Title: Bump the go_modules group across 1 directory with 3 updates by dependabot[bot] · Pull Request #21078 · github/codeql · GitHub
Description: Bumps the go_modules group with 2 updates in the /go/ql/test/experimental/CWE-321-V2 directory: github.com/go-jose/go-jose/v3 and github.com/golang-jwt/jwt/v5.
Updates github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.4
Release notes
Sourced from github.com/go-jose/go-jose/v3's releases.
v3.0.4
What's Changed
Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144
go-jose/go-jose#174
Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4
Version 3.0.3
Fixed
Limit decompression output size to prevent a DoS. Backport from v4.0.1.
Version 3.0.2
Fixed
DecryptMulti: handle decompression error (#19)
Changed
jwe/CompactSerialize: improve performance (#67)
Increase the default number of PBKDF2 iterations to 600k (#48)
Return the proper algorithm for ECDSA keys (#45)
Update golang.org/x/crypto to v0.19 (#94)
Added
Add Thumbprint support for opaque signers (#38)
Version 3.0.1
Fixed
Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.
Commits
5253038 Backport fix 167 to v3 (#174)
047dc99 CI: Update github actions and go version (#173)
0f017e9 Revert #26 (ignore unsupported JWKs in Sets) (#131)
3e2bbef Unmarshal jwk keys with unsupported key type or algorithm into empty … (#26)
add6a28 v3: backport decompression limit fix (#107)
11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
863f73b v3.0.2: Update changelog (#95)
bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
aa386df jwe/CompactSerialize: improve performance. (#67)
Additional commits viewable in compare view
Updates github.com/golang-jwt/jwt/v5 from 5.0.0 to 5.2.2
Release notes
Sourced from github.com/golang-jwt/jwt/v5's releases.
v5.2.2
What's Changed
Fixed GHSA-mh63-6h87-95cp by @mfridman
Fixed some typos by @Ashikpaul in golang-jwt/jwt#382
build: add go1.22 to ci workflows by @mfridman in golang-jwt/jwt#383
Bump golangci/golangci-lint-action from 4 to 5 by @dependabot in golang-jwt/jwt#387
Bump golangci/golangci-lint-action from 5 to 6 by @dependabot in golang-jwt/jwt#389
chore: bump ci tests to include go1.23 by @mfridman in golang-jwt/jwt#405
Fix jwt -show by @AlexanderYastrebov in golang-jwt/jwt#406
docs: typo by @kvii in golang-jwt/jwt#407
Update SECURITY.md by @oxisto in golang-jwt/jwt#416
Update jwt.Parse example to use jwt.WithValidMethods by @mattt in golang-jwt/jwt#425
New Contributors
@Ashikpaul made their first contribution in golang-jwt/jwt#382
@kvii made their first contribution in golang-jwt/jwt#407
@mattt made their first contribution in golang-jwt/jwt#425
Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2
v5.2.1
What's Changed
chore: remove unnecessary conversions from tests by @estensen in golang-jwt/jwt#370
Trivial: Typo fix for ECDSA error message by @tjs-cinemo in golang-jwt/jwt#373
Fix incorrect error return by @ss49919201 in golang-jwt/jwt#371
New Contributors
@tjs-cinemo made their first contribution in golang-jwt/jwt#373
@ss49919201 made their first contribution in golang-jwt/jwt#371
Full Changelog: golang-jwt/jwt@v5.2.0...v5.2.1
v5.2.0
What's Changed
Exported NewValidator by @oxisto in golang-jwt/jwt#349
Improve ErrInvalidKeyType error messages by @Laurin-Notemann in golang-jwt/jwt#361
Update MIGRATION_GUIDE.md by @jbarham in golang-jwt/jwt#363
New Contributors
@Laurin-Notemann made their first contribution in golang-jwt/jwt#361
@jbarham made their first contribution in golang-jwt/jwt#363
Full Changelog: golang-jwt/jwt@v5.1.0...v5.2.0
v5.1.0
What's Changed
Using jwt's native ErrInvalidType instead of json.UnsupportedTypeError by @oxisto in golang-jwt/jwt#316
Fix typos in comments and test names by @alexandear in golang-jwt/jwt#317
Format: add whitespaces, remove empty lines by @alexandear in golang-jwt/jwt#319
Refactor example: use io.ReadAll instead of io.Copy by @alexandear in golang-jwt/jwt#320
... (truncated)
Commits
0951d18 Merge commit from fork
c035977 Update Parse example to use WithValidMethods (#425)
bc8bdca Update SECURITY.md (#416)
5ec246c docs: typo (#407)
0123f1a Fix jwt -show (#406)
f961c72 chore: bump ci tests to include go1.23 (#405)
62e504c Bump golangci/golangci-lint-action from 5 to 6 (#389)
1a56dcf Bump golangci/golangci-lint-action from 4 to 5 (#387)
c8043ea build: add go1.22 to ci workflows (#383)
7c3f6dc Update README.md (#382)
Additional commits viewable in compare view
Updates golang.org/x/crypto from 0.12.0 to 0.19.0
Commits
405cb3b go.mod: update golang.org/x dependencies
913d3ae x509roots/fallback: update bundle
dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
055043d go.mod: update golang.org/x dependencies
08396bb internal/poly1305: drop Go 1.12 compatibility
9d2ee97 ssh: implement strict KEX protocol changes
4e5a261 ssh: close net.Conn on all NewServerConn errors
152cdb1 x509roots/fallback: update bundle
fdfe1f8 ssh: defer channel window adjustment
Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show
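The release notes above describe two denial-of-service classes that go-jose backported fixes for: an attacker-chosen PBKDF2 iteration count ("p2c") that burns CPU in Decrypt/DecryptMulti, and unbounded decompression of a "zip" payload. The library update is the actual fix; the following is an added example (not code from go-jose, golang-jwt, or the CodeQL repository) showing the application-level checks a service can apply to a compact JWE before handing it to any library: decode only the protected header, enforce an algorithm allowlist, cap p2c, and inflate DEFLATE data through a size limit. The limits (MaxP2C, MaxDecompressedSize), the allowlist, and the makeHeader/Deflate helpers are assumptions constructed for this example; the 600k figure matches the default iteration count mentioned in the v3.0.2 notes.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Policy limits assumed for this example (not go-jose defaults); tune per deployment.
const (
	MaxP2C              = 1_000_000 // upper bound on PBKDF2 iterations a peer may request
	MaxDecompressedSize = 1 << 20   // 1 MiB cap on inflated plaintext
)

// AllowedAlgs is an assumed allowlist of key-management algorithms this service uses.
var AllowedAlgs = map[string]bool{"PBES2-HS256+A128KW": true, "dir": true}

// protectedHeader carries the JWE header fields the policy checks look at.
type protectedHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Zip string `json:"zip,omitempty"`
	P2C int64  `json:"p2c,omitempty"`
}

// CheckCompactHeader parses only the first '.'-separated segment of a compact
// JWE and applies policy before any key derivation or decryption happens.
func CheckCompactHeader(token string) (*protectedHeader, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) < 2 || parts[0] == "" {
		return nil, errors.New("not a compact serialization")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	var h protectedHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	if !AllowedAlgs[h.Alg] {
		return nil, fmt.Errorf("alg %q not in allowlist", h.Alg)
	}
	// Only PBES2 algorithms use p2c; reject absent, zero, or oversized counts.
	if strings.HasPrefix(h.Alg, "PBES2") && (h.P2C < 1 || h.P2C > MaxP2C) {
		return nil, fmt.Errorf("p2c %d outside [1, %d]", h.P2C, MaxP2C)
	}
	if h.Zip != "" && h.Zip != "DEF" {
		return nil, fmt.Errorf("unsupported zip %q", h.Zip)
	}
	return &h, nil
}

// InflateBounded decompresses DEFLATE data but reads at most MaxDecompressedSize+1
// bytes, so a tiny ciphertext cannot expand into an unbounded allocation.
func InflateBounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, MaxDecompressedSize+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > MaxDecompressedSize {
		return nil, errors.New("decompressed payload exceeds limit")
	}
	return out, nil
}

// makeHeader builds a compact-style token from a header; the remaining
// segments are constructed placeholders, not real ciphertext.
func makeHeader(h protectedHeader) string {
	b, _ := json.Marshal(h)
	return base64.RawURLEncoding.EncodeToString(b) + ".ek.iv.ct.tag"
}

// Deflate compresses b with raw DEFLATE (what JWE "zip":"DEF" carries).
func Deflate(b []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(b)
	w.Close()
	return buf.Bytes()
}

func main() {
	ok := makeHeader(protectedHeader{Alg: "PBES2-HS256+A128KW", Enc: "A128CBC-HS256", P2C: 600_000})
	bad := makeHeader(protectedHeader{Alg: "PBES2-HS256+A128KW", Enc: "A128CBC-HS256", P2C: 2_000_000_000})
	for _, tok := range []string{ok, bad} {
		if h, err := CheckCompactHeader(tok); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("accepted: alg=%s p2c=%d\n", h.Alg, h.P2C)
		}
	}
	// A few KB of compressed 'A's would inflate to 4 MiB; the bound stops it.
	if _, err := InflateBounded(Deflate(bytes.Repeat([]byte("A"), 4<<20))); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The header check is deliberately cheap: it does no cryptography, so it can run on every request at the edge without becoming a DoS vector itself. It complements rather than replaces the upstream limits that this PR pulls in.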
Opengraph URL: https://github.com/github/codeql/pull/21078