5c-7276-4223-88ba-7d03b654c568
+	return guid.GUID{
+		Data1: 0x36bd0c5c,
+		Data2: 0x7276,
+		Data3: 0x4223,
+		Data4: [8]byte{0x88, 0xba, 0x7d, 0x03, 0xb6, 0x54, 0xc5, 0x68},
+	}
+}
+
+// HvsockGUIDChildren is the wildcard VmId for accepting connections from the connector's child partitions.
+func HvsockGUIDChildren() guid.GUID { // 90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd
+	return guid.GUID{
+		Data1: 0x90db8b89,
+		Data2: 0xd35,
+		Data3: 0x4f79,
+		Data4: [8]uint8{0x8c, 0xe9, 0x49, 0xea, 0xa, 0xc8, 0xb7, 0xcd},
+	}
+}
+
+// HvsockGUIDParent is the wildcard VmId for accepting connections from the connector's parent partition.
+// Listening on this VmId accepts connection from:
+//   - Inside silos: silo host partition.
+//   - Inside hosted silo: host of the VM.
+//   - Inside VM: VM host.
+//   - Physical host: Not supported.
+func HvsockGUIDParent() guid.GUID { // a42e7cda-d03f-480c-9cc2-a4de20abb878
+	return guid.GUID{
+		Data1: 0xa42e7cda,
+		Data2: 0xd03f,
+		Data3: 0x480c,
+		Data4: [8]uint8{0x9c, 0xc2, 0xa4, 0xde, 0x20, 0xab, 0xb8, 0x78},
+	}
+}
+
+// hvsockVsockServiceTemplate is the Service GUID used for the VSOCK protocol.
+func hvsockVsockServiceTemplate() guid.GUID { // 00000000-facb-11e6-bd58-64006a7986d3
+	return guid.GUID{
+		Data2: 0xfacb,
+		Data3: 0x11e6,
+		Data4: [8]uint8{0xbd, 0x58, 0x64, 0x00, 0x6a, 0x79, 0x86, 0xd3},
+	}
+}

 // An HvsockAddr is an address for a AF_HYPERV socket.
 type HvsockAddr struct {
@ -36,8 +109,10 @@ type rawHvsockAddr struct {
 	ServiceID guid.GUID
 }

+var _ socket.RawSockaddr = &rawHvsockAddr{}
+
 // Network returns the address's network name, "hvsock".
-func (addr *HvsockAddr) Network() string {
+func (*HvsockAddr) Network() string {
 	return "hvsock"
 }

@ -47,14 +122,14 @@ func (addr *HvsockAddr) String() string {

 // VsockServiceID returns an hvsock service ID corresponding to the specified AF_VSOCK port.
 func VsockServiceID(port uint32) guid.GUID {
-	g, _ := guid.FromString("00000000-facb-11e6-bd58-64006a7986d3")
+	g := hvsockVsockServiceTemplate() // make a copy
 	g.Data1 = port
 	return g
 }

 func (addr *HvsockAddr) raw() rawHvsockAddr {
 	return rawHvsockAddr{
-		Family:    afHvSock,
+		Family:    afHVSock,
 		VMID:      addr.VMID,
 		ServiceID: addr.ServiceID,
 	}
@ -65,20 +140,48 @@ func (addr *HvsockAddr) fromRaw(raw *rawHvsockAddr) {
 	addr.ServiceID = raw.ServiceID
 }

+// Sockaddr returns a pointer to and the size of this struct.
+//
+// Implements the [socket.RawSockaddr] interface, and allows use in
+// [socket.Bind] and [socket.ConnectEx].
+func (r *rawHvsockAddr) Sockaddr() (unsafe.Pointer, int32, error) {
+	return unsafe.Pointer(r), int32(unsafe.Sizeof(rawHvsockAddr{})), nil
+}
+
+// Sockaddr interface allows use with `sockets.Bind()` and `.ConnectEx()`.
+func (r *rawHvsockAddr) FromBytes(b []byte) error {
+	n := int(unsafe.Sizeof(rawHvsockAddr{}))
+
+	if len(b) < n {
+		return fmt.Errorf("got %d, want %d: %w", len(b), n, socket.ErrBufferSize)
+	}
+
+	copy(unsafe.Slice((*byte)(unsafe.Pointer(r)), n), b[:n])
+	if r.Family != afHVSock {
+		return fmt.Errorf("got %d, want %d: %w", r.Family, afHVSock, socket.ErrAddrFamily)
+	}
+
+	return nil
+}
+
 // HvsockListener is a socket listener for the AF_HYPERV address family.
 type HvsockListener struct {
 	sock *win32File
 	addr HvsockAddr
 }

+var _ net.Listener = &HvsockListener{}
+
 // HvsockConn is a connected socket of the AF_HYPERV address family.
 type HvsockConn struct {
 	sock          *win32File
 	local, remote HvsockAddr
 }

-func newHvSocket() (*win32File, error) {
-	fd, err := syscall.Socket(afHvSock, syscall.SOCK_STREAM, 1)
+var _ net.Conn = &HvsockConn{}
+
+func newHVSocket() (*win32File, error) {
+	fd, err := syscall.Socket(afHVSock, syscall.SOCK_STREAM, 1)
 	if err != nil {
 		return nil, os.NewSyscallError("socket", err)
 	}
@ -94,12 +197,12 @@ func newHvSocket() (*win32File, error) {
 // ListenHvsock listens for connections on the specified hvsock address.
 func ListenHvsock(addr *HvsockAddr) (_ *HvsockListener, err error) {
 	l := &HvsockListener{addr: *addr}
-	sock, err := newHvSocket()
+	sock, err := newHVSocket()
 	if err != nil {
 		return nil, l.opErr("listen", err)
 	}
 	sa := addr.raw()
-	err = bind(sock.handle, unsafe.Pointer(&sa), int32(unsafe.Sizeof(sa)))
+	err = socket.Bind(windows.Handle(sock.handle), &sa)
 	if err != nil {
 		return nil, l.opErr("listen", os.NewSyscallError("socket", err))
 	}
@ -121,7 +224,7 @@ func (l *HvsockListener) Addr() net.Addr {

 // Accept waits for the next connection and returns it.
 func (l *HvsockListener) Accept() (_ net.Conn, err error) {
-	sock, err := newHvSocket()
+	sock, err := newHVSocket()
 	if err != nil {
 		return nil, l.opErr("accept", err)
 	}
@ -130,27 +233,42 @@ func (l *HvsockListener) Accept() (_ net.Conn, err error) {
 			sock.Close()
 		}
 	}()
-	c, err := l.sock.prepareIo()
+	c, err := l.sock.prepareIO()
 	if err != nil {
 		return nil, l.opErr("accept", err)
 	}
 	defer l.sock.wg.Done()

 	// AcceptEx, per documentation, requires an extra 16 bytes per address.
+	//
+	// https://docs.microsoft.com/en-us/windows/win32/api/mswsock/nf-mswsock-acceptex
 	const addrlen = uint32(16 + unsafe.Sizeof(rawHvsockAddr{}))
 	var addrbuf [addrlen * 2]byte

 	var bytes uint32
-	err = syscall.AcceptEx(l.sock.handle, sock.handle, &addrbuf[0], 0, addrlen, addrlen, &bytes, &c.o)
-	_, err = l.sock.asyncIo(c, nil, bytes, err)
-	if err != nil {
+	err = syscall.AcceptEx(l.sock.handle, sock.handle, &addrbuf[0], 0 /* rxdatalen */, addrlen, addrlen, &bytes, &c.o)
+	if _, err = l.sock.asyncIO(c, nil, bytes, err); err != nil {
 		return nil, l.opErr("accept", os.NewSyscallError("acceptex", err))
 	}
+
 	conn := &HvsockConn{
 		sock: sock,
 	}
+	// The local address returned in the AcceptEx buffer is the same as the Listener socket's
+	// address. However, the service GUID reported by GetSockName is different from the Listeners
+	// socket, and is sometimes the same as the local address of the socket that dialed the
+	// address, with the service GUID.Data1 incremented, but othertimes is different.
+	// todo: does the local address matter? is the listener's address or the actual address appropriate?
 	conn.local.fromRaw((*rawHvsockAddr)(unsafe.Pointer(&addrbuf[0])))
 	conn.remote.fromRaw((*rawHvsockAddr)(unsafe.Pointer(&addrbuf[addrlen])))
+
+	// initialize the accepted socket and update its properties with those of the listening socket
+	if err = windows.Setsockopt(windows.Handle(sock.handle),
+		windows.SOL_SOCKET, windows.SO_UPDATE_ACCEPT_CONTEXT,
+		(*byte)(unsafe.Pointer(&l.sock.handle)), int32(unsafe.Sizeof(l.sock.handle))); err != nil {
+		return nil, conn.opErr("accept", os.NewSyscallError("setsockopt", err))
+	}
+
 	sock = nil
 	return conn, nil
 }
@ -160,43 +278,171 @@ func (l *HvsockListener) Close() error {
 	return l.sock.Close()
 }

-/* Need to finish ConnectEx handling
-func DialHvsock(ctx context.Context, addr *HvsockAddr) (*HvsockConn, error) {
-	sock, err := newHvSocket()
+// HvsockDialer configures and dials a Hyper-V Socket (ie, [HvsockConn]).
+type HvsockDialer struct {
+	// Deadline is the time the Dial operation must connect before erroring.
+	Deadline time.Time
+
+	// Retries is the number of additional connects to try if the connection times out, is refused,
+	// or the host is unreachable
+	Retries uint
+
+	// RetryWait is the time to wait after a connection error to retry
+	RetryWait time.Duration
+
+	rt *time.Timer // redial wait timer
+}
+
+// Dial the Hyper-V socket at addr.
+//
+// See [HvsockDialer.Dial] for more information.
+func Dial(ctx context.Context, addr *HvsockAddr) (conn *HvsockConn, err error) {
+	return (&HvsockDialer{}).Dial(ctx, addr)
+}
+
+// Dial attempts to connect to the Hyper-V socket at addr, and returns a connection if successful.
+// Will attempt (HvsockDialer).Retries if dialing fails, waiting (HvsockDialer).RetryWait between
+// retries.
+//
+// Dialing can be cancelled either by providing (HvsockDialer).Deadline, or cancelling ctx.
+func (d *HvsockDialer) Dial(ctx context.Context, addr *HvsockAddr) (conn *HvsockConn, err error) {
+	op := "dial"
+	// create the conn early to use opErr()
+	conn = &HvsockConn{
+		remote: *addr,
+	}
+
+	if !d.Deadline.IsZero() {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithDeadline(ctx, d.Deadline)
+		defer cancel()
+	}
+
+	// preemptive timeout/cancellation check
+	if err = ctx.Err(); err != nil {
+		return nil, conn.opErr(op, err)
+	}
+
+	sock, err := newHVSocket()
 	if err != nil {
-		return nil, err
+		return nil, conn.opErr(op, err)
 	}
 	defer func() {
 		if sock != nil {
 			sock.Close()
 		}
 	}()
-	c, err := sock.prepareIo()
+
+	sa := addr.raw()
+	err = socket.Bind(windows.Handle(sock.handle), &sa)
 	if err != nil {
-		return nil, err
+		return nil, conn.opErr(op, os.NewSyscallError("bind", err))
+	}
+
+	c, err := sock.prepareIO()
+	if err != nil {
+		return nil, conn.opErr(op, err)
 	}
 	defer sock.wg.Done()
 	var bytes uint32
-	err = windows.ConnectEx(windows.Handle(sock.handle), sa, nil, 0, &bytes, &c.o)
-	_, err = sock.asyncIo(ctx, c, nil, bytes, err)
+	for i := uint(0); i <= d.Retries; i++ {
+		err = socket.ConnectEx(
+			windows.Handle(sock.handle),
+			&sa,
+			nil, // sendBuf
+			0,   // sendDataLen
+			&bytes,
+			(*windows.Overlapped)(unsafe.Pointer(&c.o)))
+		_, err = sock.asyncIO(c, nil, bytes, err)
+		if i < d.Retries && canRedial(err) {
+			if err = d.redialWait(ctx); err == nil {
+				continue
+			}
+		}
+		break
+	}
 	if err != nil {
-		return nil, err
+		return nil, conn.opErr(op, os.NewSyscallError("connectex", err))
 	}
-	conn := &HvsockConn{
-		sock:   sock,
-		remote: *addr,
+
+	// update the connection properties, so shutdown can be used
+	if err = windows.Setsockopt(
+		windows.Handle(sock.handle),
+		windows.SOL_SOCKET,
+		windows.SO_UPDATE_CONNECT_CONTEXT,
+		nil, // optvalue
+		0,   // optlen
+	); err != nil {
+		return nil, conn.opErr(op, os.NewSyscallError("setsockopt", err))
 	}
+
+	// get the local name
+	var sal rawHvsockAddr
+	err = socket.GetSockName(windows.Handle(sock.handle), &sal)
+	if err != nil {
+		return nil, conn.opErr(op, os.NewSyscallError("getsockname", err))
+	}
+	conn.local.fromRaw(&sal)
+
+	// one last check for timeout, since asyncIO doesn't check the context
+	if err = ctx.Err(); err != nil {
+		return nil, conn.opErr(op, err)
+	}
+
+	conn.sock = sock
 	sock = nil
+
 	return conn, nil
 }
-*/
+
+// redialWait waits before attempting to redial, resetting the timer as appropriate.
+func (d *HvsockDialer) redialWait(ctx context.Context) (err error) {
+	if d.RetryWait == 0 {
+		return nil
+	}
+
+	if d.rt == nil {
+		d.rt = time.NewTimer(d.RetryWait)
+	} else {
+		// should already be stopped and drained
+		d.rt.Reset(d.RetryWait)
+	}
+
+	select {
+	case <-ctx.Done():
+	case <-d.rt.C:
+		return nil
+	}
+
+	// stop and drain the timer
+	if !d.rt.Stop() {
+		<-d.rt.C
+	}
+	return ctx.Err()
+}
+
+// assumes error is a plain, unwrapped syscall.Errno provided by direct syscall.
+func canRedial(err error) bool {
+	//nolint:errorlint // guaranteed to be an Errno
+	switch err {
+	case windows.WSAECONNREFUSED, windows.WSAENETUNREACH, windows.WSAETIMEDOUT,
+		windows.ERROR_CONNECTION_REFUSED, windows.ERROR_CONNECTION_UNAVAIL:
+		return true
+	default:
+		return false
+	}
+}

 func (conn *HvsockConn) opErr(op string, err error) error {
+	// translate from "file closed" to "socket closed"
+	if errors.Is(err, ErrFileClosed) {
+		err = socket.ErrSocketClosed
+	}
 	return &net.OpError{Op: op, Net: "hvsock", Source: &conn.local, Addr: &conn.remote, Err: err}
 }

 func (conn *HvsockConn) Read(b []byte) (int, error) {
-	c, err := conn.sock.prepareIo()
+	c, err := conn.sock.prepareIO()
 	if err != nil {
 		return 0, conn.opErr("read", err)
 	}
@ -204,10 +450,11 @@ func (conn *HvsockConn) Read(b []byte) (int, error) {
 	buf := syscall.WSABuf{Buf: &b[0], Len: uint32(len(b))}
 	var flags, bytes uint32
 	err = syscall.WSARecv(conn.sock.handle, &buf, 1, &bytes, &flags, &c.o, nil)
-	n, err := conn.sock.asyncIo(c, &conn.sock.readDeadline, bytes, err)
+	n, err := conn.sock.asyncIO(c, &conn.sock.readDeadline, bytes, err)
 	if err != nil {
-		if _, ok := err.(syscall.Errno); ok {
-			err = os.NewSyscallError("wsarecv", err)
+		var eno windows.Errno
+		if errors.As(err, &eno) {
+			err = os.NewSyscallError("wsarecv", eno)
 		}
 		return 0, conn.opErr("read", err)
 	} else if n == 0 {
@ -230,7 +477,7 @@ func (conn *HvsockConn) Write(b []byte) (int, error) {
 }

 func (conn *HvsockConn) write(b []byte) (int, error) {
-	c, err := conn.sock.prepareIo()
+	c, err := conn.sock.prepareIO()
 	if err != nil {
 		return 0, conn.opErr("write", err)
 	}
@ -238,10 +485,11 @@ func (conn *HvsockConn) write(b []byte) (int, error) {
 	buf := syscall.WSABuf{Buf: &b[0], Len: uint32(len(b))}
 	var bytes uint32
 	err = syscall.WSASend(conn.sock.handle, &buf, 1, &bytes, 0, &c.o, nil)
-	n, err := conn.sock.asyncIo(c, &conn.sock.writeDeadline, bytes, err)
+	n, err := conn.sock.asyncIO(c, &conn.sock.writeDeadline, bytes, err)
 	if err != nil {
-		if _, ok := err.(syscall.Errno); ok {
-			err = os.NewSyscallError("wsasend", err)
+		var eno windows.Errno
+		if errors.As(err, &eno) {
+			err = os.NewSyscallError("wsasend", eno)
 		}
 		return 0, conn.opErr("write", err)
 	}
@ -257,13 +505,19 @@ func (conn *HvsockConn) IsClosed() bool {
 	return conn.sock.IsClosed()
 }

+// shutdown disables sending or receiving on a socket.
 func (conn *HvsockConn) shutdown(how int) error {
 	if conn.IsClosed() {
-		return ErrFileClosed
+		return socket.ErrSocketClosed
 	}

 	err := syscall.Shutdown(conn.sock.handle, how)
 	if err != nil {
+		// If the connection was closed, shutdowns fail with "not connected"
+		if errors.Is(err, windows.WSAENOTCONN) ||
+			errors.Is(err, windows.WSAESHUTDOWN) {
+			err = socket.ErrSocketClosed
+		}
 		return os.NewSyscallError("shutdown", err)
 	}
 	return nil
@ -273,7 +527,7 @@ func (conn *HvsockConn) shutdown(how int) error {
 func (conn *HvsockConn) CloseRead() error {
 	err := conn.shutdown(syscall.SHUT_RD)
 	if err != nil {
-		return conn.opErr("close", err)
+		return conn.opErr("closeread", err)
 	}
 	return nil
 }
@ -283,7 +537,7 @@ func (conn *HvsockConn) CloseRead() error {
 func (conn *HvsockConn) CloseWrite() error {
 	err := conn.shutdown(syscall.SHUT_WR)
 	if err != nil {
-		return conn.opErr("close", err)
+		return conn.opErr("closewrite", err)
 	}
 	return nil
 }
@ -300,8 +554,13 @@ func (conn *HvsockConn) RemoteAddr() net.Addr {

 // SetDeadline implements the net.Conn SetDeadline method.
 func (conn *HvsockConn) SetDeadline(t time.Time) error {
-	conn.SetReadDeadline(t)
-	conn.SetWriteDeadline(t)
+	// todo: implement `SetDeadline` for `win32File`
+	if err := conn.SetReadDeadline(t); err != nil {
+		return fmt.Errorf("set read deadline: %w", err)
+	}
+	if err := conn.SetWriteDeadline(t); err != nil {
+		return fmt.Errorf("set write deadline: %w", err)
+	}
 	return nil
 }

--- a/vendor/github.com/Microsoft/go-winio/internal/fs/doc.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/doc.go
@ -0,0 +1,2 @@
+// This package contains Win32 filesystem functionality.
+package fs
--- a/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
@ -0,0 +1,202 @@
+//go:build windows
+
+package fs
+
+import (
+	"golang.org/x/sys/windows"
+
+	"github.com/Microsoft/go-winio/internal/stringbuffer"
+)
+
+//go:generate go run github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go fs.go
+
+// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew
+//sys CreateFile(name string, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) [failretval==windows.InvalidHandle] = CreateFileW
+
+const NullHandle windows.Handle = 0
+
+// AccessMask defines standard, specific, and generic rights.
+//
+//	Bitmask:
+//	 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
+//	 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+//	+---------------+---------------+-------------------------------+
+//	|G|G|G|G|Resvd|A| StandardRights|         SpecificRights        |
+//	|R|W|E|A|     |S|               |                               |
+//	+-+-------------+---------------+-------------------------------+
+//
+//	GR     Generic Read
+//	GW     Generic Write
+//	GE     Generic Exectue
+//	GA     Generic All
+//	Resvd  Reserved
+//	AS     Access Security System
+//
+// https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask
+//
+// https://learn.microsoft.com/en-us/windows/win32/secauthz/generic-access-rights
+//
+// https://learn.microsoft.com/en-us/windows/win32/fileio/file-access-rights-constants
+type AccessMask = windows.ACCESS_MASK
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	// Not actually any.
+	//
+	// For CreateFile: "query certain metadata such as file, directory, or device attributes without accessing that file or device"
+	// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew#parameters
+	FILE_ANY_ACCESS AccessMask = 0
+
+	// Specific Object Access
+	// from ntioapi.h
+
+	FILE_READ_DATA      AccessMask = (0x0001) // file & pipe
+	FILE_LIST_DIRECTORY AccessMask = (0x0001) // directory
+
+	FILE_WRITE_DATA AccessMask = (0x0002) // file & pipe
+	FILE_ADD_FILE   AccessMask = (0x0002) // directory
+
+	FILE_APPEND_DATA          AccessMask = (0x0004) // file
+	FILE_ADD_SUBDIRECTORY     AccessMask = (0x0004) // directory
+	FILE_CREATE_PIPE_INSTANCE AccessMask = (0x0004) // named pipe
+
+	FILE_READ_EA         AccessMask = (0x0008) // file & directory
+	FILE_READ_PROPERTIES AccessMask = FILE_READ_EA
+
+	FILE_WRITE_EA         AccessMask = (0x0010) // file & directory
+	FILE_WRITE_PROPERTIES AccessMask = FILE_WRITE_EA
+
+	FILE_EXECUTE  AccessMask = (0x0020) // file
+	FILE_TRAVERSE AccessMask = (0x0020) // directory
+
+	FILE_DELETE_CHILD AccessMask = (0x0040) // directory
+
+	FILE_READ_ATTRIBUTES AccessMask = (0x0080) // all
+
+	FILE_WRITE_ATTRIBUTES AccessMask = (0x0100) // all
+
+	FILE_ALL_ACCESS      AccessMask = (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)
+	FILE_GENERIC_READ    AccessMask = (STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
+	FILE_GENERIC_WRITE   AccessMask = (STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
+	FILE_GENERIC_EXECUTE AccessMask = (STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE)
+
+	SPECIFIC_RIGHTS_ALL AccessMask = 0x0000FFFF
+
+	// Standard Access
+	// from ntseapi.h
+
+	DELETE       AccessMask = 0x0001_0000
+	READ_CONTROL AccessMask = 0x0002_0000
+	WRITE_DAC    AccessMask = 0x0004_0000
+	WRITE_OWNER  AccessMask = 0x0008_0000
+	SYNCHRONIZE  AccessMask = 0x0010_0000
+
+	STANDARD_RIGHTS_REQUIRED AccessMask = 0x000F_0000
+
+	STANDARD_RIGHTS_READ    AccessMask = READ_CONTROL
+	STANDARD_RIGHTS_WRITE   AccessMask = READ_CONTROL
+	STANDARD_RIGHTS_EXECUTE AccessMask = READ_CONTROL
+
+	STANDARD_RIGHTS_ALL AccessMask = 0x001F_0000
+)
+
+type FileShareMode uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	FILE_SHARE_NONE        FileShareMode = 0x00
+	FILE_SHARE_READ        FileShareMode = 0x01
+	FILE_SHARE_WRITE       FileShareMode = 0x02
+	FILE_SHARE_DELETE      FileShareMode = 0x04
+	FILE_SHARE_VALID_FLAGS FileShareMode = 0x07
+)
+
+type FileCreationDisposition uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	// from winbase.h
+
+	CREATE_NEW        FileCreationDisposition = 0x01
+	CREATE_ALWAYS     FileCreationDisposition = 0x02
+	OPEN_EXISTING     FileCreationDisposition = 0x03
+	OPEN_ALWAYS       FileCreationDisposition = 0x04
+	TRUNCATE_EXISTING FileCreationDisposition = 0x05
+)
+
+// CreateFile and co. take flags or attributes together as one parameter.
+// Define alias until we can use generics to allow both
+
+// https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants
+type FileFlagOrAttribute uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const ( // from winnt.h
+	FILE_FLAG_WRITE_THROUGH       FileFlagOrAttribute = 0x8000_0000
+	FILE_FLAG_OVERLAPPED          FileFlagOrAttribute = 0x4000_0000
+	FILE_FLAG_NO_BUFFERING        FileFlagOrAttribute = 0x2000_0000
+	FILE_FLAG_RANDOM_ACCESS       FileFlagOrAttribute = 0x1000_0000
+	FILE_FLAG_SEQUENTIAL_SCAN     FileFlagOrAttribute = 0x0800_0000
+	FILE_FLAG_DELETE_ON_CLOSE     FileFlagOrAttribute = 0x0400_0000
+	FILE_FLAG_BACKUP_SEMANTICS    FileFlagOrAttribute = 0x0200_0000
+	FILE_FLAG_POSIX_SEMANTICS     FileFlagOrAttribute = 0x0100_0000
+	FILE_FLAG_OPEN_REPARSE_POINT  FileFlagOrAttribute = 0x0020_0000
+	FILE_FLAG_OPEN_NO_RECALL      FileFlagOrAttribute = 0x0010_0000
+	FILE_FLAG_FIRST_PIPE_INSTANCE FileFlagOrAttribute = 0x0008_0000
+)
+
+type FileSQSFlag = FileFlagOrAttribute
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const ( // from winbase.h
+	SECURITY_ANONYMOUS      FileSQSFlag = FileSQSFlag(SecurityAnonymous << 16)
+	SECURITY_IDENTIFICATION FileSQSFlag = FileSQSFlag(SecurityIdentification << 16)
+	SECURITY_IMPERSONATION  FileSQSFlag = FileSQSFlag(SecurityImpersonation << 16)
+	SECURITY_DELEGATION     FileSQSFlag = FileSQSFlag(SecurityDelegation << 16)
+
+	SECURITY_SQOS_PRESENT     FileSQSFlag = 0x00100000
+	SECURITY_VALID_SQOS_FLAGS FileSQSFlag = 0x001F0000
+)
+
+// GetFinalPathNameByHandle flags
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getfinalpathnamebyhandlew#parameters
+type GetFinalPathFlag uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	GetFinalPathDefaultFlag GetFinalPathFlag = 0x0
+
+	FILE_NAME_NORMALIZED GetFinalPathFlag = 0x0
+	FILE_NAME_OPENED     GetFinalPathFlag = 0x8
+
+	VOLUME_NAME_DOS  GetFinalPathFlag = 0x0
+	VOLUME_NAME_GUID GetFinalPathFlag = 0x1
+	VOLUME_NAME_NT   GetFinalPathFlag = 0x2
+	VOLUME_NAME_NONE GetFinalPathFlag = 0x4
+)
+
+// getFinalPathNameByHandle facilitates calling the Windows API GetFinalPathNameByHandle
+// with the given handle and flags. It transparently takes care of creating a buffer of the
+// correct size for the call.
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getfinalpathnamebyhandlew
+func GetFinalPathNameByHandle(h windows.Handle, flags GetFinalPathFlag) (string, error) {
+	b := stringbuffer.NewWString()
+	//TODO: can loop infinitely if Win32 keeps returning the same (or a larger) n?
+	for {
+		n, err := windows.GetFinalPathNameByHandle(h, b.Pointer(), b.Cap(), uint32(flags))
+		if err != nil {
+			return "", err
+		}
+		// If the buffer wasn't large enough, n will be the total size needed (including null terminator).
+		// Resize and try again.
+		if n > b.Cap() {
+			b.ResizeTo(n)
+			continue
+		}
+		// If the buffer is large enough, n will be the size not including the null terminator.
+		// Convert to a Go string and return.
+		return b.String(), nil
+	}
+}
--- a/vendor/github.com/Microsoft/go-winio/internal/fs/security.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/security.go
@ -0,0 +1,12 @@
+package fs
+
+// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-security_impersonation_level
+type SecurityImpersonationLevel int32 // C default enums underlying type is `int`, which is Go `int32`
+
+// Impersonation levels
+const (
+	SecurityAnonymous      SecurityImpersonationLevel = 0
+	SecurityIdentification SecurityImpersonationLevel = 1
+	SecurityImpersonation  SecurityImpersonationLevel = 2
+	SecurityDelegation     SecurityImpersonationLevel = 3
+)
--- a/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
@ -0,0 +1,64 @@
+//go:build windows
+
+// Code generated by 'go generate' using "github.com/Microsoft/go-winio/tools/mkwinsyscall"; DO NOT EDIT.
+
+package fs
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+
+	procCreateFileW = modkernel32.NewProc("CreateFileW")
+)
+
+func CreateFile(name string, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(name)
+	if err != nil {
+		return
+	}
+	return _CreateFile(_p0, access, mode, sa, createmode, attrs, templatefile)
+}
+
+func _CreateFile(name *uint16, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
+	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
+	handle = windows.Handle(r0)
+	if handle == windows.InvalidHandle {
+		err = errnoErr(e1)
+	}
+	return
+}
--- a/vendor/github.com/Microsoft/go-winio/internal/socket/rawaddr.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/socket/rawaddr.go
@ -0,0 +1,20 @@
+package socket
+
+import (
+	"unsafe"
+)
+
+// RawSockaddr allows structs to be used with [Bind] and [ConnectEx]. The
+// struct must meet the Win32 sockaddr requirements specified here:
+// https://docs.microsoft.com/en-us/windows/win32/winsock/sockaddr-2
+//
+// Specifically, the struct size must be least larger than an int16 (unsigned short)
+// for the address family.
+type RawSockaddr interface {
+	// Sockaddr returns a pointer to the RawSockaddr and its struct size, allowing
+	// for the RawSockaddr's data to be overwritten by syscalls (if necessary).
+	//
+	// It is the callers responsibility to validate that the values are valid; invalid
+	// pointers or size can cause a panic.
+	Sockaddr() (unsafe.Pointer, int32, error)
+}
--- a/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
@ -0,0 +1,179 @@
+//go:build windows
+
+package socket
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"golang.org/x/sys/windows"
+)
+
+//go:generate go run github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go socket.go
+
+//sys getsockname(s windows.Handle, name unsafe.Pointer, namelen *int32) (err error) [failretval==socketError] = ws2_32.getsockname
+//sys getpeername(s windows.Handle, name unsafe.Pointer, namelen *int32) (err error) [failretval==socketError] = ws2_32.getpeername
+//sys bind(s windows.Handle, name unsafe.Pointer, namelen int32) (err error) [failretval==socketError] = ws2_32.bind
+
+const socketError = uintptr(^uint32(0))
+
+var (
+	// todo(helsaawy): create custom error types to store the desired vs actual size and addr family?
+
+	ErrBufferSize     = errors.New("buffer size")
+	ErrAddrFamily     = errors.New("address family")
+	ErrInvalidPointer = errors.New("invalid pointer")
+	ErrSocketClosed   = fmt.Errorf("socket closed: %w", net.ErrClosed)
+)
+
+// todo(helsaawy): replace these with generics, ie: GetSockName[S RawSockaddr](s windows.Handle) (S, error)
+
+// GetSockName writes the local address of socket s to the [RawSockaddr] rsa.
+// If rsa is not large enough, the [windows.WSAEFAULT] is returned.
+func GetSockName(s windows.Handle, rsa RawSockaddr) error {
+	ptr, l, err := rsa.Sockaddr()
+	if err != nil {
+		return fmt.Errorf("could not retrieve socket pointer and size: %w", err)
+	}
+
+	// although getsockname returns WSAEFAULT if the buffer is too small, it does not set
+	// &l to the correct size, so--apart from doubling the buffer repeatedly--there is no remedy
+	return getsockname(s, ptr, &l)
+}
+
+// GetPeerName returns the remote address the socket is connected to.
+//
+// See [GetSockName] for more information.
+func GetPeerName(s windows.Handle, rsa RawSockaddr) error {
+	ptr, l, err := rsa.Sockaddr()
+	if err != nil {
+		return fmt.Errorf("could not retrieve socket pointer and size: %w", err)
+	}
+
+	return getpeername(s, ptr, &l)
+}
+
+func Bind(s windows.Handle, rsa RawSockaddr) (err error) {
+	ptr, l, err := rsa.Sockaddr()
+	if err != nil {
+		return fmt.Errorf("could not retrieve socket pointer and size: %w", err)
+	}
+
+	return bind(s, ptr, l)
+}
+
+// "golang.org/x/sys/windows".ConnectEx and .Bind only accept internal implementations of the
+// their sockaddr interface, so they cannot be used with HvsockAddr
+// Replicate functionality here from
+// https://cs.opensource.google/go/x/sys/+/master:windows/syscall_windows.go
+
+// The function pointers to `AcceptEx`, `ConnectEx` and `GetAcceptExSockaddrs` must be loaded at
+// runtime via a WSAIoctl call:
+// https://docs.microsoft.com/en-us/windows/win32/api/Mswsock/nc-mswsock-lpfn_connectex#remarks
+
+type runtimeFunc struct {
+	id   guid.GUID
+	once sync.Once
+	addr uintptr
+	err  error
+}
+
+func (f *runtimeFunc) Load() error {
+	f.once.Do(func() {
+		var s windows.Handle
+		s, f.err = windows.Socket(windows.AF_INET, windows.SOCK_STREAM, windows.IPPROTO_TCP)
+		if f.err != nil {
+			return
+		}
+		defer windows.CloseHandle(s) //nolint:errcheck
+
+		var n uint32
+		f.err = windows.WSAIoctl(s,
+			windows.SIO_GET_EXTENSION_FUNCTION_POINTER,
+			(*byte)(unsafe.Pointer(&f.id)),
+			uint32(unsafe.Sizeof(f.id)),
+			(*byte)(unsafe.Pointer(&f.addr)),
+			uint32(unsafe.Sizeof(f.addr)),
+			&n,
+			nil, // overlapped
+			0,   // completionRoutine
+		)
+	})
+	return f.err
+}
+
+var (
+	// todo: add `AcceptEx` and `GetAcceptExSockaddrs`
+	WSAID_CONNECTEX = guid.GUID{ //revive:disable-line:var-naming ALL_CAPS
+		Data1: 0x25a207b9,
+		Data2: 0xddf3,
+		Data3: 0x4660,
+		Data4: [8]byte{0x8e, 0xe9, 0x76, 0xe5, 0x8c, 0x74, 0x06, 0x3e},
+	}
+
+	connectExFunc = runtimeFunc{id: WSAID_CONNECTEX}
+)
+
+func ConnectEx(
+	fd windows.Handle,
+	rsa RawSockaddr,
+	sendBuf *byte,
+	sendDataLen uint32,
+	bytesSent *uint32,
+	overlapped *windows.Overlapped,
+) error {
+	if err := connectExFunc.Load(); err != nil {
+		return fmt.Errorf("failed to load ConnectEx function pointer: %w", err)
+	}
+	ptr, n, err := rsa.Sockaddr()
+	if err != nil {
+		return err
+	}
+	return connectEx(fd, ptr, n, sendBuf, sendDataLen, bytesSent, overlapped)
+}
+
+// BOOL LpfnConnectex(
+//   [in]           SOCKET s,
+//   [in]           const sockaddr *name,
+//   [in]           int namelen,
+//   [in, optional] PVOID lpSendBuffer,
+//   [in]           DWORD dwSendDataLength,
+//   [out]          LPDWORD lpdwBytesSent,
+//   [in]           LPOVERLAPPED lpOverlapped
+// )
+
+func connectEx(
+	s windows.Handle,
+	name unsafe.Pointer,
+	namelen int32,
+	sendBuf *byte,
+	sendDataLen uint32,
+	bytesSent *uint32,
+	overlapped *windows.Overlapped,
+) (err error) {
+	// todo: after upgrading to 1.18, switch from syscall.Syscall9 to syscall.SyscallN
+	r1, _, e1 := syscall.Syscall9(connectExFunc.addr,
+		7,
+		uintptr(s),
+		uintptr(name),
+		uintptr(namelen),
+		uintptr(unsafe.Pointer(sendBuf)),
+		uintptr(sendDataLen),
+		uintptr(unsafe.Pointer(bytesSent)),
+		uintptr(unsafe.Pointer(overlapped)),
+		0,
+		0)
+	if r1 == 0 {
+		if e1 != 0 {
+			err = error(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return err
+}
--- a/vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go
@ -0,0 +1,72 @@
+//go:build windows
+
+// Code generated by 'go generate' using "github.com/Microsoft/go-winio/tools/mkwinsyscall"; DO NOT EDIT.
+
+package socket
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modws2_32 = windows.NewLazySystemDLL("ws2_32.dll")
+
+	procbind        = modws2_32.NewProc("bind")
+	procgetpeername = modws2_32.NewProc("getpeername")
+	procgetsockname = modws2_32.NewProc("getsockname")
+)
+
+func bind(s windows.Handle, name unsafe.Pointer, namelen int32) (err error) {
+	r1, _, e1 := syscall.Syscall(procbind.Addr(), 3, uintptr(s), uintptr(name), uintptr(namelen))
+	if r1 == socketError {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func getpeername(s windows.Handle, name unsafe.Pointer, namelen *int32) (err error) {
+	r1, _, e1 := syscall.Syscall(procgetpeername.Addr(), 3, uintptr(s), uintptr(name), uintptr(unsafe.Pointer(namelen)))
+	if r1 == socketError {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func getsockname(s windows.Handle, name unsafe.Pointer, namelen *int32) (err error) {
+	r1, _, e1 := syscall.Syscall(procgetsockname.Addr(), 3, uintptr(s), uintptr(name), uintptr(unsafe.Pointer(namelen)))
+	if r1 == socketError {
+		err = errnoErr(e1)
+	}
+	return
+}
--- a/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
@ -0,0 +1,132 @@
+package stringbuffer
+
+import (
+	"sync"
+	"unicode/utf16"
+)
+
+// TODO: worth exporting and using in mkwinsyscall?
+
+// Uint16BufferSize is the buffer size in the pool, chosen somewhat arbitrarily to accommodate
+// large path strings:
+// MAX_PATH (260) + size of volume GUID prefix (49) + null terminator = 310.
+const MinWStringCap = 310
+
+// use *[]uint16 since []uint16 creates an extra allocation where the slice header
+// is copied to heap and then referenced via pointer in the interface header that sync.Pool
+// stores.
+var pathPool = sync.Pool{ // if go1.18+ adds Pool[T], use that to store []uint16 directly
+	New: func() interface{} {
+		b := make([]uint16, MinWStringCap)
+		return &b
+	},
+}
+
+func newBuffer() []uint16 { return *(pathPool.Get().(*[]uint16)) }
+
+// freeBuffer copies the slice header data, and puts a pointer to that in the pool.
+// This avoids taking a pointer to the slice header in WString, which can be set to nil.
+func freeBuffer(b []uint16) { pathPool.Put(&b) }
+
+// WString is a wide string buffer ([]uint16) meant for storing UTF-16 encoded strings
+// for interacting with Win32 APIs.
+// Sizes are specified as uint32 and not int.
+//
+// It is not thread safe.
+type WString struct {
+	// type-def allows casting to []uint16 directly, use struct to prevent that and allow adding fields in the future.
+
+	// raw buffer
+	b []uint16
+}
+
+// NewWString returns a [WString] allocated from a shared pool with an
+// initial capacity of at least [MinWStringCap].
+// Since the buffer may have been previously used, its contents are not guaranteed to be empty.
+//
+// The buffer should be freed via [WString.Free]
+func NewWString() *WString {
+	return &WString{
+		b: newBuffer(),
+	}
+}
+
+func (b *WString) Free() {
+	if b.empty() {
+		return
+	}
+	freeBuffer(b.b)
+	b.b = nil
+}
+
+// ResizeTo grows the buffer to at least c and returns the new capacity, freeing the
+// previous buffer back into pool.
+func (b *WString) ResizeTo(c uint32) uint32 {
+	// allready sufficient (or n is 0)
+	if c <= b.Cap() {
+		return b.Cap()
+	}
+
+	if c <= MinWStringCap {
+		c = MinWStringCap
+	}
+	// allocate at-least double buffer size, as is done in [bytes.Buffer] and other places
+	if c <= 2*b.Cap() {
+		c = 2 * b.Cap()
+	}
+
+	b2 := make([]uint16, c)
+	if !b.empty() {
+		copy(b2, b.b)
+		freeBuffer(b.b)
+	}
+	b.b = b2
+	return c
+}
+
+// Buffer returns the underlying []uint16 buffer.
+func (b *WString) Buffer() []uint16 {
+	if b.empty() {
+		return nil
+	}
+	return b.b
+}
+
+// Pointer returns a pointer to the first uint16 in the buffer.
+// If the [WString.Free] has already been called, the pointer will be nil.
+func (b *WString) Pointer() *uint16 {
+	if b.empty() {
+		return nil
+	}
+	return &b.b[0]
+}
+
+// String returns the returns the UTF-8 encoding of the UTF-16 string in the buffer.
+//
+// It assumes that the data is null-terminated.
+func (b *WString) String() string {
+	// Using [windows.UTF16ToString] would require importing "golang.org/x/sys/windows"
+	// and would make this code Windows-only, which makes no sense.
+	// So copy UTF16ToString code into here.
+	// If other windows-specific code is added, switch to [windows.UTF16ToString]
+
+	s := b.b
+	for i, v := range s {
+		if v == 0 {
+			s = s[:i]
+			break
+		}
+	}
+	return string(utf16.Decode(s))
+}
+
+// Cap returns the underlying buffer capacity.
+func (b *WString) Cap() uint32 {
+	if b.empty() {
+		return 0
+	}
+	return b.cap()
+}
+
+func (b *WString) cap() uint32 { return uint32(cap(b.b)) }
+func (b *WString) empty() bool { return b == nil || b.cap() == 0 }
--- a/vendor/github.com/Microsoft/go-winio/pipe.go
+++ b/vendor/github.com/Microsoft/go-winio/pipe.go
@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 package winio
@ -13,18 +14,21 @@ import (
 	"syscall"
 	"time"
 	"unsafe"
+
+	"golang.org/x/sys/windows"
+
+	"github.com/Microsoft/go-winio/internal/fs"
 )

 //sys connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) = ConnectNamedPipe
 //sys createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error)  [failretval==syscall.InvalidHandle] = CreateNamedPipeW
-//sys createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) [failretval==syscall.InvalidHandle] = CreateFileW
 //sys getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) = GetNamedPipeInfo
 //sys getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW
 //sys localAlloc(uFlags uint32, length uint32) (ptr uintptr) = LocalAlloc
-//sys ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) = ntdll.NtCreateNamedPipeFile
-//sys rtlNtStatusToDosError(status ntstatus) (winerr error) = ntdll.RtlNtStatusToDosErrorNoTeb
-//sys rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) = ntdll.RtlDosPathNameToNtPathName_U
-//sys rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) = ntdll.RtlDefaultNpAcl
+//sys ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntStatus) = ntdll.NtCreateNamedPipeFile
+//sys rtlNtStatusToDosError(status ntStatus) (winerr error) = ntdll.RtlNtStatusToDosErrorNoTeb
+//sys rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntStatus) = ntdll.RtlDosPathNameToNtPathName_U
+//sys rtlDefaultNpAcl(dacl *uintptr) (status ntStatus) = ntdll.RtlDefaultNpAcl

 type ioStatusBlock struct {
 	Status, Information uintptr
@ -51,45 +55,22 @@ type securityDescriptor struct {
 	Control  uint16
 	Owner    uintptr
 	Group    uintptr
-	Sacl     uintptr
-	Dacl     uintptr
+	Sacl     uintptr //revive:disable-line:var-naming SACL, not Sacl
+	Dacl     uintptr //revive:disable-line:var-naming DACL, not Dacl
 }

-type ntstatus int32
+type ntStatus int32

-func (status ntstatus) Err() error {
+func (status ntStatus) Err() error {
 	if status >= 0 {
 		return nil
 	}
 	return rtlNtStatusToDosError(status)
 }

-const (
-	cERROR_PIPE_BUSY      = syscall.Errno(231)
-	cERROR_NO_DATA        = syscall.Errno(232)
-	cERROR_PIPE_CONNECTED = syscall.Errno(535)
-	cERROR_SEM_TIMEOUT    = syscall.Errno(121)
-
-	cSECURITY_SQOS_PRESENT = 0x100000
-	cSECURITY_ANONYMOUS    = 0
-
-	cPIPE_TYPE_MESSAGE = 4
-
-	cPIPE_READMODE_MESSAGE = 2
-
-	cFILE_OPEN   = 1
-	cFILE_CREATE = 2
-
-	cFILE_PIPE_MESSAGE_TYPE          = 1
-	cFILE_PIPE_REJECT_REMOTE_CLIENTS = 2
-
-	cSE_DACL_PRESENT = 4
-)
-
 var (
 	// ErrPipeListenerClosed is returned for pipe operations on listeners that have been closed.
-	// This error should match net.errClosing since docker takes a dependency on its text.
-	ErrPipeListenerClosed = errors.New("use of closed network connection")
+	ErrPipeListenerClosed = net.ErrClosed

 	errPipeWriteClosed = errors.New("pipe has been closed for write")
 )
@ -116,9 +97,10 @@ func (f *win32Pipe) RemoteAddr() net.Addr {
 }

 func (f *win32Pipe) SetDeadline(t time.Time) error {
-	f.SetReadDeadline(t)
-	f.SetWriteDeadline(t)
-	return nil
+	if err := f.SetReadDeadline(t); err != nil {
+		return err
+	}
+	return f.SetWriteDeadline(t)
 }

 // CloseWrite closes the write side of a message pipe in byte mode.
@ -157,14 +139,14 @@ func (f *win32MessageBytePipe) Read(b []byte) (int, error) {
 		return 0, io.EOF
 	}
 	n, err := f.win32File.Read(b)
-	if err == io.EOF {
+	if err == io.EOF { //nolint:errorlint
 		// If this was the result of a zero-byte read, then
 		// it is possible that the read was due to a zero-size
 		// message. Since we are simulating CloseWrite with a
 		// zero-byte message, ensure that all future Read() calls
 		// also return EOF.
 		f.readEOF = true
-	} else if err == syscall.ERROR_MORE_DATA {
+	} else if err == syscall.ERROR_MORE_DATA { //nolint:errorlint // err is Errno
 		// ERROR_MORE_DATA indicates that the pipe's read mode is message mode
 		// and the message still has more bytes. Treat this as a success, since
 		// this package presents all named pipes as byte streams.
@ -173,7 +155,7 @@ func (f *win32MessageBytePipe) Read(b []byte) (int, error) {
 	return n, err
 }

-func (s pipeAddress) Network() string {
+func (pipeAddress) Network() string {
 	return "pipe"
 }

@ -182,18 +164,25 @@ func (s pipeAddress) String() string {
 }

 // tryDialPipe attempts to dial the pipe at `path` until `ctx` cancellation or timeout.
-func tryDialPipe(ctx context.Context, path *string, access uint32) (syscall.Handle, error) {
+func tryDialPipe(ctx context.Context, path *string, access fs.AccessMask) (syscall.Handle, error) {
 	for {
-
 		select {
 		case <-ctx.Done():
 			return syscall.Handle(0), ctx.Err()
 		default:
-			h, err := createFile(*path, access, 0, nil, syscall.OPEN_EXISTING, syscall.FILE_FLAG_OVERLAPPED|cSECURITY_SQOS_PRESENT|cSECURITY_ANONYMOUS, 0)
+			wh, err := fs.CreateFile(*path,
+				access,
+				0,   // mode
+				nil, // security attributes
+				fs.OPEN_EXISTING,
+				fs.FILE_FLAG_OVERLAPPED|fs.SECURITY_SQOS_PRESENT|fs.SECURITY_ANONYMOUS,
+				0, // template file handle
+			)
+			h := syscall.Handle(wh)
 			if err == nil {
 				return h, nil
 			}
-			if err != cERROR_PIPE_BUSY {
+			if err != windows.ERROR_PIPE_BUSY { //nolint:errorlint // err is Errno
 				return h, &os.PathError{Err: err, Op: "open", Path: *path}
 			}
 			// Wait 10 msec and try again. This is a rather simplistic
@ -213,9 +202,10 @@ func DialPipe(path string, timeout *time.Duration) (net.Conn, error) {
 	} else {
 		absTimeout = time.Now().Add(2 * time.Second)
 	}
-	ctx, _ := context.WithDeadline(context.Background(), absTimeout)
+	ctx, cancel := context.WithDeadline(context.Background(), absTimeout)
+	defer cancel()
 	conn, err := DialPipeContext(ctx, path)
-	if err == context.DeadlineExceeded {
+	if errors.Is(err, context.DeadlineExceeded) {
 		return nil, ErrTimeout
 	}
 	return conn, err
@ -232,7 +222,7 @@ func DialPipeContext(ctx context.Context, path string) (net.Conn, error) {
 func DialPipeAccess(ctx context.Context, path string, access uint32) (net.Conn, error) {
 	var err error
 	var h syscall.Handle
-	h, err = tryDialPipe(ctx, &path, access)
+	h, err = tryDialPipe(ctx, &path, fs.AccessMask(access))
 	if err != nil {
 		return nil, err
 	}
@ -251,7 +241,7 @@ func DialPipeAccess(ctx context.Context, path string, access uint32) (net.Conn,

 	// If the pipe is in message mode, return a message byte pipe, which
 	// supports CloseWrite().
-	if flags&cPIPE_TYPE_MESSAGE != 0 {
+	if flags&windows.PIPE_TYPE_MESSAGE != 0 {
 		return &win32MessageBytePipe{
 			win32Pipe: win32Pipe{win32File: f, path: path},
 		}, nil
@ -283,17 +273,22 @@ func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (sy
 	oa.Length = unsafe.Sizeof(oa)

 	var ntPath unicodeString
-	if err := rtlDosPathNameToNtPathName(&path16[0], &ntPath, 0, 0).Err(); err != nil {
+	if err := rtlDosPathNameToNtPathName(&path16[0],
+		&ntPath,
+		0,
+		0,
+	).Err(); err != nil {
 		return 0, &os.PathError{Op: "open", Path: path, Err: err}
 	}
 	defer localFree(ntPath.Buffer)
 	oa.ObjectName = &ntPath
+	oa.Attributes = windows.OBJ_CASE_INSENSITIVE

 	// The security descriptor is only needed for the first pipe.
 	if first {
 		if sd != nil {
-			len := uint32(len(sd))
-			sdb := localAlloc(0, len)
+			l := uint32(len(sd))
+			sdb := localAlloc(0, l)
 			defer localFree(sdb)
 			copy((*[0xffff]byte)(unsafe.Pointer(sdb))[:], sd)
 			oa.SecurityDescriptor = (*securityDescriptor)(unsafe.Pointer(sdb))
@ -301,28 +296,28 @@ func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (sy
 			// Construct the default named pipe security descriptor.
 			var dacl uintptr
 			if err := rtlDefaultNpAcl(&dacl).Err(); err != nil {
-				return 0, fmt.Errorf("getting default named pipe ACL: %s", err)
+				return 0, fmt.Errorf("getting default named pipe ACL: %w", err)
 			}
 			defer localFree(dacl)

 			sdb := &securityDescriptor{
 				Revision: 1,
-				Control:  cSE_DACL_PRESENT,
+				Control:  windows.SE_DACL_PRESENT,
 				Dacl:     dacl,
 			}
 			oa.SecurityDescriptor = sdb
 		}
 	}

-	typ := uint32(cFILE_PIPE_REJECT_REMOTE_CLIENTS)
+	typ := uint32(windows.FILE_PIPE_REJECT_REMOTE_CLIENTS)
 	if c.MessageMode {
-		typ |= cFILE_PIPE_MESSAGE_TYPE
+		typ |= windows.FILE_PIPE_MESSAGE_TYPE
 	}

-	disposition := uint32(cFILE_OPEN)
+	disposition := uint32(windows.FILE_OPEN)
 	access := uint32(syscall.GENERIC_READ | syscall.GENERIC_WRITE | syscall.SYNCHRONIZE)
 	if first {
-		disposition = cFILE_CREATE
+		disposition = windows.FILE_CREATE
 		// By not asking for read or write access, the named pipe file system
 		// will put this pipe into an initially disconnected state, blocking
 		// client connections until the next call with first == false.
@ -335,7 +330,20 @@ func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (sy
 		h    syscall.Handle
 		iosb ioStatusBlock
 	)
-	err = ntCreateNamedPipeFile(&h, access, &oa, &iosb, syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE, disposition, 0, typ, 0, 0, 0xffffffff, uint32(c.InputBufferSize), uint32(c.OutputBufferSize), &timeout).Err()
+	err = ntCreateNamedPipeFile(&h,
+		access,
+		&oa,
+		&iosb,
+		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE,
+		disposition,
+		0,
+		typ,
+		0,
+		0,
+		0xffffffff,
+		uint32(c.InputBufferSize),
+		uint32(c.OutputBufferSize),
+		&timeout).Err()
 	if err != nil {
 		return 0, &os.PathError{Op: "open", Path: path, Err: err}
 	}
@ -380,7 +388,7 @@ func (l *win32PipeListener) makeConnectedServerPipe() (*win32File, error) {
 		p.Close()
 		p = nil
 		err = <-ch
-		if err == nil || err == ErrFileClosed {
+		if err == nil || err == ErrFileClosed { //nolint:errorlint // err is Errno
 			err = ErrPipeListenerClosed
 		}
 	}
@ -402,12 +410,12 @@ func (l *win32PipeListener) listenerRoutine() {
 				p, err = l.makeConnectedServerPipe()
 				// If the connection was immediately closed by the client, try
 				// again.
-				if err != cERROR_NO_DATA {
+				if err != windows.ERROR_NO_DATA { //nolint:errorlint // err is Errno
 					break
 				}
 			}
 			responseCh <- acceptResponse{p, err}
-			closed = err == ErrPipeListenerClosed
+			closed = err == ErrPipeListenerClosed //nolint:errorlint // err is Errno
 		}
 	}
 	syscall.Close(l.firstHandle)
@ -469,15 +477,15 @@ func ListenPipe(path string, c *PipeConfig) (net.Listener, error) {
 }

 func connectPipe(p *win32File) error {
-	c, err := p.prepareIo()
+	c, err := p.prepareIO()
 	if err != nil {
 		return err
 	}
 	defer p.wg.Done()

 	err = connectNamedPipe(p.handle, &c.o)
-	_, err = p.asyncIo(c, nil, 0, err)
-	if err != nil && err != cERROR_PIPE_CONNECTED {
+	_, err = p.asyncIO(c, nil, 0, err)
+	if err != nil && err != windows.ERROR_PIPE_CONNECTED { //nolint:errorlint // err is Errno
 		return err
 	}
 	return nil
--- a/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go
@ -1,5 +1,3 @@
-// +build windows
-
 // Package guid provides a GUID type. The backing structure for a GUID is
 // identical to that used by the golang.org/x/sys/windows GUID type.
 // There are two main binary encodings used for a GUID, the big-endian encoding,
@ -9,24 +7,26 @@ package guid

 import (
 	"crypto/rand"
-	"crypto/sha1"
+	"crypto/sha1" //nolint:gosec // not used for secure application
 	"encoding"
 	"encoding/binary"
 	"fmt"
 	"strconv"
 )

+//go:generate go run golang.org/x/tools/cmd/stringer -type=Variant -trimprefix=Variant -linecomment
+
 // Variant specifies which GUID variant (or "type") of the GUID. It determines
 // how the entirety of the rest of the GUID is interpreted.
 type Variant uint8

-// The variants specified by RFC 4122.
+// The variants specified by RFC 4122 section 4.1.1.
 const (
 	// VariantUnknown specifies a GUID variant which does not conform to one of
 	// the variant encodings specified in RFC 4122.
 	VariantUnknown Variant = iota
 	VariantNCS
-	VariantRFC4122
+	VariantRFC4122 // RFC 4122
 	VariantMicrosoft
 	VariantFuture
 )
@ -36,6 +36,10 @@ const (
 // hash of an input string.
 type Version uint8

+func (v Version) String() string {
+	return strconv.FormatUint(uint64(v), 10)
+}
+
 var _ = (encoding.TextMarshaler)(GUID{})
 var _ = (encoding.TextUnmarshaler)(&GUID{})

@ -61,7 +65,7 @@ func NewV4() (GUID, error) {
 // big-endian UTF16 stream of bytes. If that is desired, the string can be
 // encoded as such before being passed to this function.
 func NewV5(namespace GUID, name []byte) (GUID, error) {
-	b := sha1.New()
+	b := sha1.New() //nolint:gosec // not used for secure application
 	namespaceBytes := namespace.ToArray()
 	b.Write(namespaceBytes[:])
 	b.Write(name)
--- a/vendor/github.com/Microsoft/go-winio/pkg/guid/guid_nonwindows.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/guid/guid_nonwindows.go
@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows

 package guid
--- a/vendor/github.com/Microsoft/go-winio/pkg/guid/guid_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/guid/guid_windows.go
@ -1,3 +1,6 @@
+//go:build windows
+// +build windows
+
 package guid

 import "golang.org/x/sys/windows"
--- a/vendor/github.com/Microsoft/go-winio/pkg/guid/variant_string.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/guid/variant_string.go
@ -0,0 +1,27 @@
+// Code generated by "stringer -type=Variant -trimprefix=Variant -linecomment"; DO NOT EDIT.
+
+package guid
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[VariantUnknown-0]
+	_ = x[VariantNCS-1]
+	_ = x[VariantRFC4122-2]
+	_ = x[VariantMicrosoft-3]
+	_ = x[VariantFuture-4]
+}
+
+const _Variant_name = "UnknownNCSRFC 4122MicrosoftFuture"
+
+var _Variant_index = [...]uint8{0, 7, 10, 18, 27, 33}
+
+func (i Variant) String() string {
+	if i >= Variant(len(_Variant_index)-1) {
+		return "Variant(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _Variant_name[_Variant_index[i]:_Variant_index[i+1]]
+}
--- a/vendor/github.com/Microsoft/go-winio/privilege.go
+++ b/vendor/github.com/Microsoft/go-winio/privilege.go
@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 package winio
@ -24,22 +25,17 @@ import (
 //sys lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) = advapi32.LookupPrivilegeDisplayNameW

 const (
-	SE_PRIVILEGE_ENABLED = 2
+	//revive:disable-next-line:var-naming ALL_CAPS
+	SE_PRIVILEGE_ENABLED = windows.SE_PRIVILEGE_ENABLED

-	ERROR_NOT_ALL_ASSIGNED syscall.Errno = 1300
+	//revive:disable-next-line:var-naming ALL_CAPS
+	ERROR_NOT_ALL_ASSIGNED syscall.Errno = windows.ERROR_NOT_ALL_ASSIGNED

 	SeBackupPrivilege   = "SeBackupPrivilege"
 	SeRestorePrivilege  = "SeRestorePrivilege"
 	SeSecurityPrivilege = "SeSecurityPrivilege"
 )

-const (
-	securityAnonymous = iota
-	securityIdentification
-	securityImpersonation
-	securityDelegation
-)
-
 var (
 	privNames     = make(map[string]uint64)
 	privNameMutex sync.Mutex
@ -51,11 +47,9 @@ type PrivilegeError struct {
 }

 func (e *PrivilegeError) Error() string {
-	s := ""
+	s := "Could not enable privilege "
 	if len(e.privileges) > 1 {
 		s = "Could not enable privileges "
-	} else {
-		s = "Could not enable privilege "
 	}
 	for i, p := range e.privileges {
 		if i != 0 {
@ -94,7 +88,7 @@ func RunWithPrivileges(names []string, fn func() error) error {
 }

 func mapPrivileges(names []string) ([]uint64, error) {
-	var privileges []uint64
+	privileges := make([]uint64, 0, len(names))
 	privNameMutex.Lock()
 	defer privNameMutex.Unlock()
 	for _, name := range names {
@ -127,7 +121,7 @@ func enableDisableProcessPrivilege(names []string, action uint32) error {
 		return err
 	}

-	p, _ := windows.GetCurrentProcess()
+	p := windows.CurrentProcess()
 	var token windows.Token
 	err = windows.OpenProcessToken(p, windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, &token)
 	if err != nil {
@ -140,10 +134,10 @@ func enableDisableProcessPrivilege(names []string, action uint32) error {

 func adjustPrivileges(token windows.Token, privileges []uint64, action uint32) error {
 	var b bytes.Buffer
-	binary.Write(&b, binary.LittleEndian, uint32(len(privileges)))
+	_ = binary.Write(&b, binary.LittleEndian, uint32(len(privileges)))
 	for _, p := range privileges {
-		binary.Write(&b, binary.LittleEndian, p)
-		binary.Write(&b, binary.LittleEndian, action)
+		_ = binary.Write(&b, binary.LittleEndian, p)
+		_ = binary.Write(&b, binary.LittleEndian, action)
 	}
 	prevState := make([]byte, b.Len())
 	reqSize := uint32(0)
@ -151,7 +145,7 @@ func adjustPrivileges(token windows.Token, privileges []uint64, action uint32) e
 	if !success {
 		return err
 	}
-	if err == ERROR_NOT_ALL_ASSIGNED {
+	if err == ERROR_NOT_ALL_ASSIGNED { //nolint:errorlint // err is Errno
 		return &PrivilegeError{privileges}
 	}
 	return nil
@ -177,7 +171,7 @@ func getPrivilegeName(luid uint64) string {
 }

 func newThreadToken() (windows.Token, error) {
-	err := impersonateSelf(securityImpersonation)
+	err := impersonateSelf(windows.SecurityImpersonation)
 	if err != nil {
 		return 0, err
 	}
--- a/vendor/github.com/Microsoft/go-winio/reparse.go
+++ b/vendor/github.com/Microsoft/go-winio/reparse.go
@ -1,3 +1,6 @@
+//go:build windows
+// +build windows
+
 package winio

 import (
@ -113,16 +116,16 @@ func EncodeReparsePoint(rp *ReparsePoint) []byte {
 	}

 	var b bytes.Buffer
-	binary.Write(&b, binary.LittleEndian, &data)
+	_ = binary.Write(&b, binary.LittleEndian, &data)
 	if !rp.IsMountPoint {
 		flags := uint32(0)
 		if relative {
 			flags |= 1
 		}
-		binary.Write(&b, binary.LittleEndian, flags)
+		_ = binary.Write(&b, binary.LittleEndian, flags)
 	}

-	binary.Write(&b, binary.LittleEndian, ntTarget16)
-	binary.Write(&b, binary.LittleEndian, target16)
+	_ = binary.Write(&b, binary.LittleEndian, ntTarget16)
+	_ = binary.Write(&b, binary.LittleEndian, target16)
 	return b.Bytes()
 }
--- a/vendor/github.com/Microsoft/go-winio/sd.go
+++ b/vendor/github.com/Microsoft/go-winio/sd.go
@ -1,23 +1,25 @@
+//go:build windows
 // +build windows

 package winio

 import (
+	"errors"
 	"syscall"
 	"unsafe"
+
+	"golang.org/x/sys/windows"
 )

 //sys lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountNameW
+//sys lookupAccountSid(systemName *uint16, sid *byte, name *uint16, nameSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountSidW
 //sys convertSidToStringSid(sid *byte, str **uint16) (err error) = advapi32.ConvertSidToStringSidW
+//sys convertStringSidToSid(str *uint16, sid **byte) (err error) = advapi32.ConvertStringSidToSidW
 //sys convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd *uintptr, size *uint32) (err error) = advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW
 //sys convertSecurityDescriptorToStringSecurityDescriptor(sd *byte, revision uint32, secInfo uint32, sddl **uint16, sddlSize *uint32) (err error) = advapi32.ConvertSecurityDescriptorToStringSecurityDescriptorW
 //sys localFree(mem uintptr) = LocalFree
 //sys getSecurityDescriptorLength(sd uintptr) (len uint32) = advapi32.GetSecurityDescriptorLength

-const (
-	cERROR_NONE_MAPPED = syscall.Errno(1332)
-)
-
 type AccountLookupError struct {
 	Name string
 	Err  error
@ -28,8 +30,10 @@ func (e *AccountLookupError) Error() string {
 		return "lookup account: empty account name specified"
 	}
 	var s string
-	switch e.Err {
-	case cERROR_NONE_MAPPED:
+	switch {
+	case errors.Is(e.Err, windows.ERROR_INVALID_SID):
+		s = "the security ID structure is invalid"
+	case errors.Is(e.Err, windows.ERROR_NONE_MAPPED):
 		s = "not found"
 	default:
 		s = e.Err.Error()
@ -37,6 +41,8 @@ func (e *AccountLookupError) Error() string {
 	return "lookup account " + e.Name + ": " + s
 }

+func (e *AccountLookupError) Unwrap() error { return e.Err }
+
 type SddlConversionError struct {
 	Sddl string
 	Err  error
@ -46,15 +52,19 @@ func (e *SddlConversionError) Error() string {
 	return "convert " + e.Sddl + ": " + e.Err.Error()
 }

+func (e *SddlConversionError) Unwrap() error { return e.Err }
+
 // LookupSidByName looks up the SID of an account by name
+//
+//revive:disable-next-line:var-naming SID, not Sid
 func LookupSidByName(name string) (sid string, err error) {
 	if name == "" {
-		return "", &AccountLookupError{name, cERROR_NONE_MAPPED}
+		return "", &AccountLookupError{name, windows.ERROR_NONE_MAPPED}
 	}

 	var sidSize, sidNameUse, refDomainSize uint32
 	err = lookupAccountName(nil, name, nil, &sidSize, nil, &refDomainSize, &sidNameUse)
-	if err != nil && err != syscall.ERROR_INSUFFICIENT_BUFFER {
+	if err != nil && err != syscall.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
 		return "", &AccountLookupError{name, err}
 	}
 	sidBuffer := make([]byte, sidSize)
@ -73,6 +83,42 @@ func LookupSidByName(name string) (sid string, err error) {
 	return sid, nil
 }

+// LookupNameBySid looks up the name of an account by SID
+//
+//revive:disable-next-line:var-naming SID, not Sid
+func LookupNameBySid(sid string) (name string, err error) {
+	if sid == "" {
+		return "", &AccountLookupError{sid, windows.ERROR_NONE_MAPPED}
+	}
+
+	sidBuffer, err := windows.UTF16PtrFromString(sid)
+	if err != nil {
+		return "", &AccountLookupError{sid, err}
+	}
+
+	var sidPtr *byte
+	if err = convertStringSidToSid(sidBuffer, &sidPtr); err != nil {
+		return "", &AccountLookupError{sid, err}
+	}
+	defer localFree(uintptr(unsafe.Pointer(sidPtr)))
+
+	var nameSize, refDomainSize, sidNameUse uint32
+	err = lookupAccountSid(nil, sidPtr, nil, &nameSize, nil, &refDomainSize, &sidNameUse)
+	if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
+		return "", &AccountLookupError{sid, err}
+	}
+
+	nameBuffer := make([]uint16, nameSize)
+	refDomainBuffer := make([]uint16, refDomainSize)
+	err = lookupAccountSid(nil, sidPtr, &nameBuffer[0], &nameSize, &refDomainBuffer[0], &refDomainSize, &sidNameUse)
+	if err != nil {
+		return "", &AccountLookupError{sid, err}
+	}
+
+	name = windows.UTF16ToString(nameBuffer)
+	return name, nil
+}
+
 func SddlToSecurityDescriptor(sddl string) ([]byte, error) {
 	var sdBuffer uintptr
 	err := convertStringSecurityDescriptorToSecurityDescriptor(sddl, 1, &sdBuffer, nil)
@ -87,7 +133,7 @@ func SddlToSecurityDescriptor(sddl string) ([]byte, error) {

 func SecurityDescriptorToSddl(sd []byte) (string, error) {
 	var sddl *uint16
-	// The returned string length seems to including an aribtrary number of terminating NULs.
+	// The returned string length seems to include an arbitrary number of terminating NULs.
 	// Don't use it.
 	err := convertSecurityDescriptorToStringSecurityDescriptor(&sd[0], 1, 0xff, &sddl, nil)
 	if err != nil {
--- a/vendor/github.com/Microsoft/go-winio/syscall.go
+++ b/vendor/github.com/Microsoft/go-winio/syscall.go
@ -1,3 +1,5 @@
+//go:build windows
+
 package winio

-//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go file.go pipe.go sd.go fileinfo.go privilege.go backup.go hvsock.go
+//go:generate go run github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go ./*.go
--- a/vendor/github.com/Microsoft/go-winio/tools.go
+++ b/vendor/github.com/Microsoft/go-winio/tools.go
@ -0,0 +1,5 @@
+//go:build tools
+
+package winio
+
+import _ "golang.org/x/tools/cmd/stringer"
--- a/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
@ -1,4 +1,6 @@
-// Code generated by 'go generate'; DO NOT EDIT.
+//go:build windows
+
+// Code generated by 'go generate' using "github.com/Microsoft/go-winio/tools/mkwinsyscall"; DO NOT EDIT.

 package winio

@ -47,9 +49,11 @@ var (
 	procConvertSecurityDescriptorToStringSecurityDescriptorW = modadvapi32.NewProc("ConvertSecurityDescriptorToStringSecurityDescriptorW")
 	procConvertSidToStringSidW                               = modadvapi32.NewProc("ConvertSidToStringSidW")
 	procConvertStringSecurityDescriptorToSecurityDescriptorW = modadvapi32.NewProc("ConvertStringSecurityDescriptorToSecurityDescriptorW")
+	procConvertStringSidToSidW                               = modadvapi32.NewProc("ConvertStringSidToSidW")
 	procGetSecurityDescriptorLength                          = modadvapi32.NewProc("GetSecurityDescriptorLength")
 	procImpersonateSelf                                      = modadvapi32.NewProc("ImpersonateSelf")
 	procLookupAccountNameW                                   = modadvapi32.NewProc("LookupAccountNameW")
+	procLookupAccountSidW                                    = modadvapi32.NewProc("LookupAccountSidW")
 	procLookupPrivilegeDisplayNameW                          = modadvapi32.NewProc("LookupPrivilegeDisplayNameW")
 	procLookupPrivilegeNameW                                 = modadvapi32.NewProc("LookupPrivilegeNameW")
 	procLookupPrivilegeValueW                                = modadvapi32.NewProc("LookupPrivilegeValueW")
@ -59,7 +63,6 @@ var (
 	procBackupWrite                                          = modkernel32.NewProc("BackupWrite")
 	procCancelIoEx                                           = modkernel32.NewProc("CancelIoEx")
 	procConnectNamedPipe                                     = modkernel32.NewProc("ConnectNamedPipe")
-	procCreateFileW                                          = modkernel32.NewProc("CreateFileW")
 	procCreateIoCompletionPort                               = modkernel32.NewProc("CreateIoCompletionPort")
 	procCreateNamedPipeW                                     = modkernel32.NewProc("CreateNamedPipeW")
 	procGetCurrentThread                                     = modkernel32.NewProc("GetCurrentThread")
@ -74,7 +77,6 @@ var (
 	procRtlDosPathNameToNtPathName_U                         = modntdll.NewProc("RtlDosPathNameToNtPathName_U")
 	procRtlNtStatusToDosErrorNoTeb                           = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
 	procWSAGetOverlappedResult                               = modws2_32.NewProc("WSAGetOverlappedResult")
-	procbind                                                 = modws2_32.NewProc("bind")
 )

 func adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) {
@ -123,6 +125,14 @@ func _convertStringSecurityDescriptorToSecurityDescriptor(str *uint16, revision
 	return
 }

+func convertStringSidToSid(str *uint16, sid **byte) (err error) {
+	r1, _, e1 := syscall.Syscall(procConvertStringSidToSidW.Addr(), 2, uintptr(unsafe.Pointer(str)), uintptr(unsafe.Pointer(sid)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func getSecurityDescriptorLength(sd uintptr) (len uint32) {
 	r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(sd), 0, 0)
 	len = uint32(r0)
@ -154,6 +164,14 @@ func _lookupAccountName(systemName *uint16, accountName *uint16, sid *byte, sidS
 	return
 }

+func lookupAccountSid(systemName *uint16, sid *byte, name *uint16, nameSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall9(procLookupAccountSidW.Addr(), 7, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(nameSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)), 0, 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) {
 	var _p0 *uint16
 	_p0, err = syscall.UTF16PtrFromString(systemName)
@ -286,24 +304,6 @@ func connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) {
 	return
 }

-func createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(name)
-	if err != nil {
-		return
-	}
-	return _createFile(_p0, access, mode, sa, createmode, attrs, templatefile)
-}
-
-func _createFile(name *uint16, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
-	handle = syscall.Handle(r0)
-	if handle == syscall.InvalidHandle {
-		err = errnoErr(e1)
-	}
-	return
-}
-
 func createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount uint32) (newport syscall.Handle, err error) {
 	r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0)
 	newport = syscall.Handle(r0)
@ -380,25 +380,25 @@ func setFileCompletionNotificationModes(h syscall.Handle, flags uint8) (err erro
 	return
 }

-func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) {
+func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntStatus) {
 	r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0)
-	status = ntstatus(r0)
+	status = ntStatus(r0)
 	return
 }

-func rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) {
+func rtlDefaultNpAcl(dacl *uintptr) (status ntStatus) {
 	r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0)
-	status = ntstatus(r0)
+	status = ntStatus(r0)
 	return
 }

-func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) {
+func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntStatus) {
 	r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0)
-	status = ntstatus(r0)
+	status = ntStatus(r0)
 	return
 }

-func rtlNtStatusToDosError(status ntstatus) (winerr error) {
+func rtlNtStatusToDosError(status ntStatus) (winerr error) {
 	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
 	if r0 != 0 {
 		winerr = syscall.Errno(r0)
@ -417,11 +417,3 @@ func wsaGetOverlappedResult(h syscall.Handle, o *syscall.Overlapped, bytes *uint
 	}
 	return
 }
-
-func bind(s syscall.Handle, name unsafe.Pointer, namelen int32) (err error) {
-	r1, _, e1 := syscall.Syscall(procbind.Addr(), 3, uintptr(s), uintptr(name), uintptr(namelen))
-	if r1 == socketError {
-		err = errnoErr(e1)
-	}
-	return
-}
--- a/vendor/github.com/ProtonMail/go-crypto/bitcurves/bitcurve.go
+++ b/vendor/github.com/ProtonMail/go-crypto/bitcurves/bitcurve.go
@ -191,7 +191,7 @@ func (bitCurve *BitCurve) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int,
 	return x3, y3, z3
 }

-//TODO: double check if it is okay
+// TODO: double check if it is okay
 // ScalarMult returns k*(Bx,By) where k is a number in big-endian form.
 func (bitCurve *BitCurve) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int) {
 	// We have a slight problem in that the identity of the group (the
@ -239,7 +239,7 @@ func (bitCurve *BitCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int) {

 var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f}

-//TODO: double check if it is okay
+// TODO: double check if it is okay
 // GenerateKey returns a public/private key pair. The private key is generated
 // using the given reader, which must return random data.
 func (bitCurve *BitCurve) GenerateKey(rand io.Reader) (priv []byte, x, y *big.Int, err error) {
--- a/vendor/github.com/ProtonMail/go-crypto/brainpool/rcurve.go
+++ b/vendor/github.com/ProtonMail/go-crypto/brainpool/rcurve.go
@ -80,4 +80,4 @@ func (curve *rcurve) ScalarMult(x1, y1 *big.Int, scalar []byte) (x, y *big.Int)

 func (curve *rcurve) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
 	return curve.fromTwisted(curve.twisted.ScalarBaseMult(scalar))
-}
+}
--- a/vendor/github.com/ProtonMail/go-crypto/eax/eax.go
+++ b/vendor/github.com/ProtonMail/go-crypto/eax/eax.go
@ -67,7 +67,7 @@ func (e *eax) Seal(dst, nonce, plaintext, adata []byte) []byte {
 	if len(nonce) > e.nonceSize {
 		panic("crypto/eax: Nonce too long for this instance")
 	}
-	ret, out := byteutil.SliceForAppend(dst, len(plaintext) + e.tagSize)
+	ret, out := byteutil.SliceForAppend(dst, len(plaintext)+e.tagSize)
 	omacNonce := e.omacT(0, nonce)
 	omacAdata := e.omacT(1, adata)

@ -85,7 +85,7 @@ func (e *eax) Seal(dst, nonce, plaintext, adata []byte) []byte {
 	return ret
 }

-func (e* eax) Open(dst, nonce, ciphertext, adata []byte) ([]byte, error) {
+func (e *eax) Open(dst, nonce, ciphertext, adata []byte) ([]byte, error) {
 	if len(nonce) > e.nonceSize {
 		panic("crypto/eax: Nonce too long for this instance")
 	}
--- a/vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go
+++ b/vendor/github.com/ProtonMail/go-crypto/internal/byteutil/byteutil.go
@ -41,7 +41,7 @@ func ShiftNBytesLeft(dst, x []byte, n int) {
 	bits := uint(n % 8)
 	l := len(dst)
 	for i := 0; i < l-1; i++ {
-		dst[i] = (dst[i] << bits) | (dst[i+1] >> uint(8 - bits))
+		dst[i] = (dst[i] << bits) | (dst[i+1] >> uint(8-bits))
 	}
 	dst[l-1] = dst[l-1] << bits

@ -56,7 +56,6 @@ func XorBytesMut(X, Y []byte) {
 	}
 }

-
 // XorBytes assumes equal input length, puts X XOR Y into Z
 func XorBytes(Z, X, Y []byte) {
 	for i := 0; i < len(X); i++ {
@ -67,10 +66,10 @@ func XorBytes(Z, X, Y []byte) {
 // RightXor XORs smaller input (assumed Y) at the right of the larger input (assumed X)
 func RightXor(X, Y []byte) []byte {
 	offset := len(X) - len(Y)
-	xored := make([]byte, len(X));
+	xored := make([]byte, len(X))
 	copy(xored, X)
 	for i := 0; i < len(Y); i++ {
-		xored[offset + i] ^= Y[i]
+		xored[offset+i] ^= Y[i]
 	}
 	return xored
 }
@ -89,4 +88,3 @@ func SliceForAppend(in []byte, n int) (head, tail []byte) {
 	tail = head[len(in):]
 	return
 }
-
--- a/vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go
+++ b/vendor/github.com/ProtonMail/go-crypto/ocb/ocb.go
@ -93,13 +93,13 @@ func NewOCBWithNonceAndTagSize(
 		return nil, ocbError("Custom tag length exceeds blocksize")
 	}
 	return &ocb{
-		block:        block,
-		tagSize:      tagSize,
-		nonceSize:    nonceSize,
-		mask:         initializeMaskTable(block),
+		block:     block,
+		tagSize:   tagSize,
+		nonceSize: nonceSize,
+		mask:      initializeMaskTable(block),
 		reusableKtop: reusableKtop{
 			noncePrefix: nil,
-			Ktop: nil,
+			Ktop:        nil,
 		},
 	}, nil
 }
--- a/vendor/github.com/ProtonMail/go-crypto/ocb/rfc7253_test_vectors_suite_b.go
+++ b/vendor/github.com/ProtonMail/go-crypto/ocb/rfc7253_test_vectors_suite_b.go
@ -4,21 +4,22 @@ package ocb
 var rfc7253TestVectorTaglen96 = struct {
 	key, nonce, header, plaintext, ciphertext string
 }{"0F0E0D0C0B0A09080706050403020100",
-		"BBAA9988776655443322110D",
-		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
-		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
-		"1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FDAC4F02AA"}
+	"BBAA9988776655443322110D",
+	"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
+	"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
+	"1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FDAC4F02AA"}

 var rfc7253AlgorithmTest = []struct {
 	KEYLEN, TAGLEN int
-	OUTPUT string }{
-		{128, 128, "67E944D23256C5E0B6C61FA22FDF1EA2"},
-		{192, 128, "F673F2C3E7174AAE7BAE986CA9F29E17"},
-		{256, 128, "D90EB8E9C977C88B79DD793D7FFA161C"},
-		{128, 96, "77A3D8E73589158D25D01209"},
-		{192, 96, "05D56EAD2752C86BE6932C5E"},
-		{256, 96, "5458359AC23B0CBA9E6330DD"},
-		{128, 64, "192C9B7BD90BA06A"},
-		{192, 64, "0066BC6E0EF34E24"},
-		{256, 64, "7D4EA5D445501CBE"},
-	}
+	OUTPUT         string
+}{
+	{128, 128, "67E944D23256C5E0B6C61FA22FDF1EA2"},
+	{192, 128, "F673F2C3E7174AAE7BAE986CA9F29E17"},
+	{256, 128, "D90EB8E9C977C88B79DD793D7FFA161C"},
+	{128, 96, "77A3D8E73589158D25D01209"},
+	{192, 96, "05D56EAD2752C86BE6932C5E"},
+	{256, 96, "5458359AC23B0CBA9E6330DD"},
+	{128, 64, "192C9B7BD90BA06A"},
+	{192, 64, "0066BC6E0EF34E24"},
+	{256, 64, "7D4EA5D445501CBE"},
+}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/armor.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/armor.go
@ -10,19 +10,22 @@ import (
 	"bufio"
 	"bytes"
 	"encoding/base64"
-	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )

 // A Block represents an OpenPGP armored structure.
 //
 // The encoded form is:
-//    -----BEGIN Type-----
-//    Headers
 //
-//    base64-encoded Bytes
-//    '=' base64 encoded checksum
-//    -----END Type-----
+//	-----BEGIN Type-----
+//	Headers
+//
+//	base64-encoded Bytes
+//	'=' base64 encoded checksum
+//	-----END Type-----
+//
 // where Headers is a possibly empty sequence of Key: Value lines.
 //
 // Since the armored data can be very large, this package presents a streaming
@ -206,12 +209,16 @@ TryNextBlock:
 			break
 		}

-		i := bytes.Index(line, []byte(": "))
+		i := bytes.Index(line, []byte(":"))
 		if i == -1 {
 			goto TryNextBlock
 		}
 		lastKey = string(line[:i])
-		p.Header[lastKey] = string(line[i+2:])
+		var value string
+		if len(line) > i+2 {
+			value = string(line[i+2:])
+		}
+		p.Header[lastKey] = value
 	}

 	p.lReader.in = r
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go
@ -96,7 +96,8 @@ func (l *lineBreaker) Close() (err error) {
 // trailer.
 //
 // It's built into a stack of io.Writers:
-//    encoding -> base64 encoder -> lineBreaker -> out
+//
+//	encoding -> base64 encoder -> lineBreaker -> out
 type encoding struct {
 	out       io.Writer
 	breaker   *lineBreaker
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/ecdh/ecdh.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/ecdh/ecdh.go
@ -34,7 +34,7 @@ type PrivateKey struct {

 func NewPublicKey(curve ecc.ECDHCurve, kdfHash algorithm.Hash, kdfCipher algorithm.Cipher) *PublicKey {
 	return &PublicKey{
-		curve:     curve,
+		curve: curve,
 		KDF: KDF{
 			Hash:   kdfHash,
 			Cipher: kdfCipher,
@ -167,7 +167,7 @@ func buildKey(pub *PublicKey, zb []byte, curveOID, fingerprint []byte, stripLead
 	if _, err := param.Write(fingerprint[:20]); err != nil {
 		return nil, err
 	}
-	if param.Len() - len(curveOID) != 45 {
+	if param.Len()-len(curveOID) != 45 {
 		return nil, errors.New("ecdh: malformed KDF Param")
 	}

@ -181,15 +181,19 @@ func buildKey(pub *PublicKey, zb []byte, curveOID, fingerprint []byte, stripLead
 	j := zbLen - 1
 	if stripLeading {
 		// Work around old go crypto bug where the leading zeros are missing.
-		for ; i < zbLen && zb[i] == 0; i++ {}
+		for i < zbLen && zb[i] == 0 {
+			i++
+		}
 	}
 	if stripTrailing {
 		// Work around old OpenPGP.js bug where insignificant trailing zeros in
 		// this little-endian number are missing.
 		// (See https://github.com/openpgpjs/openpgpjs/pull/853.)
-		for ; j >= 0 && zb[j] == 0; j-- {}
+		for j >= 0 && zb[j] == 0 {
+			j--
+		}
 	}
-	if _, err := h.Write(zb[i:j+1]); err != nil {
+	if _, err := h.Write(zb[i : j+1]); err != nil {
 		return nil, err
 	}
 	if _, err := h.Write(param.Bytes()); err != nil {
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/ecdsa/ecdsa.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/ecdsa/ecdsa.go
@ -10,7 +10,7 @@ import (
 )

 type PublicKey struct {
-	X, Y *big.Int
+	X, Y  *big.Int
 	curve ecc.ECDSACurve
 }

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/eddsa/eddsa.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/eddsa/eddsa.go
@ -9,7 +9,7 @@ import (
 )

 type PublicKey struct {
-	X []byte
+	X     []byte
 	curve ecc.EdDSACurve
 }

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/elgamal/elgamal.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/elgamal/elgamal.go
@ -71,8 +71,8 @@ func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err
 // returns the plaintext of the message. An error can result only if the
 // ciphertext is invalid. Users should keep in mind that this is a padding
 // oracle and thus, if exposed to an adaptive chosen ciphertext attack, can
-// be used to break the cryptosystem.  See ``Chosen Ciphertext Attacks
-// Against Protocols Based on the RSA Encryption Standard PKCS #1'', Daniel
+// be used to break the cryptosystem.  See “Chosen Ciphertext Attacks
+// Against Protocols Based on the RSA Encryption Standard PKCS #1”, Daniel
 // Bleichenbacher, Advances in Cryptology (Crypto '98),
 func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
 	s := new(big.Int).Exp(c1, priv.X, priv.P)
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/hash.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/hash.go
@ -0,0 +1,24 @@
+package openpgp
+
+import (
+	"crypto"
+
+	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
+)
+
+// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id.
+func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
+	return algorithm.HashIdToHash(id)
+}
+
+// HashIdToString returns the name of the hash function corresponding to the
+// given OpenPGP hash id.
+func HashIdToString(id byte) (name string, ok bool) {
+	return algorithm.HashIdToString(id)
+}
+
+// HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
+func HashToHashId(h crypto.Hash) (id byte, ok bool) {
+	return algorithm.HashToHashId(h)
+}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/aead.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/aead.go
@ -16,7 +16,7 @@ type AEADMode uint8
 const (
 	AEADModeEAX = AEADMode(1)
 	AEADModeOCB = AEADMode(2)
-	AEADModeGCM = AEADMode(100)
+	AEADModeGCM = AEADMode(3)
 )

 // TagLength returns the length in bytes of authentication tags.
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/hash.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/hash.go
@ -32,26 +32,25 @@ type Hash interface {

 // The following vars mirror the crypto/Hash supported hash functions.
 var (
-	MD5       Hash = cryptoHash{1, crypto.MD5}
-	SHA1      Hash = cryptoHash{2, crypto.SHA1}
-	RIPEMD160 Hash = cryptoHash{3, crypto.RIPEMD160}
-	SHA256    Hash = cryptoHash{8, crypto.SHA256}
-	SHA384    Hash = cryptoHash{9, crypto.SHA384}
-	SHA512    Hash = cryptoHash{10, crypto.SHA512}
-	SHA224    Hash = cryptoHash{11, crypto.SHA224}
+	SHA1     Hash = cryptoHash{2, crypto.SHA1}
+	SHA256   Hash = cryptoHash{8, crypto.SHA256}
+	SHA384   Hash = cryptoHash{9, crypto.SHA384}
+	SHA512   Hash = cryptoHash{10, crypto.SHA512}
+	SHA224   Hash = cryptoHash{11, crypto.SHA224}
+	SHA3_256 Hash = cryptoHash{12, crypto.SHA3_256}
+	SHA3_512 Hash = cryptoHash{14, crypto.SHA3_512}
 )

 // HashById represents the different hash functions specified for OpenPGP. See
 // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-14
 var (
 	HashById = map[uint8]Hash{
-		MD5.Id():       MD5,
-		SHA1.Id():      SHA1,
-		RIPEMD160.Id(): RIPEMD160,
-		SHA256.Id():    SHA256,
-		SHA384.Id():    SHA384,
-		SHA512.Id():    SHA512,
-		SHA224.Id():    SHA224,
+		SHA256.Id():   SHA256,
+		SHA384.Id():   SHA384,
+		SHA512.Id():   SHA512,
+		SHA224.Id():   SHA224,
+		SHA3_256.Id(): SHA3_256,
+		SHA3_512.Id(): SHA3_512,
 	}
 )

@ -68,13 +67,12 @@ func (h cryptoHash) Id() uint8 {
 }

 var hashNames = map[uint8]string{
-	MD5.Id():       "MD5",
-	SHA1.Id():      "SHA1",
-	RIPEMD160.Id(): "RIPEMD160",
-	SHA256.Id():    "SHA256",
-	SHA384.Id():    "SHA384",
-	SHA512.Id():    "SHA512",
-	SHA224.Id():    "SHA224",
+	SHA256.Id():   "SHA256",
+	SHA384.Id():   "SHA384",
+	SHA512.Id():   "SHA512",
+	SHA224.Id():   "SHA224",
+	SHA3_256.Id(): "SHA3-256",
+	SHA3_512.Id(): "SHA3-512",
 }

 func (h cryptoHash) String() string {
@ -84,3 +82,62 @@ func (h cryptoHash) String() string {
 	}
 	return s
 }
+
+// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id.
+func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.HashFunc(), true
+	}
+	return 0, false
+}
+
+// HashIdToHashWithSha1 returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id, allowing sha1.
+func HashIdToHashWithSha1(id byte) (h crypto.Hash, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.HashFunc(), true
+	}
+
+	if id == SHA1.Id() {
+		return SHA1.HashFunc(), true
+	}
+
+	return 0, false
+}
+
+// HashIdToString returns the name of the hash function corresponding to the
+// given OpenPGP hash id.
+func HashIdToString(id byte) (name string, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.String(), true
+	}
+	return "", false
+}
+
+// HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
+func HashToHashId(h crypto.Hash) (id byte, ok bool) {
+	for id, hash := range HashById {
+		if hash.HashFunc() == h {
+			return id, true
+		}
+	}
+
+	return 0, false
+}
+
+// HashToHashIdWithSha1 returns an OpenPGP hash id which corresponds the given Hash,
+// allowing instances of SHA1
+func HashToHashIdWithSha1(h crypto.Hash) (id byte, ok bool) {
+	for id, hash := range HashById {
+		if hash.HashFunc() == h {
+			return id, true
+		}
+	}
+
+	if h == SHA1.HashFunc() {
+		return SHA1.Id(), true
+	}
+
+	return 0, false
+}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve25519.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve25519.go
@ -9,7 +9,7 @@ import (
 	x25519lib "github.com/cloudflare/circl/dh/x25519"
 )

-type curve25519 struct {}
+type curve25519 struct{}

 func NewCurve25519() *curve25519 {
 	return &curve25519{}
@ -21,14 +21,14 @@ func (c *curve25519) GetCurveName() string {

 // MarshalBytePoint encodes the public point from native format, adding the prefix.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
-func (c *curve25519) MarshalBytePoint(point [] byte) []byte {
+func (c *curve25519) MarshalBytePoint(point []byte) []byte {
 	return append([]byte{0x40}, point...)
 }

 // UnmarshalBytePoint decodes the public point to native format, removing the prefix.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
 func (c *curve25519) UnmarshalBytePoint(point []byte) []byte {
-	if len(point) != x25519lib.Size + 1 {
+	if len(point) != x25519lib.Size+1 {
 		return nil
 	}

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve_info.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve_info.go
@ -11,76 +11,76 @@ import (

 type CurveInfo struct {
 	GenName string
-	Oid *encoding.OID
-	Curve Curve
+	Oid     *encoding.OID
+	Curve   Curve
 }

 var Curves = []CurveInfo{
 	{
 		// NIST P-256
 		GenName: "P256",
-		Oid: encoding.NewOID([]byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}),
-		Curve: NewGenericCurve(elliptic.P256()),
+		Oid:     encoding.NewOID([]byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}),
+		Curve:   NewGenericCurve(elliptic.P256()),
 	},
 	{
 		// NIST P-384
 		GenName: "P384",
-		Oid: encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x22}),
-		Curve: NewGenericCurve(elliptic.P384()),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x22}),
+		Curve:   NewGenericCurve(elliptic.P384()),
 	},
 	{
 		// NIST P-521
 		GenName: "P521",
-		Oid: encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x23}),
-		Curve: NewGenericCurve(elliptic.P521()),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x23}),
+		Curve:   NewGenericCurve(elliptic.P521()),
 	},
 	{
 		// SecP256k1
 		GenName: "SecP256k1",
-		Oid: encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x0A}),
-		Curve: NewGenericCurve(bitcurves.S256()),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x0A}),
+		Curve:   NewGenericCurve(bitcurves.S256()),
 	},
 	{
 		// Curve25519
 		GenName: "Curve25519",
-		Oid: encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}),
-		Curve: NewCurve25519(),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}),
+		Curve:   NewCurve25519(),
 	},
 	{
 		// X448
 		GenName: "Curve448",
-		Oid: encoding.NewOID([]byte{0x2B, 0x65, 0x6F}),
-		Curve: NewX448(),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x65, 0x6F}),
+		Curve:   NewX448(),
 	},
 	{
 		// Ed25519
 		GenName: "Curve25519",
-		Oid: encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}),
-		Curve: NewEd25519(),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}),
+		Curve:   NewEd25519(),
 	},
 	{
 		// Ed448
 		GenName: "Curve448",
-		Oid: encoding.NewOID([]byte{0x2B, 0x65, 0x71}),
-		Curve: NewEd448(),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x65, 0x71}),
+		Curve:   NewEd448(),
 	},
 	{
 		// BrainpoolP256r1
 		GenName: "BrainpoolP256",
-		Oid: encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07}),
-		Curve: NewGenericCurve(brainpool.P256r1()),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07}),
+		Curve:   NewGenericCurve(brainpool.P256r1()),
 	},
 	{
 		// BrainpoolP384r1
 		GenName: "BrainpoolP384",
-		Oid: encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B}),
-		Curve: NewGenericCurve(brainpool.P384r1()),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B}),
+		Curve:   NewGenericCurve(brainpool.P384r1()),
 	},
 	{
 		// BrainpoolP512r1
 		GenName: "BrainpoolP512",
-		Oid: encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D}),
-		Curve: NewGenericCurve(brainpool.P512r1()),
+		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D}),
+		Curve:   NewGenericCurve(brainpool.P512r1()),
 	},
 }

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curves.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curves.go
@ -38,7 +38,7 @@ type EdDSACurve interface {
 type ECDHCurve interface {
 	Curve
 	MarshalBytePoint([]byte) (encoded []byte)
-	UnmarshalBytePoint(encoded []byte) ([]byte)
+	UnmarshalBytePoint(encoded []byte) []byte
 	MarshalByteSecret(d []byte) []byte
 	UnmarshalByteSecret(d []byte) []byte
 	GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error)
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed25519.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed25519.go
@ -10,7 +10,8 @@ import (
 )

 const ed25519Size = 32
-type ed25519 struct {}
+
+type ed25519 struct{}

 func NewEd25519() *ed25519 {
 	return &ed25519{}
@ -29,7 +30,7 @@ func (c *ed25519) MarshalBytePoint(x []byte) []byte {
 // UnmarshalBytePoint decodes a point from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed25519) UnmarshalBytePoint(point []byte) (x []byte) {
-	if len(point) != ed25519lib.PublicKeySize + 1 {
+	if len(point) != ed25519lib.PublicKeySize+1 {
 		return nil
 	}

@ -52,7 +53,7 @@ func (c *ed25519) UnmarshalByteSecret(s []byte) (d []byte) {

 	// Handle stripped leading zeroes
 	d = make([]byte, ed25519lib.SeedSize)
-	copy(d[ed25519lib.SeedSize - len(s):], s)
+	copy(d[ed25519lib.SeedSize-len(s):], s)
 	return
 }

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed448.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed448.go
@ -9,7 +9,7 @@ import (
 	ed448lib "github.com/cloudflare/circl/sign/ed448"
 )

-type ed448 struct {}
+type ed448 struct{}

 func NewEd448() *ed448 {
 	return &ed448{}
@ -29,7 +29,7 @@ func (c *ed448) MarshalBytePoint(x []byte) []byte {
 // UnmarshalBytePoint decodes a point from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed448) UnmarshalBytePoint(point []byte) (x []byte) {
-	if len(point) != ed448lib.PublicKeySize + 1 {
+	if len(point) != ed448lib.PublicKeySize+1 {
 		return nil
 	}

@ -48,7 +48,7 @@ func (c *ed448) MarshalByteSecret(d []byte) []byte {
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed448) UnmarshalByteSecret(s []byte) (d []byte) {
 	// Check prefixed size
-	if len(s) != ed448lib.SeedSize + 1 {
+	if len(s) != ed448lib.SeedSize+1 {
 		return nil
 	}

@ -66,7 +66,7 @@ func (c *ed448) MarshalSignature(sig []byte) (r, s []byte) {
 // UnmarshalSignature decodes R and S in the native format. Only R is used, in prefixed native format.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.2
 func (c *ed448) UnmarshalSignature(r, s []byte) (sig []byte) {
-	if len(r) != ed448lib.SignatureSize + 1 {
+	if len(r) != ed448lib.SignatureSize+1 {
 		return nil
 	}

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/x448.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/x448.go
@ -9,7 +9,7 @@ import (
 	x448lib "github.com/cloudflare/circl/dh/x448"
 )

-type x448 struct {}
+type x448 struct{}

 func NewX448() *x448 {
 	return &x448{}
@ -28,7 +28,7 @@ func (c *x448) MarshalBytePoint(point []byte) []byte {
 // UnmarshalBytePoint decodes a point from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
 func (c *x448) UnmarshalBytePoint(point []byte) []byte {
-	if len(point) != x448lib.Size + 1 {
+	if len(point) != x448lib.Size+1 {
 		return nil
 	}

@ -44,7 +44,7 @@ func (c *x448) MarshalByteSecret(d []byte) []byte {
 // UnmarshalByteSecret decodes a scalar from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.2
 func (c *x448) UnmarshalByteSecret(d []byte) []byte {
-	if len(d) != x448lib.Size + 1 {
+	if len(d) != x448lib.Size+1 {
 		return nil
 	}

@ -73,7 +73,9 @@ func (c *x448) GenerateECDH(rand io.Reader) (point []byte, secret []byte, err er
 func (c *x448) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
 	var pk, ss x448lib.Key
 	seed, e, err := c.generateKeyPairBytes(rand)
-
+	if err != nil {
+		return nil, nil, err
+	}
 	copy(pk[:], point)
 	x448lib.Shared(&ss, &seed, &pk)

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/key_generation.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/key_generation.go
@ -82,27 +82,24 @@ func (t *Entity) addUserId(name, comment, email string, config *packet.Config, c

 	isPrimaryId := len(t.Identities) == 0

-	selfSignature := &packet.Signature{
-		Version:           primary.PublicKey.Version,
-		SigType:           packet.SigTypePositiveCert,
-		PubKeyAlgo:        primary.PublicKey.PubKeyAlgo,
-		Hash:              config.Hash(),
-		CreationTime:      creationTime,
-		KeyLifetimeSecs:   &keyLifetimeSecs,
-		IssuerKeyId:       &primary.PublicKey.KeyId,
-		IssuerFingerprint: primary.PublicKey.Fingerprint,
-		IsPrimaryId:       &isPrimaryId,
-		FlagsValid:        true,
-		FlagSign:          true,
-		FlagCertify:       true,
-		MDC:               true, // true by default, see 5.8 vs. 5.14
-		AEAD:              config.AEAD() != nil,
-		V5Keys:            config != nil && config.V5Keys,
-	}
+	selfSignature := createSignaturePacket(&primary.PublicKey, packet.SigTypePositiveCert, config)
+	selfSignature.CreationTime = creationTime
+	selfSignature.KeyLifetimeSecs = &keyLifetimeSecs
+	selfSignature.IsPrimaryId = &isPrimaryId
+	selfSignature.FlagsValid = true
+	selfSignature.FlagSign = true
+	selfSignature.FlagCertify = true
+	selfSignature.SEIPDv1 = true // true by default, see 5.8 vs. 5.14
+	selfSignature.SEIPDv2 = config.AEAD() != nil

 	// Set the PreferredHash for the SelfSignature from the packet.Config.
 	// If it is not the must-implement algorithm from rfc4880bis, append that.
-	selfSignature.PreferredHash = []uint8{hashToHashId(config.Hash())}
+	hash, ok := algorithm.HashToHashId(config.Hash())
+	if !ok {
+		return errors.UnsupportedError("unsupported preferred hash function")
+	}
+
+	selfSignature.PreferredHash = []uint8{hash}
 	if config.Hash() != crypto.SHA256 {
 		selfSignature.PreferredHash = append(selfSignature.PreferredHash, hashToHashId(crypto.SHA256))
 	}
@ -123,9 +120,16 @@ func (t *Entity) addUserId(name, comment, email string, config *packet.Config, c
 	}

 	// And for DefaultMode.
-	selfSignature.PreferredAEAD = []uint8{uint8(config.AEAD().Mode())}
-	if config.AEAD().Mode() != packet.AEADModeEAX {
-		selfSignature.PreferredAEAD = append(selfSignature.PreferredAEAD, uint8(packet.AEADModeEAX))
+	modes := []uint8{uint8(config.AEAD().Mode())}
+	if config.AEAD().Mode() != packet.AEADModeOCB {
+		modes = append(modes, uint8(packet.AEADModeOCB))
+	}
+
+	// For preferred (AES256, GCM), we'll generate (AES256, GCM), (AES256, OCB), (AES128, GCM), (AES128, OCB)
+	for _, cipher := range selfSignature.PreferredSymmetric {
+		for _, mode := range modes {
+			selfSignature.PreferredCipherSuites = append(selfSignature.PreferredCipherSuites, [2]uint8{cipher, mode})
+		}
 	}

 	// User ID binding signature
@ -153,42 +157,30 @@ func (e *Entity) AddSigningSubkey(config *packet.Config) error {
 		return err
 	}
 	sub := packet.NewSignerPrivateKey(creationTime, subPrivRaw)
+	sub.IsSubkey = true
+	if config != nil && config.V5Keys {
+		sub.UpgradeToV5()
+	}

 	subkey := Subkey{
 		PublicKey:  &sub.PublicKey,
 		PrivateKey: sub,
-		Sig: &packet.Signature{
-			Version:         e.PrimaryKey.Version,
-			CreationTime:    creationTime,
-			KeyLifetimeSecs: &keyLifetimeSecs,
-			SigType:         packet.SigTypeSubkeyBinding,
-			PubKeyAlgo:      e.PrimaryKey.PubKeyAlgo,
-			Hash:            config.Hash(),
-			FlagsValid:      true,
-			FlagSign:        true,
-			IssuerKeyId:     &e.PrimaryKey.KeyId,
-			EmbeddedSignature: &packet.Signature{
-				Version:      e.PrimaryKey.Version,
-				CreationTime: creationTime,
-				SigType:      packet.SigTypePrimaryKeyBinding,
-				PubKeyAlgo:   sub.PublicKey.PubKeyAlgo,
-				Hash:         config.Hash(),
-				IssuerKeyId:  &e.PrimaryKey.KeyId,
-			},
-		},
-	}
-	if config != nil && config.V5Keys {
-		subkey.PublicKey.UpgradeToV5()
 	}
+	subkey.Sig = createSignaturePacket(e.PrimaryKey, packet.SigTypeSubkeyBinding, config)
+	subkey.Sig.CreationTime = creationTime
+	subkey.Sig.KeyLifetimeSecs = &keyLifetimeSecs
+	subkey.Sig.FlagsValid = true
+	subkey.Sig.FlagSign = true
+	subkey.Sig.EmbeddedSignature = createSignaturePacket(subkey.PublicKey, packet.SigTypePrimaryKeyBinding, config)
+	subkey.Sig.EmbeddedSignature.CreationTime = creationTime

 	err = subkey.Sig.EmbeddedSignature.CrossSignKey(subkey.PublicKey, e.PrimaryKey, subkey.PrivateKey, config)
 	if err != nil {
 		return err
 	}

-	subkey.PublicKey.IsSubkey = true
-	subkey.PrivateKey.IsSubkey = true
-	if err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config); err != nil {
+	err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
+	if err != nil {
 		return err
 	}

@ -210,30 +202,24 @@ func (e *Entity) addEncryptionSubkey(config *packet.Config, creationTime time.Ti
 		return err
 	}
 	sub := packet.NewDecrypterPrivateKey(creationTime, subPrivRaw)
+	sub.IsSubkey = true
+	if config != nil && config.V5Keys {
+		sub.UpgradeToV5()
+	}

 	subkey := Subkey{
 		PublicKey:  &sub.PublicKey,
 		PrivateKey: sub,
-		Sig: &packet.Signature{
-			Version:                   e.PrimaryKey.Version,
-			CreationTime:              creationTime,
-			KeyLifetimeSecs:           &keyLifetimeSecs,
-			SigType:                   packet.SigTypeSubkeyBinding,
-			PubKeyAlgo:                e.PrimaryKey.PubKeyAlgo,
-			Hash:                      config.Hash(),
-			FlagsValid:                true,
-			FlagEncryptStorage:        true,
-			FlagEncryptCommunications: true,
-			IssuerKeyId:               &e.PrimaryKey.KeyId,
-		},
-	}
-	if config != nil && config.V5Keys {
-		subkey.PublicKey.UpgradeToV5()
 	}
+	subkey.Sig = createSignaturePacket(e.PrimaryKey, packet.SigTypeSubkeyBinding, config)
+	subkey.Sig.CreationTime = creationTime
+	subkey.Sig.KeyLifetimeSecs = &keyLifetimeSecs
+	subkey.Sig.FlagsValid = true
+	subkey.Sig.FlagEncryptStorage = true
+	subkey.Sig.FlagEncryptCommunications = true

-	subkey.PublicKey.IsSubkey = true
-	subkey.PrivateKey.IsSubkey = true
-	if err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config); err != nil {
+	err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
+	if err != nil {
 		return err
 	}

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/keys.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/keys.go
@ -150,11 +150,9 @@ func (e *Entity) EncryptionKey(now time.Time) (Key, bool) {
 		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Revocations}, true
 	}

-	// If we don't have any candidate subkeys for encryption and
-	// the primary key doesn't have any usage metadata then we
-	// assume that the primary key is ok. Or, if the primary key is
-	// marked as ok to encrypt with, then we can obviously use it.
-	if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications &&
+	// If we don't have any subkeys for encryption and the primary key
+	// is marked as OK to encrypt with, then we can use it.
+	if i.SelfSignature.FlagsValid && i.SelfSignature.FlagEncryptCommunications &&
 		e.PrimaryKey.PubKeyAlgo.CanEncrypt() {
 		return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature, e.Revocations}, true
 	}
@ -162,7 +160,6 @@ func (e *Entity) EncryptionKey(now time.Time) (Key, bool) {
 	return Key{}, false
 }

-
 // CertificationKey return the best candidate Key for certifying a key with this
 // Entity.
 func (e *Entity) CertificationKey(now time.Time) (Key, bool) {
@ -203,8 +200,8 @@ func (e *Entity) signingKeyByIdUsage(now time.Time, id uint64, flags int) (Key,
 	var maxTime time.Time
 	for idx, subkey := range e.Subkeys {
 		if subkey.Sig.FlagsValid &&
-			(flags & packet.KeyFlagCertify == 0 || subkey.Sig.FlagCertify) &&
-			(flags & packet.KeyFlagSign == 0 || subkey.Sig.FlagSign) &&
+			(flags&packet.KeyFlagCertify == 0 || subkey.Sig.FlagCertify) &&
+			(flags&packet.KeyFlagSign == 0 || subkey.Sig.FlagSign) &&
 			subkey.PublicKey.PubKeyAlgo.CanSign() &&
 			!subkey.PublicKey.KeyExpired(subkey.Sig, now) &&
 			!subkey.Sig.SigExpired(now) &&
@ -221,12 +218,11 @@ func (e *Entity) signingKeyByIdUsage(now time.Time, id uint64, flags int) (Key,
 		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Revocations}, true
 	}

-	// If we have no candidate subkey then we assume that it's ok to sign
-	// with the primary key.  Or, if the primary key is marked as ok to
-	// sign with, then we can use it.
-	if !i.SelfSignature.FlagsValid || (
-			(flags & packet.KeyFlagCertify == 0 || i.SelfSignature.FlagCertify) &&
-			(flags & packet.KeyFlagSign == 0 || i.SelfSignature.FlagSign)) &&
+	// If we don't have any subkeys for signing and the primary key
+	// is marked as OK to sign with, then we can use it.
+	if i.SelfSignature.FlagsValid &&
+		(flags&packet.KeyFlagCertify == 0 || i.SelfSignature.FlagCertify) &&
+		(flags&packet.KeyFlagSign == 0 || i.SelfSignature.FlagSign) &&
 		e.PrimaryKey.PubKeyAlgo.CanSign() &&
 		(id == 0 || e.PrimaryKey.KeyId == id) {
 		return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature, e.Revocations}, true
@ -256,6 +252,44 @@ func (e *Entity) Revoked(now time.Time) bool {
 	return revoked(e.Revocations, now)
 }

+// EncryptPrivateKeys encrypts all non-encrypted keys in the entity with the same key
+// derived from the provided passphrase. Public keys and dummy keys are ignored,
+// and don't cause an error to be returned.
+func (e *Entity) EncryptPrivateKeys(passphrase []byte, config *packet.Config) error {
+	var keysToEncrypt []*packet.PrivateKey
+	// Add entity private key to encrypt.
+	if e.PrivateKey != nil && !e.PrivateKey.Dummy() && !e.PrivateKey.Encrypted {
+		keysToEncrypt = append(keysToEncrypt,  e.PrivateKey)
+	}
+
+	// Add subkeys to encrypt.
+	for _, sub := range e.Subkeys {
+		if sub.PrivateKey != nil && !sub.PrivateKey.Dummy() && !sub.PrivateKey.Encrypted {
+			keysToEncrypt = append(keysToEncrypt, sub.PrivateKey)
+		}
+	}
+	return packet.EncryptPrivateKeys(keysToEncrypt, passphrase, config)
+}
+
+// DecryptPrivateKeys decrypts all encrypted keys in the entitiy with the given passphrase.
+// Avoids recomputation of similar s2k key derivations. Public keys and dummy keys are ignored,
+// and don't cause an error to be returned.
+func (e *Entity) DecryptPrivateKeys(passphrase []byte) error {
+	var keysToDecrypt []*packet.PrivateKey
+	// Add entity private key to decrypt.
+	if e.PrivateKey != nil && !e.PrivateKey.Dummy() && e.PrivateKey.Encrypted {
+		keysToDecrypt = append(keysToDecrypt, e.PrivateKey)
+	}
+
+	// Add subkeys to decrypt.
+	for _, sub := range e.Subkeys {
+		if sub.PrivateKey != nil && !sub.PrivateKey.Dummy() && sub.PrivateKey.Encrypted {
+			keysToDecrypt = append(keysToDecrypt,  sub.PrivateKey)
+		}
+	}
+	return packet.DecryptPrivateKeys(keysToDecrypt, passphrase)
+}
+
 // Revoked returns whether the identity has been revoked by a self-signature.
 // Note that third-party revocation signatures are not supported.
 func (i *Identity) Revoked(now time.Time) bool {
@ -303,7 +337,11 @@ func (el EntityList) KeysById(id uint64) (keys []Key) {
 // the bitwise-OR of packet.KeyFlag* values.
 func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) {
 	for _, key := range el.KeysById(id) {
-		if key.SelfSignature != nil && key.SelfSignature.FlagsValid && requiredUsage != 0 {
+		if requiredUsage != 0 {
+			if key.SelfSignature == nil || !key.SelfSignature.FlagsValid {
+				continue
+			}
+
 			var usage byte
 			if key.SelfSignature.FlagCertify {
 				usage |= packet.KeyFlagCertify
@ -331,7 +369,7 @@ func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) {
 func (el EntityList) DecryptionKeys() (keys []Key) {
 	for _, e := range el {
 		for _, subKey := range e.Subkeys {
-			if subKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
+			if subKey.PrivateKey != nil && subKey.Sig.FlagsValid && (subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
 				keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig, subKey.Revocations})
 			}
 		}
@ -466,7 +504,7 @@ EachPacket:
 			// Else, ignoring the signature as it does not follow anything
 			// we would know to attach it to.
 		case *packet.PrivateKey:
-			if pkt.IsSubkey == false {
+			if !pkt.IsSubkey {
 				packets.Unread(p)
 				break EachPacket
 			}
@ -475,7 +513,7 @@ EachPacket:
 				return nil, err
 			}
 		case *packet.PublicKey:
-			if pkt.IsSubkey == false {
+			if !pkt.IsSubkey {
 				packets.Unread(p)
 				break EachPacket
 			}
@ -751,18 +789,7 @@ func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Co
 		return errors.InvalidArgumentError("given identity string not found in Entity")
 	}

-	sig := &packet.Signature{
-		Version:      certificationKey.PrivateKey.Version,
-		SigType:      packet.SigTypeGenericCert,
-		PubKeyAlgo:   certificationKey.PrivateKey.PubKeyAlgo,
-		Hash:         config.Hash(),
-		CreationTime: config.Now(),
-		IssuerKeyId:  &certificationKey.PrivateKey.KeyId,
-	}
-
-	if config.SigLifetime() != 0 {
-		sig.SigLifetimeSecs = &config.SigLifetimeSecs
-	}
+	sig := createSignaturePacket(certificationKey.PublicKey, packet.SigTypeGenericCert, config)

 	signingUserID := config.SigningUserId()
 	if signingUserID != "" {
@ -783,16 +810,9 @@ func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Co
 // specified reason code and text (RFC4880 section-5.2.3.23).
 // If config is nil, sensible defaults will be used.
 func (e *Entity) RevokeKey(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error {
-	revSig := &packet.Signature{
-		Version:              e.PrimaryKey.Version,
-		CreationTime:         config.Now(),
-		SigType:              packet.SigTypeKeyRevocation,
-		PubKeyAlgo:           e.PrimaryKey.PubKeyAlgo,
-		Hash:                 config.Hash(),
-		RevocationReason:     &reason,
-		RevocationReasonText: reasonText,
-		IssuerKeyId:          &e.PrimaryKey.KeyId,
-	}
+	revSig := createSignaturePacket(e.PrimaryKey, packet.SigTypeKeyRevocation, config)
+	revSig.RevocationReason = &reason
+	revSig.RevocationReasonText = reasonText

 	if err := revSig.RevokeKey(e.PrimaryKey, e.PrivateKey, config); err != nil {
 		return err
@ -809,16 +829,9 @@ func (e *Entity) RevokeSubkey(sk *Subkey, reason packet.ReasonForRevocation, rea
 		return errors.InvalidArgumentError("given subkey is not associated with this key")
 	}

-	revSig := &packet.Signature{
-		Version:              e.PrimaryKey.Version,
-		CreationTime:         config.Now(),
-		SigType:              packet.SigTypeSubkeyRevocation,
-		PubKeyAlgo:           e.PrimaryKey.PubKeyAlgo,
-		Hash:                 config.Hash(),
-		RevocationReason:     &reason,
-		RevocationReasonText: reasonText,
-		IssuerKeyId:          &e.PrimaryKey.KeyId,
-	}
+	revSig := createSignaturePacket(e.PrimaryKey, packet.SigTypeSubkeyRevocation, config)
+	revSig.RevocationReason = &reason
+	revSig.RevocationReasonText = reasonText

 	if err := revSig.RevokeSubkey(sk.PublicKey, e.PrivateKey, config); err != nil {
 		return err
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/keys_test_data.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/keys_test_data.go
@ -518,3 +518,21 @@ XLCBln+wdewpU4ChEffMUDRBfqfQco/YsMqWV7bHJHAO0eC/DMKCjyU90xdH7R/d
 QgqsfguR1PqPuJxpXV4bSr6CGAAAAA==
 =MSvh
 -----END PGP PRIVATE KEY BLOCK-----`
+
+const keyWithNotation = `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xVgEY9gIshYJKwYBBAHaRw8BAQdAF25fSM8OpFlXZhop4Qpqo5ywGZ4jgWlR
+ppjhIKDthREAAQC+LFpzFcMJYcjxGKzBGHN0Px2jU4d04YSRnFAik+lVVQ6u
+zRdUZXN0IDx0ZXN0QGV4YW1wbGUuY29tPsLACgQQFgoAfAUCY9gIsgQLCQcI
+CRD/utJOCym8pR0UgAAAAAAQAAR0ZXh0QGV4YW1wbGUuY29tdGVzdB8UAAAA
+AAASAARiaW5hcnlAZXhhbXBsZS5jb20AAQIDAxUICgQWAAIBAhkBAhsDAh4B
+FiEEEMCQTUVGKgCX5rDQ/7rSTgspvKUAAPl5AP9Npz90LxzrB97Qr2DrGwfG
+wuYn4FSYwtuPfZHHeoIabwD/QEbvpQJ/NBb9EAZuow4Rirlt1yv19mmnF+j5
+8yUzhQjHXQRj2AiyEgorBgEEAZdVAQUBAQdARXAo30DmKcyUg6co7OUm0RNT
+z9iqFbDBzA8A47JEt1MDAQgHAAD/XKK3lBm0SqMR558HLWdBrNG6NqKuqb5X
+joCML987ZNgRD8J4BBgWCAAqBQJj2AiyCRD/utJOCym8pQIbDBYhBBDAkE1F
+RioAl+aw0P+60k4LKbylAADRxgEAg7UfBDiDPp5LHcW9D+SgFHk6+GyEU4ev
+VppQxdtxPvAA/34snHBX7Twnip1nMt7P4e2hDiw/hwQ7oqioOvc6jMkP
+=Z8YJ
+-----END PGP PRIVATE KEY BLOCK-----
+`
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_config.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_config.go
@ -4,6 +4,14 @@ package packet

 import "math/bits"

+// CipherSuite contains a combination of Cipher and Mode
+type CipherSuite struct {
+	// The cipher function
+	Cipher CipherFunction
+	// The AEAD mode of operation.
+	Mode AEADMode
+}
+
 // AEADConfig collects a number of AEAD parameters along with sensible defaults.
 // A nil AEADConfig is valid and results in all default values.
 type AEADConfig struct {
@ -15,12 +23,13 @@ type AEADConfig struct {

 // Mode returns the AEAD mode of operation.
 func (conf *AEADConfig) Mode() AEADMode {
+	// If no preference is specified, OCB is used (which is mandatory to implement).
 	if conf == nil || conf.DefaultMode == 0 {
-		return AEADModeEAX
+		return AEADModeOCB
 	}
+
 	mode := conf.DefaultMode
-	if mode != AEADModeEAX && mode != AEADModeOCB &&
-		mode != AEADModeExperimentalGCM {
+	if mode != AEADModeEAX && mode != AEADModeOCB && mode != AEADModeGCM {
 		panic("AEAD mode unsupported")
 	}
 	return mode
@ -28,6 +37,8 @@ func (conf *AEADConfig) Mode() AEADMode {

 // ChunkSizeByte returns the byte indicating the chunk size. The effective
 // chunk size is computed with the formula uint64(1) << (chunkSizeByte + 6)
+// limit to 16 = 4 MiB
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (conf *AEADConfig) ChunkSizeByte() byte {
 	if conf == nil || conf.ChunkSize == 0 {
 		return 12 // 1 << (12 + 6) == 262144 bytes
@ -38,8 +49,8 @@ func (conf *AEADConfig) ChunkSizeByte() byte {
 	switch {
 	case exponent < 6:
 		exponent = 6
-	case exponent > 27:
-		exponent = 27
+	case exponent > 16:
+		exponent = 16
 	}

 	return byte(exponent - 6)
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_crypter.go
@ -0,0 +1,264 @@
+// Copyright (C) 2019 ProtonTech AG
+
+package packet
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"encoding/binary"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+)
+
+// aeadCrypter is an AEAD opener/sealer, its configuration, and data for en/decryption.
+type aeadCrypter struct {
+	aead           cipher.AEAD
+	chunkSize      int
+	initialNonce   []byte
+	associatedData []byte       // Chunk-independent associated data
+	chunkIndex     []byte       // Chunk counter
+	packetTag      packetType   // SEIP packet (v2) or AEAD Encrypted Data packet
+	bytesProcessed int          // Amount of plaintext bytes encrypted/decrypted
+	buffer         bytes.Buffer // Buffered bytes across chunks
+}
+
+// computeNonce takes the incremental index and computes an eXclusive OR with
+// the least significant 8 bytes of the receivers' initial nonce (see sec.
+// 5.16.1 and 5.16.2). It returns the resulting nonce.
+func (wo *aeadCrypter) computeNextNonce() (nonce []byte) {
+	if wo.packetTag == packetTypeSymmetricallyEncryptedIntegrityProtected {
+		return append(wo.initialNonce, wo.chunkIndex...)
+	}
+
+	nonce = make([]byte, len(wo.initialNonce))
+	copy(nonce, wo.initialNonce)
+	offset := len(wo.initialNonce) - 8
+	for i := 0; i < 8; i++ {
+		nonce[i+offset] ^= wo.chunkIndex[i]
+	}
+	return
+}
+
+// incrementIndex performs an integer increment by 1 of the integer represented by the
+// slice, modifying it accordingly.
+func (wo *aeadCrypter) incrementIndex() error {
+	index := wo.chunkIndex
+	if len(index) == 0 {
+		return errors.AEADError("Index has length 0")
+	}
+	for i := len(index) - 1; i >= 0; i-- {
+		if index[i] < 255 {
+			index[i]++
+			return nil
+		}
+		index[i] = 0
+	}
+	return errors.AEADError("cannot further increment index")
+}
+
+// aeadDecrypter reads and decrypts bytes. It buffers extra decrypted bytes when
+// necessary, similar to aeadEncrypter.
+type aeadDecrypter struct {
+	aeadCrypter           // Embedded ciphertext opener
+	reader      io.Reader // 'reader' is a partialLengthReader
+	peekedBytes []byte    // Used to detect last chunk
+	eof         bool
+}
+
+// Read decrypts bytes and reads them into dst. It decrypts when necessary and
+// buffers extra decrypted bytes. It returns the number of bytes copied into dst
+// and an error.
+func (ar *aeadDecrypter) Read(dst []byte) (n int, err error) {
+	// Return buffered plaintext bytes from previous calls
+	if ar.buffer.Len() > 0 {
+		return ar.buffer.Read(dst)
+	}
+
+	// Return EOF if we've previously validated the final tag
+	if ar.eof {
+		return 0, io.EOF
+	}
+
+	// Read a chunk
+	tagLen := ar.aead.Overhead()
+	cipherChunkBuf := new(bytes.Buffer)
+	_, errRead := io.CopyN(cipherChunkBuf, ar.reader, int64(ar.chunkSize+tagLen))
+	cipherChunk := cipherChunkBuf.Bytes()
+	if errRead != nil && errRead != io.EOF {
+		return 0, errRead
+	}
+	decrypted, errChunk := ar.openChunk(cipherChunk)
+	if errChunk != nil {
+		return 0, errChunk
+	}
+
+	// Return decrypted bytes, buffering if necessary
+	if len(dst) < len(decrypted) {
+		n = copy(dst, decrypted[:len(dst)])
+		ar.buffer.Write(decrypted[len(dst):])
+	} else {
+		n = copy(dst, decrypted)
+	}
+
+	// Check final authentication tag
+	if errRead == io.EOF {
+		errChunk := ar.validateFinalTag(ar.peekedBytes)
+		if errChunk != nil {
+			return n, errChunk
+		}
+		ar.eof = true // Mark EOF for when we've returned all buffered data
+	}
+	return
+}
+
+// Close is noOp. The final authentication tag of the stream was already
+// checked in the last Read call. In the future, this function could be used to
+// wipe the reader and peeked, decrypted bytes, if necessary.
+func (ar *aeadDecrypter) Close() (err error) {
+	return nil
+}
+
+// openChunk decrypts and checks integrity of an encrypted chunk, returning
+// the underlying plaintext and an error. It accesses peeked bytes from next
+// chunk, to identify the last chunk and decrypt/validate accordingly.
+func (ar *aeadDecrypter) openChunk(data []byte) ([]byte, error) {
+	tagLen := ar.aead.Overhead()
+	// Restore carried bytes from last call
+	chunkExtra := append(ar.peekedBytes, data...)
+	// 'chunk' contains encrypted bytes, followed by an authentication tag.
+	chunk := chunkExtra[:len(chunkExtra)-tagLen]
+	ar.peekedBytes = chunkExtra[len(chunkExtra)-tagLen:]
+
+	adata := ar.associatedData
+	if ar.aeadCrypter.packetTag == packetTypeAEADEncrypted {
+		adata = append(ar.associatedData, ar.chunkIndex...)
+	}
+
+	nonce := ar.computeNextNonce()
+	plainChunk, err := ar.aead.Open(nil, nonce, chunk, adata)
+	if err != nil {
+		return nil, err
+	}
+	ar.bytesProcessed += len(plainChunk)
+	if err = ar.aeadCrypter.incrementIndex(); err != nil {
+		return nil, err
+	}
+	return plainChunk, nil
+}
+
+// Checks the summary tag. It takes into account the total decrypted bytes into
+// the associated data. It returns an error, or nil if the tag is valid.
+func (ar *aeadDecrypter) validateFinalTag(tag []byte) error {
+	// Associated: tag, version, cipher, aead, chunk size, ...
+	amountBytes := make([]byte, 8)
+	binary.BigEndian.PutUint64(amountBytes, uint64(ar.bytesProcessed))
+
+	adata := ar.associatedData
+	if ar.aeadCrypter.packetTag == packetTypeAEADEncrypted {
+		// ... index ...
+		adata = append(ar.associatedData, ar.chunkIndex...)
+	}
+
+	// ... and total number of encrypted octets
+	adata = append(adata, amountBytes...)
+	nonce := ar.computeNextNonce()
+	_, err := ar.aead.Open(nil, nonce, tag, adata)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// aeadEncrypter encrypts and writes bytes. It encrypts when necessary according
+// to the AEAD block size, and buffers the extra encrypted bytes for next write.
+type aeadEncrypter struct {
+	aeadCrypter                // Embedded plaintext sealer
+	writer      io.WriteCloser // 'writer' is a partialLengthWriter
+}
+
+// Write encrypts and writes bytes. It encrypts when necessary and buffers extra
+// plaintext bytes for next call. When the stream is finished, Close() MUST be
+// called to append the final tag.
+func (aw *aeadEncrypter) Write(plaintextBytes []byte) (n int, err error) {
+	// Append plaintextBytes to existing buffered bytes
+	n, err = aw.buffer.Write(plaintextBytes)
+	if err != nil {
+		return n, err
+	}
+	// Encrypt and write chunks
+	for aw.buffer.Len() >= aw.chunkSize {
+		plainChunk := aw.buffer.Next(aw.chunkSize)
+		encryptedChunk, err := aw.sealChunk(plainChunk)
+		if err != nil {
+			return n, err
+		}
+		_, err = aw.writer.Write(encryptedChunk)
+		if err != nil {
+			return n, err
+		}
+	}
+	return
+}
+
+// Close encrypts and writes the remaining buffered plaintext if any, appends
+// the final authentication tag, and closes the embedded writer. This function
+// MUST be called at the end of a stream.
+func (aw *aeadEncrypter) Close() (err error) {
+	// Encrypt and write a chunk if there's buffered data left, or if we haven't
+	// written any chunks yet.
+	if aw.buffer.Len() > 0 || aw.bytesProcessed == 0 {
+		plainChunk := aw.buffer.Bytes()
+		lastEncryptedChunk, err := aw.sealChunk(plainChunk)
+		if err != nil {
+			return err
+		}
+		_, err = aw.writer.Write(lastEncryptedChunk)
+		if err != nil {
+			return err
+		}
+	}
+	// Compute final tag (associated data: packet tag, version, cipher, aead,
+	// chunk size...
+	adata := aw.associatedData
+
+	if aw.aeadCrypter.packetTag == packetTypeAEADEncrypted {
+		// ... index ...
+		adata = append(aw.associatedData, aw.chunkIndex...)
+	}
+
+	// ... and total number of encrypted octets
+	amountBytes := make([]byte, 8)
+	binary.BigEndian.PutUint64(amountBytes, uint64(aw.bytesProcessed))
+	adata = append(adata, amountBytes...)
+
+	nonce := aw.computeNextNonce()
+	finalTag := aw.aead.Seal(nil, nonce, nil, adata)
+	_, err = aw.writer.Write(finalTag)
+	if err != nil {
+		return err
+	}
+	return aw.writer.Close()
+}
+
+// sealChunk Encrypts and authenticates the given chunk.
+func (aw *aeadEncrypter) sealChunk(data []byte) ([]byte, error) {
+	if len(data) > aw.chunkSize {
+		return nil, errors.AEADError("chunk exceeds maximum length")
+	}
+	if aw.associatedData == nil {
+		return nil, errors.AEADError("can't seal without headers")
+	}
+	adata := aw.associatedData
+	if aw.aeadCrypter.packetTag == packetTypeAEADEncrypted {
+		adata = append(aw.associatedData, aw.chunkIndex...)
+	}
+
+	nonce := aw.computeNextNonce()
+	encrypted := aw.aead.Seal(nil, nonce, data, adata)
+	aw.bytesProcessed += len(data)
+	if err := aw.aeadCrypter.incrementIndex(); err != nil {
+		return nil, err
+	}
+	return encrypted, nil
+}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/aead_encrypted.go
@ -3,17 +3,14 @@
 package packet

 import (
-	"bytes"
-	"crypto/cipher"
-	"crypto/rand"
-	"encoding/binary"
 	"io"

 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 )

-// AEADEncrypted represents an AEAD Encrypted Packet (tag 20, RFC4880bis-5.16).
+// AEADEncrypted represents an AEAD Encrypted Packet.
+// See https://www.ietf.org/archive/id/draft-koch-openpgp-2015-rfc4880bis-00.html#name-aead-encrypted-data-packet-t
 type AEADEncrypted struct {
 	cipher        CipherFunction
 	mode          AEADMode
@ -25,33 +22,6 @@ type AEADEncrypted struct {
 // Only currently defined version
 const aeadEncryptedVersion = 1

-// An AEAD opener/sealer, its configuration, and data for en/decryption.
-type aeadCrypter struct {
-	aead           cipher.AEAD
-	chunkSize      int
-	initialNonce   []byte
-	associatedData []byte       // Chunk-independent associated data
-	chunkIndex     []byte       // Chunk counter
-	bytesProcessed int          // Amount of plaintext bytes encrypted/decrypted
-	buffer         bytes.Buffer // Buffered bytes across chunks
-}
-
-// aeadEncrypter encrypts and writes bytes. It encrypts when necessary according
-// to the AEAD block size, and buffers the extra encrypted bytes for next write.
-type aeadEncrypter struct {
-	aeadCrypter                // Embedded plaintext sealer
-	writer      io.WriteCloser // 'writer' is a partialLengthWriter
-}
-
-// aeadDecrypter reads and decrypts bytes. It buffers extra decrypted bytes when
-// necessary, similar to aeadEncrypter.
-type aeadDecrypter struct {
-	aeadCrypter           // Embedded ciphertext opener
-	reader      io.Reader // 'reader' is a partialLengthReader
-	peekedBytes []byte    // Used to detect last chunk
-	eof         bool
-}
-
 func (ae *AEADEncrypted) parse(buf io.Reader) error {
 	headerData := make([]byte, 4)
 	if n, err := io.ReadFull(buf, headerData); n < 4 {
@ -59,10 +29,14 @@ func (ae *AEADEncrypted) parse(buf io.Reader) error {
 	}
 	// Read initial nonce
 	mode := AEADMode(headerData[2])
-	nonceLen := mode.NonceLength()
-	if nonceLen == 0 {
+	nonceLen := mode.IvLength()
+
+	// This packet supports only EAX and OCB
+	// https://www.ietf.org/archive/id/draft-koch-openpgp-2015-rfc4880bis-00.html#name-aead-encrypted-data-packet-t
+	if nonceLen == 0 || mode > AEADModeOCB {
 		return errors.AEADError("unknown mode")
 	}
+
 	initialNonce := make([]byte, nonceLen)
 	if n, err := io.ReadFull(buf, initialNonce); n < nonceLen {
 		return errors.AEADError("could not read aead nonce:" + err.Error())
@ -75,7 +49,7 @@ func (ae *AEADEncrypted) parse(buf io.Reader) error {
 	}
 	ae.cipher = CipherFunction(c)
 	ae.mode = mode
-	ae.chunkSizeByte = byte(headerData[3])
+	ae.chunkSizeByte = headerData[3]
 	return nil
 }

@ -105,225 +79,13 @@ func (ae *AEADEncrypted) decrypt(key []byte) (io.ReadCloser, error) {
 			initialNonce:   ae.initialNonce,
 			associatedData: ae.associatedData(),
 			chunkIndex:     make([]byte, 8),
+			packetTag:      packetTypeAEADEncrypted,
 		},
 		reader:      ae.Contents,
 		peekedBytes: peekedBytes}, nil
 }

-// Read decrypts bytes and reads them into dst. It decrypts when necessary and
-// buffers extra decrypted bytes. It returns the number of bytes copied into dst
-// and an error.
-func (ar *aeadDecrypter) Read(dst []byte) (n int, err error) {
-	// Return buffered plaintext bytes from previous calls
-	if ar.buffer.Len() > 0 {
-		return ar.buffer.Read(dst)
-	}
-
-	// Return EOF if we've previously validated the final tag
-	if ar.eof {
-		return 0, io.EOF
-	}
-
-	// Read a chunk
-	tagLen := ar.aead.Overhead()
-	cipherChunkBuf := new(bytes.Buffer)
-	_, errRead := io.CopyN(cipherChunkBuf, ar.reader, int64(ar.chunkSize + tagLen))
-	cipherChunk := cipherChunkBuf.Bytes()
-	if errRead != nil && errRead != io.EOF {
-		return 0, errRead
-	}
-	decrypted, errChunk := ar.openChunk(cipherChunk)
-	if errChunk != nil {
-		return 0, errChunk
-	}
-
-	// Return decrypted bytes, buffering if necessary
-	if len(dst) < len(decrypted) {
-		n = copy(dst, decrypted[:len(dst)])
-		ar.buffer.Write(decrypted[len(dst):])
-	} else {
-		n = copy(dst, decrypted)
-	}
-
-	// Check final authentication tag
-	if errRead == io.EOF {
-		errChunk := ar.validateFinalTag(ar.peekedBytes)
-		if errChunk != nil {
-			return n, errChunk
-		}
-		ar.eof = true // Mark EOF for when we've returned all buffered data
-	}
-	return
-}
-
-// Close is noOp. The final authentication tag of the stream was already
-// checked in the last Read call. In the future, this function could be used to
-// wipe the reader and peeked, decrypted bytes, if necessary.
-func (ar *aeadDecrypter) Close() (err error) {
-	return nil
-}
-
-// SerializeAEADEncrypted initializes the aeadCrypter and returns a writer.
-// This writer encrypts and writes bytes (see aeadEncrypter.Write()).
-func SerializeAEADEncrypted(w io.Writer, key []byte, cipher CipherFunction, mode AEADMode, config *Config) (io.WriteCloser, error) {
-	writeCloser := noOpCloser{w}
-	writer, err := serializeStreamHeader(writeCloser, packetTypeAEADEncrypted)
-	if err != nil {
-		return nil, err
-	}
-
-	// Data for en/decryption: tag, version, cipher, aead mode, chunk size
-	aeadConf := config.AEAD()
-	prefix := []byte{
-		0xD4,
-		aeadEncryptedVersion,
-		byte(config.Cipher()),
-		byte(aeadConf.Mode()),
-		aeadConf.ChunkSizeByte(),
-	}
-	n, err := writer.Write(prefix[1:])
-	if err != nil || n < 4 {
-		return nil, errors.AEADError("could not write AEAD headers")
-	}
-	// Sample nonce
-	nonceLen := aeadConf.Mode().NonceLength()
-	nonce := make([]byte, nonceLen)
-	n, err = rand.Read(nonce)
-	if err != nil {
-		panic("Could not sample random nonce")
-	}
-	_, err = writer.Write(nonce)
-	if err != nil {
-		return nil, err
-	}
-	blockCipher := CipherFunction(config.Cipher()).new(key)
-	alg := AEADMode(aeadConf.Mode()).new(blockCipher)
-
-	chunkSize := decodeAEADChunkSize(aeadConf.ChunkSizeByte())
-	return &aeadEncrypter{
-		aeadCrypter: aeadCrypter{
-			aead:           alg,
-			chunkSize:      chunkSize,
-			associatedData: prefix,
-			chunkIndex:     make([]byte, 8),
-			initialNonce:   nonce,
-		},
-		writer: writer}, nil
-}
-
-// Write encrypts and writes bytes. It encrypts when necessary and buffers extra
-// plaintext bytes for next call. When the stream is finished, Close() MUST be
-// called to append the final tag.
-func (aw *aeadEncrypter) Write(plaintextBytes []byte) (n int, err error) {
-	// Append plaintextBytes to existing buffered bytes
-	n, err = aw.buffer.Write(plaintextBytes)
-	if err != nil {
-		return n, err
-	}
-	// Encrypt and write chunks
-	for aw.buffer.Len() >= aw.chunkSize {
-		plainChunk := aw.buffer.Next(aw.chunkSize)
-		encryptedChunk, err := aw.sealChunk(plainChunk)
-		if err != nil {
-			return n, err
-		}
-		_, err = aw.writer.Write(encryptedChunk)
-		if err != nil {
-			return n, err
-		}
-	}
-	return
-}
-
-// Close encrypts and writes the remaining buffered plaintext if any, appends
-// the final authentication tag, and closes the embedded writer. This function
-// MUST be called at the end of a stream.
-func (aw *aeadEncrypter) Close() (err error) {
-	// Encrypt and write a chunk if there's buffered data left, or if we haven't
-	// written any chunks yet.
-	if aw.buffer.Len() > 0 || aw.bytesProcessed == 0 {
-		plainChunk := aw.buffer.Bytes()
-		lastEncryptedChunk, err := aw.sealChunk(plainChunk)
-		if err != nil {
-			return err
-		}
-		_, err = aw.writer.Write(lastEncryptedChunk)
-		if err != nil {
-			return err
-		}
-	}
-	// Compute final tag (associated data: packet tag, version, cipher, aead,
-	// chunk size, index, total number of encrypted octets).
-	adata := append(aw.associatedData[:], aw.chunkIndex[:]...)
-	adata = append(adata, make([]byte, 8)...)
-	binary.BigEndian.PutUint64(adata[13:], uint64(aw.bytesProcessed))
-	nonce := aw.computeNextNonce()
-	finalTag := aw.aead.Seal(nil, nonce, nil, adata)
-	_, err = aw.writer.Write(finalTag)
-	if err != nil {
-		return err
-	}
-	return aw.writer.Close()
-}
-
-// sealChunk Encrypts and authenticates the given chunk.
-func (aw *aeadEncrypter) sealChunk(data []byte) ([]byte, error) {
-	if len(data) > aw.chunkSize {
-		return nil, errors.AEADError("chunk exceeds maximum length")
-	}
-	if aw.associatedData == nil {
-		return nil, errors.AEADError("can't seal without headers")
-	}
-	adata := append(aw.associatedData, aw.chunkIndex...)
-	nonce := aw.computeNextNonce()
-	encrypted := aw.aead.Seal(nil, nonce, data, adata)
-	aw.bytesProcessed += len(data)
-	if err := aw.aeadCrypter.incrementIndex(); err != nil {
-		return nil, err
-	}
-	return encrypted, nil
-}
-
-// openChunk decrypts and checks integrity of an encrypted chunk, returning
-// the underlying plaintext and an error. It access peeked bytes from next
-// chunk, to identify the last chunk and decrypt/validate accordingly.
-func (ar *aeadDecrypter) openChunk(data []byte) ([]byte, error) {
-	tagLen := ar.aead.Overhead()
-	// Restore carried bytes from last call
-	chunkExtra := append(ar.peekedBytes, data...)
-	// 'chunk' contains encrypted bytes, followed by an authentication tag.
-	chunk := chunkExtra[:len(chunkExtra)-tagLen]
-	ar.peekedBytes = chunkExtra[len(chunkExtra)-tagLen:]
-	adata := append(ar.associatedData, ar.chunkIndex...)
-	nonce := ar.computeNextNonce()
-	plainChunk, err := ar.aead.Open(nil, nonce, chunk, adata)
-	if err != nil {
-		return nil, err
-	}
-	ar.bytesProcessed += len(plainChunk)
-	if err = ar.aeadCrypter.incrementIndex(); err != nil {
-		return nil, err
-	}
-	return plainChunk, nil
-}
-
-// Checks the summary tag. It takes into account the total decrypted bytes into
-// the associated data. It returns an error, or nil if the tag is valid.
-func (ar *aeadDecrypter) validateFinalTag(tag []byte) error {
-	// Associated: tag, version, cipher, aead, chunk size, index, and octets
-	amountBytes := make([]byte, 8)
-	binary.BigEndian.PutUint64(amountBytes, uint64(ar.bytesProcessed))
-	adata := append(ar.associatedData, ar.chunkIndex...)
-	adata = append(adata, amountBytes...)
-	nonce := ar.computeNextNonce()
-	_, err := ar.aead.Open(nil, nonce, tag, adata)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// Associated data for chunks: tag, version, cipher, mode, chunk size byte
+// associatedData for chunks: tag, version, cipher, mode, chunk size byte
 func (ae *AEADEncrypted) associatedData() []byte {
 	return []byte{
 		0xD4,
@ -332,33 +94,3 @@ func (ae *AEADEncrypted) associatedData() []byte {
 		byte(ae.mode),
 		ae.chunkSizeByte}
 }
-
-// computeNonce takes the incremental index and computes an eXclusive OR with
-// the least significant 8 bytes of the receivers' initial nonce (see sec.
-// 5.16.1 and 5.16.2). It returns the resulting nonce.
-func (wo *aeadCrypter) computeNextNonce() (nonce []byte) {
-	nonce = make([]byte, len(wo.initialNonce))
-	copy(nonce, wo.initialNonce)
-	offset := len(wo.initialNonce) - 8
-	for i := 0; i < 8; i++ {
-		nonce[i+offset] ^= wo.chunkIndex[i]
-	}
-	return
-}
-
-// incrementIndex performs an integer increment by 1 of the integer represented by the
-// slice, modifying it accordingly.
-func (wo *aeadCrypter) incrementIndex() error {
-	index := wo.chunkIndex
-	if len(index) == 0 {
-		return errors.AEADError("Index has length 0")
-	}
-	for i := len(index) - 1; i >= 0; i-- {
-		if index[i] < 255 {
-			index[i]++
-			return nil
-		}
-		index[i] = 0
-	}
-	return errors.AEADError("cannot further increment index")
-}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/config.go
@ -10,6 +10,8 @@ import (
 	"io"
 	"math/big"
 	"time"
+
+	"github.com/ProtonMail/go-crypto/openpgp/s2k"
 )

 // Config collects a number of parameters along with sensible defaults.
@ -33,16 +35,24 @@ type Config struct {
 	DefaultCompressionAlgo CompressionAlgo
 	// CompressionConfig configures the compression settings.
 	CompressionConfig *CompressionConfig
-	// S2KCount is only used for symmetric encryption. It
-	// determines the strength of the passphrase stretching when
+	// S2K (String to Key) config, used for key derivation in the context of secret key encryption
+	// and password-encrypted data.
+	// If nil, the default configuration is used
+	S2KConfig *s2k.Config
+	// Iteration count for Iterated S2K (String to Key).
+	// Only used if sk2.Mode is nil.
+	// This value is duplicated here from s2k.Config for backwards compatibility.
+	// It determines the strength of the passphrase stretching when
 	// the said passphrase is hashed to produce a key. S2KCount
-	// should be between 1024 and 65011712, inclusive. If Config
-	// is nil or S2KCount is 0, the value 65536 used. Not all
+	// should be between 65536 and 65011712, inclusive. If Config
+	// is nil or S2KCount is 0, the value 16777216 used. Not all
 	// values in the above range can be represented. S2KCount will
 	// be rounded up to the next representable value if it cannot
 	// be encoded exactly. When set, it is strongly encrouraged to
 	// use a value that is at least 65536. See RFC 4880 Section
 	// 3.7.1.3.
+	//
+	// Deprecated: SK2Count should be configured in S2KConfig instead.
 	S2KCount int
 	// RSABits is the number of bits in new RSA keys made with NewEntity.
 	// If zero, then 2048 bit keys are created.
@ -85,6 +95,21 @@ type Config struct {
 	// when producing a generic certification signature onto an existing user ID.
 	// The identity must be present in the signer Entity.
 	SigningIdentity string
+	// InsecureAllowUnauthenticatedMessages controls, whether it is tolerated to read
+	// encrypted messages without Modification Detection Code (MDC).
+	// MDC is mandated by the IETF OpenPGP Crypto Refresh draft and has long been implemented
+	// in most OpenPGP implementations. Messages without MDC are considered unnecessarily
+	// insecure and should be prevented whenever possible.
+	// In case one needs to deal with messages from very old OpenPGP implementations, there
+	// might be no other way than to tolerate the missing MDC. Setting this flag, allows this
+	// mode of operation. It should be considered a measure of last resort.
+	InsecureAllowUnauthenticatedMessages bool
+	// KnownNotations is a map of Notation Data names to bools, which controls
+	// the notation names that are allowed to be present in critical Notation Data
+	// signature subpackets.
+	KnownNotations map[string]bool
+	// SignatureNotations is a list of Notations to be added to any signatures.
+	SignatureNotations []*Notation
 }

 func (c *Config) Random() io.Reader {
@ -110,9 +135,9 @@ func (c *Config) Cipher() CipherFunction {

 func (c *Config) Now() time.Time {
 	if c == nil || c.Time == nil {
-		return time.Now()
+		return time.Now().Truncate(time.Second)
 	}
-	return c.Time()
+	return c.Time().Truncate(time.Second)
 }

 // KeyLifetime returns the validity period of the key.
@ -138,13 +163,6 @@ func (c *Config) Compression() CompressionAlgo {
 	return c.DefaultCompressionAlgo
 }

-func (c *Config) PasswordHashIterations() int {
-	if c == nil || c.S2KCount == 0 {
-		return 0
-	}
-	return c.S2KCount
-}
-
 func (c *Config) RSAModulusBits() int {
 	if c == nil || c.RSABits == 0 {
 		return 2048
@ -166,6 +184,27 @@ func (c *Config) CurveName() Curve {
 	return c.Curve
 }

+// Deprecated: The hash iterations should now be queried via the S2K() method.
+func (c *Config) PasswordHashIterations() int {
+	if c == nil || c.S2KCount == 0 {
+		return 0
+	}
+	return c.S2KCount
+}
+
+func (c *Config) S2K() *s2k.Config {
+	if c == nil {
+		return nil
+	}
+	// for backwards compatibility
+	if c != nil && c.S2KCount > 0 && c.S2KConfig == nil {
+		return &s2k.Config{
+			S2KCount: c.S2KCount,
+		}
+	}
+	return c.S2KConfig
+}
+
 func (c *Config) AEAD() *AEADConfig {
 	if c == nil {
 		return nil
@ -186,3 +225,24 @@ func (c *Config) SigningUserId() string {
 	}
 	return c.SigningIdentity
 }
+
+func (c *Config) AllowUnauthenticatedMessages() bool {
+	if c == nil {
+		return false
+	}
+	return c.InsecureAllowUnauthenticatedMessages
+}
+
+func (c *Config) KnownNotation(notationName string) bool {
+	if c == nil {
+		return false
+	}
+	return c.KnownNotations[notationName]
+}
+
+func (c *Config) Notations() []*Notation {
+	if c == nil {
+		return nil
+	}
+	return c.SignatureNotations
+}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/encrypted_key.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/encrypted_key.go
@ -25,7 +25,7 @@ const encryptedKeyVersion = 3
 type EncryptedKey struct {
 	KeyId      uint64
 	Algo       PublicKeyAlgorithm
-	CipherFunc CipherFunction // only valid after a successful Decrypt
+	CipherFunc CipherFunction // only valid after a successful Decrypt for a v3 packet
 	Key        []byte         // only valid after a successful Decrypt

 	encryptedMPI1, encryptedMPI2 encoding.Field
@ -123,6 +123,10 @@ func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
 	}

 	e.CipherFunc = CipherFunction(b[0])
+	if !e.CipherFunc.IsSupported() {
+		return errors.UnsupportedError("unsupported encryption function")
+	}
+
 	e.Key = b[1 : len(b)-2]
 	expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1])
 	checksum := checksumKeyMaterial(e.Key)
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/notation.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/notation.go
@ -0,0 +1,29 @@
+package packet
+
+// Notation type represents a Notation Data subpacket
+// see https://tools.ietf.org/html/rfc4880#section-5.2.3.16
+type Notation struct {
+	Name            string
+	Value           []byte
+	IsCritical      bool
+	IsHumanReadable bool
+}
+
+func (notation *Notation) getData() []byte {
+	nameData := []byte(notation.Name)
+	nameLen := len(nameData)
+	valueLen := len(notation.Value)
+
+	data := make([]byte, 8+nameLen+valueLen)
+	if notation.IsHumanReadable {
+		data[0] = 0x80
+	}
+
+	data[4] = byte(nameLen >> 8)
+	data[5] = byte(nameLen)
+	data[6] = byte(valueLen >> 8)
+	data[7] = byte(valueLen)
+	copy(data[8:8+nameLen], nameData)
+	copy(data[8+nameLen:], notation.Value)
+	return data
+}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/one_pass_signature.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/one_pass_signature.go
@ -8,7 +8,7 @@ import (
 	"crypto"
 	"encoding/binary"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
-	"github.com/ProtonMail/go-crypto/openpgp/s2k"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"io"
 	"strconv"
 )
@ -37,7 +37,7 @@ func (ops *OnePassSignature) parse(r io.Reader) (err error) {
 	}

 	var ok bool
-	ops.Hash, ok = s2k.HashIdToHash(buf[2])
+	ops.Hash, ok = algorithm.HashIdToHashWithSha1(buf[2])
 	if !ok {
 		return errors.UnsupportedError("hash function: " + strconv.Itoa(int(buf[2])))
 	}
@ -55,7 +55,7 @@ func (ops *OnePassSignature) Serialize(w io.Writer) error {
 	buf[0] = onePassSignatureVersion
 	buf[1] = uint8(ops.SigType)
 	var ok bool
-	buf[2], ok = s2k.HashToHashId(ops.Hash)
+	buf[2], ok = algorithm.HashToHashIdWithSha1(ops.Hash)
 	if !ok {
 		return errors.UnsupportedError("hash type: " + strconv.Itoa(int(ops.Hash)))
 	}
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/opaque.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/opaque.go
@ -84,8 +84,9 @@ func (or *OpaqueReader) Next() (op *OpaquePacket, err error) {
 // OpaqueSubpacket represents an unparsed OpenPGP subpacket,
 // as found in signature and user attribute packets.
 type OpaqueSubpacket struct {
-	SubType  uint8
-	Contents []byte
+	SubType       uint8
+	EncodedLength []byte // Store the original encoded length for signature verifications.
+	Contents      []byte
 }

 // OpaqueSubpackets extracts opaque, unparsed OpenPGP subpackets from
@ -109,6 +110,7 @@ func OpaqueSubpackets(contents []byte) (result []*OpaqueSubpacket, err error) {
 func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacket, err error) {
 	// RFC 4880, section 5.2.3.1
 	var subLen uint32
+	var encodedLength []byte
 	if len(contents) < 1 {
 		goto Truncated
 	}
@ -119,6 +121,7 @@ func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacke
 		if len(contents) < subHeaderLen {
 			goto Truncated
 		}
+		encodedLength = contents[0:1]
 		subLen = uint32(contents[0])
 		contents = contents[1:]
 	case contents[0] < 255:
@ -126,6 +129,7 @@ func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacke
 		if len(contents) < subHeaderLen {
 			goto Truncated
 		}
+		encodedLength = contents[0:2]
 		subLen = uint32(contents[0]-192)<<8 + uint32(contents[1]) + 192
 		contents = contents[2:]
 	default:
@ -133,16 +137,19 @@ func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacke
 		if len(contents) < subHeaderLen {
 			goto Truncated
 		}
+		encodedLength = contents[0:5]
 		subLen = uint32(contents[1])<<24 |
 			uint32(contents[2])<<16 |
 			uint32(contents[3])<<8 |
 			uint32(contents[4])
 		contents = contents[5:]
+
 	}
 	if subLen > uint32(len(contents)) || subLen == 0 {
 		goto Truncated
 	}
 	subPacket.SubType = contents[0]
+	subPacket.EncodedLength = encodedLength
 	subPacket.Contents = contents[1:subLen]
 	return
 Truncated:
@ -152,7 +159,9 @@ Truncated:

 func (osp *OpaqueSubpacket) Serialize(w io.Writer) (err error) {
 	buf := make([]byte, 6)
-	n := serializeSubpacketLength(buf, len(osp.Contents)+1)
+	copy(buf, osp.EncodedLength)
+	n := len(osp.EncodedLength)
+
 	buf[n] = osp.SubType
 	if _, err = w.Write(buf[:n+1]); err != nil {
 		return
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/packet.go
@ -302,21 +302,21 @@ func consumeAll(r io.Reader) (n int64, err error) {
 type packetType uint8

 const (
-	packetTypeEncryptedKey              packetType = 1
-	packetTypeSignature                 packetType = 2
-	packetTypeSymmetricKeyEncrypted     packetType = 3
-	packetTypeOnePassSignature          packetType = 4
-	packetTypePrivateKey                packetType = 5
-	packetTypePublicKey                 packetType = 6
-	packetTypePrivateSubkey             packetType = 7
-	packetTypeCompressed                packetType = 8
-	packetTypeSymmetricallyEncrypted    packetType = 9
-	packetTypeLiteralData               packetType = 11
-	packetTypeUserId                    packetType = 13
-	packetTypePublicSubkey              packetType = 14
-	packetTypeUserAttribute             packetType = 17
-	packetTypeSymmetricallyEncryptedMDC packetType = 18
-	packetTypeAEADEncrypted             packetType = 20
+	packetTypeEncryptedKey                             packetType = 1
+	packetTypeSignature                                packetType = 2
+	packetTypeSymmetricKeyEncrypted                    packetType = 3
+	packetTypeOnePassSignature                         packetType = 4
+	packetTypePrivateKey                               packetType = 5
+	packetTypePublicKey                                packetType = 6
+	packetTypePrivateSubkey                            packetType = 7
+	packetTypeCompressed                               packetType = 8
+	packetTypeSymmetricallyEncrypted                   packetType = 9
+	packetTypeLiteralData                              packetType = 11
+	packetTypeUserId                                   packetType = 13
+	packetTypePublicSubkey                             packetType = 14
+	packetTypeUserAttribute                            packetType = 17
+	packetTypeSymmetricallyEncryptedIntegrityProtected packetType = 18
+	packetTypeAEADEncrypted                            packetType = 20
 )

 // EncryptedDataPacket holds encrypted data. It is currently implemented by
@ -361,9 +361,9 @@ func Read(r io.Reader) (p Packet, err error) {
 		p = new(UserId)
 	case packetTypeUserAttribute:
 		p = new(UserAttribute)
-	case packetTypeSymmetricallyEncryptedMDC:
+	case packetTypeSymmetricallyEncryptedIntegrityProtected:
 		se := new(SymmetricallyEncrypted)
-		se.MDC = true
+		se.IntegrityProtected = true
 		p = se
 	case packetTypeAEADEncrypted:
 		p = new(AEADEncrypted)
@ -384,18 +384,18 @@ func Read(r io.Reader) (p Packet, err error) {
 type SignatureType uint8

 const (
-	SigTypeBinary            SignatureType = 0x00
-	SigTypeText                            = 0x01
-	SigTypeGenericCert                     = 0x10
-	SigTypePersonaCert                     = 0x11
-	SigTypeCasualCert                      = 0x12
-	SigTypePositiveCert                    = 0x13
-	SigTypeSubkeyBinding                   = 0x18
-	SigTypePrimaryKeyBinding               = 0x19
-	SigTypeDirectSignature                 = 0x1F
-	SigTypeKeyRevocation                   = 0x20
-	SigTypeSubkeyRevocation                = 0x28
-	SigTypeCertificationRevocation         = 0x30
+	SigTypeBinary                  SignatureType = 0x00
+	SigTypeText                                  = 0x01
+	SigTypeGenericCert                           = 0x10
+	SigTypePersonaCert                           = 0x11
+	SigTypeCasualCert                            = 0x12
+	SigTypePositiveCert                          = 0x13
+	SigTypeSubkeyBinding                         = 0x18
+	SigTypePrimaryKeyBinding                     = 0x19
+	SigTypeDirectSignature                       = 0x1F
+	SigTypeKeyRevocation                         = 0x20
+	SigTypeSubkeyRevocation                      = 0x28
+	SigTypeCertificationRevocation               = 0x30
 )

 // PublicKeyAlgorithm represents the different public key system specified for
@ -455,6 +455,11 @@ func (cipher CipherFunction) KeySize() int {
 	return algorithm.CipherFunction(cipher).KeySize()
 }

+// IsSupported returns true if the cipher is supported from the library
+func (cipher CipherFunction) IsSupported() bool {
+	return algorithm.CipherFunction(cipher).KeySize() > 0
+}
+
 // blockSize returns the block size, in bytes, of cipher.
 func (cipher CipherFunction) blockSize() int {
 	return algorithm.CipherFunction(cipher).BlockSize()
@ -490,15 +495,16 @@ const (

 // AEADMode represents the different Authenticated Encryption with Associated
 // Data specified for OpenPGP.
+// See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-9.6
 type AEADMode algorithm.AEADMode

 const (
-	AEADModeEAX             AEADMode = 1
-	AEADModeOCB             AEADMode = 2
-	AEADModeExperimentalGCM AEADMode = 100
+	AEADModeEAX AEADMode = 1
+	AEADModeOCB AEADMode = 2
+	AEADModeGCM AEADMode = 3
 )

-func (mode AEADMode) NonceLength() int {
+func (mode AEADMode) IvLength() int {
 	return algorithm.AEADMode(mode).NonceLength()
 }

@ -527,13 +533,19 @@ const (
 type Curve string

 const (
-	Curve25519 Curve = "Curve25519"
-	Curve448 Curve = "Curve448"
-	CurveNistP256 Curve = "P256"
-	CurveNistP384 Curve = "P384"
-	CurveNistP521 Curve = "P521"
-	CurveSecP256k1 Curve = "SecP256k1"
+	Curve25519         Curve = "Curve25519"
+	Curve448           Curve = "Curve448"
+	CurveNistP256      Curve = "P256"
+	CurveNistP384      Curve = "P384"
+	CurveNistP521      Curve = "P521"
+	CurveSecP256k1     Curve = "SecP256k1"
 	CurveBrainpoolP256 Curve = "BrainpoolP256"
 	CurveBrainpoolP384 Curve = "BrainpoolP384"
 	CurveBrainpoolP512 Curve = "BrainpoolP512"
 )
+
+// TrustLevel represents a trust level per RFC4880 5.2.3.13
+type TrustLevel uint8
+
+// TrustAmount represents a trust amount per RFC4880 5.2.3.13
+type TrustAmount uint8
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/private_key.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/private_key.go
@ -49,7 +49,7 @@ type PrivateKey struct {
 	s2kParams *s2k.Params
 }

-//S2KType s2k packet type
+// S2KType s2k packet type
 type S2KType uint8

 const (
@ -179,6 +179,9 @@ func (pk *PrivateKey) parse(r io.Reader) (err error) {
 			return
 		}
 		pk.cipher = CipherFunction(buf[0])
+		if pk.cipher != 0 && !pk.cipher.IsSupported() {
+			return errors.UnsupportedError("unsupported cipher function in private key")
+		}
 		pk.s2kParams, err = s2k.ParseIntoParams(r)
 		if err != nil {
 			return
@ -367,8 +370,8 @@ func serializeECDHPrivateKey(w io.Writer, priv *ecdh.PrivateKey) error {
 	return err
 }

-// Decrypt decrypts an encrypted private key using a passphrase.
-func (pk *PrivateKey) Decrypt(passphrase []byte) error {
+// decrypt decrypts an encrypted private key using a decryption key.
+func (pk *PrivateKey) decrypt(decryptionKey []byte) error {
 	if pk.Dummy() {
 		return errors.ErrDummyPrivateKey("dummy key found")
 	}
@ -376,9 +379,7 @@ func (pk *PrivateKey) Decrypt(passphrase []byte) error {
 		return nil
 	}

-	key := make([]byte, pk.cipher.KeySize())
-	pk.s2k(key, passphrase)
-	block := pk.cipher.new(key)
+	block := pk.cipher.new(decryptionKey)
 	cfb := cipher.NewCFBDecrypter(block, pk.iv)

 	data := make([]byte, len(pk.encryptedData))
@ -427,35 +428,79 @@ func (pk *PrivateKey) Decrypt(passphrase []byte) error {
 	return nil
 }

-// Encrypt encrypts an unencrypted private key using a passphrase.
-func (pk *PrivateKey) Encrypt(passphrase []byte) error {
+func (pk *PrivateKey) decryptWithCache(passphrase []byte, keyCache *s2k.Cache) error {
+	if pk.Dummy() {
+		return errors.ErrDummyPrivateKey("dummy key found")
+	}
+	if !pk.Encrypted {
+		return nil
+	}
+
+	key, err := keyCache.GetOrComputeDerivedKey(passphrase, pk.s2kParams, pk.cipher.KeySize())
+	if err != nil {
+		return err
+	}
+	return pk.decrypt(key)
+}
+
+// Decrypt decrypts an encrypted private key using a passphrase.
+func (pk *PrivateKey) Decrypt(passphrase []byte) error {
+	if pk.Dummy() {
+		return errors.ErrDummyPrivateKey("dummy key found")
+	}
+	if !pk.Encrypted {
+		return nil
+	}
+
+	key := make([]byte, pk.cipher.KeySize())
+	pk.s2k(key, passphrase)
+	return pk.decrypt(key)
+}
+
+// DecryptPrivateKeys decrypts all encrypted keys with the given config and passphrase.
+// Avoids recomputation of similar s2k key derivations. 
+func DecryptPrivateKeys(keys []*PrivateKey, passphrase []byte) error {
+	// Create a cache to avoid recomputation of key derviations for the same passphrase.
+	s2kCache := &s2k.Cache{}
+	for _, key := range keys {
+		if key != nil && !key.Dummy() && key.Encrypted {
+			err := key.decryptWithCache(passphrase, s2kCache)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// encrypt encrypts an unencrypted private key.
+func (pk *PrivateKey) encrypt(key []byte, params *s2k.Params, cipherFunction CipherFunction) error {
+	if pk.Dummy() {
+		return errors.ErrDummyPrivateKey("dummy key found")
+	}
+	if pk.Encrypted {
+		return nil
+	}
+	// check if encryptionKey has the correct size
+	if len(key) != cipherFunction.KeySize() {
+		return errors.InvalidArgumentError("supplied encryption key has the wrong size")
+	}
+	
 	priv := bytes.NewBuffer(nil)
 	err := pk.serializePrivateKey(priv)
 	if err != nil {
 		return err
 	}

-	//Default config of private key encryption
-	pk.cipher = CipherAES256
-	s2kConfig := &s2k.Config{
-		S2KMode:  3, //Iterated
-		S2KCount: 65536,
-		Hash:     crypto.SHA256,
-	}
-
-	pk.s2kParams, err = s2k.Generate(rand.Reader, s2kConfig)
-	if err != nil {
-		return err
-	}
-	privateKeyBytes := priv.Bytes()
-	key := make([]byte, pk.cipher.KeySize())
-
-	pk.sha1Checksum = true
+	pk.cipher = cipherFunction
+	pk.s2kParams = params
 	pk.s2k, err = pk.s2kParams.Function()
 	if err != nil {
 		return err
-	}
-	pk.s2k(key, passphrase)
+	} 
+
+	privateKeyBytes := priv.Bytes()
+	pk.sha1Checksum = true
 	block := pk.cipher.new(key)
 	pk.iv = make([]byte, pk.cipher.blockSize())
 	_, err = rand.Read(pk.iv)
@ -486,6 +531,62 @@ func (pk *PrivateKey) Encrypt(passphrase []byte) error {
 	return err
 }

+// EncryptWithConfig encrypts an unencrypted private key using the passphrase and the config.
+func (pk *PrivateKey) EncryptWithConfig(passphrase []byte, config *Config) error {
+	params, err := s2k.Generate(config.Random(), config.S2K())
+	if err != nil {
+		return err
+	}
+	// Derive an encryption key with the configured s2k function.
+	key := make([]byte, config.Cipher().KeySize())
+	s2k, err := params.Function()
+	if err != nil {
+		return err
+	}
+	s2k(key, passphrase)
+	// Encrypt the private key with the derived encryption key.
+	return pk.encrypt(key, params, config.Cipher())
+}
+
+// EncryptPrivateKeys encrypts all unencrypted keys with the given config and passphrase.
+// Only derives one key from the passphrase, which is then used to encrypt each key.
+func EncryptPrivateKeys(keys []*PrivateKey, passphrase []byte, config *Config) error {
+	params, err := s2k.Generate(config.Random(), config.S2K())
+	if err != nil {
+		return err
+	}
+	// Derive an encryption key with the configured s2k function.
+	encryptionKey := make([]byte, config.Cipher().KeySize())
+	s2k, err := params.Function()
+	if err != nil {
+		return err
+	}
+	s2k(encryptionKey, passphrase)
+	for _, key := range keys {
+		if key != nil && !key.Dummy() && !key.Encrypted {
+			err = key.encrypt(encryptionKey, params, config.Cipher())
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// Encrypt encrypts an unencrypted private key using a passphrase.
+func (pk *PrivateKey) Encrypt(passphrase []byte) error {
+	// Default config of private key encryption
+	config := &Config{
+		S2KConfig: &s2k.Config{
+			S2KMode:  s2k.IteratedSaltedS2K,
+			S2KCount: 65536,
+			Hash:     crypto.SHA256,
+		} ,
+		DefaultCipher: CipherAES256,
+	}
+	return pk.EncryptWithConfig(passphrase, config)
+}
+
 func (pk *PrivateKey) serializePrivateKey(w io.Writer) (err error) {
 	switch priv := pk.PrivateKey.(type) {
 	case *rsa.PrivateKey:
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/public_key.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/public_key.go
@ -415,6 +415,10 @@ func (pk *PublicKey) parseEdDSA(r io.Reader) (err error) {
 		return
 	}

+	if len(pk.p.Bytes()) == 0 {
+		return errors.StructuralError("empty EdDSA public key")
+	}
+
 	pub := eddsa.NewPublicKey(c)

 	switch flag := pk.p.Bytes()[0]; flag {
@ -596,7 +600,7 @@ func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err erro
 	}
 	signed.Write(sig.HashSuffix)
 	hashBytes := signed.Sum(nil)
-	if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
+	if sig.Version == 5 && (hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1]) {
 		return errors.SignatureError("hash tag doesn't match")
 	}

--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/signature.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/signature.go
@ -17,8 +17,8 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/ecdsa"
 	"github.com/ProtonMail/go-crypto/openpgp/eddsa"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
-	"github.com/ProtonMail/go-crypto/openpgp/s2k"
 )

 const (
@ -66,11 +66,24 @@ type Signature struct {

 	SigLifetimeSecs, KeyLifetimeSecs                        *uint32
 	PreferredSymmetric, PreferredHash, PreferredCompression []uint8
-	PreferredAEAD                                           []uint8
+	PreferredCipherSuites                                   [][2]uint8
 	IssuerKeyId                                             *uint64
 	IssuerFingerprint                                       []byte
 	SignerUserId                                            *string
 	IsPrimaryId                                             *bool
+	Notations                                               []*Notation
+
+	// TrustLevel and TrustAmount can be set by the signer to assert that
+	// the key is not only valid but also trustworthy at the specified
+	// level.
+	// See RFC 4880, section 5.2.3.13 for details.
+	TrustLevel  TrustLevel
+	TrustAmount TrustAmount
+
+	// TrustRegularExpression can be used in conjunction with trust Signature
+	// packets to limit the scope of the trust that is extended.
+	// See RFC 4880, section 5.2.3.14 for details.
+	TrustRegularExpression *string

 	// PolicyURI can be set to the URI of a document that describes the
 	// policy under which the signature was issued. See RFC 4880, section
@ -89,8 +102,8 @@ type Signature struct {

 	// In a self-signature, these flags are set there is a features subpacket
 	// indicating that the issuer implementation supports these features
-	// (section 5.2.5.25).
-	MDC, AEAD, V5Keys bool
+	// see https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh#features-subpacket
+	SEIPDv1, SEIPDv2 bool

 	// EmbeddedSignature, if non-nil, is a signature of the parent key, by
 	// this key. This prevents an attacker from claiming another's signing
@ -126,7 +139,13 @@ func (sig *Signature) parse(r io.Reader) (err error) {
 	}

 	var ok bool
-	sig.Hash, ok = s2k.HashIdToHash(buf[2])
+
+	if sig.Version < 5 {
+		sig.Hash, ok = algorithm.HashIdToHashWithSha1(buf[2])
+	} else {
+		sig.Hash, ok = algorithm.HashIdToHash(buf[2])
+	}
+
 	if !ok {
 		return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
 	}
@ -137,7 +156,11 @@ func (sig *Signature) parse(r io.Reader) (err error) {
 	if err != nil {
 		return
 	}
-	sig.buildHashSuffix(hashedSubpackets)
+	err = sig.buildHashSuffix(hashedSubpackets)
+	if err != nil {
+		return
+	}
+
 	err = parseSignatureSubpackets(sig, hashedSubpackets, true)
 	if err != nil {
 		return
@ -221,9 +244,12 @@ type signatureSubpacketType uint8
 const (
 	creationTimeSubpacket        signatureSubpacketType = 2
 	signatureExpirationSubpacket signatureSubpacketType = 3
+	trustSubpacket               signatureSubpacketType = 5
+	regularExpressionSubpacket   signatureSubpacketType = 6
 	keyExpirationSubpacket       signatureSubpacketType = 9
 	prefSymmetricAlgosSubpacket  signatureSubpacketType = 11
 	issuerSubpacket              signatureSubpacketType = 16
+	notationDataSubpacket        signatureSubpacketType = 20
 	prefHashAlgosSubpacket       signatureSubpacketType = 21
 	prefCompressionSubpacket     signatureSubpacketType = 22
 	primaryUserIdSubpacket       signatureSubpacketType = 25
@ -234,7 +260,7 @@ const (
 	featuresSubpacket            signatureSubpacketType = 30
 	embeddedSignatureSubpacket   signatureSubpacketType = 32
 	issuerFingerprintSubpacket   signatureSubpacketType = 33
-	prefAeadAlgosSubpacket       signatureSubpacketType = 34
+	prefCipherSuitesSubpacket    signatureSubpacketType = 39
 )

 // parseSignatureSubpacket parses a single subpacket. len(subpacket) is >= 1.
@ -245,6 +271,10 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		packetType signatureSubpacketType
 		isCritical bool
 	)
+	if len(subpacket) == 0 {
+		err = errors.StructuralError("zero length signature subpacket")
+		return
+	}
 	switch {
 	case subpacket[0] < 192:
 		length = uint32(subpacket[0])
@ -278,12 +308,14 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 	isCritical = subpacket[0]&0x80 == 0x80
 	subpacket = subpacket[1:]
 	sig.rawSubpackets = append(sig.rawSubpackets, outputSubpacket{isHashed, packetType, isCritical, subpacket})
+	if !isHashed &&
+		packetType != issuerSubpacket &&
+		packetType != issuerFingerprintSubpacket &&
+		packetType != embeddedSignatureSubpacket {
+		return
+	}
 	switch packetType {
 	case creationTimeSubpacket:
-		if !isHashed {
-			err = errors.StructuralError("signature creation time in non-hashed area")
-			return
-		}
 		if len(subpacket) != 4 {
 			err = errors.StructuralError("signature creation time not four bytes")
 			return
@ -292,20 +324,35 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		sig.CreationTime = time.Unix(int64(t), 0)
 	case signatureExpirationSubpacket:
 		// Signature expiration time, section 5.2.3.10
-		if !isHashed {
-			return
-		}
 		if len(subpacket) != 4 {
 			err = errors.StructuralError("expiration subpacket with bad length")
 			return
 		}
 		sig.SigLifetimeSecs = new(uint32)
 		*sig.SigLifetimeSecs = binary.BigEndian.Uint32(subpacket)
-	case keyExpirationSubpacket:
-		// Key expiration time, section 5.2.3.6
-		if !isHashed {
+	case trustSubpacket:
+		if len(subpacket) != 2 {
+			err = errors.StructuralError("trust subpacket with bad length")
 			return
 		}
+		// Trust level and amount, section 5.2.3.13
+		sig.TrustLevel = TrustLevel(subpacket[0])
+		sig.TrustAmount = TrustAmount(subpacket[1])
+	case regularExpressionSubpacket:
+		if len(subpacket) == 0 {
+			err = errors.StructuralError("regexp subpacket with bad length")
+			return
+		}
+		// Trust regular expression, section 5.2.3.14
+		// RFC specifies the string should be null-terminated; remove a null byte from the end
+		if subpacket[len(subpacket)-1] != 0x00 {
+			err = errors.StructuralError("expected regular expression to be null-terminated")
+			return
+		}
+		trustRegularExpression := string(subpacket[:len(subpacket)-1])
+		sig.TrustRegularExpression = &trustRegularExpression
+	case keyExpirationSubpacket:
+		// Key expiration time, section 5.2.3.6
 		if len(subpacket) != 4 {
 			err = errors.StructuralError("key expiration subpacket with bad length")
 			return
@ -314,41 +361,52 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		*sig.KeyLifetimeSecs = binary.BigEndian.Uint32(subpacket)
 	case prefSymmetricAlgosSubpacket:
 		// Preferred symmetric algorithms, section 5.2.3.7
-		if !isHashed {
-			return
-		}
 		sig.PreferredSymmetric = make([]byte, len(subpacket))
 		copy(sig.PreferredSymmetric, subpacket)
 	case issuerSubpacket:
+		// Issuer, section 5.2.3.5
 		if sig.Version > 4 {
 			err = errors.StructuralError("issuer subpacket found in v5 key")
+			return
 		}
-		// Issuer, section 5.2.3.5
 		if len(subpacket) != 8 {
 			err = errors.StructuralError("issuer subpacket with bad length")
 			return
 		}
 		sig.IssuerKeyId = new(uint64)
 		*sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket)
-	case prefHashAlgosSubpacket:
-		// Preferred hash algorithms, section 5.2.3.8
-		if !isHashed {
+	case notationDataSubpacket:
+		// Notation data, section 5.2.3.16
+		if len(subpacket) < 8 {
+			err = errors.StructuralError("notation data subpacket with bad length")
 			return
 		}
+
+		nameLength := uint32(subpacket[4])<<8 | uint32(subpacket[5])
+		valueLength := uint32(subpacket[6])<<8 | uint32(subpacket[7])
+		if len(subpacket) != int(nameLength)+int(valueLength)+8 {
+			err = errors.StructuralError("notation data subpacket with bad length")
+			return
+		}
+
+		notation := Notation{
+			IsHumanReadable: (subpacket[0] & 0x80) == 0x80,
+			Name:            string(subpacket[8:(nameLength + 8)]),
+			Value:           subpacket[(nameLength + 8):(valueLength + nameLength + 8)],
+			IsCritical:      isCritical,
+		}
+
+		sig.Notations = append(sig.Notations, &notation)
+	case prefHashAlgosSubpacket:
+		// Preferred hash algorithms, section 5.2.3.8
 		sig.PreferredHash = make([]byte, len(subpacket))
 		copy(sig.PreferredHash, subpacket)
 	case prefCompressionSubpacket:
 		// Preferred compression algorithms, section 5.2.3.9
-		if !isHashed {
-			return
-		}
 		sig.PreferredCompression = make([]byte, len(subpacket))
 		copy(sig.PreferredCompression, subpacket)
 	case primaryUserIdSubpacket:
 		// Primary User ID, section 5.2.3.19
-		if !isHashed {
-			return
-		}
 		if len(subpacket) != 1 {
 			err = errors.StructuralError("primary user id subpacket with bad length")
 			return
@ -359,9 +417,6 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		}
 	case keyFlagsSubpacket:
 		// Key flags, section 5.2.3.21
-		if !isHashed {
-			return
-		}
 		if len(subpacket) == 0 {
 			err = errors.StructuralError("empty key flags subpacket")
 			return
@ -393,9 +448,6 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		sig.SignerUserId = &userId
 	case reasonForRevocationSubpacket:
 		// Reason For Revocation, section 5.2.3.23
-		if !isHashed {
-			return
-		}
 		if len(subpacket) == 0 {
 			err = errors.StructuralError("empty revocation reason subpacket")
 			return
@ -407,18 +459,13 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		// Features subpacket, section 5.2.3.24 specifies a very general
 		// mechanism for OpenPGP implementations to signal support for new
 		// features.
-		if !isHashed {
-			return
-		}
 		if len(subpacket) > 0 {
 			if subpacket[0]&0x01 != 0 {
-				sig.MDC = true
+				sig.SEIPDv1 = true
 			}
-			if subpacket[0]&0x02 != 0 {
-				sig.AEAD = true
-			}
-			if subpacket[0]&0x04 != 0 {
-				sig.V5Keys = true
+			// 0x02 and 0x04 are reserved
+			if subpacket[0]&0x08 != 0 {
+				sig.SEIPDv2 = true
 			}
 		}
 	case embeddedSignatureSubpacket:
@ -441,11 +488,12 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		}
 	case policyUriSubpacket:
 		// Policy URI, section 5.2.3.20
-		if !isHashed {
-			return
-		}
 		sig.PolicyURI = string(subpacket)
 	case issuerFingerprintSubpacket:
+		if len(subpacket) == 0 {
+			err = errors.StructuralError("empty issuer fingerprint subpacket")
+			return
+		}
 		v, l := subpacket[0], len(subpacket[1:])
 		if v == 5 && l != 32 || v != 5 && l != 20 {
 			return nil, errors.StructuralError("bad fingerprint length")
@ -458,13 +506,19 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r
 		} else {
 			*sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket[13:21])
 		}
-	case prefAeadAlgosSubpacket:
-		// Preferred symmetric algorithms, section 5.2.3.8
-		if !isHashed {
+	case prefCipherSuitesSubpacket:
+		// Preferred AEAD cipher suites
+		// See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-preferred-aead-ciphersuites
+		if len(subpacket)%2 != 0 {
+			err = errors.StructuralError("invalid aead cipher suite length")
 			return
 		}
-		sig.PreferredAEAD = make([]byte, len(subpacket))
-		copy(sig.PreferredAEAD, subpacket)
+
+		sig.PreferredCipherSuites = make([][2]byte, len(subpacket)/2)
+
+		for i := 0; i < len(subpacket)/2; i++ {
+			sig.PreferredCipherSuites[i] = [2]uint8{subpacket[2*i], subpacket[2*i+1]}
+		}
 	default:
 		if isCritical {
 			err = errors.UnsupportedError("unknown critical signature subpacket type " + strconv.Itoa(int(packetType)))
@ -562,7 +616,15 @@ func (sig *Signature) SigExpired(currentTime time.Time) bool {

 // buildHashSuffix constructs the HashSuffix member of sig in preparation for signing.
 func (sig *Signature) buildHashSuffix(hashedSubpackets []byte) (err error) {
-	hash, ok := s2k.HashToHashId(sig.Hash)
+	var hashId byte
+	var ok bool
+
+	if sig.Version < 5 {
+		hashId, ok = algorithm.HashToHashIdWithSha1(sig.Hash)
+	} else {
+		hashId, ok = algorithm.HashToHashId(sig.Hash)
+	}
+
 	if !ok {
 		sig.HashSuffix = nil
 		return errors.InvalidArgumentError("hash cannot be represented in OpenPGP: " + strconv.Itoa(int(sig.Hash)))
@ -572,7 +634,7 @@ func (sig *Signature) buildHashSuffix(hashedSubpackets []byte) (err error) {
 		uint8(sig.Version),
 		uint8(sig.SigType),
 		uint8(sig.PubKeyAlgo),
-		uint8(hash),
+		uint8(hashId),
 		uint8(len(hashedSubpackets) >> 8),
 		uint8(len(hashedSubpackets)),
 	})
@ -842,7 +904,7 @@ func (sig *Signature) buildSubpackets(issuer PublicKey) (subpackets []outputSubp
 	if sig.IssuerKeyId != nil && sig.Version == 4 {
 		keyId := make([]byte, 8)
 		binary.BigEndian.PutUint64(keyId, *sig.IssuerKeyId)
-		subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, true, keyId})
+		subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, false, keyId})
 	}
 	if sig.IssuerFingerprint != nil {
 		contents := append([]uint8{uint8(issuer.Version)}, sig.IssuerFingerprint...)
@ -885,23 +947,40 @@ func (sig *Signature) buildSubpackets(issuer PublicKey) (subpackets []outputSubp
 		subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, false, []byte{flags}})
 	}

+	for _, notation := range sig.Notations {
+		subpackets = append(
+			subpackets,
+			outputSubpacket{
+				true,
+				notationDataSubpacket,
+				notation.IsCritical,
+				notation.getData(),
+			})
+	}
+
 	// The following subpackets may only appear in self-signatures.

 	var features = byte(0x00)
-	if sig.MDC {
+	if sig.SEIPDv1 {
 		features |= 0x01
 	}
-	if sig.AEAD {
-		features |= 0x02
-	}
-	if sig.V5Keys {
-		features |= 0x04
+	if sig.SEIPDv2 {
+		features |= 0x08
 	}

 	if features != 0x00 {
 		subpackets = append(subpackets, outputSubpacket{true, featuresSubpacket, false, []byte{features}})
 	}

+	if sig.TrustLevel != 0 {
+		subpackets = append(subpackets, outputSubpacket{true, trustSubpacket, true, []byte{byte(sig.TrustLevel), byte(sig.TrustAmount)}})
+	}
+
+	if sig.TrustRegularExpression != nil {
+		// RFC specifies the string should be null-terminated; add a null byte to the end
+		subpackets = append(subpackets, outputSubpacket{true, regularExpressionSubpacket, true, []byte(*sig.TrustRegularExpression + "\000")})
+	}
+
 	if sig.KeyLifetimeSecs != nil && *sig.KeyLifetimeSecs != 0 {
 		keyLifetime := make([]byte, 4)
 		binary.BigEndian.PutUint32(keyLifetime, *sig.KeyLifetimeSecs)
@ -928,8 +1007,13 @@ func (sig *Signature) buildSubpackets(issuer PublicKey) (subpackets []outputSubp
 		subpackets = append(subpackets, outputSubpacket{true, policyUriSubpacket, false, []uint8(sig.PolicyURI)})
 	}

-	if len(sig.PreferredAEAD) > 0 {
-		subpackets = append(subpackets, outputSubpacket{true, prefAeadAlgosSubpacket, false, sig.PreferredAEAD})
+	if len(sig.PreferredCipherSuites) > 0 {
+		serialized := make([]byte, len(sig.PreferredCipherSuites)*2)
+		for i, cipherSuite := range sig.PreferredCipherSuites {
+			serialized[2*i] = cipherSuite[0]
+			serialized[2*i+1] = cipherSuite[1]
+		}
+		subpackets = append(subpackets, outputSubpacket{true, prefCipherSuitesSubpacket, false, serialized})
 	}

 	// Revocation reason appears only in revocation signatures and is serialized as per section 5.2.3.23.
@ -971,7 +1055,7 @@ func (sig *Signature) AddMetadataToHashSuffix() {
 	n := sig.HashSuffix[len(sig.HashSuffix)-8:]
 	l := uint64(
 		uint64(n[0])<<56 | uint64(n[1])<<48 | uint64(n[2])<<40 | uint64(n[3])<<32 |
-		uint64(n[4])<<24 | uint64(n[5])<<16 | uint64(n[6])<<8 | uint64(n[7]))
+			uint64(n[4])<<24 | uint64(n[5])<<16 | uint64(n[6])<<8 | uint64(n[7]))

 	suffix := bytes.NewBuffer(nil)
 	suffix.Write(sig.HashSuffix[:l])
--- a/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetric_key_encrypted.go
+++ b/vendor/github.com/ProtonMail/go-crypto/openpgp/packet/symmetric_key_encrypted.go
@ -14,8 +14,8 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/s2k"
 )

-// This is the largest session key that we'll support. Since no 512-bit cipher
-// has even been seriously used, this is comfortably large.
+// This is the largest session key that we'll support. Since at most 256-bit cipher
+// is supported in OpenPGP, this is large enough to contain also the auth tag.
 const maxSessionKeySizeInBytes = 64

 // SymmetricKeyEncrypted represents a passphrase protected session key. See RFC
@ -25,13 +25,16 @@ type SymmetricKeyEncrypted struct {
 	CipherFunc   CipherFunction
 	Mode         AEADMode
 	s2k          func(out, in []byte)
-	aeadNonce    []byte
-	encryptedKey []byte
+	iv           []byte
+	encryptedKey []byte // Contains also the authentication tag for AEAD
 }

+// parse parses an SymmetricKeyEncrypted packet as specified in
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-symmetric-key-encrypted-ses
 func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error {
-	// RFC 4880, section 5.3.
-	var buf [2]byte
+	var buf [1]byte
+
+	// Version
 	if _, err := readFull(r, buf[:]); err != nil {
 		return err
 	}
@ -39,17 +42,22 @@ func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error {
 	if ske.Version != 4 && ske.Version != 5 {
 		return errors.UnsupportedError("unknown SymmetricKeyEncrypted version")
 	}
-	ske.CipherFunc = CipherFunction(buf[1])
-	if ske.CipherFunc.KeySize() == 0 {
-		return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[1])))
+
+	// Cipher function
+	if _, err := readFull(r, buf[:]); err != nil {
+		return err
+	}
+	ske.CipherFunc = CipherFunction(buf[0])
+	if !ske.CipherFunc.IsSupported() {
+		return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[0])))
 	}

 	if ske.Version == 5 {
-		mode := make([]byte, 1)
-		if _, err := r.Read(mode); err != nil {
+		// AEAD mode
+		if _, err := readFull(r, buf[:]); err != nil {
 			return errors.StructuralError("cannot read AEAD octet from packet")
 		}
-		ske.Mode = AEADMode(mode[0])
+		ske.Mode = AEADMode(buf[0])
 	}

 	var err error
@ -61,13 +69,14 @@ func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error {
 	}

 	if ske.Version == 5 {
-		// AEAD nonce
-		nonce := make([]byte, ske.Mode.NonceLength())
-		_, err := readFull(r, nonce)
-		if err != nil && err != io.ErrUnexpectedEOF {
-			return err
+		// AEAD IV
+		iv := make([]byte, ske.Mode.IvLength())
+		_, err := readFull(r, iv)
+		if err != nil {
+			return errors.StructuralError("cannot read AEAD IV")
 		}
-		ske.aeadNonce = nonce
+
+		ske.iv = iv
 	}

 	encryptedKey := make([]byte, maxSessionKeySizeInBytes)
@ -128,11 +137,10 @@ func (ske *SymmetricKeyEncrypted) decryptV4(key []byte) ([]byte, CipherFunction,
 }

 func (ske *SymmetricKeyEncrypted) decryptV5(key []byte) ([]byte, error) {
-	blockCipher := CipherFunction(ske.CipherFunc).new(key)
-	aead := ske.Mode.new(blockCipher)
-
 	adata := []byte{0xc3, byte(5), byte(ske.CipherFunc), byte(ske.Mode)}
-	plaintextKey, err := aead.Open(nil, ske.aeadNonce, ske.encryptedKey, adata)
+	aead := getEncryptedKeyAeadInstance(ske.CipherFunc, ske.Mode, key, adata)
+
+	plaintextKey, err := aead.Open(nil, ske.iv, ske.encryptedKey, adata)
 	if err != nil {
 		return nil, err
 	}
@ -142,17 +150,12 @@ func (ske *SymmetricKeyEncrypted) decryptV5(key []byte) ([]byte, error) {
 // SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w.
 // The packet contains a random session key, encrypted by a key derived from
 // the given passphrase. The session key is returned and must be passed to
-// SerializeSymmetricallyEncrypted or SerializeAEADEncrypted, depending on
-// whether config.AEADConfig != nil.
+// SerializeSymmetricallyEncrypted.
 // If config is nil, sensible defaults will be used.
 func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) {
 	cipherFunc := config.Cipher()
-	keySize := cipherFunc.KeySize()
-	if keySize == 0 {
-		return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
-	}

-	sessionKey := make([]byte, keySize)
+	sessionKey := make([]byte, cipherFunc.KeySize())
 	_, err = io.ReadFull(config.Random(), sessionKey)
 	if err != nil {
 		return
@ -169,9 +172,8 @@ func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Conf

 // SerializeSymmetricKeyEncryptedReuseKey serializes a symmetric key packet to w.
 // The packet contains the given session key, encrypted by a key derived from
-// the given passphrase. The session key must be passed to
-// SerializeSymmetricallyEncrypted or SerializeAEADEncrypted, depending on
-// whether config.AEADConfig != nil.
+// the given passphrase. The returned session key must be passed to
+// SerializeSymmetricallyEncrypted.
 // If config is nil, sensible defaults will be used.
 func SerializeSymmetricKeyEncryptedReuseKey(w io.Writer, sessionKey []byte, passphrase []byte, config *Config) (err error) {
 	var version int
@ -181,16 +183,17 @@ func SerializeSymmetricKeyEncryptedReuseKey(w io.Writer, sessionKey []byte, pass
 		version = 4
 	}
 	cipherFunc := config.Cipher()
-	keySize := cipherFunc.KeySize()
-	if keySize == 0 {
-		return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
+	// cipherFunc must be AES
+	if !cipherFunc.IsSupported() || cipherFunc < CipherAES128 || cipherFunc > CipherAES256 {
+		return errors.UnsupportedError("unsupported cipher: " + strconv.Itoa(int(cipherFunc)))
 	}

+	keySize := cipherFunc.KeySize()
 	s2kBuf := new(bytes.Buffer)
 	keyEncryptingKey := make([]byte, keySize)
 	// s2k.Serialize salts and stretches the passphrase, and writes the
 	// resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf.
-	err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, &s2k.Config{Hash: config.Hash(), S2KCount: config.PasswordHashIterations()})
+	err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, config.S2K())
 	if err != nil {
 		return
 	}
@ -201,20 +204,20 @@ func SerializeSymmetricKeyEncryptedReuseKey(w io.Writer, sessionKey []byte, pass
 	case 4:
 		packetLength = 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize
 	case 5:
-		nonceLen := config.AEAD().Mode().NonceLength()
+		ivLen := config.AEAD().Mode().IvLength()
 		tagLen := config.AEAD().Mode().TagLength()
-		packetLength = 3 + len(s2kBytes) + nonceLen + keySize + tagLen
+		packetLength = 3 + len(s2kBytes) + ivLen + keySize + tagLen
 	}
 	err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength)
 	if err != nil {
 		return
 	}

-	buf := make([]byte, 2)
 	// Symmetric Key Encrypted Version
-	buf[0] = byte(version)
+	buf := []byte{byte(version)}
+
 	// Cipher function
-	buf[1] = byte(cipherFunc)
+	buf = append(buf, byte(cipherFunc))

 	if version == 5 {
 		// AEAD mode
@ -241,19 +244,20 @@ func SerializeSymmetricKeyEncryptedReuseKey(w io.Writer, sessionKey []byte, pass
 			return
 		}
 	case 5:
-		blockCipher := cipherFunc.new(keyEncryptingKey)
 		mode := config.AEAD().Mode()
-		aead := mode.new(blockCipher)
-		// Sample nonce using random reader
-		nonce := make([]byte, config.AEAD().Mode().NonceLength())
-		_, err = io.ReadFull(config.Random(), nonce)
+		adata := []byte{0xc3, byte(5), byte(cipherFunc), byte(mode)}
+		aead := getEncryptedKeyAeadInstance(cipherFunc, mode, keyEncryptingKey, adata)
+
+		// Sample iv using random reader
+		iv := make([]byte, config.AEAD().Mode().IvLength())
+		_, err = io.ReadFull(config.Random(), iv)
 		if err != nil {
 			return
 		}
 		// Seal and write (encryptedData includes auth. tag)
-		adata := []byte{0xc3, byte(5), byte(cipherFunc), byte(mode)}
-		encryptedData := aead.Seal(nil, nonce, sessionKey, adata)
-		_, err = w.Write(nonce)
+
+		encryptedData := aead.Seal(nil, iv, sessionKey, adata)
+		_, err = w.Write(iv)
 		if err != nil {
 			return
 		}
@ -265,3 +269,8 @@ func SerializeSymmetricKeyEncryptedReuseKey(w io.Writer, sessionKey []byte, pass

 	return
 }
+
+func getEncryptedKeyAeadInstance(c CipherFunction, mode AEADMode, inputKey, associatedData []byte) (aead cipher.AEAD) {
+	blockCipher := c.new(inputKey)
+	return mode.new(blockCipher)
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Chris Allen Lane	7908a678df	Merge pull request #742 from cheat/dependabot/go_modules/github.com/cloudflare/circl-1.3.7 chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7	2024-01-08 15:34:48 -05:00
dependabot[bot]	7c0eacb53d	chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.6 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.3.6...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2024-01-08 16:53:49 +00:00
Chris Allen Lane	4bf804ac60	Merge pull request #741 from cheat/dependabot/go_modules/golang.org/x/crypto-0.17.0 chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0	2023-12-19 14:51:50 -05:00
dependabot[bot]	33c5918087	chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.16.0 to 0.17.0. - [Commits](https://github.com/golang/crypto/compare/v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2023-12-19 00:07:38 +00:00
Christopher Allen Lane	d34177729d	chore: bump version to 4.4.2	2023-12-15 12:48:39 -05:00
Chris Allen Lane	7fa50328d7	Merge pull request #740 from chrisallenlane/chroma chore(deps): bump chroma to v2 #735	2023-12-13 12:59:52 -05:00
Christopher Allen Lane	1790aec85d	chore(deps): bump chroma to v2 #735 Bump `alecthomas/chroma` to `v2`: https://github.com/cheat/cheat/issues/735	2023-12-13 12:54:32 -05:00
Mikel Olasagasti Uranga	6bf51e758f	Use yaml.v3 rather than .v2 and .v1	2023-12-13 09:57:58 -05:00
Christopher Allen Lane	242da8c89a	chore(build): remove `plan9` support Remove `plan9` support from the `Makefile` because the executable now fails to build.	2023-12-13 09:45:21 -05:00
Chris Allen Lane	2294f40ee0	Merge pull request #739 from chrisallenlane/v4.4.1 V4.4.1	2023-12-13 09:17:16 -05:00
Christopher Allen Lane	fe25019b14	chore: bump version to `4.4.1`	2023-12-13 09:12:14 -05:00
Christopher Allen Lane	bfb071c0b2	chore(lint): various changes to appease revive - Add `package` comments - Rename `opts` to `_` where unused	2023-12-13 09:10:20 -05:00
Christopher Allen Lane	95a4e31b6c	chore(deps): upgrade dependencies Upgrade all dependencies to newest versions.	2023-12-13 08:29:02 -05:00
Chris Allen Lane	0d9c92c8c0	Merge pull request #707 from chrisallenlane/v4.4.0 V4.4.0	2022-11-05 13:11:22 -04:00
Christopher Allen Lane	16c50bb659	chore: bump version to `4.4.0`	2022-11-05 12:56:43 -04:00
Christopher Allen Lane	1a85c9e9c8	feat: platform compatibility Add experimental support for the following platforms: - aix - dragonfly - illumos - ios - netbsd - openbsd - plan9 - solaris	2022-11-05 12:00:43 -04:00
Christopher Allen Lane	c9ccefa607	chore(deps): remove `yaml.v1` Remove errant `yaml.v1` dependency, and use `yaml.v2` everywhere.	2022-11-05 11:39:48 -04:00
Christopher Allen Lane	3a6b6e58f0	chore(deps): update dependencies `make vendor-update`	2022-11-05 10:15:15 -04:00
Christopher Allen Lane	2edc0ee299	chore: add a comment Add a small comment regarding a tricky edge-case in `gitdir.go`.	2022-08-28 06:54:29 -04:00