My recommendation is to close them without merging, unless someone feels strongly enough to give them a proper review. I personally don't think they are worth it, as they are just low-effort bot posts.
As far as trust, I would trust the ones from Dependabot, being a GitHub service, to not be malicious, but that's all. The others I wouldn't trust at all without reviewing them fully.
Without reviewing, we don't know if the supposed security risk actually applies to OpenPnP, or if the proposed change actually fixes it.
Jason