Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace github.com/dgrijalva/jwt-go with something without open CVEs #1250

Closed
zepatrik opened this issue Apr 21, 2021 · 1 comment
Closed

Replace github.com/dgrijalva/jwt-go with something without open CVEs #1250

zepatrik opened this issue Apr 21, 2021 · 1 comment
Assignees
@Benehiko
Labels
help wanted We are looking for help on this one. upstream Issue is caused by an upstream dependency.

Comments

@zepatrik
Copy link
Member

This https://nvd.nist.gov/vuln/detail/CVE-2020-26160 is not fixed since over a year now, as the library seems abandoned. We can either use a fixed fork of it (e.g. github.com/form3tech-oss/jwt-go) or look for something different that is actually maintained.
This shows up in nancy recently, see e.g. https://app.circleci.com/pipelines/github/ory/keto/1112/workflows/e646084f-2afa-455f-8437-445d1dac190a/jobs/7654
@zepatrik zepatrik added the upstream Issue is caused by an upstream dependency. label Apr 21, 2021
@aeneasr aeneasr added good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one. labels Apr 22, 2021
@aeneasr aeneasr removed the good first issue A good issue to tackle when being a novice to the project. label Apr 22, 2021
@aeneasr
Copy link
Member

aeneasr commented Apr 22, 2021

Yes we should move to github.com/form3tech-oss/jwt-go . All we have to do really is to replace the dependency.

@Benehiko Benehiko mentioned this issue Apr 22, 2021
Merged
5 tasks
@github-actions github-actions bot mentioned this issue Apr 24, 2021
Closed
1 task
harnash pushed a commit to Wikia/kratos that referenced this issue Apr 29, 2021
@Benehiko @harnash
fix: replace jwt module (ory#1254)
f27b366 
Closes ory#1250
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Benehiko Benehiko

Labels
help wanted We are looking for help on this one. upstream Issue is caused by an upstream dependency.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@aeneasr @zepatrik @Benehiko