[Security] Replace 'github.com/dgrijalva/jwt-go' with 'github.com/golang-jwt/jwt' (#766)

ajanikow · web-flow · commit 89004dda7447 · 2021-07-28T13:51:02.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
 - Fix ArangoMember race with multiple ArangoDeployments within single namespace
 - Allow to define Member Recreation Policy within group
+- Replace 'github.com/dgrijalva/jwt-go' with 'github.com/golang-jwt/jwt'
 - Update 'github.com/gin-gonic/gin' dependency to v1.7.2
 
 ## [1.2.0](https://github.com/arangodb/kube-arangodb/tree/1.2.0) (2021-07-16)
diff --git a/go.mod b/go.mod
@@ -31,11 +31,11 @@ require (
 	github.com/cenkalti/backoff v2.1.1+incompatible
 	github.com/coreos/go-semver v0.3.0
 	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/evanphx/json-patch v4.9.0+incompatible
 	github.com/ghodss/yaml v1.0.0
 	github.com/gin-gonic/gin v1.7.2
 	github.com/github-release/github-release v0.10.0 // indirect
+	github.com/golang-jwt/jwt v3.2.1+incompatible
 	github.com/go-playground/validator/v10 v10.8.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170 // indirect
diff --git a/go.sum b/go.sum
@@ -213,6 +213,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 h1:LbsanbbD6LieFkXbj9YNNBupiGHJgFeLpO0j0Fza1h8=
diff --git a/pkg/deployment/resources/secrets.go b/pkg/deployment/resources/secrets.go
@@ -54,7 +54,7 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/metrics"
 	"github.com/arangodb/kube-arangodb/pkg/util/constants"
 	"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
-	jg "github.com/dgrijalva/jwt-go"
+	jg "github.com/golang-jwt/jwt"
 	"k8s.io/apimachinery/pkg/api/equality"
 )
 
diff --git a/pkg/util/k8sutil/secrets.go b/pkg/util/k8sutil/secrets.go
@@ -32,7 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/arangodb/kube-arangodb/pkg/util/constants"
-	jg "github.com/dgrijalva/jwt-go"
+	jg "github.com/golang-jwt/jwt"
 )
 
 // SecretInterface has methods to work with Secret resources.

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ import (`
`54`	`54`	`"github.com/arangodb/kube-arangodb/pkg/metrics"`
`55`	`55`	`"github.com/arangodb/kube-arangodb/pkg/util/constants"`
`56`	`56`	`"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"`
`57`		`- jg "github.com/dgrijalva/jwt-go"`
	`57`	`+ jg "github.com/golang-jwt/jwt"`
`58`	`58`	`"k8s.io/apimachinery/pkg/api/equality"`
`59`	`59`	`)`
`60`	`60`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ import (`
`32`	`32`	`"k8s.io/apimachinery/pkg/types"`
`33`	`33`
`34`	`34`	`"github.com/arangodb/kube-arangodb/pkg/util/constants"`
`35`		`- jg "github.com/dgrijalva/jwt-go"`
	`35`	`+ jg "github.com/golang-jwt/jwt"`
`36`	`36`	`)`
`37`	`37`
`38`	`38`	`// SecretInterface has methods to work with Secret resources.`