[release/2.7 backport] remove github.com/dgrijalva/jwt-go #3465
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| github.com/Azure/azure-sdk-for-go 4650843026a7fdec254a8d9cf893693a254edd0b | ||
| github.com/Azure/go-autorest 10e0b31633f168ce1a329dcbdd0ab9842e533fb5 | ||
| github.com/sirupsen/logrus 3d4380f53a34dcdc95f0c1db702615992b38d9a4 | ||
| github.com/aws/aws-sdk-go f831d5a0822a1ad72420ab18c6269bca1ddaf490 | ||
| github.com/bshuster-repo/logrus-logstash-hook d2c0ecc1836d91814e15e23bb5dc309c3ef51f4a | ||
|
|
@@ -8,9 +8,9 @@ github.com/bugsnag/bugsnag-go b1d153021fcd90ca3f080db36bec96dc690fb274 | |
| github.com/bugsnag/osext 0dd3f918b21bec95ace9dc86c7e70266cfc5c702 | ||
| github.com/bugsnag/panicwrap e2c28503fcd0675329da73bf48b33404db873782 | ||
| github.com/denverdino/aliyungo afedced274aa9a7fcdd47ac97018f0f8db4e5de2 | ||
| github.com/docker/go-metrics 399ea8c73916000c64c2c76e8da00ca82f8387ab | ||
| github.com/docker/libtrust fa567046d9b14f6aa788882a950d69651d230b21 | ||
| github.com/form3tech-oss/jwt-go 9162a5abdbc046b7c8b03ee90052cee67e25caa7 | ||
|
There was a problem hiding this comment. This commit looks to be matching v3.2.2; form3tech-oss/jwt-go@9162a5a...v3.2.2, which is missing a security fix in v3.2.4; form3tech-oss/jwt-go@v3.2.2...v3.2.4 (see https://github.com/form3tech-oss/jwt-go/tree/v3.2.4) |
||
| github.com/garyburd/redigo 535138d7bcd717d6531c701ef5933d98b1866257 | ||
| github.com/go-ini/ini 2ba15ac2dc9cdf88c110ec2dc0ced7fa45f5678c | ||
| github.com/golang/protobuf 8d92cf5fc15a4382f8964b08e1f42a75c0591aa3 | ||
|
|
@@ -35,7 +35,7 @@ github.com/xenolf/lego a9d8cec0e6563575e5868a005359ac97911b5985 | |
| github.com/yvasiyarov/go-metrics 57bccd1ccd43f94bb17fdd8bf3007059b802f85e | ||
| github.com/yvasiyarov/gorelic a9bba5b9ab508a086f9a12b8c51fab68478e2128 | ||
| github.com/yvasiyarov/newrelic_platform_go b21fdbd4370f3717f3bbd2bf41c223bc273068e6 | ||
| golang.org/x/crypto 7f63de1d35b0f77fa2b9faea3e7deb402a2383c8 | ||
| golang.org/x/net 4876518f9e71663000c348837735820161a42df7 | ||
| golang.org/x/oauth2 045497edb6234273d67dbc25da3f2ddbc4c4cacf | ||
| golang.org/x/time a4bde12657593d5e90d0533a3e4fd95e635124cb | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see updating Azure/go-autorest brings a substantial number of code changes (for a patch release).
If the bug is in this library, could we instead update just this library to a version with the fix? I see maintains a fork with the fix (IIUC), and we can specify it with a custom location (the equivalent to
replaceingo.mod);That would only bring the diff of the jwt-go package;
form3tech-oss/jwt-go@a601269...v3.2.4
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
gave it a quick attempt; #3466
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not against using a replace if vndr can do that. Should we consider using the fork which the original repository now links to? https://github.com/golang-jwt/jwt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh! Arf... there's two forks now, and both being actively maintained? 😞
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated #3466 with a commit (allowing the differences between those forks to be reviewed)