Upgrade JWT and pulsar-client-go dependency to address JWT vulnerabil…
…ity (#11)

* upgrade dependency to remove dgri jwt lib

* jwt pulsar-client-go workaround
zzzming committed Jan 18, 2022
1 parent 5a7c261 commit fa1d6a8
Showing 2 changed files with 526 additions and 98 deletions.
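--- a/go.mod
+++ b/go.mod
@@ -4,41 +4,40 @@ go 1.17
 
 require (
 github.com/allegro/bigcache v1.2.1
-github.com/apache/pulsar-client-go v0.7.0
+github.com/apache/pulsar-client-go v0.7.1-0.20220117080525-a119bab0f859
 github.com/apex/log v1.1.2
 github.com/ghodss/yaml v1.0.0
 github.com/golang-jwt/jwt v3.2.2+incompatible
-github.com/golang/protobuf v1.4.2
+github.com/golang/protobuf v1.5.2
 github.com/google/gops v0.3.10
 github.com/gorilla/mux v1.7.4
 github.com/gorilla/websocket v1.4.2
 github.com/hashicorp/go-memdb v1.2.1
-github.com/kafkaesque-io/pulsar-beam v0.0.2-0.20220118013053-8f6566bb1f1a
+github.com/kafkaesque-io/pulsar-beam v0.0.2-0.20220118204327-cae0c220d4ac
 github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
-github.com/prometheus/client_golang v1.7.1
-github.com/prometheus/common v0.10.0
+github.com/prometheus/client_golang v1.11.0
+github.com/prometheus/common v0.26.0
 github.com/rs/cors v1.7.0
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da
-google.golang.org/grpc v1.28.0
-google.golang.org/protobuf v1.23.0
+google.golang.org/grpc v1.38.0
+google.golang.org/protobuf v1.26.0
 k8s.io/api v0.18.5
 k8s.io/apimachinery v0.18.5
 k8s.io/client-go v0.18.5
 k8s.io/metrics v0.18.5
 )
 
 require (
-github.com/99designs/keyring v1.1.5 // indirect
-github.com/AthenZ/athenz v1.10.15 // indirect
-github.com/DataDog/zstd v1.4.6-0.20210211175136-c6db21d202f4 // indirect
-github.com/apache/pulsar-client-go/oauth2 v0.0.0-20201120111947-b8bd55bc02bd // indirect
+github.com/99designs/keyring v1.1.6 // indirect
+github.com/AthenZ/athenz v1.10.39 // indirect
+github.com/DataDog/zstd v1.5.0 // indirect
+github.com/apache/pulsar-client-go/oauth2 v0.0.0-20220117080525-a119bab0f859 // indirect
 github.com/ardielle/ardielle-go v1.5.2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.1.1 // indirect
 github.com/danieljoos/wincred v1.0.2 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
-github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
-github.com/dvsekhvalnov/jose2go v0.0.0-20180829124132-7f401d37b68a // indirect
+github.com/dvsekhvalnov/jose2go v0.0.0-20200901110807-248326c1351b // indirect
 github.com/go-stack/stack v1.8.0 // indirect
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
@@ -51,10 +50,10 @@ require (
 github.com/hashicorp/go-retryablehttp v0.6.4 // indirect
 github.com/hashicorp/golang-lru v0.5.4 // indirect
 github.com/imdario/mergo v0.3.5 // indirect
-github.com/json-iterator/go v1.1.10 // indirect
+github.com/json-iterator/go v1.1.11 // indirect
 github.com/keybase/go-keychain v0.0.0-20190712205309-48d3d31d256d // indirect
-github.com/klauspost/compress v1.10.8 // indirect
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
+github.com/klauspost/compress v1.13.6 // indirect
+github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect
 github.com/linkedin/goavro/v2 v2.9.8 // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -65,28 +64,37 @@ require (
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/prometheus/client_model v0.2.0 // indirect
-github.com/prometheus/procfs v0.1.3 // indirect
-github.com/sirupsen/logrus v1.5.0 // indirect
+github.com/prometheus/procfs v0.6.0 // indirect
+github.com/sirupsen/logrus v1.6.0 // indirect
 github.com/spaolacci/murmur3 v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
-github.com/stretchr/testify v1.5.1 // indirect
-github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c // indirect
-github.com/xdg/stringprep v1.0.0 // indirect
-go.mongodb.org/mongo-driver v1.2.0 // indirect
+github.com/stretchr/testify v1.7.0 // indirect
+github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+github.com/xdg-go/scram v1.0.2 // indirect
+github.com/xdg-go/stringprep v1.0.2 // indirect
+github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
+go.mongodb.org/mongo-driver v1.8.0 // indirect
 go.uber.org/atomic v1.7.0 // indirect
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
-golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 // indirect
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
-golang.org/x/text v0.3.3 // indirect
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
-google.golang.org/appengine v1.5.0 // indirect
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 // indirect
+golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect
+golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985 // indirect
+golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 // indirect
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 // indirect
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect
+golang.org/x/text v0.3.6 // indirect
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
+google.golang.org/appengine v1.6.7 // indirect
+google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
-gopkg.in/yaml.v2 v2.3.0 // indirect
+gopkg.in/yaml.v2 v2.4.0 // indirect
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 k8s.io/klog v1.0.0 // indirect
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89 // indirect
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0 // indirect
 sigs.k8s.io/yaml v1.2.0 // indirect
 )
+
+// temporary pulsar client until https://github.com/apache/pulsar-client-go/pull/238 can be merged
+replace github.com/apache/pulsar-client-go/oauth2 => github.com/zzzming/pulsar-client-go/oauth2 v0.0.0-20220118161656-73e4b6371a36
+
+replace github.com/apache/pulsar-client-go => github.com/zzzming/pulsar-client-go v0.0.0-20220118161656-73e4b6371a36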
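Review bot: The two `replace` directives added at the end of go.mod route `github.com/apache/pulsar-client-go` and its `oauth2` module to a single-owner fork (`github.com/zzzming/pulsar-client-go`, pseudo-version `v0.0.0-20220118161656-73e4b6371a36`), so the apache version named in the `require` block is not the code that gets built. The existing comment sits above the first directive only, and the pull request it cites cannot be tied to the JWT change from what is visible here. I would reword it to cover both lines, e.g. `// TEMPORARY: both replaces pin the zzzming fork carrying the JWT workaround; remove once an upstream release includes it`. Before merging, confirm with `go list -m all` that `github.com/dgrijalva/jwt-go` no longer appears in the build list, because removing its `// indirect` line does not by itself show what the fork pulls in. Note also that `replace` is honoured only in the main module, so any project importing this module would resolve the apache versions instead.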
