Nerzal / gocloak

golang keycloak client
Apache License 2.0

dgrijalva/jwt-go is deprecated #292

Closed cameracker closed 2 years ago

cameracker commented 3 years ago

Describe the bug: dgrijalva/jwt-go is deprecated. Currently it is in use in this library at major v4.

To Reproduce: NA

Expected behavior: Packages that provide features in the authorization and authentication realm should use up to date and well maintained libraries.

Consider replacing this package with the community-maintained drop-in replacement: https://github.com/golang-jwt/jwt

Note: this library only has parity with dgrijalva/jwt-go@v3, it does not have any of the v4 changes.

Screenshots: https://github.com/dgrijalva/jwt-go#this-repository-is-no-longer-maintaned


Nerzal commented 3 years ago

Good catch, thank u!

poperor commented 3 years ago

Another reason to address this issue is that GitHub dependabot now gives a "high severity" alert on dgrijalva/jwt-go.

Nerzal commented 3 years ago

Do I see it correctly that they still lack the v4 changes? These changes are needed to cover some features.

I can have a deeper look later on.

poperor commented 3 years ago

Thanks for taking a look. Seems like dependabot gives the security alert even for v4. Anyway, on the https://github.com/dgrijalva/jwt-go GitHub page a switch to https://github.com/golang-jwt/jwt is recommended.

Nerzal commented 3 years ago

I have linked a "proposal" PR

msvechla commented 3 years ago

Are there any updates here? With the recent CVEs in that package, I think we really should merge your proposal.

Nerzal commented 3 years ago

Hi,

Yes, I'll merge in the next days, as there is another possibly breaking change in the PR pipeline. I just need to do some further testing.

Nerzal commented 2 years ago

Fixed in new version v10.0.1