build(deps): bump github.com/golang-jwt/jwt from 3.2.1+incompatible to 3.2.2+incompatible #54

Merged
dependabot[bot] merged 1 commit from dependabot/go_modules/github.com/golang-jwt/jwt-3.2.2incompatible into master 2021-08-03 00:27:36 +03:00
dependabot[bot] commented 2021-08-02 09:12:38 +03:00 (Migrated from github.com)

Bumps github.com/golang-jwt/jwt from 3.2.1+incompatible to 3.2.2+incompatible.

Release notes

Sourced from github.com/golang-jwt/jwt's releases.

v3.2.2

  • Starting from this release, we are adopting the policy to support the 2 most recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 (#28).
  • Fixed a potential issue that could occur when the presence of exp, iat or nbf was not required for verification and contained invalid contents, i.e. non-numeric/date. Thanks to @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork (#40).
  • Added support for EdDSA / ED25519 (#36).
  • Optimized allocations (#33).
Changelog

Sourced from github.com/golang-jwt/jwt's changelog.

jwt-go Version History

3.2.2

  • Starting from this release, we are adopting the policy to support the 2 most recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 (#28).
  • Fixed a potential issue that could occur when the verification of exp, iat or nbf was not required and contained invalid contents, i.e. non-numeric/date. Thanks to @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork (#40).
  • Added support for EdDSA / ED25519 (#36).
  • Optimized allocations (#33).

3.2.1

  • Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code
    • Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
  • Fixed type confusion issue between string and []string in VerifyAudience (#12). This fixes CVE-2020-26160

3.2.0

  • Added method ParseUnverified to allow users to split up the tasks of parsing and validation
  • HMAC signing method returns ErrInvalidKeyType instead of ErrInvalidKey where appropriate
  • Added options to request.ParseFromRequest, which allows for an arbitrary list of modifiers to parsing behavior. The initial set includes WithClaims and WithParser. Existing usage of this function will continue to work as before.
  • Deprecated ParseFromRequestWithClaims to simplify API in the future.

3.1.0

  • Improvements to jwt command line tool
  • Added SkipClaimsValidation option to Parser
  • Documentation updates

3.0.0

  • Compatibility Breaking Changes: See MIGRATION_GUIDE.md for tips on updating your code
    • Dropped support for []byte keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
    • ParseFromRequest has been moved to request subpackage and usage has changed
    • The Claims property on Token is now type Claims instead of map[string]interface{}. The default value is type MapClaims, which is an alias to map[string]interface{}. This makes it possible to use a custom type when decoding claims.
  • Other Additions and Changes
    • Added Claims interface type to allow users to decode the claims into a custom type
    • Added ParseWithClaims, which takes a third argument of type Claims. Use this function instead of Parse if you have a custom type you'd like to decode into.
    • Dramatically improved the functionality and flexibility of ParseFromRequest, which is now in the request subpackage
    • Added ParseFromRequestWithClaims which is the FromRequest equivalent of ParseWithClaims
    • Added new interface type Extractor, which is used for extracting JWT strings from http requests. Used with ParseFromRequest and ParseFromRequestWithClaims.
    • Added several new, more specific validation errors to the error type bitmask
    • Moved examples from README to executable example files
    • Signing method registry is now thread safe
    • Added new property to ValidationError, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)

2.7.0

This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.

  • Added new option -show to the jwt command that will just output the decoded token without verifying

... (truncated)

Commits

  • 4bbdd8a Prepare release 3.2.2 (#42)
  • 8e9d9eb Fix security vulnerability (#40)
  • 3248367 add ed25519 support (#36)
  • 860640e Allocation optimization (#33)
  • 3008b2b remove support for Go <= 1.14 (#28)
  • See full diff in compare view (https://github.com/golang-jwt/jwt/compare/v3.2.1...v3.2.2)

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
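The 3.2.2 entry above (#40) says that an exp, iat or nbf claim with non-numeric contents could slip through when that claim was not required. The Go program below is added here as an illustration, not code from github.com/golang-jwt/jwt: using only the standard library, it models the described failure mode for exp (the hardened=false branch) next to the hardened check a verifier needs, so that "not required" excuses only an absent claim, never a malformed one. MapClaims, DecodeClaims, expSeconds and VerifyExp are constructed names, and the lenient branch is a model of the behaviour the changelog describes, not the library's own implementation.

```go
package main

import (
	"encoding/json"
	"errors"
)

// MapClaims stands in for a decoded JWT payload (added illustration, stdlib only).
type MapClaims map[string]interface{}
var (
	ErrExpired = errors.New("token is expired")
	ErrNoExp   = errors.New("exp is required but absent")
	ErrBadExp  = errors.New("exp is present but not numeric")
)

// DecodeClaims parses a JWT payload; encoding/json yields float64 for numbers.
func DecodeClaims(payload string) (MapClaims, error) {
	var c MapClaims
	err := json.Unmarshal([]byte(payload), &c)
	return c, err
}

// expSeconds separates absent (present=false), numeric, and malformed (ErrBadExp).
func expSeconds(c MapClaims) (int64, bool, error) {
	v, present := c["exp"]
	if !present {
		return 0, false, nil
	}
	f, isNum := v.(float64) // a string such as "2021-08-03" or a bool lands here
	if !isNum {
		return 0, true, ErrBadExp
	}
	return int64(f), true, nil
}

// VerifyExp checks exp against now (Unix seconds). hardened=false models the pre-3.2.2
// flaw from changelog entry #40: an optional but malformed exp is treated as absent.
func VerifyExp(c MapClaims, now int64, required, hardened bool) error {
	exp, present, err := expSeconds(c)
	switch {
	case err != nil && hardened:
		return err // a malformed exp is rejected even when exp is optional
	case err != nil || !present: // lenient path: malformed collapses into "absent"
		if required {
			return ErrNoExp
		}
		return nil
	case now >= exp:
		return ErrExpired
	}
	return nil
}
```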