feat: update go-jose to resolve x/crypto vuln #539
Conversation
go.mod
Outdated
| go 1.23.0 | ||
|
|
||
| toolchain go1.24.2 |
There was a problem hiding this comment.
| go 1.23.0 | |
| toolchain go1.24.2 | |
| go 1.22 |
should we revert that for now or was this change intentional?
There was a problem hiding this comment.
im having a look in more depth have a linter issue about going back to 1.22, do you even use go-jose? go mod tidy suggests you don't.
edit: i see the one file where its used
There was a problem hiding this comment.
this is the output when you try to upgrade it.
$ go get -u github.com/go-jose/go-jose/v3
go: upgraded go 1.22.0 => 1.23.0
go: upgraded toolchain go1.23.0 => go1.24.2
go: upgraded golang.org/x/crypto v0.19.0 => v0.37.0
it seems intentional? ( possibly because im on 1.24.2, the toolchain can be rolled back ).
im happy to close this if you want to handle updating it?
There was a problem hiding this comment.
i did a new push with what i think is minimal. i haven't had to deal with things that possibly require a go version change. but might make sense if upgrading x/crypto
There was a problem hiding this comment.
playwright-go only uses the json library in go-jose. The difference from the go standard library is https://github.com/go-jose/go-jose/tree/main/json#safe-json.
Not affected by the security vulnerabilities.
Anyway, I updated its version in #540.
|
ok so a quick summary, the indirect in the go mod would get cleaned up with a go mod tidy, the docs i found about the go toolchain suggest requiring a higher level of something a downstream packages uses will default to the higher version provided they are the same major version which they are. |
this resolves a CVE that popped up in one of our scans.
GHSA-v778-237x-gjrc
i was unable to run the tests to verify it had no impact.