Is your feature request related to a problem? Please describe.
The Go build tools report many transitive dependencies on a no-longer-maintained project: https://github.com/dgrijalva/jwt-go.
There are high-ranked security vulnerabilities in dgrijalva/jwt-go, e.g.: https://nvd.nist.gov/vuln/detail/CVE-2020-26160
Security scanning tools are complaining about the issue and it's hard to estimate its impact - too many dependencies overall.
Describe the solution you'd like
For the time being, add this to go.mod:
Then, when fixed releases are available, bump the versions for projects that now still link to dgrijalva/jwt-go.
Once there are no longer any dependencies to dgrijalva/jwt-go, the "replace" line can be removed.
Describe alternatives you've considered
Additional context
This is security-related, but it's kind of a version bump; that's why I am creating an open issue for that instead of contacting the security team.
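
Added example, not part of the original issue or of the project's code: one way to estimate the impact described above is to read `go mod graph` output and report, for each direct dependency, the shortest chain that still reaches dgrijalva/jwt-go. The `ChainsTo` helper and the `example.com/...` modules in the sample graph are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output; every module except jwt-go is hypothetical.
const sampleGraph = `example.com/app example.com/liba@v1.2.0
example.com/app example.com/libb@v0.9.0
example.com/app example.com/libc@v2.0.0
example.com/liba@v1.2.0 example.com/auth@v0.3.0
example.com/auth@v0.3.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
example.com/libb@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible`

// ChainsTo maps each direct dependency that reaches target to its shortest chain.
func ChainsTo(graph, target string) map[string][]string {
	edges, root := map[string][]string{}, ""
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			if !strings.Contains(f[0], "@") {
				root = f[0] // main module: the only node without a version
			}
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	out := map[string][]string{}
	for _, direct := range edges[root] {
		prev, queue := map[string]string{direct: ""}, []string{direct}
		for i := 0; i < len(queue); i++ { // breadth-first search
			n := queue[i]
			if strings.HasPrefix(n, target+"@") {
				for c := n; c != ""; c = prev[c] { // walk back to direct
					out[direct] = append([]string{c}, out[direct]...)
				}
				break
			}
			for _, m := range edges[n] {
				if _, seen := prev[m]; !seen {
					prev[m], queue = n, append(queue, m)
				}
			}
		}
	}
	return out
}

func main() {
	fmt.Println(ChainsTo(sampleGraph, "github.com/dgrijalva/jwt-go"))
}
```

Direct dependencies that appear in the result are the ones to bump once fixed releases exist; when the result is empty, nothing in the graph links to dgrijalva/jwt-go any more. For a single module, `go mod why -m github.com/dgrijalva/jwt-go` gives a comparable answer from the toolchain itself.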