
fix: jwt dependency upgrade #81

Merged
merged 1 commit into master from snyk
Oct 26, 2020

Conversation

christiancompton

This upgrade changes dgrijalva/jwt-go v3.2.0 to form3tech-oss/jwt-go v3.2.1, a fork which has addressed the high severity security vulnerability.

There has been a lot of conversation about this fix in dgrijalva/jwt-go#428, but this project is not maintained by its authors and a fix to this project seems unlikely given this conversation.

v4/go.mod Outdated
@@ -4,6 +4,7 @@ go 1.12

require (
github.com/dgrijalva/jwt-go v3.2.0+incompatible
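Review bot: The require line `github.com/dgrijalva/jwt-go v3.2.0+incompatible` is kept as unchanged context while the hunk header (`@@ -4,6 +4,7 @@`) shows one line being added, so after this hunk the original module is still in the require block alongside whatever was added. If the fork is meant to supersede it, either delete that require line and rewrite the import paths, or redirect the path with `replace github.com/dgrijalva/jwt-go => github.com/form3tech-oss/jwt-go v3.2.1`, then run `go mod tidy` and confirm with `go list -m all` that the original module no longer resolves; note that a `replace` directive only applies in the main module and is ignored when this module is consumed as a dependency, so for a library the import-path change is the one that protects downstream builds.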
Member

we don't need to keep the original module reference, do we???

Member

also, if you changed go.mod to use a completely different package (i.e. form3tech-oss/jwt-go), then how did you avoid having to make source changes where the jwt-go package is being used?

Author

Fixed.
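The PR description swaps the module dependency for a fork, and the review thread above asks how that was done without touching the import paths. Go modules give two routes: a `replace` directive in go.mod redirects the original module path to the fork (no import changes, but `replace` only takes effect in the main module and is ignored when the module is consumed as a dependency), or the import paths are rewritten to the fork and the original require line removed. The following is an added example, not code from this PR or the project: a small go.mod audit that reports which route a go.mod took and whether the original module is still resolved from its own source. The three embedded go.mod texts are constructed samples, and `AuditGoMod`, `Verdict` and the module name `example.com/sdk/v4` are names chosen here.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module paths named in the PR description: the original and the fork.
const (
	originalModule = "github.com/dgrijalva/jwt-go"
	forkModule     = "github.com/form3tech-oss/jwt-go"
)

// ModuleAudit records how a go.mod treats the two module paths.
type ModuleAudit struct {
	RequiresOriginal bool   // original path appears in a require directive
	RequiresFork     bool   // fork path appears in a require directive
	ReplacedTo       string // target of a replace directive for the original, "" if none
}

// AuditGoMod scans go.mod text for require and replace directives in both the
// single-line and parenthesised block forms, ignoring // comments.
func AuditGoMod(content string) ModuleAudit {
	var a ModuleAudit
	block := "" // "require" or "replace" while inside a "( ... )" block
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case fields[0] == ")":
			block = ""
		case fields[0] == "require" || fields[0] == "replace":
			if len(fields) == 2 && fields[1] == "(" {
				block = fields[0]
			} else {
				apply(fields[0], fields[1:], &a)
			}
		case block != "":
			apply(block, fields, &a)
		}
	}
	return a
}

// apply interprets one directive line: require "path version",
// replace "old [version] => new [version]".
func apply(directive string, fields []string, a *ModuleAudit) {
	switch {
	case directive == "require" && len(fields) > 0 && fields[0] == originalModule:
		a.RequiresOriginal = true
	case directive == "require" && len(fields) > 0 && fields[0] == forkModule:
		a.RequiresFork = true
	case directive == "replace" && len(fields) > 2 && fields[0] == originalModule:
		for i, f := range fields {
			if f == "=>" && i+1 < len(fields) {
				a.ReplacedTo = fields[i+1]
			}
		}
	}
}

// Verdict answers the reviewer's question: is the original module still
// resolved from its own source, redirected by replace, or gone?
func Verdict(a ModuleAudit) string {
	switch {
	case a.RequiresOriginal && a.ReplacedTo == "":
		return "original jwt-go still resolved from its own source: it stays in the build graph"
	case a.RequiresOriginal:
		return "original path redirected by replace to " + a.ReplacedTo + " (replace is ignored when this module is consumed as a dependency)"
	case a.RequiresFork:
		return "fork required directly; import paths must reference " + forkModule
	default:
		return "no jwt-go requirement found"
	}
}

// Constructed sample go.mod texts (not the project's real file).
const (
	// Shape of the hunk under review: original kept as context, fork added beside it.
	modBothRequired = "module example.com/sdk/v4\n\ngo 1.12\n\nrequire (\n\tgithub.com/dgrijalva/jwt-go v3.2.0+incompatible\n\tgithub.com/form3tech-oss/jwt-go v3.2.1+incompatible\n)\n"
	// replace route: import paths untouched, original path redirected to the fork.
	modReplaced = "module example.com/sdk/v4\n\ngo 1.12\n\nrequire github.com/dgrijalva/jwt-go v3.2.0+incompatible\n\nreplace github.com/dgrijalva/jwt-go => github.com/form3tech-oss/jwt-go v3.2.1+incompatible\n"
	// import-rewrite route: only the fork is required.
	modForkOnly = "module example.com/sdk/v4\n\ngo 1.12\n\nrequire github.com/form3tech-oss/jwt-go v3.2.1+incompatible // imports rewritten\n"
)

func main() {
	fmt.Println(Verdict(AuditGoMod(modBothRequired)))
	fmt.Println(Verdict(AuditGoMod(modReplaced)))
	fmt.Println(Verdict(AuditGoMod(modForkOnly)))
}
```

To run it against a real file, read v4/go.mod into a string and pass it to `AuditGoMod`. The audit is a textual check of intent; `go mod tidy` followed by `go list -m all` remains the authoritative answer to what actually lands in the build graph.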

@padamstx padamstx left a comment

LGTM

@christiancompton christiancompton merged commit ba2780c into master Oct 26, 2020
@christiancompton christiancompton deleted the snyk branch October 26, 2020 14:19
ibm-devx-automation pushed a commit that referenced this pull request Oct 26, 2020
## [4.7.1](v4.7.0...v4.7.1) (2020-10-26)

### Bug Fixes

* jwt dependency upgrade ([#81](#81)) ([ba2780c](ba2780c))
@ibm-devx-automation

🎉 This PR is included in version 4.7.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
