Skip to content

[release-v0.37.8] chore(deps): update go-jose to fix GHSA-78h2-9frx-2jm8#2717

Merged
theakshaypant merged 1 commit into
tektoncd:release-v0.37.8from
theakshaypant:deps/go-jose
May 12, 2026
Merged

[release-v0.37.8] chore(deps): update go-jose to fix GHSA-78h2-9frx-2jm8#2717
theakshaypant merged 1 commit into
tektoncd:release-v0.37.8from
theakshaypant:deps/go-jose

Conversation

@theakshaypant
Copy link
Copy Markdown
Member

@theakshaypant theakshaypant commented May 8, 2026

📝 Description of the Change

Update go-jose v3 and v4 to patch security vulnerability in JWE and JWS handling.

🔗 Linked GitHub Issue

N/A

🧪 Testing Strategy

  • Unit tests
  • Integration tests
  • End-to-end tests
  • Manual testing
  • Not Applicable

🤖 AI Assistance

AI assistance can be used for various tasks, such as code generation,
documentation, or testing.

Please indicate whether you have used AI assistance
for this PR and provide details if applicable.

  • I have not used any AI assistance for this PR.
  • I have used AI assistance for this PR.

Important

Slop will be simply rejected, if you are using AI assistance you need to make sure you
understand the code generated and that it meets the project's standards. you
need at least know how to run the code and deploy it (if needed). See
startpaac to make it easy
to deploy and test your code changes.

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Claude noreply@anthropic.com

✅ Submitter Checklist

  • 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
  • ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
  • ♽ I have run make test and make lint locally to check for and fix any
    issues. For an efficient workflow, I have considered installing
    pre-commit and running pre-commit install to
    automate these checks.
  • 📖 I have added or updated documentation for any user-facing changes.
  • 🧪 I have added sufficient unit tests for my code changes.
  • 🎁 I have added end-to-end tests where feasible. See README for more details.
  • 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
  • If adding a provider feature, I have filled in the following and updated the provider documentation:
    • GitHub App
    • GitHub Webhook
    • Gitea/Forgejo
    • GitLab
    • Bitbucket Cloud
    • Bitbucket Data Center

@theakshaypant
chore(deps): update go-jose to fix GHSA-78h2-9frx-2jm8
79c76bd 
Update go-jose v3 and v4 to patch security vulnerability in
JWE and JWS handling.

Signed-off-by: Akshay Pant <akpant@redhat.com>
@theakshaypant theakshaypant changed the title chore(deps): update go-jose to fix GHSA-78h2-9frx-2jm8 [release-v0.37.8] chore(deps): update go-jose to fix GHSA-78h2-9frx-2jm8 May 8, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the go-jose dependency to versions v3.0.5 and v4.1.4 and removes a replace directive that previously pinned v4 to version v4.0.5. Feedback was provided to ensure that the current version addresses security vulnerabilities and to investigate potential false positives in scanner alerts before considering a version pin, in accordance with security guidelines.

Comment thread go.mod
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the go-jose library dependencies, upgrading github.com/go-jose/go-jose/v3 to v3.0.5 and github.com/go-jose/go-jose/v4 to v4.1.4. It also removes a version replacement directive for the v4 library in go.mod. I have no feedback to provide.

@theakshaypant theakshaypant marked this pull request as ready for review May 11, 2026 05:31
enarha
enarha reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@enarha enarha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@theakshaypant
Copy link
Copy Markdown
Member Author

theakshaypant commented May 12, 2026

Merging the PR as the CI failure is expected.

@theakshaypant theakshaypant merged commit cef8cd2 into tektoncd:release-v0.37.8 May 12, 2026
2 of 13 checks passed
@theakshaypant theakshaypant deleted the deps/go-jose branch May 12, 2026 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@enarha enarha enarha left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@theakshaypant @enarha