coreos / go-oidc

A Go OpenID Connect client.
Apache License 2.0

chore: Bump go-jose dependency and mod tidy #418

Closed bcandeias closed 5 months ago

bcandeias commented 5 months ago

This bumps the go-jose dependency to a version that addresses vulnerability CVE-2024-28180.

Tested with the below:

$ go fmt ./... ; go mod tidy ; go build ./... ; go test ./...
go: finding module for package github.com/go-jose/go-jose/v3
go: downloading github.com/go-jose/go-jose/v3 v3.0.3
go: downloading github.com/go-jose/go-jose v2.6.3+incompatible
go: found github.com/go-jose/go-jose/v3 in github.com/go-jose/go-jose/v3 v3.0.3
go: downloading github.com/stretchr/testify v1.8.2
go: downloading golang.org/x/crypto v0.19.0
Run 'go help' for usage.
?       github.com/coreos/go-oidc/v3/example/idtoken    [no test files]
?       github.com/coreos/go-oidc/v3/example/userinfo   [no test files]
ok      github.com/coreos/go-oidc/v3/oidc   1.528s

Closes #417

bcandeias commented 5 months ago

@ericchiang sorry but I could only get to this now. You're right, I let these changes slide in with my local setup. In the meantime I saw you did bump to 4. Thanks, and apologies for not being more of a help 😅 Closing this PR.