Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): Update go deps #15

Merged
merged 1 commit into from
Nov 6, 2023
Merged

chore(deps): Update go deps #15

merged 1 commit into from
Nov 6, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 6, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/bufbuild/protovalidate-go require minor v0.3.4 -> v0.4.0
github.com/cerbos/cerbos/api/genpb require digest f134903 -> 5e254ae
github.com/golangci/golangci-lint require patch v1.55.1 -> v1.55.2
github.com/lestrrat-go/jwx/v2 require patch v2.0.15 -> v2.0.16

Release Notes

bufbuild/protovalidate-go (github.com/bufbuild/protovalidate-go)

v0.4.0

Compare Source

What's Changed

New Contributors

Full Changelog: bufbuild/protovalidate-go@v0.3.4...v0.4.0

golangci/golangci-lint (github.com/golangci/golangci-lint)

v1.55.2

Compare Source

  1. updated linters
    • ireturn: from 0.2.1 to 0.2.2
    • ginkgolinter: from 0.14.0 to 0.14.1
lestrrat-go/jwx (github.com/lestrrat-go/jwx/v2)

v2.0.16

Compare Source

v2.0.16 31 Oct 2023
[Security]
  * [jws] ECDSA signature verification requires us to check if the signature
    is of the desired length of bytes, but this check that used to exist before
    had been removed in #​65, resulting in certain malformed signatures to pass
    verification.

    One of the ways this could happen if R is a 31 byte integer and S is 32 byte integer,
    both containing the correct signature values, but R is not zero-padded.

       Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
       Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)

    In order for this check to pass, you would still need to have all 63 bytes
    populated with the correct signature. The only modification a bad actor
    may be able to do is to add one more byte at the end, in which case the
    first 32 bytes (including what would have been S's first byte) is used for R,
    and S would contain the rest. But this will only result in the verification to
    fail. Therefore this in itself should not pose any security risk, albeit
    allowing some illegally formated messages to be verified.

  * [jwk] `jwk.Key` objects now have a `Validate()` method to validate the data
    stored in the keys. However, this still does not necessarily mean that the key's
        are valid for use in cryptographic operations. If `Validate()` is successful,
    it only means that the keys are in the right _format_, including the presence
    of required fields and that certain fields have proper length, etc.

[New Features]
  * [jws] Added `jws.WithValidateKey()` to force calling `key.Validate()` before
    signing or verification.

  * [jws] `jws.Sign()` now returns a special type of error that can hold the
    individual errors from the signers. The stringification is still the same
    as before to preserve backwards compatibility.

  * [jwk] Added `jwk.IsKeyValidationError` that checks if an error is an error
    from `key.Validate()`.

[Bug Fixes]
  * [jwt] `jwt.ParseInsecure()` was running verification if you provided a key
    via `jwt.WithKey()` or `jwt.WithKeySet()` (#​1007)

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@charithe charithe changed the title chore(deps): update go deps chore(deps): Update go deps Nov 6, 2023
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title chore(deps): Update go deps chore(deps): update go deps Nov 6, 2023
@charithe charithe changed the title chore(deps): update go deps chore(deps): Update go deps Nov 6, 2023
@charithe charithe merged commit c369b4f into main Nov 6, 2023
6 of 7 checks passed
@charithe charithe deleted the renovate/go-deps branch November 6, 2023 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant