Consider upgrading to github.com/go-jose/go-jose/v4

Question

Consider upgrading to github.com/go-jose/go-jose/v4

Opened this issue 4 months ago · 1 comments

mitar commented 4 months ago

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

github.com/go-jose/go-jose/v3 dependency has made a new github.com/go-jose/go-jose/v4 version. It breaks backwards compatibility to improve security:

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

I think it is not critical, but it would be beneficial to do so sooner than later.

Describe your ideal solution

We upgrade.

Workarounds or alternatives

We do not.

Version

latest master

Additional Context

No response

Answer 1 · 2024-05-27T19:40:12.000Z

@aeneasr: What about this?