livekit / egress

Export and record WebRTC sessions and tracks
https://blog.livekit.io/livekit-universal-egress-launch/
Apache License 2.0
168 stars 68 forks source link

Update go deps (major) #728

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/go-jose/go-jose/v3 | v3.0.3 -> v4.0.3 |
| github.com/pion/rtp | v1.8.6 -> v2.0.0 |

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

### [`v4.0.3`](https://togithub.com/go-jose/go-jose/blob/HEAD/CHANGELOG.md#v403)

[Compare Source](https://togithub.com/go-jose/go-jose/compare/v4.0.2...v4.0.3)

#### Changed

- Allow unmarshalling JSONWebKeySets with unsupported key types ([#130](https://togithub.com/go-jose/go-jose/issues/130))
- Document that OpaqueKeyEncrypter can't be implemented (for now) ([#129](https://togithub.com/go-jose/go-jose/issues/129))
- Dependency updates

### [`v4.0.2`](https://togithub.com/go-jose/go-jose/releases/tag/v4.0.2): Version 4.0.2

[Compare Source](https://togithub.com/go-jose/go-jose/compare/v4.0.1...v4.0.2)

#### What's Changed

- [Improved documentation](https://togithub.com/go-jose/go-jose/pull/104) of Verify() to note that JSONWebKeySet is a supported argument type
- [Defined exported error values](https://togithub.com/go-jose/go-jose/pull/117) for missing x5c header and unsupported elliptic curves error cases

#### New Contributors

- [@mitar](https://togithub.com/mitar) made their first contribution in [https://github.com/go-jose/go-jose/pull/104](https://togithub.com/go-jose/go-jose/pull/104)
- [@milosgajdos](https://togithub.com/milosgajdos) made their first contribution in [https://github.com/go-jose/go-jose/pull/117](https://togithub.com/go-jose/go-jose/pull/117)

**Full Changelog**: https://github.com/go-jose/go-jose/compare/v4.0.1...v4.0.2

### [`v4.0.1`](https://togithub.com/go-jose/go-jose/blob/HEAD/CHANGELOG.md#v401)

[Compare Source](https://togithub.com/go-jose/go-jose/compare/v4.0.0...v4.0.1)

#### Fixed

- An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab ([@zer0yu](https://togithub.com/zer0yu) and [@chenjj](https://togithub.com/chenjj)) for reporting.

### [`v4.0.0`](https://togithub.com/go-jose/go-jose/blob/HEAD/CHANGELOG.md#v400)

[Compare Source](https://togithub.com/go-jose/go-jose/compare/v3.0.3...v4.0.0)

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in [Three New Attacks Against JSON Web Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

#### Changed

- Limit JWT encryption types (exclude password or public key types) ([#78](https://togithub.com/go-jose/go-jose/issues/78))
- Enforce minimum length for HMAC keys ([#85](https://togithub.com/go-jose/go-jose/issues/85))
- jwt: match any audience in a list, rather than requiring all audiences ([#81](https://togithub.com/go-jose/go-jose/issues/81))
- jwt: accept only Compact Serialization ([#75](https://togithub.com/go-jose/go-jose/issues/75))
- jws: Add expected algorithms for signatures ([#74](https://togithub.com/go-jose/go-jose/issues/74))
- Require specifying expected algorithms for ParseEncrypted, ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned, jwt.ParseSignedAndEncrypted ([#69](https://togithub.com/go-jose/go-jose/issues/69), [#74](https://togithub.com/go-jose/go-jose/issues/74))
  - Usually there is a small, known set of appropriate algorithms for a program to use and it's a mistake to allow unexpected algorithms. For instance the "billion hash attack" relies in part on programs accepting the PBES2 encryption algorithm and doing the necessary work even if they weren't specifically configured to allow PBES2.
- Revert "Strip padding off base64 strings" ([#82](https://togithub.com/go-jose/go-jose/issues/82))
  - The specs require base64url encoding without padding.
- Minimum supported Go version is now 1.21

#### Added

- ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
  - These allow parsing a specific serialization, as opposed to ParseSigned and ParseEncrypted, which try to automatically detect which serialization was provided. It's common to require a specific serialization for a specific protocol - for instance JWT requires Compact serialization.

[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

pion/rtp (github.com/pion/rtp)

### [`v2.0.0`](https://togithub.com/pion/rtp/compare/v1.8.6...v2.0.0)

[Compare Source](https://togithub.com/pion/rtp/compare/v1.8.7...v2.0.0)

### [`v1.8.7`](https://togithub.com/pion/rtp/releases/tag/v1.8.7)

[Compare Source](https://togithub.com/pion/rtp/compare/v1.8.6...v1.8.7)

#### Changelog

- [`0967ee9`](https://togithub.com/pion/rtp/commit/0967ee9) Fix RTP padding length validation
- [`bc5124c`](https://togithub.com/pion/rtp/commit/bc5124c) Fix VP9 decoding on iOS

Configuration

📅 Schedule: Branch creation - "on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Mend Renovate. View repository job log here.
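
Added example, not part of the Renovate comment and not go-jose's own code: a standard-library sketch of the bound described in the v4.0.1 release note above (reject output larger than 250kB or 10x the compressed size, whichever is larger). The names `InflateBounded`, `maxInflatedSize`, `Deflate` and `ErrTooLarge` are hypothetical, and reading "250kB" as 250,000 bytes is an assumption.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("decompressed data exceeds limit")

// maxInflatedSize applies the rule from the v4.0.1 notes: 250kB or 10x the
// compressed size, whichever is larger ("250kB" taken as 250,000 bytes: assumption).
func maxInflatedSize(compressedLen int) int64 {
	if n := 10 * int64(compressedLen); n > 250_000 {
		return n
	}
	return 250_000
}

// InflateBounded (hypothetical name) inflates raw DEFLATE, as used by JWE "zip":"DEF".
func InflateBounded(compressed []byte) ([]byte, error) {
	limit := maxInflatedSize(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1)) // +1 byte tells "over" from "at" the limit
	if err != nil {
		return nil, err // corrupt or truncated stream
	}
	if int64(len(out)) > limit {
		return nil, ErrTooLarge
	}
	return out, nil
}

func Deflate(plain []byte) []byte { // builds the constructed sample inputs
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	for _, n := range []int{64, 250_000, 250_001} { // n zero bytes, constructed input
		_, err := InflateBounded(Deflate(make([]byte, n)))
		fmt.Println(n, err)
	}
}
```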

renovate[bot] commented 1 month ago

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

Details:

| Package | Change |
|---|---|
| golang.org/x/crypto | v0.24.0 -> v0.25.0 |
| golang.org/x/sys | v0.21.0 -> v0.22.0 |