Commit e0a591b

go.mod: fix JWT vulnerabilities via upstream package updates
Previously, the project depended on vulnerable versions of golang-jwt/jwt packages (CVE-2025-30204, severity HIGH): jwt v3.2.2 (no patch available), jwt/v4 v4.2.0 (patched in v4.5.2), and jwt/v5 v5.2.1 (patched in v5.2.2). All three were indirect dependencies pulled in by upstream packages.

Rather than directly bumping indirect dependencies or adding replace directives, this patch updates the upstream packages that transitively bring in the vulnerable JWT versions:

- apache/pulsar-client-go v0.12.0 → v0.13.0 (migrated from jwt v3 to v5)
- andygrunwald/go-jira v1.14.0 → v1.16.0 (migrated from jwt v3 to v4)
- Azure/go-autorest/autorest/adal v0.9.15 → v0.9.24 (bumps jwt/v4)
- Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 → v1.8.2 (bumps MSAL, which migrated from jwt v3 to v5)

As a result, jwt v3 is completely eliminated from the dependency graph, jwt/v4 is at v4.5.2 (patched), and jwt/v5 is at v5.2.2 (patched).

Fixes: https://github.com/cockroachdb/cockroach/security/dependabot/570
Fixes: https://github.com/cockroachdb/cockroach/security/dependabot/571
Fixes: https://github.com/cockroachdb/cockroach/security/dependabot/573

Epic: none
Release note: None

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
1 parent efc894b commit e0a591b

2 files changed

+77
-25
lines changed
go.mod

Lines changed: 25 additions & 25 deletions
@@ -10,17 +10,17 @@ go 1.22.0
1010
// merge of any upgrades we should communicate to all teams to be on the lookout
1111
// for behavior changes, just like we would after a go upgrade.
1212
require (
13-
golang.org/x/crypto v0.22.0
13+
golang.org/x/crypto v0.33.0
1414
golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df
1515
golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a // indirect
16-
golang.org/x/mod v0.14.0 // indirect
17-
golang.org/x/net v0.24.0
16+
golang.org/x/mod v0.18.0 // indirect
17+
golang.org/x/net v0.35.0
1818
golang.org/x/oauth2 v0.5.0
19-
golang.org/x/sync v0.7.0
20-
golang.org/x/sys v0.19.0
21-
golang.org/x/text v0.14.0
19+
golang.org/x/sync v0.11.0
20+
golang.org/x/sys v0.30.0
21+
golang.org/x/text v0.22.0
2222
golang.org/x/time v0.3.0
23-
golang.org/x/tools v0.17.0
23+
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
2424
)
2525

2626
// The following dependencies are key infrastructure dependencies and
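Review bot: the golang.org/x/* bumps in this hunk (crypto v0.22.0 to v0.33.0, mod v0.14.0 to v0.18.0, net v0.24.0 to v0.35.0, plus sync, sys, text and tools) are not mentioned in the commit message, which lists only the four JWT-related upstream updates; the comment directly above this block says that upgrades here should be communicated to all teams after merge, so please list them in the message and state whether they were raised transitively by the azidentity/MSAL update or bumped deliberately. The x/tools line also moves from the tagged release v0.17.0 to the pseudo-version v0.21.1-0.20240508182429-e35e4ccd0d2d; a one-line note on why an untagged commit is required would help whoever next touches this block.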
@@ -36,11 +36,11 @@ require (
3636
github.com/golang/snappy v0.0.4
3737
github.com/google/btree v1.0.1
3838
github.com/google/pprof v0.0.0-20210827144239-02619b876842
39-
github.com/google/uuid v1.5.0
39+
github.com/google/uuid v1.6.0
4040
google.golang.org/api v0.110.0
4141
google.golang.org/genproto v0.0.0-20230227214838-9b19f0bdc514
4242
google.golang.org/grpc v1.53.0
43-
google.golang.org/protobuf v1.30.0
43+
google.golang.org/protobuf v1.33.0
4444
)
4545

4646
// If any of the following dependencies get updated as a side-effect
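Review bot: google/uuid v1.5.0 to v1.6.0 and google.golang.org/protobuf v1.30.0 to v1.33.0 sit in the block the file comment introduces as key infrastructure dependencies, yet neither appears in the commit message. Please record in the message why they moved (a minimum version required by one of the updated Azure packages, or incidental to `go mod tidy`), so that "Release note: None" reads as a considered decision for these two rather than an omission.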
@@ -87,11 +87,11 @@ require (
8787
)
8888

8989
require (
90-
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0
91-
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
90+
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
91+
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
9292
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.9.0
9393
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.6.1
94-
github.com/Azure/go-autorest/autorest/adal v0.9.15
94+
github.com/Azure/go-autorest/autorest/adal v0.9.24
9595
github.com/BurntSushi/toml v1.2.1
9696
github.com/DataDog/datadog-go v3.2.0+incompatible
9797
github.com/IBM/sarama v1.42.1
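Review bot: azcore v1.3.0 to v1.17.0 is a larger jump than either of the Azure updates the commit message lists (azidentity v1.1.0 to v1.8.2 and adal v0.9.15 to v0.9.24), but it is not mentioned at all; add it to the list in the message. Since azcore and azidentity are both direct requires in this block, please also note that the call sites using them were built and exercised against the new versions, not only that the module graph resolves.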
@@ -102,10 +102,10 @@ require (
102102
github.com/VividCortex/ewma v1.1.1
103103
github.com/alessio/shellescape v1.4.1
104104
github.com/andy-kimball/arenaskl v0.0.0-20200617143215-f701008588b9
105-
github.com/andygrunwald/go-jira v1.14.0
105+
github.com/andygrunwald/go-jira v1.16.0
106106
github.com/apache/arrow/go/arrow v0.0.0-20200923215132-ac86123a3f01
107107
github.com/apache/arrow/go/v11 v11.0.0
108-
github.com/apache/pulsar-client-go v0.12.0
108+
github.com/apache/pulsar-client-go v0.13.0
109109
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.18.2
110110
github.com/axiomhq/hyperloglog v0.0.0-20181223111420-4b99d0c2c99e
111111
github.com/bazelbuild/rules_go v0.26.0
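Review bot: apache/pulsar-client-go v0.12.0 to v0.13.0 and andygrunwald/go-jira v1.14.0 to v1.16.0 are the two direct dependencies the commit message says carried jwt v3. pulsar-client-go is still a v0.x module, so under Go module semantics a minor bump carries no compatibility guarantee; the message should record that the pulsar code paths were tested, not just that the jwt v3 edge disappeared from the graph.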
@@ -173,7 +173,7 @@ require (
173173
github.com/kevinburke/go-bindata v3.13.0+incompatible
174174
github.com/kisielk/errcheck v1.6.1-0.20210625163953-8ddee489636a
175175
github.com/kisielk/gotool v1.0.0
176-
github.com/klauspost/compress v1.16.7
176+
github.com/klauspost/compress v1.17.9
177177
github.com/klauspost/pgzip v1.2.5
178178
github.com/knz/bubbline v0.0.0-20230422210153-e176cdfe1c43
179179
github.com/knz/strtime v0.0.0-20200318182718-be999391ffa9
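Review bot: klauspost/compress v1.16.7 to v1.17.9 is a direct require that the commit message does not mention; if it is a minimum raised by pulsar-client-go v0.13.0, say so in the message, otherwise consider leaving it out of a security fix so the change stays narrowly reviewable.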
@@ -193,7 +193,7 @@ require (
193193
github.com/mitchellh/reflectwalk v1.0.0
194194
github.com/mkungla/bexp/v3 v3.0.1
195195
github.com/mmatczuk/go_generics v0.0.0-20181212143635-0aaa050f9bab
196-
github.com/montanaflynn/stats v0.6.6
196+
github.com/montanaflynn/stats v0.7.0
197197
github.com/mozillazg/go-slugify v0.2.0
198198
github.com/nightlyone/lockfile v1.0.0
199199
github.com/olekukonko/tablewriter v0.0.5-0.20200416053754-163badb3bac6
@@ -203,7 +203,7 @@ require (
203203
github.com/pierrec/lz4/v4 v4.1.18
204204
github.com/pierrre/geohash v1.0.0
205205
github.com/pires/go-proxyproto v0.7.0
206-
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4
206+
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
207207
github.com/pkg/errors v0.9.1
208208
github.com/pmezard/go-difflib v1.0.0
209209
github.com/pressly/goose/v3 v3.5.3
@@ -222,7 +222,7 @@ require (
222222
github.com/spf13/afero v1.9.2
223223
github.com/spf13/cobra v1.6.1
224224
github.com/spf13/pflag v1.0.5
225-
github.com/stretchr/testify v1.9.0
225+
github.com/stretchr/testify v1.10.0
226226
github.com/twpayne/go-geom v1.4.2
227227
github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad
228228
github.com/xdg-go/pbkdf2 v1.0.0
@@ -237,7 +237,7 @@ require (
237237
go.opentelemetry.io/otel/trace v1.17.0
238238
go.opentelemetry.io/proto/otlp v0.11.0
239239
golang.org/x/perf v0.0.0-20230113213139-801c7ef9e5c5
240-
golang.org/x/term v0.19.0
240+
golang.org/x/term v0.29.0
241241
gopkg.in/yaml.v2 v2.4.0
242242
gopkg.in/yaml.v3 v3.0.1
243243
honnef.co/go/tools v0.4.5
@@ -253,7 +253,7 @@ require (
253253
github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
254254
github.com/99designs/keyring v1.2.1 // indirect
255255
github.com/AthenZ/athenz v1.10.39 // indirect
256-
github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 // indirect
256+
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
257257
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0 // indirect
258258
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
259259
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -262,7 +262,7 @@ require (
262262
github.com/Azure/go-autorest/logger v0.2.1 // indirect
263263
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
264264
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
265-
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect
265+
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
266266
github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
267267
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c // indirect
268268
github.com/Masterminds/goutils v1.1.0 // indirect
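Review bot: microsoft-authentication-library-for-go v0.5.1 to v1.3.3 crosses the v1.0 boundary and is the package the commit message credits with moving from jwt v3 to jwt v5; because the entry stays `// indirect`, its version is controlled by azidentity v1.8.2 and nothing in go.mod pins it, so a later downgrade of azidentity would silently pull the old MSAL and jwt v3 back in. Suggest recording this coupling in the message, or adding a CI check (govulncheck, or `go list -m all` filtered for golang-jwt/jwt) so such a regression is caught automatically.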
@@ -283,7 +283,7 @@ require (
283283
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
284284
github.com/bits-and-blooms/bitset v1.4.0 // indirect
285285
github.com/cenkalti/backoff/v4 v4.1.3 // indirect
286-
github.com/cespare/xxhash/v2 v2.2.0 // indirect
286+
github.com/cespare/xxhash/v2 v2.3.0 // indirect
287287
github.com/charmbracelet/bubbletea v0.23.1 // indirect
288288
github.com/charmbracelet/lipgloss v0.6.0 // indirect
289289
github.com/cockroachdb/swiss v0.0.0-20240612210725-f4de07ae6964 // indirect
@@ -318,8 +318,8 @@ require (
318318
github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
319319
github.com/gofrs/flock v0.8.1 // indirect
320320
github.com/gofrs/uuid v4.0.0+incompatible // indirect
321-
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
322-
github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
321+
github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
322+
github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
323323
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
324324
github.com/google/go-querystring v1.1.0 // indirect
325325
github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
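Review bot: all three jwt entries in this hunk remain `// indirect`, so the fix depends entirely on the upstream bumps elsewhere in the patch rather than on anything pinned here; the versions do match the commit message (jwt v3.2.2+incompatible removed, jwt/v4 v4.2.0 to v4.5.2, jwt/v5 v5.2.2 newly listed), which is the state the message claims for CVE-2025-30204. The second changed file counted in "2 files changed" is not shown in this view; please confirm go.sum no longer carries a golang-jwt/jwt v3.2.2 entry after `go mod tidy`.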
@@ -385,7 +385,7 @@ require (
385385
github.com/prometheus/procfs v0.10.1 // indirect
386386
github.com/pseudomuto/protokit v0.2.0 // indirect
387387
github.com/rivo/uniseg v0.2.0 // indirect
388-
github.com/rogpeppe/go-internal v1.11.0 // indirect
388+
github.com/rogpeppe/go-internal v1.12.0 // indirect
389389
github.com/rs/xid v1.3.0 // indirect
390390
github.com/russross/blackfriday/v2 v2.1.0 // indirect
391391
github.com/sahilm/fuzzy v0.1.0 // indirect