Skip to content

dep: update golang-jwt to v4.5.1#2700

Closed
inge4pres wants to merge 1 commit intolabstack:masterfrom
inge4pres:issues/2699
Closed

dep: update golang-jwt to v4.5.1#2700
inge4pres wants to merge 1 commit intolabstack:masterfrom
inge4pres:issues/2699

Conversation

@inge4pres
Copy link

@inge4pres inge4pres commented Nov 8, 2024
edited
Loading

Fixes #2699

We want to avoid a known vulnerability in golang-jwt library is flagged as a security concern when using echo as a framework in our applications.

Tests are passing locally with the new version.

@inge4pres
dep: update golang-jwt to v4.5.1
6fcfd69 
Signed-off-by: inge4pres <fgualazzi@gmail.com>
@cgalibern
Copy link
Contributor

cgalibern commented Nov 18, 2024
edited
Loading

Hi @inge4pres,
Is there a reason why you don't propose github.com/golang-jwt/jwt/v5 ?

Sorry the response is into #2699

@aldas
Copy link
Contributor

aldas commented Nov 18, 2024
edited
Loading

Because there will be v6 one day + some CVE and we again need to upgrade that library version. Echo core library tries very hard not to introduce backwards incompatible changes. So in long run removing this dependency is better strategy. We already have https://github.com/labstack/echo-jwt which from first day said is not trying to be stable and not introduce breaking changes.

being stable and not breaking things is one of the most important feature of Go. In comparison to Javascript ecosystem Go is a bliss to maintain older applications. I very much want Echo to honor this tradition as much as we can - but CVEs pop up every other year with JWT.

@inge4pres inge4pres mentioned this pull request Nov 19, 2024
Closed
3 tasks
@inge4pres
Copy link
Author

inge4pres commented Nov 19, 2024

Superseded by #2701

@inge4pres inge4pres closed this Nov 19, 2024
@aldas aldas mentioned this pull request Nov 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Upgrade golang-jwt to v4

3 participants

@inge4pres @cgalibern @aldas