
Remove direct dgrijalva/jwt-go dependency #105

Merged
merged 2 commits into from Oct 6, 2021

Conversation

odacremolbap (Member)

  • Remove direct dgrijalva/jwt-go dependency.
  • Upgrade some, but not all, of the libraries that use it as an indirect dependency.

Closes #104

There are still indirect dependencies that might need some more effort to remove.
https://github.com/knative/pkg/blob/a00ba487121ef45e7f14f1d59187ea6bb498bb4e/go.sum#L136
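The description says the direct dependency is gone but go.sum still references the module through indirect paths. The following is an added example, not part of this PR or the triggermesh code base: a POSIX shell check that reads `go mod graph` output and a go.sum (both constructed here as inline samples with placeholder hashes and made-up versions) and reports which modules still require the vulnerable module and whether go.sum still lists it.

```shell
#!/bin/sh
# Added example: find which modules still pull in a given module and whether
# go.sum still records it. The graph and go.sum below are constructed samples,
# not the real triggermesh module graph.

VULN_MOD="github.com/dgrijalva/jwt-go"

# Constructed `go mod graph` output: each line is "requirer requiree@version".
GRAPH='example.com/app github.com/Azure/go-autorest/autorest/adal@v0.9.13
example.com/app go.etcd.io/etcd/client/v3@v3.5.0
github.com/Azure/go-autorest/autorest/adal@v0.9.13 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
go.etcd.io/etcd/client/v3@v3.5.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
example.com/app github.com/golang-jwt/jwt/v4@v4.1.0'

# Constructed go.sum excerpt (hashes are placeholders).
GOSUM='github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:placeholderhash=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:placeholderhash=
github.com/golang-jwt/jwt/v4 v4.1.0 h1:placeholderhash='

# importers_of MODULE GRAPH: print each module (version stripped) that
# requires MODULE, one per line, sorted and deduplicated.
importers_of() {
  printf '%s\n' "$2" | awk -v m="$1" '
    { split($2, r, "@"); if (r[1] == m) { split($1, q, "@"); print q[1] } }' | sort -u
}

# in_gosum MODULE GOSUM: exit 0 if go.sum still has an entry for MODULE.
in_gosum() {
  printf '%s\n' "$2" | awk -v m="$1" 'BEGIN { f = 1 } $1 == m { f = 0 } END { exit f }'
}

report() {
  importers="$(importers_of "$VULN_MOD" "$GRAPH")"
  if [ -n "$importers" ]; then
    printf '%s is still required by:\n%s\n' "$VULN_MOD" "$importers"
  else
    printf '%s is not in the module graph\n' "$VULN_MOD"
  fi
  if in_gosum "$VULN_MOD" "$GOSUM"; then
    printf "go.sum still lists %s: run 'go mod tidy' and re-check\n" "$VULN_MOD"
  fi
}

report
```

On a real checkout, feed the functions `$(go mod graph)` and `$(cat go.sum)` instead of the inline samples.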

go.mod Outdated
github.com/Azure/go-autorest/autorest v0.11.20
github.com/Azure/go-autorest/autorest/adal v0.9.13
github.com/Azure/go-autorest/autorest v0.11.21
github.com/Azure/go-autorest/autorest/adal v0.9.16
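Review bot: this go.mod hunk only bumps the two go-autorest module versions; it does not show the `github.com/dgrijalva/jwt-go` require line being dropped or the matching go.sum changes, and the description itself notes go.sum still references that module. Please include the `go mod tidy` result in the same commit and state in the description which of the bumped modules was the path to dgrijalva/jwt-go, so that the bumps are verifiably related to the fix rather than unrelated upgrades.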
Contributor:

Are those unrelated version bumps needed?
Can we push them separately?

Member Author:

No, they are not needed.

I wanted to also remove transitive dependencies to clean go.sum, but it is tougher than expected.
I'll remove them.

Member Author:

The rabbit hole is here at the moment:

etcd-io/etcd#13390

@antoineco antoineco (Contributor) left a comment

Approving because I suppose the dependency updates are related to the version with the CVE.

@odacremolbap odacremolbap changed the title from "Remove direct dgrijalva/jwt-go depencendy" to "Remove direct dgrijalva/jwt-go dependency" Oct 6, 2021
@odacremolbap odacremolbap merged commit 3e99c0e into triggermesh:main Oct 6, 2021
@odacremolbap odacremolbap deleted the fix/replace-jwt-library branch October 6, 2021 10:25
Development
Successfully merging this pull request may close these issues.

Replace insecure library: CVE-2020-26160
3 participants