René's URL Explorer Experiment


Title: Bump the go_modules group across 1 directory with 3 updates by dependabot[bot] · Pull Request #21078 · github/codeql · GitHub

Description: Bumps the go_modules group with 2 updates in the /go/ql/test/experimental/CWE-321-V2 directory: github.com/go-jose/go-jose/v3 and github.com/golang-jwt/jwt/v5.

Updates github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.4

Release notes
Sourced from github.com/go-jose/go-jose/v3's releases.

v3.0.4
What's Changed
- Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 go-jose/go-jose#174
Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

Version 3.0.3
Fixed
- Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2
Fixed
- DecryptMulti: handle decompression error (#19)
Changed
- jwe/CompactSerialize: improve performance (#67)
- Increase the default number of PBKDF2 iterations to 600k (#48)
- Return the proper algorithm for ECDSA keys (#45)
- Update golang.org/x/crypto to v0.19 (#94)
Added
- Add Thumbprint support for opaque signers (#38)

Version 3.0.1
Fixed
- Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

Commits
- 5253038 Backport fix 167 to v3 (#174)
- 047dc99 CI: Update github actions and go version (#173)
- 0f017e9 Revert #26 (ignore unsupported JWKs in Sets) (#131)
- 3e2bbef Unmarshal jwk keys with unsupported key type or algorithm into empty … (#26)
- add6a28 v3: backport decompression limit fix (#107)
- 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
- 863f73b v3.0.2: Update changelog (#95)
- bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
- 25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
- aa386df jwe/CompactSerialize: improve performance. (#67)
- Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v5 from 5.0.0 to 5.2.2

Release notes
Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.2.2
What's Changed
- Fixed GHSA-mh63-6h87-95cp by @mfridman
- Fixed some typos by @Ashikpaul in golang-jwt/jwt#382
- build: add go1.22 to ci workflows by @mfridman in golang-jwt/jwt#383
- Bump golangci/golangci-lint-action from 4 to 5 by @dependabot in golang-jwt/jwt#387
- Bump golangci/golangci-lint-action from 5 to 6 by @dependabot in golang-jwt/jwt#389
- chore: bump ci tests to include go1.23 by @mfridman in golang-jwt/jwt#405
- Fix jwt -show by @AlexanderYastrebov in golang-jwt/jwt#406
- docs: typo by @kvii in golang-jwt/jwt#407
- Update SECURITY.md by @oxisto in golang-jwt/jwt#416
- Update jwt.Parse example to use jwt.WithValidMethods by @mattt in golang-jwt/jwt#425
New Contributors
- @Ashikpaul made their first contribution in golang-jwt/jwt#382
- @kvii made their first contribution in golang-jwt/jwt#407
- @mattt made their first contribution in golang-jwt/jwt#425
Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

v5.2.1
What's Changed
- chore: remove unnecessary conversions from tests by @estensen in golang-jwt/jwt#370
- Trivial: Typo fix for ECDSA error message by @tjs-cinemo in golang-jwt/jwt#373
- Fix incorrect error return by @ss49919201 in golang-jwt/jwt#371
New Contributors
- @tjs-cinemo made their first contribution in golang-jwt/jwt#373
- @ss49919201 made their first contribution in golang-jwt/jwt#371
Full Changelog: golang-jwt/jwt@v5.2.0...v5.2.1

v5.2.0
What's Changed
- Exported NewValidator by @oxisto in golang-jwt/jwt#349
- Improve ErrInvalidKeyType error messages by @Laurin-Notemann in golang-jwt/jwt#361
- Update MIGRATION_GUIDE.md by @jbarham in golang-jwt/jwt#363
New Contributors
- @Laurin-Notemann made their first contribution in golang-jwt/jwt#361
- @jbarham made their first contribution in golang-jwt/jwt#363
Full Changelog: golang-jwt/jwt@v5.1.0...v5.2.0

v5.1.0
What's Changed
- Using jwt's native ErrInvalidType instead of json.UnsupportedTypeError by @oxisto in golang-jwt/jwt#316
- Fix typos in comments and test names by @alexandear in golang-jwt/jwt#317
- Format: add whitespaces, remove empty lines by @alexandear in golang-jwt/jwt#319
- Refactor example: use io.ReadAll instead of io.Copy by @alexandear in golang-jwt/jwt#320
... (truncated)

Commits
- 0951d18 Merge commit from fork
- c035977 Update Parse example to use WithValidMethods (#425)
- bc8bdca Update SECURITY.md (#416)
- 5ec246c docs: typo (#407)
- 0123f1a Fix jwt -show (#406)
- f961c72 chore: bump ci tests to include go1.23 (#405)
- 62e504c Bump golangci/golangci-lint-action from 5 to 6 (#389)
- 1a56dcf Bump golangci/golangci-lint-action from 4 to 5 (#387)
- c8043ea build: add go1.22 to ci workflows (#383)
- 7c3f6dc Update README.md (#382)
- Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.12.0 to 0.19.0

Commits
- 405cb3b go.mod: update golang.org/x dependencies
- 913d3ae x509roots/fallback: update bundle
- dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
- 403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
- 055043d go.mod: update golang.org/x dependencies
- 08396bb internal/poly1305: drop Go 1.12 compatibility
- 9d2ee97 ssh: implement strict KEX protocol changes
- 4e5a261 ssh: close net.Conn on all NewServerConn errors
- 152cdb1 x509roots/fallback: update bundle
- fdfe1f8 ssh: defer channel window adjustment
- Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- @dependabot ignore minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- @dependabot ignore will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- @dependabot unignore will remove all of the ignore conditions of the specified dependency
- @dependabot unignore will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Opengraph URL: https://github.com/github/codeql/pull/21078

Links:

dependabothttps://patch-diff.githubusercontent.com/apps/dependabot
mainhttps://patch-diff.githubusercontent.com/github/codeql/tree/main
dependabot/go_modules/go/ql/test/experimental/CWE-321-V2/go_modules-2f167fc27bhttps://patch-diff.githubusercontent.com/github/codeql/tree/dependabot/go_modules/go/ql/test/experimental/CWE-321-V2/go_modules-2f167fc27b
Conversation 0 https://patch-diff.githubusercontent.com/github/codeql/pull/21078
Commits 1 https://patch-diff.githubusercontent.com/github/codeql/pull/21078/commits
Checks 11 https://patch-diff.githubusercontent.com/github/codeql/pull/21078/checks
Files changed https://patch-diff.githubusercontent.com/github/codeql/pull/21078/files
Ruby: Run RTJO Language Tests on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879680
qltest-rtjo https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879680/job/58837479136?pr=21078
Go: Run Tests on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879715
Test Linux (Ubuntu) https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879715/job/58837479034?pr=21078
Ruby: Run RTJO Language Tests on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879722
qltest-rtjo https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879722/job/58837479061?pr=21078
Check overlay annotations on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879733
sync https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879733/job/58837479030?pr=21078
Ruby: Run RTJO Language Tests on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879732
qltest-rtjo https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879732/job/58837479082?pr=21078
Check synchronized files on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879735
sync https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879735/job/58837479027?pr=21078
Run QL for QL on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879738
analyze https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879738/job/58837479075?pr=21078
Pull Request Labeler on: pull_request_target https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879742
triage https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879742/job/58837479066?pr=21078
Ruby: Run RTJO Language Tests on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879773
qltest-rtjo https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879773/job/58837479219?pr=21078
Ruby: Run RTJO Language Tests on: pull_request https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879851
qltest-rtjo https://patch-diff.githubusercontent.com/github/codeql/actions/runs/20474879851/job/58837479526?pr=21078
CodeQL https://patch-diff.githubusercontent.com/github/codeql/pull/21078/checks?check_run_id=58837623717