jwt-go security warning, why aren't all of the packages up to date?
AsafMah opened this issue · 1 comments
AsafMah commented
I'm trying to solve the security alert for jwt-go:
https://github.com/Azure/azure-kusto-go/security/dependabot/go.sum/github.com%2Fdgrijalva%2Fjwt-go/open
It seems that it was solved here - #645
Which is good, but the problem is that some of the packages in here still depend on an old version of adal:
Specifically, from my usage:
- autorest@v0.11.23 is still on adal v0.9.14
- cli@v0.4.4 is still on adal v0.9.14
- auth@v0.5.10 is still on cli@v0.4.2 and on autorest@v0.11.23 (although, even if it was on their latest versions it won't be nough)
Is there a reason that all of them didn't upgrade to the newest adal?
jhendrixMSFT commented
Fixed in autorest/v0.11.24
autorest/azure/cli/v0.4.5
autorest/azure/auth/v0.5.11