Closed kpcraig closed 1 month ago
go-jose v4.0.2 seems to still upset the scanner, although https://pkg.go.dev/vuln/GO-2024-2631 seems to think it was resolved.
@fairclothjm says go-jose is releasing another patch update next week, so maybe things will be better then?
It looks like v2.6.3 of go-jose avoids the need to try to update to v3 or v4, although it does require a rename of the import from gopkg.in/square/go-jose to github.com/go-jose/go-jose (gopkg.in/go-jose/go-jose is also valid, but if we do move to v4, this is more future-proof).
This is the Release/changelog PR for vault-plugin-auth-kubernetes.
Of note here are updates to go-jose 2.6.0 to 2.6.3 (a direct dependency), and go-jose 4.0.1 to 4.0.3 (an indirect dependency) to resolve GO-2024-2631.