auth0 / go-jwt-middleware

A Middleware for Go Programming Language to check for JWTs on HTTP requests

Upgrade `go-jose` from v2 to v4 #269

Open jamestelfer opened 4 months ago

jamestelfer commented 4 months ago

Checklist

Description

This was previously addressed in #239, but I think this issue might need to be reopened.

On main, the "Versions" section says:

The old square/go-jose repo contains the prior v1 and v2 versions, which are still useable but not actively developed anymore.

Now, a version 2.6.3 was released in March owing to a security vulnerability, so it's possible that some security issues will be backported.

However, the security policy states clearly that only v3 and v4 are supported versions.

It would be good to investigate an upgrade, given the stability and security improvements since v2.

Reproduction

go.mod references go-jose v2.x

Go JWT Middleware version

2.2.1

Go version

1.22
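Added example (not part of the issue or of go-jwt-middleware itself): a small Go check that scans a go.mod for `require` directives pulling in the legacy go-jose majors (v1/v2) that the upstream security policy no longer supports, the situation the reproduction step above describes. The legacy module paths `gopkg.in/square/go-jose.v1` and `gopkg.in/square/go-jose.v2`, and the sample go.mod in `main`, are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Legacy go-jose module paths (assumed for this example): the unsupported v1/v2 majors.
var legacyJose = map[string]bool{
	"gopkg.in/square/go-jose.v1": true,
	"gopkg.in/square/go-jose.v2": true,
}

// UnsupportedJose scans go.mod text and returns "module version" for every require
// directive that pulls in a legacy go-jose major (single-line and block forms).
func UnsupportedJose(gomod string) []string {
	var out []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // strip trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace and other directives outside a require block
		}
		if f := strings.Fields(line); len(f) == 2 && legacyJose[f[0]] {
			out = append(out, f[0]+" "+f[1])
		}
	}
	return out
}

func main() {
	// Constructed go.mod fragment mirroring "go.mod references go-jose v2.x".
	gomod := "module example.com/app\n\nrequire (\n\tgithub.com/auth0/go-jwt-middleware/v2 v2.2.1\n\tgopkg.in/square/go-jose.v2 v2.6.0 // indirect\n)\n"
	for _, hit := range UnsupportedJose(gomod) {
		fmt.Println("unsupported go-jose major:", hit)
	}
}
```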

maxime-gaudron commented 2 months ago

@sergiught Hello, mentioning you as the main contributor of the repo. As Auth0 clients we're facing the same issue and as we're working in a regulated domain it's a bit sensitive for us. Would there be any chance you could look at this? Thank you!

pat-git023 commented 1 month ago

Is there any update on this? Since go-jose 2.x has reached end-of-life, we also get security warnings and need to react to that. Any chance that the open PR #275 will be merged in a timely manner?

Thank you very much

cantutar commented 3 weeks ago

I absolutely agree with the above users. Please update the dependency; it has a security vulnerability.

sergiught commented 3 weeks ago

Hey folks, apologies for the delay as I have missed getting notified on this. Unfortunately I am no longer a maintainer of this project as I have transitioned to a new team, however I've immediately alerted the owning team and it will be looked at ASAP.

CC: @developerkunal, @arpit-jn

developerkunal commented 2 weeks ago

Hey folks, I apologize for the delay in addressing this vulnerability; it was unfortunately overlooked. At this time, we're unable to upgrade to JoseV4 due to the breaking changes it would introduce, which would require a major version release. However, I’ve already scheduled improvements and version upgrades that will be included in an upcoming major release.

In the meantime, we’ve released a security patch to address the issue. If you encounter any further problems, please don’t hesitate to tag me or open a new issue, and I’ll respond as quickly as possible.

Thank you for your understanding.

abiabsurd commented 1 week ago

What's the timeline for the upcoming major release that will include this support for jose v4? Anything contributors can help with?