Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update module github.com/go-jose/go-jose/v3 to v4 #214

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 2, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-jose/go-jose/v3 v3.0.3 -> v4.0.4 age adoption passing confidence

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
    breaking change. See #​136 / #​137.

v4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
  • Dependency updates

v4.0.2: Version 4.0.2

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.1...v4.0.2

v4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj)
    for reporting.

v4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly
address the vulnerabilities discussed in Three New Attacks Against JSON Web
Tokens
, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)
  • Enforce minimum length for HMAC keys (#​85)
  • jwt: match any audience in a list, rather than requiring all audiences (#​81)
  • jwt: accept only Compact Serialization (#​75)
  • jws: Add expected algorithms for signatures (#​74)
  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#​69, #​74)
    • Usually there is a small, known set of appropriate algorithms for a program
      to use and it's a mistake to allow unexpected algorithms. For instance the
      "billion hash attack" relies in part on programs accepting the PBES2
      encryption algorithm and doing the necessary work even if they weren't
      specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#​82)
  • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and
      ParseEncrypted, which try to automatically detect which serialization was
      provided. It's common to require a specific serialization for a specific
      protocol - for instance JWT requires Compact serialization.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 998eb26 to 60afa16 Compare April 4, 2024 21:48
@renovate renovate bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 60afa16 to 75c6439 Compare May 13, 2024 22:16
@renovate renovate bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 75c6439 to a7a191e Compare June 17, 2024 13:49
@renovate renovate bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from a7a191e to fbf7f5d Compare July 9, 2024 22:08
@renovate renovate bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from fbf7f5d to 6b5e2bb Compare July 27, 2024 03:51
@renovate renovate bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 6b5e2bb to f1cae3e Compare August 8, 2024 16:37
@renovate renovate bot requested review from a team as code owners August 8, 2024 16:37
@renovate renovate bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from f1cae3e to f2d44fb Compare August 8, 2024 16:45
@mikemrm
Copy link
Contributor

mikemrm commented Aug 8, 2024

Can't upgrade to v4 until go.step.sm/crypto/jose is upgraded to support v4.

@mikemrm mikemrm closed this Aug 8, 2024
Copy link
Contributor Author

renovate bot commented Aug 8, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/github.com-go-jose-go-jose-v3-4.x branch August 8, 2024 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant