
chore(deps): update module github.com/go-jose/go-jose/v3 to v4 #1816


Open
wants to merge 1 commit into
base: main

renovate-rancher[bot]
Contributor
@renovate-rancher renovate-rancher bot commented Feb 8, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/go-jose/go-jose/v3 | require | major | v3.0.4 -> v4.1.0 |

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.5...v4.1.0

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
    breaking change. See #​136 / #​137.

v4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
  • Dependency updates

v4.0.2

Compare Source

Changed

  • Improved documentation of Verify() to note that JSONWebKeySet is a supported
    argument type (#​104)
  • Defined exported error values for missing x5c header and unsupported elliptic
    curves error cases (#​117)

v4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj)
    for reporting.

v4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly
address the vulnerabilities discussed in Three New Attacks Against JSON Web
Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)
  • Enforce minimum length for HMAC keys (#​85)
  • jwt: match any audience in a list, rather than requiring all audiences (#​81)
  • jwt: accept only Compact Serialization (#​75)
  • jws: Add expected algorithms for signatures (#​74)
  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#​69, #​74)
    • Usually there is a small, known set of appropriate algorithms for a program
      to use and it's a mistake to allow unexpected algorithms. For instance the
      "billion hash attack" relies in part on programs accepting the PBES2
      encryption algorithm and doing the necessary work even if they weren't
      specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#​82)
    • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and
      ParseEncrypted, which try to automatically detect which serialization was
      provided. It's common to require a specific serialization for a specific
      protocol - for instance JWT requires Compact serialization.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
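The v4.0.0 notes above require callers to state the expected algorithms, accept only Compact Serialization for JWT, reject padded base64url, and enforce a minimum HMAC key length. The following is an added example of those checks for HS256 using only the Go standard library; it is not go-jose's API or code, and `verifyHS256`, `tag` and the error names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
)

var ( // error names are hypothetical, chosen for this example
	ErrFormat = errors.New("not a compact JWS")
	ErrAlg    = errors.New("algorithm not in expected set")
	ErrKey    = errors.New("HMAC key shorter than hash output")
	ErrSig    = errors.New("signature mismatch")
	b64       = base64.RawURLEncoding // unpadded base64url; '=' is rejected
)
// tag returns the unpadded base64url HMAC-SHA256 of a JWS signing input.
func tag(signingInput string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

// verifyHS256 checks alg against the caller's allow-list before any key work.
func verifyHS256(token string, key []byte, expected []string) ([]byte, error) {
	p := strings.Split(token, ".")
	var h struct{ Alg string `json:"alg"` }
	hdr, err := b64.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(hdr, &h) != nil {
		return nil, ErrFormat // Compact Serialization only
	}
	if !slices.Contains(expected, h.Alg) || h.Alg != "HS256" {
		return nil, ErrAlg // unexpected, or not implemented in this sketch
	}
	if len(key) < sha256.Size { // RFC 7518 section 3.2 minimum key size
		return nil, ErrKey
	}
	if !hmac.Equal([]byte(p[2]), []byte(tag(p[0]+"."+p[1], key))) {
		return nil, ErrSig
	}
	return b64.DecodeString(p[1])
}

func main() { // constructed token: header {}, payload {}, empty signature
	fmt.Println(verifyHS256("e30.e30.", nil, []string{"HS256"}))
}
```

The algorithm check runs before the key length check and the MAC computation, so a token naming an unexpected algorithm is rejected without any cryptographic work being done on it.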

@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch 4 times, most recently from 7e70b4c to dd947f5 Compare February 15, 2025 04:39
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch 4 times, most recently from 891d06c to b12bb33 Compare February 26, 2025 04:40
@renovate-rancher renovate-rancher bot changed the title chore(deps): update module github.com/go-jose/go-jose/v3 to v4 chore(deps): update module github.com/go-jose/go-jose/v3 to v4 - autoclosed Feb 27, 2025
@renovate-rancher renovate-rancher bot closed this Feb 27, 2025
@renovate-rancher renovate-rancher bot deleted the renovate/github.com-go-jose-go-jose-v3-4.x branch February 27, 2025 04:40
@renovate-rancher renovate-rancher bot changed the title chore(deps): update module github.com/go-jose/go-jose/v3 to v4 - autoclosed chore(deps): update module github.com/go-jose/go-jose/v3 to v4 Mar 5, 2025
@renovate-rancher renovate-rancher bot reopened this Mar 5, 2025
@renovate-rancher renovate-rancher bot restored the renovate/github.com-go-jose-go-jose-v3-4.x branch March 5, 2025 04:40
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from b12bb33 to de1d1d9 Compare March 5, 2025 06:43
@renovate-rancher renovate-rancher bot changed the title chore(deps): update module github.com/go-jose/go-jose/v3 to v4 Update module github.com/go-jose/go-jose/v3 to v4 Mar 5, 2025
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from de1d1d9 to 0fd2b3a Compare March 8, 2025 04:37
Contributor Author
renovate-rancher bot commented Mar 8, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: mod upgrade --mod-name=github.com/go-jose/go-jose/v3 -t=4
could not load package: err: exit status 1: stderr: go: inconsistent vendoring in /tmp/renovate/repos/github/neuvector/neuvector:
	github.com/go-jose/go-jose/v4@v4.1.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/go-jose/go-jose/v4@v4.0.5: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod

	To ignore the vendor directory, use -mod=readonly or -mod=mod.
	To sync the vendor directory, run:
		go mod vendor


@renovate-rancher renovate-rancher bot changed the title Update module github.com/go-jose/go-jose/v3 to v4 chore(deps): update module github.com/go-jose/go-jose/v3 to v4 Mar 8, 2025
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch 2 times, most recently from 32875ad to 33764fb Compare March 12, 2025 18:03
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 33764fb to 643a523 Compare March 21, 2025 15:42
@holyspectral holyspectral added upstream Upstream issue and removed upstream Upstream issue labels Mar 21, 2025
@holyspectral holyspectral force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 643a523 to 3ec7255 Compare March 21, 2025 19:48
@holyspectral holyspectral requested a review from a team as a code owner March 21, 2025 19:48
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 3ec7255 to ea6e7b9 Compare March 22, 2025 04:40
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from ea6e7b9 to 3fa047f Compare April 8, 2025 19:00
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 3fa047f to f016b36 Compare May 2, 2025 04:42
@renovate-rancher renovate-rancher bot changed the title chore(deps): update module github.com/go-jose/go-jose/v3 to v4 Update module github.com/go-jose/go-jose/v3 to v4 May 2, 2025
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from f016b36 to 5a14ff8 Compare May 2, 2025 16:44
@renovate-rancher renovate-rancher bot changed the title Update module github.com/go-jose/go-jose/v3 to v4 chore(deps): update module github.com/go-jose/go-jose/v3 to v4 May 7, 2025
@renovate-rancher renovate-rancher bot force-pushed the renovate/github.com-go-jose-go-jose-v3-4.x branch from 5a14ff8 to 91f5a4a Compare May 9, 2025 04:41