Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider upgrading to github.com/go-jose/go-jose/v4 #797

Open
3 of 5 tasks
mitar opened this issue Mar 7, 2024 · 6 comments · May be fixed by #824
Open
3 of 5 tasks

Consider upgrading to github.com/go-jose/go-jose/v4 #797

mitar opened this issue Mar 7, 2024 · 6 comments · May be fixed by #824
Labels
feat New feature or request.

Comments

@mitar
Copy link
Contributor

mitar commented Mar 7, 2024

Preflight checklist

Ory Network Project

No response

Describe your problem

github.com/go-jose/go-jose/v3 dependency has made a new github.com/go-jose/go-jose/v4 version. It breaks backwards compatibility to improve security:

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

I think it is not critical, but it would be beneficial to do so sooner than later.

Describe your ideal solution

We upgrade.

Workarounds or alternatives

We do not.

Version

latest master

Additional Context

No response

@mitar mitar added the feat New feature or request. label Mar 7, 2024
@mitar
Copy link
Contributor Author

mitar commented May 27, 2024

@aeneasr: What about this?

@mitar
Copy link
Contributor Author

mitar commented Sep 16, 2024

@aeneasr: Would you be open for a PR for this?

@aeneasr
Copy link
Member

aeneasr commented Sep 16, 2024

Yes, but it depends just how breaking those changes are and if it has an impact on existing deployments of Ory Hydra / Ory Network

@mitar
Copy link
Contributor Author

mitar commented Sep 16, 2024

Let's see. From my side I am able to use both versions at the same time, but it is ugly. So I think it will probably just mean you will have to propagate this upgrade to Ory. But I do not expect much code changes. Let's see.

@mitar
Copy link
Contributor Author

mitar commented Sep 16, 2024

It bumps go to minimum 1.21.

Also, I see replace directives in go.mod, is there any reason to keep them in? They seem redundant and not used?

@mitar mitar linked a pull request Sep 16, 2024 that will close this issue
6 tasks
@mitar
Copy link
Contributor Author

mitar commented Sep 16, 2024

I made #824. See comments there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feat New feature or request.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants