Skip to content
This repository has been archived by the owner on Apr 11, 2023. It is now read-only.

chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.6 to 2.0.9 in /spi/gnap #332

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 23, 2023

Bumps github.com/lestrrat-go/jwx/v2 from 2.0.6 to 2.0.9.

Release notes

Sourced from github.com/lestrrat-go/jwx/v2's releases.

v2.0.9

v2.0.9 - 21 Mar 2023
[Security Fixes]
  * Updated use of golang.org/x/crypto to v0.7.0
[Bug fixes]
  * Emitted PEM file for EC private key types used the wrong PEM armor ([#875](https://github.com/lestrrat-go/jwx/issues/875))
[Miscellaneous]
  * Banners for generated files have been modified to allow tools to pick them up ([#867](https://github.com/lestrrat-go/jwx/issues/867))
  * Remove unused variables around ReadFileOption ([#866](https://github.com/lestrrat-go/jwx/issues/866))
  * Fix test failures
  * Support bazel out of the box
  * Now you can create JWS messages using `{"alg":"none"}`, by calling `jws.Sign()`
    with `jws.WithInsecureNoSignature()` option. ([#888](https://github.com/lestrrat-go/jwx/issues/888), [#890](https://github.com/lestrrat-go/jwx/issues/890)).
Note that there is no way to call
`jws.Verify()` while allowing `{"alg":"none"}` as you wouldn't be _verifying_
the message if we allowed the "none" algorithm. `jws.Parse()` will parse such
messages witout verification.

jwt also allows you to sign using alg="none", but there's no symmetrical
way to verify such messages.

v2.0.8

v2.0.8 - 25 Nov 2022
[Security Fixes]
  * [jws][jwe] Starting from go 1.19, code related to elliptic algorithms
    panics (instead of returning an error) when certain methods
    such as `ScalarMult` are called using points that are not on the
    elliptic curve being used.
Using inputs that cause this condition, and you accept unverified JWK
from the outside it may be possible for a third-party to cause panics
in your program.

This has been fixed by verifying that the point being used is actually
on the curve before such computations (#840)

[Miscellaneous]

  • jwx.GuessFormat now returns jwx.InvalidFormat when the heuristics is sure that the buffer format is invalid.

v2.0.7

v2.0.7 - 15 Nov 2022
[New features]
  * [jwt] Each `jwt.Token` now has an `Options()` method
  * [jwt] `jwt.Settings(jwt.WithFlattenedAudience(true))` has a slightly
</tr></table> 

... (truncated)

Changelog

Sourced from github.com/lestrrat-go/jwx/v2's changelog.

v2.0.9 - 21 Mar 2023 [Security Fixes]

  • Updated use of golang.org/x/crypto to v0.7.0 [Bug fixes]

  • Emitted PEM file for EC private key types used the wrong PEM armor (#875) [Miscellaneous]

  • Banners for generated files have been modified to allow tools to pick them up (#867)

  • Remove unused variables around ReadFileOption (#866)

  • Fix test failures

  • Support bazel out of the box

  • Now you can create JWS messages using {"alg":"none"}, by calling jws.Sign() with jws.WithInsecureNoSignature() option. (#888, #890).

    Note that there is no way to call jws.Verify() while allowing {"alg":"none"} as you wouldn't be verifying the message if we allowed the "none" algorithm. jws.Parse() will parse such messages witout verification.

    jwt also allows you to sign using alg="none", but there's no symmetrical way to verify such messages.

v2.0.8 - 25 Nov 2022 [Security Fixes]

  • [jws][jwe] Starting from go 1.19, code related to elliptic algorithms panics (instead of returning an error) when certain methods such as ScalarMult are called using points that are not on the elliptic curve being used.

    Using inputs that cause this condition, and you accept unverified JWK from the outside it may be possible for a third-party to cause panics in your program.

    This has been fixed by verifying that the point being used is actually on the curve before such computations (#840) [Miscellaneous]

  • jwx.GuessFormat now returns jwx.InvalidFormat when the heuristics is sure that the buffer format is invalid.

v2.0.7 - 15 Nov 2022 [New features]

  • [jwt] Each jwt.Token now has an Options() method

  • [jwt] jwt.Settings(jwt.WithFlattenedAudience(true)) has a slightly different semantic than before. Instead of changing a global variable, it now specifies that the default value of each per-token option for jwt.FlattenAudience is true.

    Therefore, this is what happens:

    // No global settings tok := jwt.New()

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from 2.0.6 to 2.0.9.
- [Release notes](https://github.com/lestrrat-go/jwx/releases)
- [Changelog](https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes)
- [Commits](lestrrat-go/jwx@v2.0.6...v2.0.9)

---
updated-dependencies:
- dependency-name: github.com/lestrrat-go/jwx/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added area: backend Something related to back-end dependencies Pull requests that update a dependency file labels Mar 23, 2023
@cla-bot cla-bot bot added the cla-signed label Mar 23, 2023
@codecov
Copy link

codecov bot commented Mar 23, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (0eb232e) 87.83% compared to head (e971ea2) 87.83%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #332   +/-   ##
=======================================
  Coverage   87.83%   87.83%           
=======================================
  Files          22       22           
  Lines        2623     2623           
=======================================
  Hits         2304     2304           
  Misses        210      210           
  Partials      109      109           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
area: backend Something related to back-end cla-signed dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants