Security issue with lego dependency for JWT

[jauderho]

Welcome

• Yes, I'm using a binary release within 2 latest releases.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).

What did you expect to see?

Snyk has identified an issue with github.com/dgrijalva/jwt-go which lego depends on. This has been an identified issue for a while.

What did you see instead?

See https://app.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

Fix is to update to a newer version

How do you use lego?

Binary

Reproduction steps

1. Create Snyk account
2. Attach Snyk to scan lego code or binary
3. See warning

Version of lego

lego version 4.4.0 linux/amd64

Logs

lego version 4.4.0 linux/amd64

Go environment (if applicable)

$ go version && go env
# paste output here

[ldez]

Hello,

This dependency is only used by the azure provider.

$ go mod why github.com/dgrijalva/jwt-go
# github.com/dgrijalva/jwt-go
github.com/go-acme/lego/v4/providers/dns/azure
github.com/Azure/go-autorest/autorest
github.com/Azure/go-autorest/autorest/adal
github.com/dgrijalva/jwt-go

[jauderho]

Thanks. Please consider a v4.4.1 point release once fix is merged

[ldez]

the next version will be v4.5.0, and this bug is a minor bug from the point of view of lego.