chore(deps): update module github.com/go-jose/go-jose/v3 to v4 by mend-for-github-com[bot] · Pull Request #10 · amplify-education/consul

mend-for-github-com · 2025-02-25T18:08:17Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/go-jose/go-jose/v3	`v3.0.0` -> `v4.0.5`

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	CVE
High	7.5	CVE-2025-27144
Medium	6.5	WS-2023-0431
Medium	4.3	CVE-2024-28180

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

`v4.0.5`

Compare Source

What's Changed

Don't allow unbounded amounts of splits by @mcpherrinm in https://github.com/go-jose/go-jose/pull/167

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

@tgeoghegan made their first contribution in https://github.com/go-jose/go-jose/pull/161

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

`v4.0.4`

Compare Source

Fixed

Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
breaking change. See #136 / #137.

`v4.0.3`

Compare Source

Changed

Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
Dependency updates

`v4.0.2`

Compare Source

Changed

Improved documentation of Verify() to note that JSONWebKeySet is a supported
argument type (#104)
Defined exported error values for missing x5c header and unsupported elliptic
curves error cases (#117)

`v4.0.1`

Compare Source

Fixed

An attacker could send a JWE containing compressed data that used large
amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
Those functions now return an error if the decompressed data would exceed
250kB or 10x the compressed size (whichever is larger). Thanks to
Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
for reporting.

`v4.0.0`

Compare Source

This release makes some breaking changes in order to more thoroughly
address the vulnerabilities discussed in Three New Attacks Against JSON Web
Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
token".

Changed

Limit JWT encryption types (exclude password or public key types) (#78)
Enforce minimum length for HMAC keys (#85)
jwt: match any audience in a list, rather than requiring all audiences (#81)
jwt: accept only Compact Serialization (#75)
jws: Add expected algorithms for signatures (#74)
Require specifying expected algorithms for ParseEncrypted,
ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
jwt.ParseSignedAndEncrypted (#69, #74)
- Usually there is a small, known set of appropriate algorithms for a program
  to use and it's a mistake to allow unexpected algorithms. For instance the
  "billion hash attack" relies in part on programs accepting the PBES2
  encryption algorithm and doing the necessary work even if they weren't
  specifically configured to allow PBES2.
Revert "Strip padding off base64 strings" (#82)
The specs require base64url encoding without padding.
Minimum supported Go version is now 1.21

Added

ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
- These allow parsing a specific serialization, as opposed to ParseSigned and
  ParseEncrypted, which try to automatically detect which serialization was
  provided. It's common to require a specific serialization for a specific
  protocol - for instance JWT requires Compact serialization.

Fixed

Limit decompression output size to prevent a DoS. Backport from v4.0.1.

`v3.0.2`

Compare Source

Fixed

DecryptMulti: handle decompression error (#19)

Changed

jwe/CompactSerialize: improve performance (#67)
Increase the default number of PBKDF2 iterations to 600k (#48)
Return the proper algorithm for ECDSA keys (#45)

Added

Add Thumbprint support for opaque signers (#38)

`v3.0.1`

Compare Source

Fixed

Security issue: an attacker specifying a large "p2c" value can cause
JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
disclosure and to Tom Tervoort for originally publishing the category of attack.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

If you want to rebase/retry this PR, check this box

mend-for-github-com · 2025-02-25T18:08:19Z

ℹ Artifact update notice

File name: test-integ/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

8 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.20` -> `1.24.0`
`github.com/google/go-cmp`	`v0.5.9` -> `v0.6.0`
`github.com/stretchr/testify`	`v1.8.4` -> `v1.10.0`
`golang.org/x/net`	`v0.19.0` -> `v0.25.0`
`golang.org/x/crypto`	`v0.17.0` -> `v0.32.0`
`golang.org/x/mod`	`v0.12.0` -> `v0.17.0`
`golang.org/x/sys`	`v0.15.0` -> `v0.29.0`
`golang.org/x/text`	`v0.14.0` -> `v0.21.0`
`golang.org/x/tools`	`v0.12.1-0.20230815132531-74c255bcf846` -> `v0.21.1-0.20240508182429-e35e4ccd0d2d`

File name: test/integration/consul-container/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

10 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.20` -> `1.24.0`
`github.com/stretchr/testify`	`v1.8.4` -> `v1.10.0`
`golang.org/x/mod`	`v0.12.0` -> `v0.17.0`
`github.com/google/go-cmp`	`v0.5.9` -> `v0.6.0`
`github.com/stretchr/objx`	`v0.5.0` -> `v0.5.2`
`golang.org/x/crypto`	`v0.17.0` -> `v0.32.0`
`golang.org/x/net`	`v0.19.0` -> `v0.25.0`
`golang.org/x/sync`	`v0.3.0` -> `v0.10.0`
`golang.org/x/sys`	`v0.15.0` -> `v0.29.0`
`golang.org/x/text`	`v0.14.0` -> `v0.21.0`
`golang.org/x/tools`	`v0.12.1-0.20230815132531-74c255bcf846` -> `v0.21.1-0.20240508182429-e35e4ccd0d2d`

mend-for-github-com bot added the security fix Security fix generated by Mend label Feb 25, 2025

chore(deps): update module github.com/go-jose/go-jose/v3 to v4

984deea

mend-for-github-com bot force-pushed the whitesource-remediate/github.com-go-jose-go-jose-v3-4.x branch from b5740f2 to 984deea Compare February 27, 2025 12:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update module github.com/go-jose/go-jose/v3 to v4#10

chore(deps): update module github.com/go-jose/go-jose/v3 to v4#10
mend-for-github-com[bot] wants to merge 1 commit intomainfrom
whitesource-remediate/github.com-go-jose-go-jose-v3-4.x

mend-for-github-com bot commented Feb 25, 2025 •

edited

Loading

Uh oh!

mend-for-github-com bot commented Feb 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

mend-for-github-com bot commented Feb 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

What's Changed

New Contributors

Fixed

Changed

Changed

Fixed

Changed

Added

What's Changed

v3.0.3: Version 3.0.3

Fixed

Fixed

Changed

Added

Fixed

Uh oh!

mend-for-github-com bot commented Feb 25, 2025

ℹ Artifact update notice

File name: test-integ/go.mod

File name: test/integration/consul-container/go.mod

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

mend-for-github-com bot commented Feb 25, 2025 •

edited

Loading

`v3.0.3`: Version 3.0.3