chore: Update module github.com/MicahParks/jwkset to v0.6.0 [SECURITY] #1853
Annotations
2 errors and 1 warning
Run release-drafter/release-drafter@v6
Validation Failed: {"resource":"Release","code":"invalid","field":"target_commitish"}
{
name: 'HttpError',
id: '12805681743',
status: 422,
response: {
url: 'https://api.github.com/repos/nobl9/nobl9-go/releases/193655946',
status: 422,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-length': '210',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Thu, 16 Jan 2025 09:16:16 GMT',
'github-authentication-token-expiration': '2026-01-14 12:00:10 +0100',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'github.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-accepted-github-permissions': 'contents=write',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': 'CFC9:1250:41E497B:42FE41F:6788CE60',
'x-ratelimit-limit': '5000',
'x-ratelimit-remaining': '4967',
'x-ratelimit-reset': '1737022038',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '33',
'x-xss-protection': '0'
},
data: {
message: 'Validation Failed',
errors: [
{
resource: 'Release',
code: 'invalid',
field: 'target_commitish'
}
],
documentation_url: 'https://docs.github.com/rest/releases/releases#update-a-release',
status: '422'
}
},
request: {
method: 'PATCH',
url: 'https://api.github.com/repos/nobl9/nobl9-go/releases/193655946',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'probot/12.2.5 octokit-core.js/3.5.1 Node.js/20.18.0 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: `{"body":"# What's Changed\\n\\n## 🚀 Features\\n\\n- fix: PC-9592 Validate opsgenie and slack URLs at submission (#623) @piotrkwarcinski\\n- feat: Support Website metrics in LogicMonitor [PC-14860] (#593) @dawidwisn\\n- feat: PC-15221 Add EndTime to replay (#615) @marcinlawnik\\n\\n## 💻 Fixed Vulnerabilities\\n\\n- chore: Update module github.com/MicahParks/jwkset to v0.6.0 [SECURITY] (#621) @renovate\\n\\n## 🐞 Bug Fixes\\n\\n- fix: PC-9592 Validate opsgenie and slack URLs at submission (#623) @piotrkwarcinski\\n\\n## 🧰 Maintenance\\n\\n- chore: Update module github.com/MicahParks/jwkset to v0.6.0 [SECURITY] (#621) @renovate\\n- chore: Correct Go code docs - fix links (#618) @nieomylnieja\\n","draft":true,"prerelease":false,"make_latest":"true","name":"v0.93.0","tag_name":"v0.93.0","target_commitish":"refs/pull/622/merge"}`,
request: {}
},
event: {
id: '12805681743',
name: 'pull_request',
payload: {
action: 'edited',
changes: {
body: {
from: 'This PR contains the following updates:\n' +
'\n' +
'| Package | Change | Age | Adoption | Passing | Confidence |\n' +
'|---|---|---|---|---|---|\n' +
'| [github.com/MicahParks/jwkset](https://redirect.github.com/MicahParks/jwkset) | `v0.5.20` -> `v0.6.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fMicahParks%2fjwkset/v0.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fMicahParks%2fjwkset/v0.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibi
|
Run release-drafter/release-drafter@v6
HttpError: Validation Failed: {"resource":"Release","code":"invalid","field":"target_commitish"}
at /home/runner/work/_actions/release-drafter/release-drafter/v6/dist/index.js:8462:21
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Job.doExecute (/home/runner/work/_actions/release-drafter/release-drafter/v6/dist/index.js:30793:18)
{
name: 'AggregateError',
event: {
id: '12805681743',
name: 'pull_request',
payload: {
action: 'edited',
changes: {
body: {
from: 'This PR contains the following updates:\n' +
'\n' +
'| Package | Change | Age | Adoption | Passing | Confidence |\n' +
'|---|---|---|---|---|---|\n' +
'| [github.com/MicahParks/jwkset](https://redirect.github.com/MicahParks/jwkset) | `v0.5.20` -> `v0.6.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fMicahParks%2fjwkset/v0.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fMicahParks%2fjwkset/v0.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fMicahParks%2fjwkset/v0.5.20/v0.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fMicahParks%2fjwkset/v0.5.20/v0.6.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |\n' +
'\n' +
'### GitHub Vulnerability Alerts\n' +
'\n' +
'#### [CVE-2025-22149](https://redirect.github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82)\n' +
'\n' +
'### Impact\n' +
"The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.\n" +
'\n' +
'Example attack scenario:\n' +
'1. An attacker has stolen the private key for a key published in JWK Set.\n' +
'2. The publishers of that JWK Set remove that key from the JWK Set.\n' +
'3. Enough time has passed that the program using the auto-caching HTTP client found in `github.com/MicahParks/jwkset` v0.5.0-v0.5.21 has elapsed its `HTTPClientStorageOptions.RefreshInterval` duration, causing a refresh of the remote JWK Set.\n' +
'4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.\n' +
'\n' +
'### Patches\n' +
'The affected auto-caching HTTP client was added in version `v0.5.0` and fixed in `v0.6.0`. Upgrade to `v0.6.0` or later.\n' +
'\n' +
'### Workarounds\n' +
'The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the `HTTPClientStorageOptions.RefreshInterval` to zero (or not specifying the value). Upgrade to `v0.6.0` is advised.\n' +
'\n' +
'### References\n' +
'Please see the tracking issue on GitHub for additional details: [https://github.com/MicahParks/jwkset/issues/40](https://redirect.github.com/MicahParks/jwkset/issues/40)\n' +
'\n' +
'---\n' +
'\n' +
'### Release Notes\n' +
'\n' +
'<details>\n' +
'<summary>MicahParks/jwkset (github.com/MicahParks/jwkset)</summary>\n' +
'\n' +
'### [`v0.6.0`](https://redirect.github.com/MicahParks/jwkset/releases/tag/v0.6.0)\n' +
'\n' +
'[Compare Source](https://redirect.github.com/MicahParks/jwkset/compare/v0.5.21...v0.6.0)\n' +
'\n' +
|
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636