openziti / sdk-golang

Ziti SDK for Golang
Apache License 2.0

go-jose v2.6.0 CVE-2024-28180 resolution #607

Open cloudxxx8 opened 1 month ago

cloudxxx8 commented 1 month ago

There is a CVE in go-jose v2.6.0. Our project depends on openziti sdk-golang, so this dependency is included: https://github.com/openziti/sdk-golang/blob/fb662f949bd0fbc6258f63ae5d963b2684f13958/go.mod#L89

Please see more details in the dependabot security advisory: https://github.com/edgexfoundry/device-sdk-go/security/dependabot/11

The problem is fixed in the following packages and versions: github.com/go-jose/go-jose/v4 version 4.0.1; github.com/go-jose/go-jose/v3 version 3.0.3; gopkg.in/go-jose/go-jose.v2 version 2.6.3.

The problem will not be fixed in the following package because the package is archived: gopkg.in/square/go-jose.v2.

Are you able to resolve this dependency issue?

dovholuknf commented 1 month ago

FYI - a PR was opened against the library we are using: https://github.com/zitadel/oidc/pull/630

cloudxxx8 commented 1 month ago

nice, thanks for taking care of it
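An added check, not code from this issue or from the sdk-golang project, for whether a Go build still pulls in one of the go-jose modules the advisory names: it reads `go list -m all` output and flags the archived gopkg.in/square/go-jose.v2 (no fix) and any maintained fork below the fixed version (v2.6.3 / v3.0.3 / v4.0.1, as stated above). The module listing at the bottom is a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the sdk-golang project. Scans `go list -m all`
# output for the go-jose modules covered by CVE-2024-28180: the archived
# gopkg.in/square/go-jose.v2 (never fixed) and the maintained forks, which
# are fixed in v2.6.3 / v3.0.3 / v4.0.1 according to the advisory.

version_lt() {
  # exit 0 when semver $1 < $2; only major.minor.patch are compared, so a Go
  # pseudo-version suffix such as "-0.20230101000000-abcdef123456" is ignored
  a=${1#v}; a=${a%%[-+]*}; b=${2#v}; b=${b%%[-+]*}
  old_ifs=$IFS; IFS=.
  set -- $a; a1=$1; a2=$2; a3=$3
  set -- $b; b1=$1; b2=$2; b3=$3
  IFS=$old_ifs
  [ $((a1 * 1000000 + a2 * 1000 + a3)) -lt $((b1 * 1000000 + b2 * 1000 + b3)) ]
}

check_go_jose() {
  # reads "module version [=> replacement]" lines on stdin, prints one finding
  # per go-jose module and returns 1 if any of them is still affected
  found=0
  while read -r mod ver rest; do
    case "$mod" in
      gopkg.in/square/go-jose.v2)    fixed="" ;;      # archived, no fix coming
      gopkg.in/go-jose/go-jose.v2)   fixed=v2.6.3 ;;
      github.com/go-jose/go-jose/v3) fixed=v3.0.3 ;;
      github.com/go-jose/go-jose/v4) fixed=v4.0.1 ;;
      *) continue ;;
    esac
    if [ -z "$fixed" ]; then
      printf 'UNFIXED    %s %s (archived upstream; migrate to gopkg.in/go-jose/go-jose.v2)\n' "$mod" "$ver"
      found=1
    elif version_lt "$ver" "$fixed"; then
      printf 'VULNERABLE %s %s (fixed in %s)\n' "$mod" "$ver" "$fixed"
      found=1
    else
      printf 'OK         %s %s\n' "$mod" "$ver"
    fi
  done
  return "$found"
}

sample_listing() {
  # constructed stand-in for `go list -m all`; on a real module run
  # `go list -m all | check_go_jose` from the module root instead
  printf '%s\n' \
    'example.com/myapp' \
    'github.com/go-jose/go-jose/v3 v3.0.3' \
    'gopkg.in/square/go-jose.v2 v2.6.0'
}

sample_listing | check_go_jose || printf 'affected go-jose module(s) present\n'
```

`go mod why -m gopkg.in/square/go-jose.v2` then shows which import chain (here sdk-golang via zitadel/oidc) keeps the archived module in the graph.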