codeql icon indicating copy to clipboard operation
codeql copied to clipboard
verified publisher icon github

Bump the go_modules group across 2 directories with 4 updates

Open dependabot[bot] opened this issue 1 month ago • 1 comments

Bumps the go_modules group with 2 updates in the /go/ql/test/experimental/CWE-321-V2 directory: github.com/go-jose/go-jose/v3 and github.com/golang-jwt/jwt/v5. Bumps the go_modules group with 1 update in the /go/ql/test/experimental/frameworks/Fiber directory: github.com/gofiber/utils.

Updates github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.4

Release notes

Sourced from github.com/go-jose/go-jose/v3's releases.

v3.0.4

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 go-jose/go-jose#174

Full Changelog: https://github.com/go-jose/go-jose/compare/v3.0.3...v3.0.4

Version 3.0.3

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2

Fixed

  • DecryptMulti: handle decompression error (#19)

Changed

  • jwe/CompactSerialize: improve performance (#67)
  • Increase the default number of PBKDF2 iterations to 600k (#48)
  • Return the proper algorithm for ECDSA keys (#45)
  • Update golang.org/x/crypto to v0.19 (#94)

Added

  • Add Thumbprint support for opaque signers (#38)

Version 3.0.1

Fixed

Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@​mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

Commits
  • 5253038 Backport fix 167 to v3 (#174)
  • 047dc99 CI: Update github actions and go version (#173)
  • 0f017e9 Revert #26 (ignore unsupported JWKs in Sets) (#131)
  • 3e2bbef Unmarshal jwk keys with unsupported key type or algorithm into empty … (#26)
  • add6a28 v3: backport decompression limit fix (#107)
  • 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
  • 863f73b v3.0.2: Update changelog (#95)
  • bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
  • 25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
  • aa386df jwe/CompactSerialize: improve performance. (#67)
  • Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v5 from 5.0.0 to 5.2.2

Release notes

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.2.2

What's Changed

New Contributors

Full Changelog: https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2

v5.2.1

What's Changed

New Contributors

Full Changelog: https://github.com/golang-jwt/jwt/compare/v5.2.0...v5.2.1

v5.2.0

What's Changed

New Contributors

Full Changelog: https://github.com/golang-jwt/jwt/compare/v5.1.0...v5.2.0

v5.1.0

What's Changed

... (truncated)

Commits

Updates golang.org/x/crypto from 0.12.0 to 0.19.0

Commits
  • 405cb3b go.mod: update golang.org/x dependencies
  • 913d3ae x509roots/fallback: update bundle
  • dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
  • 403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
  • 055043d go.mod: update golang.org/x dependencies
  • 08396bb internal/poly1305: drop Go 1.12 compatibility
  • 9d2ee97 ssh: implement strict KEX protocol changes
  • 4e5a261 ssh: close net.Conn on all NewServerConn errors
  • 152cdb1 x509roots/fallback: update bundle
  • fdfe1f8 ssh: defer channel window adjustment
  • Additional commits viewable in compare view

Updates github.com/gofiber/utils from 0.0.10 to 1.2.0

Release notes

Sourced from github.com/gofiber/utils's releases.

v1.2.0

What's Changed

Full Changelog: https://github.com/gofiber/utils/compare/v1.1.0...v1.2.0

v1.1.0

🚀 New

  • Add go 1.20 to test matrix (#43)
  • Add timestamp calculation functionality (#33)
  • Add IsIPv4/v6 util (#32)
  • Definitions required for client (#29)

🧹 Updates

  • Bump dependabot/fetch-metadata from 1.3.6 to 1.4.0 (#44)
  • Add go 1.20 to test matrix (#43)
  • Bump actions/setup-go from 3 to 4 (#42)
  • Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#41)
  • Bump lewagon/wait-on-check-action from 1.2.0 to 1.3.1 (#40)
  • Bump dependabot/fetch-metadata from 1.3.5 to 1.3.6 (#39)
  • v3: time: do not export timestamp var, instead provide helper function to retrieve it (#38)
  • http: update list of HTTP status codes (#37)
  • Bump dependabot/fetch-metadata from 1.3.4 to 1.3.5 (#36)
  • Bump lewagon/wait-on-check-action from 1.1.2 to 1.2.0 (#35)
  • Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#34)
  • Bump dependabot/fetch-metadata from 1.3.3 to 1.3.4 (#31)

Full Changelog: https://github.com/gofiber/utils/compare/v1.0.1...v1.1.0

v1.0.1

repush old version v0.1.2 as version v1.0.1

So that we can push version v2 under new namespace and there are no problems with go get when resolving dependencies

Full Changelog: https://github.com/gofiber/utils/compare/v0.1.1...v0.1.2

v1.0.0

❗Breaking changes

🚀 New

  • Add timestamp calculation functionality (#33)
  • Add IsIPv4/v6 util (#32)

... (truncated)

Commits
  • b986fcc Merge pull request #169 from gofiber/feat/cherry-pick-6c6cf04
  • 439e4d4 Merge branch 'v1' into feat/cherry-pick-6c6cf04
  • 7a3cc37 Upgrade GitHub Actions to latest versions
  • 97b23a8 fix: wrap error in fmt.Errorf for UUID seeding
  • e099627 fix: use fmt.Errorf for error formatting in UUID seeding
  • a9bc7b7 fix: rename UUIDSetup to uuidSetup for consistency
  • c3f8a1f Remove unnecessary UUID counter check that could panic
  • 0d25616 Update UUID function to panic on initialization errors
  • 301b082 Update strings.go
  • 999a088 Merge pull request #77 from gofiber/backport-if-to-lower
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] avatar Dec 12 '25 17:12 dependabot[bot]

@dependabot ignore go_modules

owen-mc avatar Dec 13 '25 22:12 owen-mc

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot[bot] avatar Dec 14 '25 22:12 dependabot[bot]