Update golang-jwt/jwt/v4 version #904

Merged
merged 1 commit into from
Oct 29, 2021


@BamButz BamButz commented Oct 29, 2021

PR regarding #898

The subject of #898 seems to be already accomplished.
In this PR, I've upgraded github.com/golang-jwt/jwt/v4 to version 4.1.0 to be fully up-to-date on this.

closes #898

@seokho-son
Member

Hello @BamButz ~! Thank you for the contribution. Welcome to the CB-Tumblebug project :)

You are right. The guide in issue #898 is not appropriate :)
CB-Tumblebug's go.mod already uses github.com/golang-jwt/jwt/v4

The problem (github.com/dgrijalva/jwt-go) comes from the go.sum file, not from go.mod.

Other external packages that CB-Tumblebug utilizes include github.com/dgrijalva/jwt-go, as follows.


son@son:~/go/src/github.com/cloud-barista/cb-tumblebug$ go mod graph | grep github.com/dgrijalva/jwt-go

github.com/labstack/echo/v4@v4.2.1 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1 golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543
github.com/labstack/echo/v4@v4.0.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.8.3 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/go-kit/kit@v0.10.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/influxdata/influxdb@v1.8.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/labstack/echo/v4@v4.1.11 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.8.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.8.1 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
go.etcd.io/etcd@v0.0.0-20191023171146-3cf2f69b5738 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.5.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/influxdata/influxdb@v1.9.2 github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1
github.com/Azure/go-autorest/autorest/adal@v0.8.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/labstack/echo/v4@v4.3.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/cloud-barista/cb-spider@v0.4.5 github.com/dgrijalva/jwt-go@v3.2.0+incompatible

We need to use updated versions of those packages to fully resolve #898

Anyway! This PR is acceptable and meaningful (fully up-to-date version).
So, LGTM !
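
Added example, not part of the PR conversation or the project's code: a small Go helper that reads `go mod graph` output and groups, per dependency, the versions that still require `github.com/dgrijalva/jwt-go`, which is the list of packages the comment above says need updating. The function name `Requirers` and the embedded sample (a subset of the edges quoted above plus one constructed root edge) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample input: five edges copied from the output quoted above,
// plus one illustrative root edge (the main module carries no @version).
const sampleGraph = `github.com/cloud-barista/cb-tumblebug github.com/golang-jwt/jwt/v4@v4.1.0
github.com/labstack/echo/v4@v4.2.1 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1 golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543
github.com/labstack/echo/v4@v4.0.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/influxdata/influxdb@v1.9.2 github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1
github.com/cloud-barista/cb-spider@v0.4.5 github.com/dgrijalva/jwt-go@v3.2.0+incompatible`

// Requirers (hypothetical helper) maps each module path that requires target,
// or a /vN major version of it, to the sorted versions of that module doing so.
func Requirers(graph, target string) map[string][]string {
	out := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line) // each edge is "requirer@ver requirement@ver"
		if len(f) != 2 {
			continue
		}
		dep := strings.SplitN(f[1], "@", 2)[0]
		if dep != target && !strings.HasPrefix(dep, target+"/") {
			continue // requirement is some other module
		}
		req := strings.SplitN(f[0], "@", 2)
		ver := "(main module)" // the root module appears without a version
		if len(req) == 2 {
			ver = req[1]
		}
		out[req[0]] = append(out[req[0]], ver)
	}
	for p := range out {
		sort.Strings(out[p]) // lexicographic order, sufficient for a report
	}
	return out
}

func main() {
	for p, vers := range Requirers(sampleGraph, "github.com/dgrijalva/jwt-go") {
		fmt.Printf("%s: %s\n", p, strings.Join(vers, ", "))
	}
}
```

`go mod graph` lists every version present in the requirement graph, so compare the result with `go list -m all` to see which of these versions the build actually selects.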

@seokho-son
Member

/lgtm

@github-actions github-actions bot added the lgtm This PR is acceptable by at least one reviewer label Oct 29, 2021
@seokho-son seokho-son merged commit 54f75b4 into cloud-barista:main Oct 29, 2021
@seokho-son seokho-son changed the title Replace dgrijalva/jwt-go to golang-jwt/jwt/v4 to fix CVE-2020-26160 Update golang-jwt/jwt/v4 version Oct 29, 2021
@seokho-son
Member

@all-contributors please add @BamButz for code

@allcontributors
Contributor

@seokho-son

I've put up a pull request to add @BamButz! 🎉

@seokho-son seokho-son added the hacktoberfest-accepted hacktoberfest-accepted label Oct 29, 2021
@seokho-son
Member

@BamButz I added you to the contributor list of the CB-Tumblebug project :)
https://github.com/cloud-barista/cb-tumblebug#contributors-

@seokho-son
Member

Also, please feel free to open an issue regarding the package security issue.


Successfully merging this pull request may close these issues.

Update go.mod to fix CVE-2020-26160 regarding dgrijalva/jwt-go