Bump the go_modules group across 2 directories with 6 updates #2058

dependabot · 2025-01-21T12:53:03Z

Bumps the go_modules group with 3 updates in the /extra/server-discovery directory: github.com/lestrrat-go/jwx, golang.org/x/net and google.golang.org/protobuf.
Bumps the go_modules group with 5 updates in the /server directory:

Package	From	To
github.com/lestrrat-go/jwx	`1.2.28`	`1.2.29`
golang.org/x/net	`0.21.0`	`0.33.0`
google.golang.org/protobuf	`1.32.0`	`1.33.0`
github.com/golang-jwt/jwt/v4	`4.4.3`	`4.5.1`
golang.org/x/image	`0.15.0`	`0.18.0`

Updates github.com/lestrrat-go/jwx from 1.2.28 to 1.2.29

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.29 07 Mar 2024

[Security]

[jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.29 07 Mar 2024

[jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

Commits

1025f8e Merge pull request #1092 from lestrrat-go/develop/v1
4399ace Merge branch 'v1' into develop/v1
dc80fed Update Changes
e4c1511 silence linter
d01027d Merge pull request from GHSA-hj3v-m684-v259
3d6e0e0 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1085)
3af5916 Bump golang.org/x/crypto from 0.19.0 to 0.21.0 (#1087)
7a05818 Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#1074)
8e2aacd Bump golangci/golangci-lint-action from 3 to 4 (#1076)
4b1fd05 Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 (#1068)
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.19.0 to 0.21.0

Commits

7067223 go.mod: update golang.org/x dependencies
0d2316b ssh/test: work around for TestCiphers failures on macOS
0aab8d0 all: update go.mod x/net dependency
5bead59 ocsp: don't use iota for externally defined constants
1a86580 x/crypto/internal/poly1305: improve sum_ppc64le.s
1c981e6 ssh/test: don't use DSA keys in integrations tests, update test RSA key
62c9f17 x509roots/nss: manually exclude a confusingly constrained root
See full diff in compare view

Updates golang.org/x/net from 0.21.0 to 0.33.0

Commits

dfc720d go.mod: update golang.org/x dependencies
8e66b04 html: use strings.EqualFold instead of lowering ourselves
b935f7b html: avoid endless loop on error token
9af49ef route: remove unused sizeof* consts
6705db9 quic: clean up crypto streams when dropping packet protection keys
4ef7588 quic: handle ACK frame in packet which drops number space
552d8ac Revert "route: change from syscall to x/sys/unix"
13a7c01 Revert "route: remove unused sizeof* consts on freebsd"
285e1cf go.mod: update golang.org/x dependencies
d0a1049 route: remove unused sizeof* consts on freebsd
Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.32.0 to 1.33.0

Updates github.com/lestrrat-go/jwx from 1.2.28 to 1.2.29

Release notes

Sourced from github.com/lestrrat-go/jwx's releases.

v1.2.29 07 Mar 2024

[Security]

[jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

Changelog

Sourced from github.com/lestrrat-go/jwx's changelog.

v1.2.29 07 Mar 2024

[jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the maximum size of a decompressed JWE payload. The default value is 10MB. If you are compressing payloads greater than this, you need to explicitly set it.

Unlike in v2, there is no way to set this globally. Please use v2 if this is required.

Commits

1025f8e Merge pull request #1092 from lestrrat-go/develop/v1
4399ace Merge branch 'v1' into develop/v1
dc80fed Update Changes
e4c1511 silence linter
d01027d Merge pull request from GHSA-hj3v-m684-v259
3d6e0e0 Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#1085)
3af5916 Bump golang.org/x/crypto from 0.19.0 to 0.21.0 (#1087)
7a05818 Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#1074)
8e2aacd Bump golangci/golangci-lint-action from 3 to 4 (#1076)
4b1fd05 Bump kentaro-m/auto-assign-action from 1.2.6 to 2.0.0 (#1068)
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.19.0 to 0.21.0

Commits

7067223 go.mod: update golang.org/x dependencies
0d2316b ssh/test: work around for TestCiphers failures on macOS
0aab8d0 all: update go.mod x/net dependency
5bead59 ocsp: don't use iota for externally defined constants
1a86580 x/crypto/internal/poly1305: improve sum_ppc64le.s
1c981e6 ssh/test: don't use DSA keys in integrations tests, update test RSA key
62c9f17 x509roots/nss: manually exclude a confusingly constrained root
See full diff in compare view

Updates golang.org/x/net from 0.21.0 to 0.33.0

Commits

dfc720d go.mod: update golang.org/x dependencies
8e66b04 html: use strings.EqualFold instead of lowering ourselves
b935f7b html: avoid endless loop on error token
9af49ef route: remove unused sizeof* consts
6705db9 quic: clean up crypto streams when dropping packet protection keys
4ef7588 quic: handle ACK frame in packet which drops number space
552d8ac Revert "route: change from syscall to x/sys/unix"
13a7c01 Revert "route: remove unused sizeof* consts on freebsd"
285e1cf go.mod: update golang.org/x dependencies
d0a1049 route: remove unused sizeof* consts on freebsd
Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.32.0 to 1.33.0

Updates github.com/golang-jwt/jwt/v4 from 4.4.3 to 4.5.1

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

v4.5.0

What's Changed

Allow strict base64 decoding by @AlexanderYastrebov in golang-jwt/jwt#259

Full Changelog: golang-jwt/jwt@v4.4.3...v4.5.0

Commits

7b1c1c0 Merge commit from fork
9358574 Allow strict base64 decoding (#259)
2f0984a Using tparse for nicer CI test display (#251)
See full diff in compare view

Updates golang.org/x/image from 0.15.0 to 0.18.0

Commits

3bbf4a6 tiff: Validate palette indices when parsing palette-color images
6c5fa46 go.mod: update golang.org/x dependencies
55c4ab6 go.mod: update golang.org/x dependencies
0057a93 tiff: fix function name in comment
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the go_modules group with 3 updates in the /extra/server-discovery directory: [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx), [golang.org/x/net](https://github.com/golang/net) and google.golang.org/protobuf. Bumps the go_modules group with 5 updates in the /server directory: | Package | From | To | | --- | --- | --- | | [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) | `1.2.28` | `1.2.29` | | [golang.org/x/net](https://github.com/golang/net) | `0.21.0` | `0.33.0` | | google.golang.org/protobuf | `1.32.0` | `1.33.0` | | [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) | `4.4.3` | `4.5.1` | | [golang.org/x/image](https://github.com/golang/image) | `0.15.0` | `0.18.0` | Updates `github.com/lestrrat-go/jwx` from 1.2.28 to 1.2.29 - [Release notes](https://github.com/lestrrat-go/jwx/releases) - [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.29/Changes) - [Commits](lestrrat-go/jwx@v1.2.28...v1.2.29) Updates `golang.org/x/crypto` from 0.19.0 to 0.21.0 - [Commits](golang/crypto@v0.19.0...v0.21.0) Updates `golang.org/x/net` from 0.21.0 to 0.33.0 - [Commits](golang/net@v0.21.0...v0.33.0) Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 Updates `github.com/lestrrat-go/jwx` from 1.2.28 to 1.2.29 - [Release notes](https://github.com/lestrrat-go/jwx/releases) - [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.29/Changes) - [Commits](lestrrat-go/jwx@v1.2.28...v1.2.29) Updates `golang.org/x/crypto` from 0.19.0 to 0.21.0 - [Commits](golang/crypto@v0.19.0...v0.21.0) Updates `golang.org/x/net` from 0.21.0 to 0.33.0 - [Commits](golang/net@v0.21.0...v0.33.0) Updates `google.golang.org/protobuf` from 1.32.0 to 1.33.0 Updates `github.com/golang-jwt/jwt/v4` from 4.4.3 to 4.5.1 - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md) - [Commits](golang-jwt/jwt@v4.4.3...v4.5.1) Updates `golang.org/x/image` from 0.15.0 to 0.18.0 - [Commits](golang/image@v0.15.0...v0.18.0) --- updated-dependencies: - dependency-name: github.com/lestrrat-go/jwx dependency-type: direct:production dependency-group: go_modules - dependency-name: golang.org/x/crypto dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-type: indirect dependency-group: go_modules - dependency-name: google.golang.org/protobuf dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/lestrrat-go/jwx dependency-type: direct:production dependency-group: go_modules - dependency-name: golang.org/x/crypto dependency-type: direct:production dependency-group: go_modules - dependency-name: golang.org/x/net dependency-type: direct:production dependency-group: go_modules - dependency-name: google.golang.org/protobuf dependency-type: direct:production dependency-group: go_modules - dependency-name: github.com/golang-jwt/jwt/v4 dependency-type: direct:production dependency-group: go_modules - dependency-name: golang.org/x/image dependency-type: direct:production dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2025-01-21T13:34:36Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jan 21, 2025

Fajfa force-pushed the 2024.9.x branch 7 times, most recently from 41079ac to a42eefd Compare January 21, 2025 13:34

Fajfa closed this Jan 21, 2025

dependabot bot deleted the dependabot/go_modules/extra/server-discovery/go_modules-d71f122b20 branch January 21, 2025 13:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the go_modules group across 2 directories with 6 updates #2058

Bump the go_modules group across 2 directories with 6 updates #2058

dependabot bot commented on behalf of github Jan 21, 2025

dependabot bot commented on behalf of github Jan 21, 2025

Bump the go_modules group across 2 directories with 6 updates #2058

Bump the go_modules group across 2 directories with 6 updates #2058

Conversation

dependabot bot commented on behalf of github Jan 21, 2025

v1.2.29 07 Mar 2024

[Security]

v1.2.29 07 Mar 2024

[Security]

v4.5.1

Security

What's Changed

v4.5.0

What's Changed

dependabot bot commented on behalf of github Jan 21, 2025