chore: Bump go-jose dependency and mod tidy #418

Closed
wants to merge 1 commit into from

Conversation

bcandeias

This bumps the go-jose dependency to a version that addresses vulnerability CVE-2024-28180.

Tested with the below:

$ go fmt ./... ; go mod tidy ; go build ./... ; go test ./...
go: finding module for package github.com/go-jose/go-jose/v3
go: downloading github.com/go-jose/go-jose/v3 v3.0.3
go: downloading github.com/go-jose/go-jose v2.6.3+incompatible
go: found github.com/go-jose/go-jose/v3 in github.com/go-jose/go-jose/v3 v3.0.3
go: downloading github.com/stretchr/testify v1.8.2
go: downloading golang.org/x/crypto v0.19.0
Run 'go help' for usage.
?   	github.com/coreos/go-oidc/v3/example/idtoken	[no test files]
?   	github.com/coreos/go-oidc/v3/example/userinfo	[no test files]
ok  	github.com/coreos/go-oidc/v3/oidc	1.528s

Closes #417

This bumps the go-jose dependency to a version that addresses
vulnerability CVE-2024-28180.

Closes coreos#417
Collaborator

@ericchiang ericchiang left a comment

Don't know why the toolchain directive was added, but I'm not seeing that locally

% go get github.com/go-jose/go-jose/[email protected]
go: downloading github.com/go-jose/go-jose/v3 v3.0.3
go: downloading golang.org/x/crypto v0.19.0
go: upgraded github.com/go-jose/go-jose/v3 v3.0.1 => v3.0.3
go: upgraded golang.org/x/crypto v0.14.0 => v0.19.0
% go mod tidy
go: downloading golang.org/x/net v0.17.0
go: downloading google.golang.org/appengine v1.6.8
% cat go.mod 
module github.com/coreos/go-oidc/v3

go 1.19

require (
	github.com/go-jose/go-jose/v3 v3.0.3
	golang.org/x/net v0.17.0
	golang.org/x/oauth2 v0.13.0
)

require (
	github.com/golang/protobuf v1.5.3 // indirect
	golang.org/x/crypto v0.19.0 // indirect
	google.golang.org/appengine v1.6.8 // indirect
	google.golang.org/protobuf v1.31.0 // indirect
)
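The review above turns on two go.mod directives that a "bump dependency" PR should not touch: the `go` line (the minimum Go version imposed on every importer) and a `toolchain` pin. The following is an added example, not code from go-oidc or from either participant: a small Go check that diffs two go.mod files and separates the expected require-version bumps from an unexpected go-directive raise or toolchain pin, the kind of guard one would run in CI on a chore PR. The parser is a minimal hand-written one (not golang.org/x/mod/modfile), and the three embedded go.mod texts are constructed from the versions quoted in this thread (the pre-bump go-jose v3.0.1 and x/crypto v0.14.0 come from the maintainer's `go get` output; the PR variant adds `go 1.21` and `toolchain go1.21.5` as shown in the diff).

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// ModSummary holds the go.mod directives that matter when reviewing a dependency bump.
type ModSummary struct {
	GoVersion string            // value of the `go` directive
	Toolchain string            // value of the `toolchain` directive, "" if absent
	Requires  map[string]string // module path -> version, direct and indirect
}

// ParseGoMod is a minimal go.mod parser (an assumption of this example, not
// golang.org/x/mod/modfile): it handles module/go/toolchain lines and both
// single-line and block `require` directives, ignoring `//` comments.
func ParseGoMod(src string) ModSummary {
	s := ModSummary{Requires: map[string]string{}}
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip trailing comments such as "// indirect"
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case inRequire:
			if fields[0] == ")" {
				inRequire = false
			} else if len(fields) >= 2 {
				s.Requires[fields[0]] = fields[1]
			}
		case fields[0] == "require":
			if len(fields) == 2 && fields[1] == "(" {
				inRequire = true
			} else if len(fields) >= 3 {
				s.Requires[fields[1]] = fields[2]
			}
		case fields[0] == "go" && len(fields) >= 2:
			s.GoVersion = fields[1]
		case fields[0] == "toolchain" && len(fields) >= 2:
			s.Toolchain = fields[1]
		}
	}
	return s
}

// ReviewBump compares an old and a new go.mod. It returns the require-version
// changes (sorted, so output is deterministic) and a list of flags for changes
// a dependency bump should not carry: a changed `go` directive or a newly
// introduced `toolchain` pin.
func ReviewBump(oldSrc, newSrc string) (bumps []string, flags []string) {
	o, n := ParseGoMod(oldSrc), ParseGoMod(newSrc)
	for path, nv := range n.Requires {
		if ov, ok := o.Requires[path]; !ok {
			bumps = append(bumps, fmt.Sprintf("added %s %s", path, nv))
		} else if ov != nv {
			bumps = append(bumps, fmt.Sprintf("%s %s => %s", path, ov, nv))
		}
	}
	sort.Strings(bumps)
	if o.GoVersion != n.GoVersion {
		flags = append(flags, fmt.Sprintf("go directive changed %s => %s (raises the minimum Go version for all importers)", o.GoVersion, n.GoVersion))
	}
	if n.Toolchain != "" && o.Toolchain == "" {
		flags = append(flags, fmt.Sprintf("toolchain %s pinned (not present before)", n.Toolchain))
	}
	return bumps, flags
}

// Constructed sample inputs modelled on the versions quoted in the thread.
const oldGoMod = "module github.com/coreos/go-oidc/v3\n\ngo 1.19\n\nrequire (\n\tgithub.com/go-jose/go-jose/v3 v3.0.1\n\tgolang.org/x/net v0.17.0\n\tgolang.org/x/oauth2 v0.13.0\n)\n\nrequire (\n\tgithub.com/golang/protobuf v1.5.3 // indirect\n\tgolang.org/x/crypto v0.14.0 // indirect\n\tgoogle.golang.org/appengine v1.6.8 // indirect\n\tgoogle.golang.org/protobuf v1.31.0 // indirect\n)\n"

// What the maintainer got from `go get` + `go mod tidy`: only the require block moves.
const maintainerGoMod = "module github.com/coreos/go-oidc/v3\n\ngo 1.19\n\nrequire (\n\tgithub.com/go-jose/go-jose/v3 v3.0.3\n\tgolang.org/x/net v0.17.0\n\tgolang.org/x/oauth2 v0.13.0\n)\n\nrequire (\n\tgithub.com/golang/protobuf v1.5.3 // indirect\n\tgolang.org/x/crypto v0.19.0 // indirect\n\tgoogle.golang.org/appengine v1.6.8 // indirect\n\tgoogle.golang.org/protobuf v1.31.0 // indirect\n)\n"

// The PR variant (constructed from the diff snippets): same bumps plus a raised go directive and a toolchain pin.
const prGoMod = "module github.com/coreos/go-oidc/v3\n\ngo 1.21\n\ntoolchain go1.21.5\n\nrequire (\n\tgithub.com/go-jose/go-jose/v3 v3.0.3\n\tgolang.org/x/net v0.17.0\n\tgolang.org/x/oauth2 v0.13.0\n)\n\nrequire (\n\tgithub.com/golang/protobuf v1.5.3 // indirect\n\tgolang.org/x/crypto v0.19.0 // indirect\n\tgoogle.golang.org/appengine v1.6.8 // indirect\n\tgoogle.golang.org/protobuf v1.31.0 // indirect\n)\n"

func main() {
	for name, newSrc := range map[string]string{"maintainer": maintainerGoMod, "pr": prGoMod} {
		bumps, flags := ReviewBump(oldGoMod, newSrc)
		fmt.Printf("%s: bumps=%v flags=%v\n", name, bumps, flags)
	}
}
```

Run against the maintainer's go.mod the check reports only the two version bumps; run against the PR's variant it additionally flags the `go 1.19 => 1.21` change and the `toolchain go1.21.5` pin, which is exactly the review feedback below.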

@@ -1,17 +1,19 @@
module github.com/coreos/go-oidc/v3

go 1.19
go 1.21
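Review bot: the `go` directive moves from 1.19 to 1.21 in this hunk, which raises the minimum Go version for every module that imports go-oidc, and nothing in the go-jose v3.0.3 bump needs it: the maintainer's `go get` followed by `go mod tidy` above lands on go-jose v3.0.3 and x/crypto v0.19.0 with `go 1.19` untouched. Keep `go 1.19` and limit the change to the require blocks.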
Collaborator

To the best of my knowledge, this directive describes "this package can only be used with go 1.21 and up." But this package works fine with older versions

go 1.19
go 1.21

toolchain go1.21.5
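Review bot: `toolchain go1.21.5` pins one specific patch release of the Go toolchain in a library module, and the maintainer does not get this line when reproducing the bump locally, so it is an artefact of the author's setup rather than part of the fix. Drop it together with the `go 1.21` change so the diff carries only the go-jose and x/crypto version bumps.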
Collaborator

Wouldn't expect us to pin a specific toolchain version like this

@bcandeias
Author

@ericchiang sorry but I could only get to this now. You're right, I let these changes slide in with my local setup.
In the meantime I saw you did bump to 4.
Thanks, and apologies for not being more of a help 😅
Closing this PR.

@bcandeias bcandeias closed this Mar 21, 2024
@bcandeias bcandeias deleted the chore-dep-go-jose branch March 21, 2024 08:07
Successfully merging this pull request may close these issues.

Upgrade go-jose to fix CVE-2024-28180
3 participants