Go: Bump github.com/nats-io/nats-server/v2 from 2.1.9 to 2.2.0 in /lib/go

[dependabot]

Bumps github.com/nats-io/nats-server/v2 from 2.1.9 to 2.2.0.

Release notes

Sourced from github.com/nats-io/nats-server/v2's releases.

Release v2.2.0

Changelog

Go Version

• 1.16.2: Both release executables and Docker images are built with this Go release.

Added

• JetStream, our new persistence offering
• Websocket support (#1309)
  • Websocket Leafnode connections (#1858)
  • Cookie JWT authentication for Websocket. Thanks to #pas2k for the contribution (#1477)
• MQTT Support (#1754)
  • Allow BearerToken as MQTT authentication method. Thanks to @​angiglesias for the contribution (#1840)
• Monitoring:
  • New Endpoint: jsz for JetStream (#1881)
  • New Endpoint /accountz (#1611)
  • Value of GOMAXPROCS in /varz endpoint (#1304)
  • Ability to include subscription details in monitoring responses (#1318)
  • Endpoints now available via system services (#1362)
  • Base path for monitoring endpoints. Thanks to @​guilherme-santos for the contribution (#1392)
  • Filtering by account for /leafz and exposing this as per account subject (#1612)
  • Support for tags and filter PING monitoring requests by tags (#1832)
  • JWT/IssuerKey/NameTag/Tags to monitoring and event endpoints (#1830)
  • tls_required, tls_verify and tls_timeout to Cluster/Gateway/Leafnode sections under /varz (#1854)
  • Operator JWT to /varz (#1862)
  • system_account to /varz (#1898)
• Options
  • lame_duck_grace_period (#1460)
  • sys_trace or --sys_trace command line to trace the system account (#1295)
  • resolver_tls to specify TLS configuration for account resolver. Thanks to @​JnMik for the report (#1272)
  • allowed_connection_types to restrict which type connections (STANDARD, WEBSOCKET, etc..) can authenticate with a specific user (#1594)
  • verify_cert_and_check_known_urls to tie subject ALT name to URL in configuration (#1727)
  • account_token_position to simplify the securing of imports without requiring a token (#1874)
• Support for JWT BearerToken (#1226)
• Accounts default permissions (#1398)
• Printing of the configuration file being used in the startup banner. Thanks to @​rmoriz for the report (#1473)
• Checks for CIDR blocks and connect time ranges specified in JWTs (#1567)
• Support for route hostname resolution. Thanks to @​israellot for the report (#1590)
• Account name checks for Leafnodes in operator mode (#1739)
• User JWT payload and subscriber limits (#1570)
• Ability to use JWT latency sampling properties "headers" and "share" (#1776)
• Support for wildcard services and import remapping by JWT (#1790)
• Support for JWT export response threshold (#1793)
• Enforcement and usage of scoped signing keys (#1805)
• Support for StrictSigningKeyUsage (#1845)
• Support for JWT based account mappings (#1897)
• Build for mips64le platform. Thanks to @​duchuanLX for the contribution (#1885)

Changed

... (truncated)

Commits

• 0e3c723 Merge pull request #2007 from nats-io/release_2_2_0
• 0d5b037 Release v2.2.0
• 6764130 Merge pull request #2006 from nats-io/li
• e84f845 Avoid lock inversions.
• 4d15658 Merge pull request #1996 from nats-io/updates
• e530c98 We no longer force remove our peer on out of space.
• 423b794 Merge pull request #2004 from nats-io/jwt-issue
• 4f8931e Merge pull request #2005 from nats-io/rm-dockerfile-alpine
• e2287c6 Delete Dockerfile.alpine
• eb1a91d [fixed] private import issue by pulling in up to date jwt library
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[aviary3-wk]

Security Insights

(3) Vulnerable direct dependencies were detected

1 vulns in aiohttp < 3.7.4 via lib/python/requirements_dev_asyncio.txt

1 vulns in org.apache.thrift:libthrift < 0.14.0 via examples/java/pom.xml

1 vulns in org.apache.thrift:libthrift < 0.14.0 via test/integration/java/frugal-integration-test/pom.xml

Action Items

• Review dependencies for available updates
• See this Splunk dashboard for more CVE details
• Review PR for security impact; comment "security review required" if needed or unsure
• Verify aviary.yaml coverage of security relevant code

---

Questions or Comments? Reach out on Slack: #support-infosec.

[charliekump-wf]

@dependabot rebase

[charliekump-wf]

+1

@Workiva/release-management-p ready for merge.

[rmconsole-wf]

+1 from RM