Bump github.com/zmap/zlint/v3 from 3.6.8 to 3.7.0 #7

Merged
Knight1 merged 1 commit into main from dependabot/go_modules/github.com/zmap/zlint/v3-3.7.0 on May 16, 2026

dependabot Bot commented on behalf of github on May 12, 2026

Bumps github.com/zmap/zlint/v3 from 3.6.8 to 3.7.0.

Release notes

Sourced from github.com/zmap/zlint/v3's releases.

v3.7.0

ZLint v3.7.0

The ZMap team is happy to share ZLint v3.7.0.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_arpa_domain_not_allowed: CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix
  • e_basic_constr_invalid_der: Checks the correct DER encoding of the cA field in the BasicConstraints ext
  • e_client_auth_not_allowed: Checks that Server certs do not contain clientAuth in the EKU extension
  • e_cs_aia_missing_ca_issuers_http_url: The authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's certificate (id-ad-caIssuers)
  • e_cs_aia_ocsp_not_http: If the CA provides OCSP responses, the authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's OCSP responder (id-ad-ocsp)
  • e_cs_authority_information_access: The authorityInformationAccess extension MUST be present and MUST NOT be marked critical
  • e_cs_ecdsa_prohibited_curve: If the Key is ECDSA, then the curve MUST be one of NIST P-256, P-384, or P-521
  • e_cs_max_validity_period_39_months: Code Signing certificate validity must not exceed 39 months for certificates issued before March 1st, 2026
  • e_cs_max_validity_period_460_days: Code Signing certificate validity must not exceed 460 days for certificates issued on or after March 1st, 2026
  • e_cs_signature_algorithm_not_supported: Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512
  • e_exactly_one_smime_policy: The subscriber cert SHALL include exactly one of the reserved policy OIDs in §7.1.6.1
  • e_excessively backdated notBefore [must be] a value within 48 hours of the certificate signing
  • e_ext_cannot_be_empty_sequence: Extensions whose value is SEQUENCE SIZE (1..MAX) OF must have at least 1 element
  • e_ocsp_cert_cdp_forbidden: In OCSP certificates, the CDP extension MUST NOT appear
  • e_ocsp_cert_cp_forbidden: In OCSP certificates, the CP extension MUST NOT appear
  • e_ocsp_cert_invalid_ku: For OCSP certificates, only digitalSignature is allowed in the KU ext
  • e_qcstatem_qctype_oneonly: Checks that a QC Statement of the type Id-etsi-qcs-QcType features exactly one of the allowed QcType OIDs
  • e_state_or_province_name_must_not_contain_control_characters: stateOrProvinceName MUST come from an authoritative data source of plain, human readable, names
  • e_subj_email_not_in_san: Certificates with email addresses MUST include them in the SAN extension

Bug Fixes

  • e_cert_policy_iv_requires_country: fixed a bug where IV-issuing policy constrained CAs were inadvertently linted
  • e_qcstatem_qctype_web: fixed to not return an error for legitimate e-signature and e-seal qualified certificates

Security

  • Patched CVE-2025-58181
  • Bumped golang.org/x/crypto from 0.36.0 to 0.45.0

Misc

  • Added support for Chrome Root Program Policy-based lints as a new lint source
  • e_state_or_province_name_must_not_contain_control_characters: extended to also check localityName
  • cab_dv_conflicts_with_locality, cab_dv_conflicts_with_org, cab_dv_conflicts_with_postal, cab_dv_conflicts_with_province, and cab_dv_conflicts_with_street: lints marked as superseded
  • e_ca_country_name_invalid: CheckApplies logic refactored with additional test coverage
  • e_cert_policy_iv_requires_country: citation updated to current location
  • Broad dependency updates
  • Updated gtld_map

Changelog

  • e07faf0 Remove Windows as a release target due to compilation errors in zcrypto (#1043)
  • 1533c39 Remove FreeBSD as a release target due to compilation errors in zcrypto (#1042)

... (truncated)

Commits
  • e07faf0 Remove Windows as a release target due to compilation errors in zcrypto (#1043)
  • 1533c39 Remove FreeBSD as a release target due to compilation errors in zcrypto (#1042)
  • e17555a Upgrade zcrypto, golang, and golangci-lint to latest (#1039)
  • 5dc4eaf Cs add aia lints (#1036)
  • 31204be Add lint for checking curve param requirements (#1035)
  • da562d2 Add support for Chrome Root Program Policy-based lints, plus a first such lin...
  • fe04242 util: gtld_map autopull updates for 2026-04-18T03:19:55 UTC (#1037)
  • 12ccc55 refactor ca country check applies, add tests (#1032)
  • 215f568 Add cs sig alg lint (#1033)
  • 90f1337 Add lint to check for certain extensions to have at least 1 element according...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/zmap/zlint/v3](https://github.com/zmap/zlint) from 3.6.8 to 3.7.0.
- [Release notes](https://github.com/zmap/zlint/releases)
- [Commits](zmap/zlint@v3.6.8...v3.7.0)

---
updated-dependencies:
- dependency-name: github.com/zmap/zlint/v3
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels on May 12, 2026
Knight1 merged commit 5258790 into main on May 16, 2026
2 checks passed
dependabot Bot deleted the dependabot/go_modules/github.com/zmap/zlint/v3-3.7.0 branch on May 16, 2026 18:43