Open mark-miller-dev opened 3 weeks ago
Hi @mark-miller-dev:
ekuiper introduced gopkg.in/square/go-jose.v2 v2.6.0 // indirect by github.com/openziti/sdk-golang v0.23.37, so we need the latest github.com/openziti/sdk-golang to upgrade go-jose to v2.6.3.
Hi @mark-miller-dev, @Yisaer, I see the corresponding PR was already opened in openziti's repo 2 weeks ago: https://github.com/zitadel/oidc/pull/630 for the issue https://github.com/openziti/sdk-golang/issues/607, but it is still not merged.
The latest Ekuiper version v1.14.2 has a high severity vulnerability [CVE-2024-28180] [gopkg.in/square/go-jose.v2] [v2.6.0], which is a release blocker for our project. The recommended fixed version is >=2.6.3 ("This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3." (c)). E.g. the resource - https://github.com/go-jose/go-jose/tree/v2.6.3, the dependency - github.com/go-jose/go-jose/v2 v2.6.3
Could you please make this upgrade in Ekuiper's go.mod?
Thanks, Mark
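As an added illustration of the check this issue is about (not code from the eKuiper project or from anyone in this thread): a small Go audit that scans go.mod text for go-jose requirements, direct or indirect, that sit below the patched releases the quoted advisory names (2.6.3, 3.0.3, 4.0.1). The sample go.mod, its module path and the pseudo-version handling are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Patched releases per major line, as quoted from the advisory in the issue above.
var fixedByMajor = map[int][3]int{2: {2, 6, 3}, 3: {3, 0, 3}, 4: {4, 0, 1}}

// parseVersion turns "vX.Y.Z[-pre][+build]" into numbers and reports whether a
// pre-release suffix (e.g. a Go pseudo-version) was present.
func parseVersion(v string) (nums [3]int, pre, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre, v = v[i] == '-', v[:i]
	}
	n, err := fmt.Sscanf(v, "%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, pre, err == nil && n == 3
}

// belowFixed reports whether v sorts before the patched release of its major line.
func belowFixed(v string) bool {
	nums, pre, ok := parseVersion(v)
	fixed, known := fixedByMajor[nums[0]]
	if !ok || !known { // unparsable, or a major line the advisory does not cover
		return false
	}
	if nums == fixed { // a pre-release of the patched version itself still sorts before it
		return pre
	}
	return nums[1] < fixed[1] || (nums[1] == fixed[1] && nums[2] < fixed[2])
}

// VulnerableGoJose scans go.mod text and returns "path version" for every go-jose
// requirement (direct or "// indirect") that is below its patched release.
func VulnerableGoJose(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" { // single-line form: require <path> <version>
			f = f[1:]
		}
		goJose := len(f) >= 2 && (f[0] == "gopkg.in/square/go-jose.v2" || strings.HasPrefix(f[0], "github.com/go-jose/go-jose/v"))
		if goJose && belowFixed(f[1]) {
			findings = append(findings, f[0]+" "+f[1])
		}
	}
	return findings
}

// SampleGoMod is a constructed go.mod mirroring the issue: vulnerable go-jose v2.6.0 pulled
// in indirectly via openziti/sdk-golang, next to an already patched v3. Module path is a placeholder.
const SampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/openziti/sdk-golang v0.23.37\n" +
	"\tgopkg.in/square/go-jose.v2 v2.6.0 // indirect\n\tgithub.com/go-jose/go-jose/v3 v3.0.3\n)\n"
```

Running VulnerableGoJose over the output of `go mod graph` or the project's real go.mod flags only the v2.6.0 line, which is the indirect requirement this issue asks to bump.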