go-jose v2.6.0 CVE-2024-28180 resolution

[cloudxxx8]

There is a CVE in go-jose v2.6.0
Our project depends on openziti sdk-golang, so this dependency is included

sdk-golang/go.mod

Line 89 in fb662f9

gopkg.in/square/go-jose.v2 v2.6.0 // indirect

Please see more details from the dependabot security adviosry
https://github.com/edgexfoundry/device-sdk-go/security/dependabot/11

The problem is fixed in the following packages and versions:
github.com/go-jose/go-jose/v4 version 4.0.1
github.com/go-jose/go-jose/v3 version 3.0.3
gopkg.in/go-jose/go-jose.v2 version 2.6.3

The problem will not be fixed in the following package because the package is archived:
gopkg.in/square/go-jose.v2

Are you able to resolve this dependency issue?

[dovholuknf]

FYI - a PR was opened against the library we are are using zitadel/oidc#630

[cloudxxx8]

nice, thanks for taking care of it

[plorenz]

Closing, this was addressed in v0.23.41