Update dependencies, Go toolchain, CI actions to latest #151

Merged
mbilski merged 2 commits into master from chore/deps-update
Apr 29, 2026
mbilski (Contributor) commented Apr 29, 2026

Summary

  • Bump Go to 1.26 (.mise.toml, go.mod, all GitHub workflows)
  • Bump golangci-lint to 2.11.4 (.mise.toml; lint workflow pinned to v2.11)
  • Bump goreleaser/goreleaser-action to v7
  • Update Go module deps to latest patch/minor (gojq 0.12.19, testify 1.11.1, validator 10.30.2, pterm 0.12.83, mimetype 1.4.13, uax29/v2 2.7.0, golang.org/x/{crypto,sys,term,text} family)
  • Migrate go-jose v3 → v4 — adds internal/oauth2/jose_algos.go with comprehensive JWS/JWE algorithm allowlists (v4 now requires explicit algorithm lists at every Parse* call site)
  • Replace WriteString(fmt.Sprintf(...)) with fmt.Fprintf in internal/oauth2/error.go to satisfy the new staticcheck QF1012 rule introduced by the bumped linter

Test plan

  • go build ./...
  • go test ./... — all packages pass
  • golangci-lint run — 0 issues
  • Verify CI green on this PR
  • Smoke-test a couple of OAuth2 flows that exercise signed/encrypted JWTs (request objects, JARM) to confirm the v4 algorithm allowlists cover real-world configurations

🤖 Generated with Claude Code

mbilski and others added 2 commits April 29, 2026 10:32
- Bump Go to 1.26 (mise.toml, go.mod, all workflows)
- Bump golangci-lint to 2.11.4 (mise.toml, lint workflow to v2.11)
- Bump goreleaser-action to v7
- Update Go module deps to latest patch/minor versions
  (gojq 0.12.19, testify 1.11.1, validator 10.30.2, pterm 0.12.83,
  golang.org/x/* family, mimetype, uax29, go-jose v3.0.5, etc.)
- Replace WriteString(fmt.Sprintf(...)) with fmt.Fprintf to satisfy
  the new staticcheck QF1012 rule

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

v4 requires explicit algorithm allowlists for ParseSigned,
ParseEncrypted, and ParseSignedAndEncrypted. Add JOSE algorithm
constants in internal/oauth2/jose_algos.go covering every standard
JWS/JWE algorithm so this OAuth2 testing tool keeps working against
servers regardless of their algorithm choices, and pass them at every
call site.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

mbilski enabled auto-merge (squash) April 29, 2026 08:57
mbilski merged commit d8a5b36 into master Apr 29, 2026
2 checks passed
mbilski deleted the chore/deps-update branch April 29, 2026 08:59
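
The go-jose v4 migration described above makes every Parse* call site state which algorithms it accepts. As an added example (standard library only, not code from this PR or from go-jose), the sketch below shows the kind of header check such an allowlist implies and how a broad test-tool list differs from a strict relying-party list. The names `checkJWSAlg`, `strictAlgs`, `broadAlgs` and `token` are hypothetical, and the tokens are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical allowlists for illustration, not the contents of jose_algos.go.
var (
	b64        = base64.RawURLEncoding
	strictAlgs = []string{"RS256", "ES256"} // a relying party pins what it issues
	broadAlgs  = []string{"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
		"ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"}
	ErrAlgNotAllowed = errors.New("alg not in allowlist")
)

// checkJWSAlg rejects a compact JWS whose header alg is not in allowed, before any key is used.
func checkJWSAlg(compact string, allowed []string) (string, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return "", errors.New("compact JWS must have three parts")
	}
	raw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", errors.New("malformed protected header")
	}
	for _, a := range allowed {
		if a == hdr.Alg {
			return hdr.Alg, nil
		}
	}
	return hdr.Alg, fmt.Errorf("%w: %q", ErrAlgNotAllowed, hdr.Alg)
}

// token builds a constructed compact JWS: empty payload, dummy signature.
func token(alg string) string {
	return b64.EncodeToString([]byte(`{"alg":"`+alg+`"}`)) + ".e30.c2ln"
}

func main() {
	for _, alg := range []string{"RS256", "HS256", "none"} {
		_, err := checkJWSAlg(token(alg), strictAlgs)
		fmt.Printf("%-6s strict allowlist: %v\n", alg, err)
	}
}
```

A broad list suits a testing tool that must talk to arbitrary servers; a service that validates its own tokens should pass only the algorithms it actually issues.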