Bump spomky-labs/otphp from 11.3.0 to 11.5.0

[dependabot]

Bumps spomky-labs/otphp from 11.3.0 to 11.5.0.

Release notes

Sourced from spomky-labs/otphp's releases.

11.5.0

Release Notes for 11.5.0

Feature release (minor)

11.5.0

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

enhancement

• 280: fix: enforce minimum digest length thanks to @​Spomky

DX,UX

• 276: docs: replace deprecated Google Charts example with local BaconQrCode thanks to @​guillaumedelre

11.4.3

🔒 Security release

This release fixes two medium-severity advisories affecting Factory::loadFromProvisioningUri() — the entry point used to load third-party otpauth:// provisioning URIs. All versions < 11.4.3 are affected; upgrade to 11.4.3.

• GHSA-g7m4-839x-ch6v — an unbounded digits value made 10 ** digits overflow, raising an uncatchable DivisionByZeroError in at()/now()/verify(). digits is now bounded to 1..10.
• GHSA-2jx3-65f3-xr8r — a hostile URI key could mass-assign internal properties (state corruption, TypeError, readonly Error). Only label/issuer are now written; any failure surfaces as the documented InvalidProvisioningUriException.

---

Release Notes for 11.4.3

11.4.x bugfix release (patch)

11.4.3

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

bug

• 277: style: coding standards & static analysis on 11.4.x thanks to @​Spomky

11.4.2

Release Notes for 11.4.2

11.4.x bugfix release (patch)

11.4.2

... (truncated)

Commits

• 877683d fix: reject digest algorithms shorter than 19 bytes (#280)
• d88e1ce Bump actions/dependency-review-action from 4 to 5 (#279)
• 4969579 Bump renovatebot/github-action from 46.1.12 to 46.1.14 (#278)
• fc03159 docs: fix broken build badge and modernize Poser badges
• e9bb457 ci: fetch full history in the merge-up job
• 24ba0c0 Merge branch '11.4.x' into 11.5.x
• 4666331 style: coding standards & static analysis on 11.4.x (#277)
• d3ec3d0 fix: prevent mass-assignment of internal properties from a provisioning URI (...
• fb651c9 fix: bound the digits parameter to prevent DivisionByZeroError (GHSA-g7m4-839...
• 780a43f docs: replace deprecated Google Charts example with local BaconQrCode (#276)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.