canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

Replace `square/go-jose` by `go-jose/go-jose` #13526

Closed simondeziel closed 5 months ago

simondeziel commented 6 months ago

square/go-jose.v2 is affected by https://github.com/canonical/lxd/security/dependabot/13 and the module is deprecated and superseded/replaced by go-jose/go-jose:

https://github.com/square/go-jose?tab=readme-ov-file:

Go JOSE v1/v2 (DEPRECATED) Development of Go JOSE has continued in a new organization:

https://github.com/go-jose/go-jose

We already depend on github.com/go-jose/go-jose/v4 for LXD and github.com/go-jose/go-jose/v3 for the mini-oidc.

Ideally, we'd probably settle on github.com/go-jose/go-jose/v4 for all.

MusicDin commented 5 months ago

This deprecated dependency is from zitadel/oidc.

```
$ go mod why -m gopkg.in/square/go-jose.v2
# gopkg.in/square/go-jose.v2
github.com/canonical/lxd/client
github.com/zitadel/oidc/v2/pkg/client/rp
gopkg.in/square/go-jose.v2
```

Is there any blocker that prevents us from moving to zitadel/oidc/v3?
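The comment above uses `go mod why -m` to trace which direct dependency keeps the deprecated module in the build. The following is an added example, not code from the LXD project or from this thread: it parses the stream that `go list -m -u -json all` prints (whose `Deprecated` field carries a module's `// Deprecated:` go.mod comment) together with `go mod why -m` output, and for every deprecated module reports the import chain and the direct dependency that needs upgrading. The sample list and `go mod why` text are constructed to match the chain quoted above; the versions and the deprecation message are illustrative, not captured from the repository.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields of `go list -m -u -json all` output used here.
// Deprecated is the module's "// Deprecated:" go.mod comment (empty if none).
type Module struct {
	Path       string `json:"Path"`
	Version    string `json:"Version"`
	Main       bool   `json:"Main"`
	Indirect   bool   `json:"Indirect"`
	Deprecated string `json:"Deprecated"`
}

// Finding is one deprecated module, the package chain that keeps it in the
// build, and Via: the direct dependency (first non-main module on the chain)
// that must be upgraded or replaced to drop it.
type Finding struct {
	Path, Version, Deprecated, Via string
	Chain                          []string
}

// ParseModuleList decodes `go list -m -json` output. It is a stream of
// concatenated JSON objects, not an array, so a Decoder loop is required.
func ParseModuleList(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		err := dec.Decode(&m)
		if err == io.EOF {
			return mods, nil
		}
		if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
}

// ParseModWhy extracts the package chain from `go mod why -m X` output:
// a "# X" header, then one package per line. A "(main module does not
// need ...)" line means nothing imports it, so the chain stays empty.
func ParseModWhy(out string) []string {
	var chain []string
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' || line[0] == '(' {
			continue
		}
		chain = append(chain, line)
	}
	return chain
}

// OwningModule maps an import path to the module providing it: the longest
// module path equal to the package path or a "/"-separated prefix of it.
func OwningModule(pkg string, mods []Module) string {
	best := ""
	for _, m := range mods {
		if (pkg == m.Path || strings.HasPrefix(pkg, m.Path+"/")) && len(m.Path) > len(best) {
			best = m.Path
		}
	}
	return best
}

// DeprecatedModules joins the two views. why maps module path -> `go mod why -m` text.
func DeprecatedModules(mods []Module, why map[string]string) []Finding {
	mainMod := ""
	for _, m := range mods {
		if m.Main {
			mainMod = m.Path
		}
	}
	var out []Finding
	for _, m := range mods {
		if m.Deprecated == "" {
			continue
		}
		f := Finding{Path: m.Path, Version: m.Version, Deprecated: m.Deprecated,
			Chain: ParseModWhy(why[m.Path])}
		for _, pkg := range f.Chain {
			if owner := OwningModule(pkg, mods); owner != "" && owner != mainMod && owner != f.Path {
				f.Via = owner // first third-party module on the chain pulls it in
				break
			}
		}
		if f.Via == "" && len(f.Chain) > 0 {
			f.Via = f.Path // no intermediary: the main module imports it directly
		}
		out = append(out, f)
	}
	return out
}

// Constructed sample output (not captured from LXD); versions and the
// deprecation text are illustrative.
const sampleList = `{"Path": "github.com/canonical/lxd", "Main": true}
{"Path": "github.com/go-jose/go-jose/v4", "Version": "v4.0.1"}
{"Path": "github.com/zitadel/oidc/v2", "Version": "v2.12.0"}
{"Path": "gopkg.in/square/go-jose.v2", "Version": "v2.6.0", "Indirect": true,
 "Deprecated": "this module is deprecated, use github.com/go-jose/go-jose/v4 instead"}
`

// Constructed `go mod why -m` output, matching the chain quoted in the thread.
var sampleWhy = map[string]string{
	"gopkg.in/square/go-jose.v2": "# gopkg.in/square/go-jose.v2\n" +
		"github.com/canonical/lxd/client\n" +
		"github.com/zitadel/oidc/v2/pkg/client/rp\n" +
		"gopkg.in/square/go-jose.v2\n",
}

func main() {
	mods, err := ParseModuleList(strings.NewReader(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range DeprecatedModules(mods, sampleWhy) {
		fmt.Printf("%s %s is deprecated: %s\n", f.Path, f.Version, f.Deprecated)
		fmt.Printf("  kept by %s via %s\n", f.Via, strings.Join(f.Chain, " -> "))
	}
}
```

In a real audit the two inputs come from `go list -m -u -json all` and one `go mod why -m <path>` per deprecated module; the `Via` field is the dependency whose upgrade (here, zitadel/oidc v2 to v3) actually removes the deprecated module, which a plain `go get` of the deprecated module's successor would not do.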

markylaing commented 5 months ago

Is there any blocker that prevents us from moving to zitadel/oidc/v3?

This is on my to-do list for this pulse :smiley:

simondeziel commented 5 months ago

https://github.com/canonical/lxd/pull/13566 is a temporary fix for the security issue but it would be nice to keep this issue around until a proper fix lands.

tomponline commented 5 months ago

@markylaing @simondeziel did this get completed by https://github.com/canonical/lxd/pull/13602 ?

MusicDin commented 5 months ago

Yes, this is done. There is no square/go-jose dependency anymore and the security issue is also closed.