Conversation

@dnwe (Contributor) commented Jun 27, 2025

What type of PR is this?

/kind cleanup

Any specific area of the project related to this PR?

/area library

What this PR does / why we need it:

Bump github.com/go-oauth2/oauth2 to v4.5.3
As they've updated to jwt/v5, this prevents us from pulling in the legacy vulnerable github.com/golang-jwt/jwt@v3.2.2+incompatible dependency ourselves

Vulnerability #1: GO-2025-3553
    Excessive memory allocation during header parsing in
    github.com/golang-jwt/jwt
  More info: https://pkg.go.dev/vuln/GO-2025-3553
  Module: github.com/golang-jwt/jwt
    Found in: github.com/golang-jwt/jwt@v3.2.2+incompatible
    Fixed in: N/A
    Example traces found:
      #1: pkg/test/registry.go:238:36: test.StartOAuthServer calls server.Server.HandleAuthorizeRequest, which eventually calls jwt.NewWithClaims
      #2: pkg/test/registry.go:238:36: test.StartOAuthServer calls server.Server.HandleAuthorizeRequest, which eventually calls jwt.ParseECPrivateKeyFromPEM
      #3: pkg/test/registry.go:238:36: test.StartOAuthServer calls server.Server.HandleAuthorizeRequest, which eventually calls jwt.ParseRSAPrivateKeyFromPEM
      #4: pkg/test/registry.go:238:36: test.StartOAuthServer calls server.Server.HandleAuthorizeRequest, which eventually calls jwt.SigningMethodHMAC.Alg
      #5: pkg/test/registry.go:238:36: test.StartOAuthServer calls server.Server.HandleAuthorizeRequest, which eventually calls jwt.Token.SignedString
      #6: pkg/test/registry.go:46:2: test.init calls jwt.init
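An added example, not code from this PR or the falcoctl repository, of the check a maintainer can run to see which modules pull in the legacy jwt path, which is why this bump cannot be handled by dependabot alone: the requirer has to move off the bare path. The sample `go mod graph` lines are constructed, and every version in them except the jwt v3.2.2+incompatible entry from the report above is a placeholder.

```go
package main

import (
	"bufio"
	"sort"
	"strings"
)

// legacyJWTPath is the unsuffixed golang-jwt module path that GO-2025-3553
// reports with "Fixed in: N/A": a bare path only resolves to a legacy release
// (here v3.2.2+incompatible), so the remedy is moving every requirer to a
// suffixed major, as this PR does by bumping go-oauth2, not waiting for v3.
const legacyJWTPath = "github.com/golang-jwt/jwt"

// sampleGraph is constructed `go mod graph` output ("requirer requiree" per
// line), not the real falcoctl graph; versions except the jwt one are placeholders.
const sampleGraph = `github.com/falcosecurity/falcoctl github.com/go-oauth2/oauth2/v4@v4.5.2
github.com/falcosecurity/falcoctl github.com/golang-jwt/jwt@v3.2.2+incompatible
github.com/go-oauth2/oauth2/v4@v4.5.2 github.com/golang-jwt/jwt@v3.2.2+incompatible
github.com/go-oauth2/oauth2/v4@v4.5.2 github.com/google/uuid@v1.6.0
github.com/falcosecurity/falcoctl github.com/golang-jwt/jwt/v5@v5.2.1
`

// modulePath strips the "@version" suffix; the main module has none.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// RequirersOfLegacyJWT returns, sorted and de-duplicated, every module that
// directly requires the legacy jwt path: each one needs a bump or a go.mod
// cleanup. The jwt/v5 edge is a different module path and is left out.
func RequirersOfLegacyJWT(graph string) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && modulePath(fields[1]) == legacyJWTPath {
			seen[fields[0]] = true
		}
	}
	out := make([]string, 0, len(seen))
	for r := range seen {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}
```

Feeding real `go mod graph` output to RequirersOfLegacyJWT lists the upstream modules (like go-oauth2 before v4.5.3) whose own go.mod still names the bare path, alongside your main module if it lists the legacy requirement directly.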

@poiana (Contributor) commented Jun 27, 2025

Welcome @dnwe! It looks like this is your first PR to falcosecurity/falcoctl 🎉

As they've updated to jwt/v5 this prevents us from pulling in the legacy
vulnerable github.com/golang-jwt/jwt@v3.2.2+incompatible dependency

Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
@dnwe (Contributor, Author) commented Jul 13, 2025

@leogr any chance you could take a look at this dep bump that dependabot won’t be able to handle by itself?

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Jul 25, 2025
@leogr (Member) commented Jul 28, 2025

/approve

@leogr (Member) commented Jul 28, 2025

/lgtm

@poiana (Contributor) commented Jul 28, 2025

LGTM label has been added.

Git tree hash: 1caff22f85827d6ca7f64f1f2d376aa57081251c

@poiana (Contributor) commented Jul 28, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dnwe, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 6a25fa9 into falcosecurity:main Jul 28, 2025
17 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Jul 28, 2025