Consider upgrading to github.com/go-jose/go-jose/v4
mitar commented
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
github.com/go-jose/go-jose/v3 dependency has made a new github.com/go-jose/go-jose/v4 version. It breaks backwards compatibility to improve security:
This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".
I think it is not critical, but it would be beneficial to do so sooner than later.
Describe your ideal solution
We upgrade.
Workarounds or alternatives
We do not.
Version
latest master
Additional Context
No response