Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update module gopkg.in/go-jose/go-jose.v2 to v4 #9

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jun 17, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
gopkg.in/go-jose/go-jose.v2 v2.6.3 -> v4.0.4 age adoption passing confidence

Release Notes

go-jose/go-jose (gopkg.in/go-jose/go-jose.v2)

v4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
    breaking change. See #​136 / #​137.

v4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
  • Dependency updates

v4.0.2

Compare Source

Changed

  • Improved documentation of Verify() to note that JSONWebKeySet is a supported
    argument type (#​104)
  • Defined exported error values for missing x5c header and unsupported elliptic
    curves error cases (#​117)

v4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj)
    for reporting.

v4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly
address the vulnerabilities discussed in Three New Attacks Against JSON Web
Tokens
, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)
  • Enforce minimum length for HMAC keys (#​85)
  • jwt: match any audience in a list, rather than requiring all audiences (#​81)
  • jwt: accept only Compact Serialization (#​75)
  • jws: Add expected algorithms for signatures (#​74)
  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#​69, #​74)
    • Usually there is a small, known set of appropriate algorithms for a program
      to use and it's a mistake to allow unexpected algorithms. For instance the
      "billion hash attack" relies in part on programs accepting the PBES2
      encryption algorithm and doing the necessary work even if they weren't
      specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#​82)
  • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and
      ParseEncrypted, which try to automatically detect which serialization was
      provided. It's common to require a specific serialization for a specific
      protocol - for instance JWT requires Compact serialization.

v3.0.3: Version 3.0.3

Compare Source

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2

Compare Source

Fixed

  • DecryptMulti: handle decompression error (#​19)

Changed

  • jwe/CompactSerialize: improve performance (#​67)
  • Increase the default number of PBKDF2 iterations to 600k (#​48)
  • Return the proper algorithm for ECDSA keys (#​45)

Added

  • Add Thumbprint support for opaque signers (#​38)

v3.0.1

Compare Source

Fixed

v3.0.0: Version 3.0.0

Compare Source

First release after moving from square/go-jose to the new go-jose/go-jose repository.

Fixes & Improvements
a10ff54 - Fix for EC thumbprint template so we compute EC thumbprints correctly
30f4a6a - Treat zero Expected.Time as now in Claims.Validate when verifying JWTs
4ac8eda - Fix handling of the x5u header (X.509 certificate URL) in JWKs
d7b900b - Strip padding off base64 strings, to match spec per RFC7515 Appendix C
7f81482 - Extract key from JWKs to ensure you can use it when verifying a detached signature
e225b2d - Support non-pointer JWKs to match behavior for other key types
94cbec2 - Use ed25519 from the stdlib instead of the golang.org/x/crypto version
eae0da4 - Export jose-util helpers as they might be useful for others
4bac79d - Fix issue square#182 that caused panic on claims with invalid JWT payload
60a6e9d - Use string.Builder to remove whitespace, instead of a regexp to improve performance
2009556 - Better error handling to avoid panic that can be caused by invalid headers

This release also cleans up a number of module references for the new repo migration, fixed some typos in comments, and more.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - "at 10am on Monday except on 25th of December in 2023 and 1st of January 2024 and 1st of April 2024 and 20th of May 2024 and 19th of August 2024" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link
Author

renovate bot commented Jun 17, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: gopkg.in/go-jose/[email protected]: parsing go.mod:
	module declares its path as: github.com/go-jose/go-jose/v4
	        but was required as: gopkg.in/go-jose/go-jose.v4

@renovate renovate bot force-pushed the renovate/gopkg.in-go-jose-go-jose.v2-4.x branch from 86ce38b to 38977ba Compare July 10, 2024 05:03
@renovate renovate bot added the go label Jul 10, 2024
@renovate renovate bot force-pushed the renovate/gopkg.in-go-jose-go-jose.v2-4.x branch from 38977ba to ef5f62d Compare July 27, 2024 05:52
@gaborpongracz
Copy link

Renovate PRs should not be done until we have decided on the AUTH flow.

For more info please check this page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant