update jwt-go version to remove vulnerability #1713

Closed
mollylogue wants to merge 1 commit into labstack:master from mollylogue:master

Conversation

@mollylogue

Fixes #1712

@lammel

lammel commented Dec 8, 2020

Contributor

This is actually a duplicate of PR #1663 (fixing #1647 which is a duplicate of #1712).

@mollylogue

mollylogue commented Dec 8, 2020

Author

@lammel Thanks for pointing that out. Is there a hesitation to fixing this? Or is a longer-term fix being considered?

@lammel

lammel commented Dec 9, 2020

Contributor

See discussion in #1663. Basically jwt-go seems unmaintained; using a preview version of a not yet marked stable branch seems not very reassuring. The fork does not seem to get a lot of traction, so a long-term solution should be targeted.

Using the go-jwt v4 branch (preview1) is one of the options. It seems other projects also hesitate with the decision.

@mollylogue

Author

@lammel That makes sense. I agree, it's probably the right call to move to using a library that is more maintained. I'll just close this PR and keep an eye out for when this issue is addressed.

@mollylogue mollylogue closed this Dec 9, 2020
@pedromss pedromss mentioned this pull request Jan 8, 2021

Successfully merging this pull request may close these issues.

Vulnerability in jwt-go package
