High severity issue in github.com/dgrijalva/jwt-go #394
Comments
AFAIU, we aren't affected by the security issue because we don't rely on audiences.
I would like to migrate to
@dunglas 👋, I think there are some conflicts with maintenance, and it doesn't look good that the main contributor left the company and it isn't being taken care of: square/go-jose#342 (comment). Maybe, as suggested, this one is better? https://github.com/lestrrat-go/jwx Thanks!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Related: Currently, there is no clear winner among the proposed replacements. I'll use my own fork until it is merged (#491), and we'll switch to form3tech's fork, JWX or Square's lib (but this one looks unmaintained too) when a clear winner emerges.
Looks like go-jose v3 is just around the corner: https://github.com/go-jose/go-jose/releases
I think this might be the option going forward: https://github.com/golang-jwt/jwt. It's a direct fork of dgrijalva/jwt-go and is now being maintained. It would probably involve a lot less commitment to switch, too.
There is an unpatched, high severity issue in the aforementioned JWT package: dgrijalva/jwt-go#428
Unfortunately, it looks like the author completely abandoned the package.
There is a maintained fork that fixes the issue, but a lot of users seem to prefer gopkg.in/square/go-jose.v2 now.