The problem is fixed in the following packages and versions:
github.com/go-jose/go-jose/v4 version 4.0.1
github.com/go-jose/go-jose/v3 version 3.0.3
gopkg.in/go-jose/go-jose.v2 version 2.6.3
The problem will not be fixed in the following package because the package is archived:
gopkg.in/square/go-jose.v2
There is a CVE in go-jose v2.6.0. Our project depends on openziti sdk-golang, so this dependency is included: https://github.com/openziti/sdk-golang/blob/fb662f949bd0fbc6258f63ae5d963b2684f13958/go.mod#L89
Please see more details in the Dependabot security advisory: https://github.com/edgexfoundry/device-sdk-go/security/dependabot/11
Are you able to resolve this dependency issue?