From 89004dda744740f00dc880182a9a016002eb9151 Mon Sep 17 00:00:00 2001
From: Adam Janikowski <12255597+ajanikow@users.noreply.github.com>
Date: Wed, 28 Jul 2021 13:51:02 +0200
Subject: [PATCH] [Security] Replace 'github.com/dgrijalva/jwt-go' with 'github.com/golang-jwt/jwt' (#766)
---
 CHANGELOG.md | 1 +
 go.mod | 2 +-
 go.sum | 2 ++
 pkg/deployment/resources/secrets.go | 2 +-
 pkg/util/k8sutil/secrets.go | 2 +-
 5 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0768bfa9a..650fe083f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
 - Fix ArangoMember race with multiple ArangoDeployments within single namespace
 - Allow to define Member Recreation Policy within group
+- Replace 'github.com/dgrijalva/jwt-go' with 'github.com/golang-jwt/jwt'
 - Update 'github.com/gin-gonic/gin' dependency to v1.7.2
 ## [1.2.0](https://github.com/arangodb/kube-arangodb/tree/1.2.0) (2021-07-16)
diff --git a/go.mod b/go.mod
index 64598cbad..186261aa6 100644
--- a/go.mod
+++ b/go.mod
@@ -31,11 +31,11 @@ require (
 github.com/cenkalti/backoff v2.1.1+incompatible
 github.com/coreos/go-semver v0.3.0
 github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
 github.com/evanphx/json-patch v4.9.0+incompatible
 github.com/ghodss/yaml v1.0.0
 github.com/gin-gonic/gin v1.7.2
 github.com/github-release/github-release v0.10.0 // indirect
+ github.com/golang-jwt/jwt v3.2.1+incompatible
 github.com/go-playground/validator/v10 v10.8.0 // indirect
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/google/addlicense v0.0.0-20210428195630-6d92264d7170 // indirect
diff --git a/go.sum b/go.sum
index cb5d5059f..821e376d8 100644
--- a/go.sum
+++ b/go.sum
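Review bot: Removing the direct `github.com/dgrijalva/jwt-go v3.2.0+incompatible` requirement in the go.mod hunk does not by itself show that the old module has left the build, because the go.sum change in this commit only adds the two `golang-jwt/jwt` checksum lines and removes nothing. That may simply mean go.sum was not tidied, but it can also mean another dependency still requires the old module, in which case the old JWT code can remain reachable. Confirm with `go mod why -m github.com/dgrijalva/jwt-go` and run `go mod tidy` before treating the replacement as complete. The new `github.com/golang-jwt/jwt v3.2.1+incompatible` line is also inserted ahead of `github.com/go-playground/validator/v10`, out of the block's sorted order, which `go mod tidy` would normalise.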
@@ -213,6 +213,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= +github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 h1:LbsanbbD6LieFkXbj9YNNBupiGHJgFeLpO0j0Fza1h8=
diff --git a/pkg/deployment/resources/secrets.go b/pkg/deployment/resources/secrets.go
index 3eb61742a..2df7adb1a 100644
--- a/pkg/deployment/resources/secrets.go
+++ b/pkg/deployment/resources/secrets.go
@@ -54,7 +54,7 @@ import (
 "github.com/arangodb/kube-arangodb/pkg/metrics"
 "github.com/arangodb/kube-arangodb/pkg/util/constants"
 "github.com/arangodb/kube-arangodb/pkg/util/k8sutil"
- jg "github.com/dgrijalva/jwt-go"
+ jg "github.com/golang-jwt/jwt"
 "k8s.io/apimachinery/pkg/api/equality"
 )
diff --git a/pkg/util/k8sutil/secrets.go b/pkg/util/k8sutil/secrets.go
index de5b73171..32384b983 100644
--- a/pkg/util/k8sutil/secrets.go
+++ b/pkg/util/k8sutil/secrets.go
@@ -32,7 +32,7 @@ import (
 "k8s.io/apimachinery/pkg/types"
 "github.com/arangodb/kube-arangodb/pkg/util/constants"
- jg "github.com/dgrijalva/jwt-go"
+ jg "github.com/golang-jwt/jwt"
 )
 // SecretInterface has methods to work with Secret resources.