There is no fix for the GO-2024-2631 vuln for gopkg.in/square/go-jose.v2, so now seems like a good time to remove it from the dependencies and standardise on the latest v4 version of the module.
Unfortunately it does mean we need to be more selective about the signature algorithms we allow when receiving a JWT during a login request. I think RS256 is the correct choice based on empirical evidence, but I do have concerns that there's no public commitment to that signature algorithm in Google's docs, so it's possible they could change this signature algorithm at any point.
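As an added illustration (not code from this PR or the project), here is the allow-list the comment above describes, written against the Go standard library rather than go-jose so it runs stand-alone: an incoming login JWT is rejected unless its header `alg` is RS256, and only then is the RSA signature checked. `AllowedAlgs`, `MintToken`, `VerifyLoginToken` and the claim values are assumed names and constructed data for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// AllowedAlgs is the explicit alg allow-list for a login JWT: RS256 only, as discussed above.
var AllowedAlgs = map[string]bool{"RS256": true}
// MintToken (test helper) signs constructed claims with RSASSA-PKCS1-v1_5/SHA-256 but stamps whatever alg the caller names into the header.
func MintToken(alg string, claims map[string]any, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyLoginToken rejects any alg outside AllowedAlgs before touching the signature, then verifies RS256 and returns the claims.
func VerifyLoginToken(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var seg [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		seg[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(seg[0], &hdr) != nil || !AllowedAlgs[hdr.Alg] {
		return nil, errors.New("alg not allowed: " + hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(seg[1], &claims)
}
```

A token with a valid RSA signature but an `alg` label other than RS256 is still refused, which is the behaviour the migration to go-jose v4 forces the code to make explicit.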
Thanks, added those 2 as well 👍 I also updated the target release version to 0.17.0 as that seems more appropriate with the change in accepted algorithms.