[MAINT]/[SECURITY]: bump go-jose to from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 #2343

Merged


AtzeDeVries
Contributor

square/go-jose is not maintained anymore. Release v3 is the release to migrate to when you migrate to go-jose/go-jose.
https://github.com/go-jose/go-jose/releases/tag/v3.0.0
Release 4 contains breaking changes

We bump to 3.0.3 because this contains the sec fix:
Limit decompression output size to prevent a DoS. Backport from v4.0.1.

closes: #2341

…m/go-jose/go-jose/v3

square/go-jose is not maintained anymore. Release v3 is the release to migrate to when you migrate to go-jose/go-jose.
https://github.com/go-jose/go-jose/releases/tag/v3.0.0
Release 4 contains breaking changes

We bump to 3.0.3 because this contains the sec fix:
Limit decompression output size to prevent a DoS. Backport from v4.0.1.

closes: integrations#2341
@AtzeDeVries AtzeDeVries changed the title [MAINT]: bump go-jose to from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 [MAINT]/[SECURITY]: bump go-jose to from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 Aug 9, 2024
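
The fix the description cites, limiting decompression output size, sketched as an added Go example using only the standard library; it is not go-jose's code and not part of this PR. The cap passed in `main`, the helper names `deflate` and `boundedInflate`, and the all-zero sample payload are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated output would exceed the caller's cap.
var ErrTooLarge = errors.New("decompressed payload exceeds limit")

// deflate compresses data with raw DEFLATE; used here only to build sample input.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // error only on invalid level
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// boundedInflate decompresses raw DEFLATE input but never buffers more than
// maxOut+1 bytes, so a tiny input cannot force a huge allocation.
func boundedInflate(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read one byte past the cap so "exactly at the cap" and "over the cap"
	// can be told apart without inflating the rest of the stream.
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, fmt.Errorf("inflate: %w", err)
	}
	if int64(len(out)) > maxOut {
		return nil, ErrTooLarge
	}
	return out, nil
}

func main() {
	const maxOut = 256 << 10 // assumed cap (256 KiB), not a value from the page

	// Constructed sample: 10 MiB of zeros shrinks to a few KiB of DEFLATE data.
	bomb := deflate(make([]byte, 10<<20))
	_, err := boundedInflate(bomb, maxOut)
	fmt.Printf("bomb: %d compressed bytes -> %v\n", len(bomb), err)

	msg, err := boundedInflate(deflate([]byte("hello")), maxOut)
	fmt.Printf("small: %q, err=%v\n", msg, err)
}
```

Without the `io.LimitReader` wrapper, `io.ReadAll` on the same input would allocate the full 10 MiB; the cap turns that into a fixed-size read and an error the caller can handle.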
Member

@kfcampbell kfcampbell left a comment

Thank you for identifying and fixing this!

@kfcampbell kfcampbell merged commit b52ce70 into integrations:main Aug 16, 2024
1 check passed
Development

Successfully merging this pull request may close these issues.

[MAINT]: go dependency square/go-jose.v2 contains vulnerability. Consider migrating to go-jose/go-jose