chore(deps): Bump github.com/lestrrat-go/jwx from 1.2.20 to 1.2.25 (#359

)

Bumps github.com/lestrrat-go/jwx from 1.2.20 to 1.2.25.

Release notes
Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.25
v1.2.25 23 May 2022
[Bug Fixes][Security]
  * [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
    where the unpad operation might remove more bytes than necessary ([#744](lestrrat-go/jwx#744))
    This affects all jwx code that is available before v2.0.2 and v1.2.25.

v1.2.24
v1.2.24 05 May 2022
[Security]
  * Upgrade golang.org/x/crypto ([#724](lestrrat-go/jwx#724))

v1.2.23
v1.2.23 13 Apr 2022
[Bug fixes]
  * [jwk] jwk.AutoRefresh had a race condition when `Configure()` was
    called concurrently ([#686](lestrrat-go/jwx#686))
    (It has been patched correctly, but we may come back to revisit
     the design choices in the near future)

v1.2.22
v1.2.22 08 Apr 2022
[Bug fixes]
  * [jws] jws.Verify was ignoring the `b64` header when it was present
    in the protected headers ([#681](lestrrat-go/jwx#681)). Now the following should work:
  jws.Sign(..., jws.WithDetachedPayload(payload))
  // previously payload had to be base64 encoded
  jws.Verify(..., jws.WithDetachedPayload(payload))
(note: v2 branch was not affected)


v1.2.21
v1.2.21 30 Mar 2022
[Bug fixes]
  * [jwk] RSA keys without p and q can now be parsed.




Changelog
Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.25 23 May 2022
[Bug Fixes][Security]

[jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
where the unpad operation might remove more bytes than necessary (#744)
This affects all jwx code that is available before v2.0.2 and v1.2.25.

v1.2.24 05 May 2022
[Security]

Upgrade golang.org/x/crypto (#724)

v1.2.23 13 Apr 2022
[Bug fixes]

[jwk] jwk.AutoRefresh had a race condition when Configure() was
called concurrently (#686)
(It has been patched correctly, but we may come back to revisit
the design choices in the near future)

v1.2.22 08 Apr 2022
[Bug fixes]


[jws] jws.Verify was ignoring the b64 header when it was present
in the protected headers (#681). Now the following should work:
jws.Sign(..., jws.WithDetachedPayload(payload))
// previously payload had to be base64 encoded
jws.Verify(..., jws.WithDetachedPayload(payload))
(note: v2 branch was not affected)


v1.2.21 30 Mar 2022
[Bug fixes]

[jwk] RSA keys without p and q can now be parsed.




Commits

ad8c29d merge develop/v1 (#747)
e38f677 Merge develop/v1 (#727)
baba561 Merge branch 'develop/v1' into v1
8ff6c75 Update Changes
ea97e8c Fix race in jwk.AutoRefresh (#686)
f4701e1 Update Changes
e831228 Fix jws.Verify not respecting the b64 header in the protected headers (#683)
b66a2cb backport: Update golangci lint (#679) (#680)
4899c32 reword error
dd9e4c4 Bump github.com/lestrrat-go/httpcc from 1.0.0 to 1.0.1 (#675)
Additional commits viewable in compare view




Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ankur Banerjee <[email protected]>

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0
-	github.com/lestrrat-go/jwx v1.2.20
+	github.com/lestrrat-go/jwx v1.2.25
 	github.com/multiformats/go-multibase v0.0.3
 	github.com/rakyll/statik v0.1.7
 	github.com/spf13/cast v1.5.0
@@ -62,7 +62,7 @@ require (
 	github.com/go-kit/log v0.2.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/goccy/go-json v0.9.4 // indirect
+	github.com/goccy/go-json v0.9.7 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/gogo/gateway v1.1.0 // indirect
 	github.com/golang/snappy v0.0.3 // indirect
@@ -86,7 +86,7 @@ require (
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
-	github.com/lestrrat-go/httpcc v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/iter v1.0.1 // indirect
 	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/lib/pq v1.10.4 // indirect
@@ -126,7 +126,7 @@ require (
 	github.com/tendermint/go-amino v0.16.0 // indirect
 	github.com/zondax/hid v0.9.0 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
+	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
 	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
 	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect