Azure/go-autorest

jwt-go security warning, why aren't all of the packages up to date?

AsafMah opened this issue · 1 comments

I'm trying to solve the security alert for jwt-go:
https://github.com/Azure/azure-kusto-go/security/dependabot/go.sum/github.com%2Fdgrijalva%2Fjwt-go/open

It seems that it was solved here - #645
Which is good, but the problem is that some of the packages in here still depend on an old version of adal:

Specifically, from my usage:

  • autorest@v0.11.23 is still on adal v0.9.14
  • cli@v0.4.4 is still on adal v0.9.14
  • auth@v0.5.10 is still on cli@v0.4.2 and on autorest@v0.11.23 (although, even if it was on their latest versions it won't be enough)

Is there a reason that all of them didn't upgrade to the newest adal?

Fixed in autorest/v0.11.24 autorest/azure/cli/v0.4.5 autorest/azure/auth/v0.5.11
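
Added example, not part of the original issue or the go-autorest project: a Go check that reads go.mod text and reports any of the three modules named in this thread that are pinned below the versions in the "Fixed in" comment. The function names and the sample go.mod are constructed for illustration, and pre-release suffixes are ignored when comparing.

```go
package main

import (
	"fmt"
	"strings"
)

// fixedIn holds the minimum versions from the "Fixed in" comment on this issue.
var fixedIn = map[string]string{
	"github.com/Azure/go-autorest/autorest":            "v0.11.24",
	"github.com/Azure/go-autorest/autorest/azure/cli":  "v0.4.5",
	"github.com/Azure/go-autorest/autorest/azure/auth": "v0.5.11",
}

// parse reads the numeric major.minor.patch of a "vX.Y.Z" string; any suffix is ignored.
func parse(v string) (p [3]int) {
	fmt.Sscanf(v, "v%d.%d.%d", &p[0], &p[1], &p[2])
	return
}

// less reports whether version a sorts before version b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Outdated returns "module have -> want" for each tracked module required below its fixed version.
func Outdated(goMod string) []string {
	var hits []string
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 {
			continue
		}
		if want, ok := fixedIn[f[0]]; ok && less(parse(f[1]), parse(want)) {
			hits = append(hits, f[0]+" "+f[1]+" -> "+want)
		}
	}
	return hits
}

// sample is a constructed go.mod fragment using versions mentioned in the thread.
const sample = "require (\n\tgithub.com/Azure/go-autorest/autorest v0.11.23\n\tgithub.com/Azure/go-autorest/autorest/azure/cli v0.4.5\n\tgithub.com/Azure/go-autorest/autorest/azure/auth v0.5.10 // indirect\n)"

func main() { fmt.Println(strings.Join(Outdated(sample), "\n")) }
```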