Consider upgrading version of jwt-go to fix security vulnerability

[lodi-g]

Hi,

The dependency jwt-go has a security vulnerability in all versions <4.0.0: dgrijalva/jwt-go#428 .
Please consider upgrading to the latest version (v4.0.0-preview1) or switching for another library.

Thanks!

[github-actions]

Hi! Thank you for taking the time to create your first issue! Really cool to see you here for the first time. Please give us a bit of time to review it.

[benjivesterby]

@andygrunwald @ghostsquad Perhaps we should set up dependabot so that it can auto-pr package upgrades and merge if the CI passes?

[andygrunwald]

Everything is activated already. Is there anything else to do from our side?

Is there a way to check if this vuln is already caught up by the bot?

[benjivesterby]

Hmm I'm not sure. Do you have it setup here? https://app.dependabot.com/accounts/andygrunwald

[andygrunwald]

Thanks @benjivesterby
Dependabot is now working. PRs are incoming. Until now, no one for go-jwt.
Maybe we wait a bit and/or do it by hand :)

[benjivesterby]

@andygrunwald no problem. I would suspect that it will auto-PR it. When I've had a security vuln pop on my libs before it took a couple days before dependabot updated. If not that we can keep an eye and do it manually.

[lodi-g]

Thank you for your reactivity!
Please keep in mind that the newest version of jwt-go is a "preview" version so it might not be publised at the "latest" but more in a beta form, we should make sure it does not break anything before upgrading.

[yarlson]

@andygrunwald https://github.com/dgrijalva/jwt-go has been abondoned (see dgrijalva/jwt-go#462). In order to fix the vulnarability we have to switch to a community driven fork https://github.com/golang-jwt/jwt . The issue has been fixed in golang-jwt/jwt#12