Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4#1141

Merged
calebbrown merged 1 commit into main from dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4 on May 15, 2026
Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github May 15, 2026

Bumps github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4.

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 15, 2026
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4 branch from 597394c to 650da24 Compare May 15, 2026 00:37
@calebbrown calebbrown enabled auto-merge (squash) May 15, 2026 00:39
@kusari-inspector kusari-inspector Bot commented May 15, 2026

Kusari Inspector

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Both dependency and code security analyses independently recommend proceeding with this PR. The change updates github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4, directly remediating a high-severity denial-of-service vulnerability (GHSA-78h2-9frx-2jm8 / CVE-2026-34986) that caused a panic during JWE decryption when the encrypted_key field is empty. The updated version v4.1.4 carries no known advisories, is the current latest release, and scores 10/10 on maintenance and code review metrics. Licenses remain permissive (Apache-2.0, BSD-3-Clause). Code analysis returned zero findings across all severity levels, with no secrets or workflow issues detected in the scanned files. This is a low-risk, high-benefit security patch with a clear remediation purpose and no offsetting concerns from either analysis.

Note

View full detailed analysis result for more information on the output and the checks that were run.


@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 650da24, performed at: 2026-05-15T02:01:53Z

@calebbrown calebbrown merged commit 9f88b60 into main May 15, 2026
10 of 12 checks passed
@calebbrown calebbrown deleted the dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4 branch May 15, 2026 00:42
@kusari-inspector kusari-inspector Bot: Kusari PR Analysis rerun based on 650da24, performed at 2026-05-15T00:56:01Z (link to updated analysis)

@kusari-inspector kusari-inspector Bot: Kusari PR Analysis rerun based on 650da24, performed at 2026-05-15T02:02:07Z (link to updated analysis)
