Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of [NET-6617] security: Bump github.com/golang-jwt/jwt/v4 to 4.5.0 into release/1.17.x #19741

Merged
merged 1 commit into from
Nov 27, 2023
Merged

Backport of [NET-6617] security: Bump github.com/golang-jwt/jwt/v4 to 4.5.0 into release/1.17.x #19741

merged 1 commit into from
Nov 27, 2023

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #19705 to be assessed for backporting due to the inclusion of the label backport/1.17.

The below text is copied from the body of the original PR.

This version is accepted by Prisma/Twistlock, resolving scan results for issue PRISMA-2022-0270. Chosen over later versions to avoid a major version with breaking changes that is otherwise unnecessary.

Note that in practice this is a false positive (see golang-jwt/jwt#258), but we should update the version to aid customers relying on scanners that flag it.

Description

Resolves proprietary scanner reported vulnerability, and #19661.

I've reviewed the changelog from 4.2.0 to 4.5.0 and don't see any evidence of breaking changes.

Testing & Reproduction steps

Unit tests should continue to pass.

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-6617-bump-golang-jwt-prisma/strangely-real-impala branch from d974bf4 to 4ae78f3 Compare November 27, 2023 16:03
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/zalimeni/net-6617-bump-golang-jwt-prisma/strangely-real-impala branch from 5f112b5 to 1f5aeab Compare November 27, 2023 16:03
@github-actions github-actions bot added the pr/dependencies PR specifically updates dependencies of project label Nov 27, 2023
github-team-consul-core-pr-approver
github-team-consul-core-pr-approver approved these changes Nov 27, 2023
View reviewed changes
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@zalimeni zalimeni enabled auto-merge (squash) November 27, 2023 16:06
@zalimeni zalimeni merged commit f8feb09 into release/1.17.x Nov 27, 2023
90 checks passed
@zalimeni zalimeni deleted the backport/zalimeni/net-6617-bump-golang-jwt-prisma/strangely-real-impala branch November 27, 2023 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver approved these changes

@zalimeni zalimeni Awaiting requested review from zalimeni

Assignees

@zalimeni zalimeni

Labels
pr/dependencies PR specifically updates dependencies of project
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hc-github-team-consul-core @github-team-consul-core-pr-approver @zalimeni