Replace github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt #13378
Conversation
ysksuzuki
force-pushed
the
replace-jwt-go
branch
from
4e22883
to
9fbef6a
Compare
|
github.com/golang-jwt/jwt v3.2.2 added ed25519 support but go 1.12 doesn't support crypto/ed25519 package. So I replaced it with github.com/golang-jwt/jwt v3.2.1 which also has the CVE fix. |
ysksuzuki
force-pushed
the
replace-jwt-go
branch
from
9fbef6a
to
2ae540d
Compare
|
I fixed a commit message format error and confirmed that the test following passed on my local ubuntu 20.04 with go 1.15.13. $ GOARCH=amd64 PASSES='fmt bom dep' ./test
$ ./build && GOARCH=amd64 PASSES='functional' RACE="false" ./test
$ GOARCH=amd64 CPU=4 PASSES='integration' RACE="false" ./test |
…lang-jwt/jwt github.com/dgrijalva/jwt-go has CVE GHSA-w73w-5m7g-f7qc and is already archived. etcd v3.4 should use a community maintained fork github.com/golang-jwt/jwt which provides the fixed version of the CVE. Signed-off-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp>
Update go to 1.15.15 which is the latest of 1.15 because linux-amd64-fmt fails with go 1.15.13. Signed-off-by: Yusuke Suzuki <yusuke-suzuki@cybozu.co.jp>
ysksuzuki
force-pushed
the
replace-jwt-go
branch
from
2ae540d
to
e63d058
Compare
|
I also updated go to 1.15.15 on the workflow file because linux-amd64-fmt doesn't pass with go 1.15.13 anymore. |
|
Now I could confirm that all jobs passed on my forked repository. |
|
It seems that some jobs failed because of flaky tests. Please rerun the jobs. |
|
One job failed. Please rerun it or let me rerun jobs by myself if I can. As far as I know this flakiness is a known issue and is being handled on #13167 |
|
Thank you for reviewing my PR!
Do you mean to add a v3.4.17 section and describe the change in dependency on the main branch something like this? |
|
Thank you for releasing v3.4.17 including this fix! |
|
I added the CL no worries, thanks for the assist! |
This PR is related to #13254.
etcd v3.4 still depends on github.com/dgrijalva/jwt-go which has CVE GHSA-w73w-5m7g-f7qc and is already archived. etcd v3.4 should use a community maintained fork github.com/golang-jwt/jwt which provides the fixed version of the CVE.
Signed-off-by: Yusuke Suzuki yusuke-suzuki@cybozu.co.jp