AFAIK the recent attack on GPG of appending a bunch of signatures to inflate its size, causing clients to crash, has been addressed upstream. Meanwhile, there are equivalent commands one can use with the older version to clean a key before importing to avoid this attack.
A PoC poisoning tool has been made by a researcher and released in the wild, so discussion is not going to cause more harm than already known.
https://daniel-lange.com/archives/159-Cleaning-a-broken-GnuPG-gpg-key.html
Maybe we can add a few of these settings to gpg.conf
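
One way to inspect a downloaded key file before importing it, as an added example that is not part of the original post or the linked article: it counts self-signatures and third-party certifications in the text output of `gpg --list-packets`. The function names, the default limit of 100 and the sample packet listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag key files carrying an unusual number of third-party
# certifications before they reach the keyring.

# Reads `gpg --list-packets` output on stdin; prints "<self> <third_party>".
# A signature counts as "self" when its issuer keyid equals the keyid of the
# preceding primary key packet (self-sigs and subkey bindings).
count_sigs() {
  awk '
    /^:public key packet:/ { want_primary = 1; next }
    want_primary && /keyid:/ { primary = $NF; want_primary = 0; next }
    /^:signature packet:/ {
      issuer = ""
      for (i = 1; i < NF; i++) if ($i == "keyid") issuer = $(i + 1)
      if (issuer == primary) self++; else third++
    }
    END { printf "%d %d\n", self, third }
  '
}

# Succeeds when the third-party signature count on stdin is <= the limit.
within_limit() {
  limit=$1
  third=$(count_sigs | cut -d' ' -f2)
  [ "$third" -le "$limit" ]
}

# usage: check_key_file <file> [limit]   (limit defaults to 100, an assumption)
check_key_file() {
  gpg --list-packets "$1" 2>/dev/null | within_limit "${2:-100}"
}

# Constructed sample of list-packets output: one self-sig, two third-party sigs.
sample_packets() {
  cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1500000000, expires 0
    keyid: AAAAAAAAAAAAAAAA
:user ID packet: "Constructed User <user@example.org>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
    version 4, created 1500000000, md5len 0, sigclass 0x13
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
    version 4, created 1560000000, md5len 0, sigclass 0x10
:signature packet: algo 1, keyid CCCCCCCCCCCCCCCC
    version 4, created 1560000001, md5len 0, sigclass 0x10
EOF
}
```

A file that fails the check can still be imported with `gpg --import-options import-minimal --import <file>`, which keeps only the most recent self-signature on each user ID.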