Changed the package dep version to fix security vulnerability #2844
Conversation
Signed-off-by: nikita15p <nikita15p@gmail.com>
Hi! Isn't it advised to move from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt/v4 instead?
Yeah, if this repo has vulnerabilities, best to switch to something that is maintained.
@mmorel-35 @jpeach agreed and made changes to this PR. Thanks!
It seems like tests are failing. And did you run go mod tidy? I don't see the deletion of the old library in the go.sum.
3b7201b to cc42b84
Signed-off-by: nikita15p <nikita15p@gmail.com>
Yes I did. (It's there in make check also.) But it will remain there since some dependencies which we use still use that package. For example: github.com/spiffe/spire@v0.12.3
Alright! I see 😊!
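The point made in the exchange above, that github.com/dgrijalva/jwt-go stays in go.sum because github.com/spiffe/spire still requires it, is the check a reviewer of a dependency swap wants made explicit: a go.sum entry by itself does not say whether a module is still in the build graph, while go mod why -m <module> or go mod graph does. The following is an added example, not code from this PR or from the project: it parses the text that go mod graph prints (one "dependant dependency" pair per line, the main module without a version suffix) from a constructed sample and walks it breadth-first to report the chain that keeps a given module in the graph. The main module name example.com/app, the version strings and the sample graph are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is a constructed stand-in for the output of `go mod graph`.
// It is not taken from the project; it models the situation in the PR thread:
// the main module now requires golang-jwt/jwt/v4, but a transitive dependency
// (spiffe/spire) still requires the old dgrijalva/jwt-go module.
const sampleGraph = `example.com/app github.com/golang-jwt/jwt/v4@v4.0.0
example.com/app github.com/spiffe/spire@v0.12.3
github.com/spiffe/spire@v0.12.3 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/spiffe/spire@v0.12.3 golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110
example.com/app golang.org/x/net@v0.0.0-20210226172049-e18ecbb05110
`

// ParseGraph turns `go mod graph` text into adjacency lists keyed by
// "module@version" (or the bare module path for the main module).
func ParseGraph(text string) map[string][]string {
	edges := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
	}
	return edges
}

// modulePath strips the "@version" suffix so any version of a module matches.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// FindPath does a breadth-first search from root and returns the shortest
// requirement chain that reaches any version of the target module path,
// or nil when the module is not in the graph at all.
func FindPath(edges map[string][]string, root, target string) []string {
	type item struct {
		node string
		path []string
	}
	visited := map[string]bool{root: true}
	queue := []item{{root, []string{root}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur.node) == target {
			return cur.path
		}
		for _, next := range edges[cur.node] {
			if visited[next] {
				continue
			}
			visited[next] = true
			// Copy the path so sibling branches do not share a backing array.
			p := append(append([]string{}, cur.path...), next)
			queue = append(queue, item{next, p})
		}
	}
	return nil
}

func main() {
	edges := ParseGraph(sampleGraph)
	for _, target := range []string{
		"github.com/dgrijalva/jwt-go",
		"github.com/golang-jwt/jwt/v4",
		"example.com/not-required", // constructed: a module absent from the graph
	} {
		if path := FindPath(edges, "example.com/app", target); path != nil {
			fmt.Printf("%s is still required via:\n  %s\n", target, strings.Join(path, "\n  -> "))
		} else {
			fmt.Printf("%s is not in the module graph\n", target)
		}
	}
}
```

Run against real output by piping go mod graph into a file and reading it instead of sampleGraph. Being in the module graph is still not the same as being linked into a binary: for the final answer to "does our build ship the vulnerable code", go version -m <binary> lists the modules actually compiled in.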
Codecov Report
@@            Coverage Diff             @@
##           master    #2844      +/-   ##
==========================================
+ Coverage   52.34%   52.35%   +0.01%
==========================================
  Files         888      888
  Lines       51798    51798
==========================================
+ Hits        27113    27120       +7
+ Misses      22534    22524      -10
- Partials     2151     2154       +3
Signed-off-by: nikita15p <nikita15p@gmail.com> (cherry picked from commit 1d52756)
Signed-off-by: nikita15p <nikita15p@gmail.com>
Summary
The github.com/golang-jwt/jwt/v4 package is the active package with the fix for the vulnerability.
Full changelog
With this change, the secure version of the jwt-go package is used.
Issues resolved
Fix #XXX
Documentation
NA
Testing
Backwards compatibility
backport-to-stable label if the code is backwards compatible. Otherwise, list breaking changes.