domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Upgrade to golang-jwt 3.2.2 (#16590)

Browse source 
* Upgrade to golang-jwt 3.2.2

Upgrade to the latest version of golang-jwt

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Forcibly replace the 3.2.1 version of golang-jwt/jwt and increase minimum Go version

Using go.mod we can forcibly replace the 3.2.1 version used by goth to 3.2.2.

Further given golang-jwt/jwts stated policy of only supporting supported go versions
we should just raise our minimal version of go to 1.16 for 1.16 as by time of release
1.15 will be out of support.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update minimal go required

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update config.yaml

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
This commit is contained in:
zeripath 2021-08-03 19:32:01 +01:00 committed by GitHub
parent 80b7889fee
commit 35735bbef9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 203 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

9
vendor/github.com/golang-jwt/jwt/README.md generated vendored
View file

@ -9,10 +9,17 @@ A [go](http://www.golang.org) (or 'golang' for search engine friendliness) imple
Future releases will be using the `github.com/golang-jwt/jwt` import path and continue the existing versioning scheme of `v3.x.x+incompatible`. Backwards-compatible patches and fixes will be done on the `v3` release branch, where as new build-breaking features will be developed in a `v4` release, possibly including a SIV-style import path.
**SECURITY NOTICE:** Some older versions of Go have a security issue in the crypto/elliptic. Recommendation is to upgrade to at least 1.8.3. See issue [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more detail.
**SECURITY NOTICE:** Some older versions of Go have a security issue in the crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more detail.
**SECURITY NOTICE:** It's important that you [validate the `alg` presented is what you expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). This library attempts to make it easy to do the right thing by requiring key types match the expected alg, but you should take the extra step to verify it in your usage. See the examples provided.
### Supported Go versions
Our support of Go versions is aligned with Go's [version release policy](https://golang.org/doc/devel/release#policy).
So we will support a major version of Go until there are two newer major releases.
We no longer support building jwt-go with unsupported Go versions, as these contain security vulnerabilities
which will not be fixed.
## What the heck is a JWT?
JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web Tokens.