
Replace square/go-jose by go-jose/go-jose #13526

Closed
simondeziel opened this issue Jun 1, 2024 · 5 comments

@simondeziel (Member)

square/go-jose.v2 is affected by https://github.com/canonical/lxd/security/dependabot/13 and the module is deprecated and superseded/replaced by go-jose/go-jose:

https://github.com/square/go-jose?tab=readme-ov-file:

Go JOSE v1/v2 (DEPRECATED)
Development of Go JOSE has continued in a new organization:

https://github.com/go-jose/go-jose

We already depend on github.com/go-jose/go-jose/v4 for LXD and github.com/go-jose/go-jose/v3 for the mini-oidc.

Ideally, we'd probably settle on github.com/go-jose/go-jose/v4 for all.

@MusicDin (Member) commented Jun 3, 2024

This deprecated dependency is from zitadel/oidc.

$ go mod why -m gopkg.in/square/go-jose.v2
# gopkg.in/square/go-jose.v2
github.com/canonical/lxd/client
github.com/zitadel/oidc/v2/pkg/client/rp
gopkg.in/square/go-jose.v2

Is there any blocker that prevents us from moving to zitadel/oidc/v3?
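The `go mod why` check above answers "which import chain pulls in gopkg.in/square/go-jose.v2?"; as an added example (not code from the LXD project or this thread), the program below does the same walk over `go mod graph` output and also returns nil when the module is no longer reachable, which is the check to run after the zitadel/oidc/v3 migration. The graph edges, versions and root module path are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output ("parent child" edges, modelled on the
// go mod why output in this thread; not the real LXD module graph).
const sampleGraph = `github.com/canonical/lxd github.com/zitadel/oidc/v2@v2.0.0
github.com/canonical/lxd github.com/go-jose/go-jose/v4@v4.0.0
github.com/zitadel/oidc/v2@v2.0.0 gopkg.in/square/go-jose.v2@v2.0.0
github.com/zitadel/oidc/v2@v2.0.0 golang.org/x/oauth2@v0.0.0`

// stripVersion drops the "@vX.Y.Z" suffix so every version of a module shares one node.
func stripVersion(m string) string { return strings.SplitN(m, "@", 2)[0] }

// parseGraph turns go mod graph lines into an adjacency list keyed by module path.
func parseGraph(out string) map[string][]string {
	adj := map[string][]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			adj[stripVersion(f[0])] = append(adj[stripVersion(f[0])], stripVersion(f[1]))
		}
	}
	return adj
}

// findPath breadth-first searches from root and returns the chain of modules that pulls
// in target, or nil when target is unreachable (the "is it really gone?" check).
func findPath(adj map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range adj[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	adj := parseGraph(sampleGraph)
	fmt.Println(strings.Join(findPath(adj, "github.com/canonical/lxd", "gopkg.in/square/go-jose.v2"), " -> "))
}
```

Feed it the real output of `go mod graph` instead of the constructed string to reproduce the chain `go mod why` printed above, and expect nil once the dependency is dropped.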

@markylaing (Contributor)

Is there any blocker that prevents us from moving to zitadel/oidc/v3?

This is on my to-do list for this pulse 😃

@tomponline tomponline added the Bug Confirmed to be a bug label Jun 5, 2024
@tomponline tomponline added this to the lxd-6.2 milestone Jun 5, 2024
simondeziel added a commit to simondeziel/lxd that referenced this issue Jun 7, 2024
…jose/go-jose.v2

This buys us time until canonical#13526 is properly fixed.

Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
@simondeziel (Member, Author)

#13566 is a temporary fix for the security issue but it would be nice to keep this issue around until a proper fix lands.

tomponline pushed a commit to tomponline/lxd that referenced this issue Jun 11, 2024
…jose/go-jose.v2

This buys us time until canonical#13526 is properly fixed.

Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
@tomponline (Member)

@markylaing @simondeziel did this get completed by #13602 ?

@MusicDin (Member)

Yes, this is done. There is no square/go-jose dependency anymore and the security issue is also closed.
