Address GO-2024-3250 vulnerability

https://pkg.go.dev/vuln/GO-2024-3250 Addressed by bumping the github.com/golang-jwt/jwt/v4 library from v4.5.0 to v4.5.1. Based on a quick look at the calls to ParseWithClaims (the affected function) I don't think there was necessarily a problem to begin with (we treated all errors as fatal), but this will make `go vuln` happy which is important.
crewjam · Nov 12, 2024 · 8829dfd · 8829dfd
1 parent bbccb79
commit 8829dfd
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/beevik/etree v1.2.0
 	github.com/crewjam/httperr v0.2.0
 	github.com/dchest/uniuri v1.2.0
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/google/go-cmp v0.6.0
 	github.com/kr/pretty v0.3.1
 	github.com/mattermost/xml-roundtrip-validator v0.1.0

diff --git a/go.sum b/go.sum
@@ -11,6 +11,8 @@ github.com/dchest/uniuri v1.2.0 h1:koIcOUdrTIivZgSLhHQvKgqdWZq5d7KdMEWF1Ud6+5g=
 github.com/dchest/uniuri v1.2.0/go.mod h1:fSzm4SLHzNZvWLvWJew423PhAzkpNQYq+uNLq4kxhkY=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=