🚨 Update go modules (main) (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/MakeNowJust/heredoc	v1.0.0 → v2.0.1
github.com/santhosh-tekuri/jsonschema/v5	v5.3.1 → v6.0.2
gopkg.in/go-jose/go-jose.v2	v2.6.3 → v4.1.4

---

Release Notes

MakeNowJust/heredoc (github.com/MakeNowJust/heredoc)

v2.0.1

Compare Source

Version 2.0.1

Fixes

• Correct import path for Go modules

v2.0.0

Compare Source

Version 2.0.0

Breaking Changes

• Treats only white space (U+0020) and horizontal tabs (U+000D) as space characters. (#​6)

santhosh-tekuri/jsonschema (github.com/santhosh-tekuri/jsonschema/v5)

v6.0.2

Compare Source

v6.0.1

Compare Source

Bug Fixes:

• fix/schema: field RecursiveRef misspelled
• fix/schema: missing Deprecated field

check https://redirect.github.com/santhosh-tekuri/jsonschema/discussions/172 to see notes for migrating from v5 to v6

v6.0.0

Compare Source

Improvements

• mixed dialect support
• custom $vocabulary support
• sermver format
• support for localisation for ValidationError
• command jv
  • support stdin
  • --insecure and --cacert flag
  • --quiet flag

check https://redirect.github.com/santhosh-tekuri/jsonschema/discussions/172 to see notes for migrating from v5 to v6

go-jose/go-jose (gopkg.in/go-jose/go-jose.v2)

v4.1.4

Compare Source

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

Compare Source

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

• Remove Go 1.23 support by @​mcpherrinm in #​205
• Reject JWS with an unprotected critical b64 header by @​mcpherrinm in #​210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

Compare Source

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

• Update go-jose documentation by @​mcpherrinm in #​198
• Remove dependency on testify by @​wardviaene in #​197
• Improve error message for invalid private keys by @​ProjectMutilation in #​195
• JWK unsupported error when unmarshalling by @​fprojetto in #​191
• Add JSONWebKey type to makeJWERecipient by @​alvarolivie in #​200
• testutils/assert: remove True, Nil, NotNil by @​jsha in #​202

New Contributors

• @​wardviaene made their first contribution in #​197
• @​fprojetto made their first contribution in #​191
• @​alvarolivie made their first contribution in #​200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

Compare Source

What's Changed

• Drop go-cmp dependency by @​mcpherrinm in #​186
• jws: improve performance and allocations for ParseSignedCompact by @​drakkan in #​188
• Add missing quote to unknown curve message #​170 by @​sudhanvaghebbale in #​189
• Fix incorrect validation by @​ProjectMutilation in #​192
• Restore Go 1.23 compatibility by @​anuraaga in #​193

New Contributors

• @​drakkan made their first contribution in #​188
• @​sudhanvaghebbale made their first contribution in #​189
• @​ProjectMutilation made their first contribution in #​192
• @​anuraaga made their first contribution in #​193

Full Changelog: go-jose/go-jose@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

• Document signatureAlgorithms argument by @​tgeoghegan in #​163
• Add custom error for unsupported JWS signature algorithms by @​beautifulentropy in #​181
• use stdlib pbkdf2 package on go 1.24 by @​kruskall in #​180
• The minimum supported Go version is now 1.24

New Contributors

• @​kruskall made their first contribution in #​180

Full Changelog: go-jose/go-jose@v4.0.5...v4.1.0

v4.0.5

Compare Source

What's Changed

• Don't allow unbounded amounts of splits by @​mcpherrinm in #​167

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

• @​tgeoghegan made their first contribution in #​161

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4: Version 4.0.4

Compare Source

Fixed

• Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a breaking change. See #​136 / #​137.

v4.0.3: Version 4.0.3

Compare Source

Changed

• Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
• Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
• Dependency updates

v4.0.2: Version 4.0.2

Compare Source

What's Changed

• Improved documentation of Verify() to note that JSONWebKeySet is a supported argument type
• Defined exported error values for missing x5c header and unsupported elliptic curves error cases

New Contributors

• @​mitar made their first contribution in #​104
• @​milosgajdos made their first contribution in #​117

Full Changelog: go-jose/go-jose@v4.0.1...v4.0.2

v4.0.1: Version 4.0.1

Compare Source

Fixed

• An attacker could send a JWE containing compressed data that used large
  amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
  Those functions now return an error if the decompressed data would exceed
  250kB or 10x the compressed size (whichever is larger). Thanks to
  Enze Wang@​Alioth and Jianjun Chen@​Zhongguancun Lab (@​zer0yu and @​chenjj)
  for reporting.

v4.0.0: Version 4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

Changed

• Limit JWT encryption types (exclude password or public key types) (#​78)
• Enforce minimum length for HMAC keys (#​85)
• jwt: match any audience in a list, rather than requiring all audiences (#​81)
• jwt: accept only Compact Serialization (#​75)
• jws: Add expected algorithms for signatures (#​74)
• Require specifying expected algorithms for ParseEncrypted,
  ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
  jwt.ParseSignedAndEncrypted (#​69, #​74)
  • Usually there is a small, known set of appropriate algorithms for a program to use and it's a mistake to allow unexpected algorithms. For instance the "billion hash attack" relies in part on programs accepting the PBES2 encryption algorithm and doing the necessary work even if they weren't specifically configured to allow PBES2.
• Revert "Strip padding off base64 strings" (#​82)
• The specs require base64url encoding without padding.
• Minimum supported Go version is now 1.21

Added

• ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
  • These allow parsing a specific serialization, as opposed to ParseSigned and ParseEncrypted, which try to automatically detect which serialization was provided. It's common to require a specific serialization for a specific protocol - for instance JWT requires Compact serialization.

v3.0.5

Compare Source

What's Changed

Fixes GHSA-78h2-9frx-2jm8

We recommend migrating from v3 to v4, and we will stop support v3 in the near future.

Full Changelog: go-jose/go-jose@v3.0.4...v3.0.5

v3.0.4

Compare Source

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144
#​174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

v3.0.3: Version 3.0.3

Compare Source

Fixed

• Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2: Version 3.0.2

Compare Source

Fixed

• DecryptMulti: handle decompression error (#​19)

Changed

• jwe/CompactSerialize: improve performance (#​67)
• Increase the default number of PBKDF2 iterations to 600k (#​48)
• Return the proper algorithm for ECDSA keys (#​45)
• Update golang.org/x/crypto to v0.19 (#​94)

Added

• Add Thumbprint support for opaque signers (#​38)

v3.0.1: Version 3.0.1

Compare Source

Fixed

Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@​mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

v3.0.0: Version 3.0.0

Compare Source

First release after moving from square/go-jose to the new go-jose/go-jose repository.

Fixes & Improvements
a10ff54 - Fix for EC thumbprint template so we compute EC thumbprints correctly
30f4a6a - Treat zero Expected.Time as now in Claims.Validate when verifying JWTs
4ac8eda - Fix handling of the x5u header (X.509 certificate URL) in JWKs
d7b900b - Strip padding off base64 strings, to match spec per RFC7515 Appendix C
7f81482 - Extract key from JWKs to ensure you can use it when verifying a detached signature
e225b2d - Support non-pointer JWKs to match behavior for other key types
94cbec2 - Use ed25519 from the stdlib instead of the golang.org/x/crypto version
eae0da4 - Export jose-util helpers as they might be useful for others
4bac79d - Fix issue square#182 that caused panic on claims with invalid JWT payload
60a6e9d - Use string.Builder to remove whitespace, instead of a regexp to improve performance
2009556 - Better error handling to avoid panic that can be caused by invalid headers

This release also cleans up a number of module references for the new repo migration, fixed some typos in comments, and more.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum

Command failed: go get -t ./...
go: gopkg.in/go-jose/go-jose.v4@v4.1.4: parsing go.mod:
	module declares its path as: github.com/go-jose/go-jose/v4
	        but was required as: gopkg.in/go-jose/go-jose.v4

[fullsend-ai-review]

🤖 Finished Review · ✅ Success · Started 8:34 PM UTC · Completed 8:44 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-review]

Review

Findings

Critical

• [api-contract] acceptance/go.mod:38 — The PR replaces gopkg.in/go-jose/go-jose.v2 v2.6.3 with gopkg.in/go-jose/go-jose.v4 v4.1.4, but acceptance/image/image.go (line 60) still imports gopkg.in/go-jose/go-jose.v2/json. In Go, v2 and v4 are distinct module paths. Removing v2 from go.mod while no source file imports the v4 path means the acceptance module will not compile — the v2 import cannot resolve without a declared v2 dependency, and v4 is an unused dependency.
  Remediation: Either update the import in acceptance/image/image.go from gopkg.in/go-jose/go-jose.v2/json to the v4 equivalent (the canonical v4 path is github.com/go-jose/go-jose/v4), or keep v2 as a dependency alongside v4.

High

• [incomplete-security-fix] acceptance/go.mod:38 — The stated purpose of upgrading go-jose is to address GHSA-78h2-9frx-2jm8 (JWE decryption panic) and GHSA-c6gw-w398-hv78 (unbounded splits), but acceptance/image/image.go still imports from the v2 module path. The security fixes in v4 will NOT apply to code importing v2. If go mod tidy re-adds v2 as an indirect dependency, the vulnerable version remains linked into the binary. See also: [api-contract] finding at this location.
  Remediation: Update the import in acceptance/image/image.go to use the v4 module path and adapt to API changes, then run go mod tidy to ensure v2 is fully removed from the dependency graph.

Medium

• [logic-error] go.mod:8 — github.com/MakeNowJust/heredoc/v2 v2.0.1 is promoted to a direct dependency, but no Go source file imports this v2 path. All 19 files using heredoc import github.com/MakeNowJust/heredoc (v1). The v1 module is retained in a secondary require block so the code compiles, but v2 is entirely unused — go.sum only contains the /go.mod hash for v2, confirming no source was downloaded.
  Remediation: Either update all 19 source files to import github.com/MakeNowJust/heredoc/v2 (verify API compatibility — v2 changes whitespace handling), or remove the v2 entry from go.mod.

• [logic-error] go.mod:32 — github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 is promoted to a direct dependency, but no Go source file imports the v6 path. All 3 files using jsonschema import github.com/santhosh-tekuri/jsonschema/v5. The v5 module is retained so the code compiles, but v6 is unused. The v5→v6 migration involves breaking API changes (mixed dialect support, vocabulary support, localization) that require source code adaptation.
  Remediation: Either update the 3 source files (pkg/schema/schema.go, internal/policy/policy.go, internal/evaluation_target/application_snapshot_image/application_snapshot_image.go) to import v6 and adapt to the new API, or remove the v6 entry from go.mod.

---

Labels: PR modifies Go module dependencies across go.mod and go.sum files.

[fullsend-ai-review]

See the review comment for full details.

[fullsend-ai-review]

[critical] api-contract

The PR replaces gopkg.in/go-jose/go-jose.v2 with v4 in acceptance/go.mod, but acceptance/image/image.go (line 60) still imports gopkg.in/go-jose/go-jose.v2/json. In Go, v2 and v4 are distinct module paths. The acceptance module will not compile.

Suggested fix: Update the import in acceptance/image/image.go to the v4 equivalent (github.com/go-jose/go-jose/v4), or keep v2 alongside v4.

[fullsend-ai-review]

[high] incomplete-security-fix

The go-jose upgrade from v2 to v4 addresses GHSA-78h2-9frx-2jm8 and GHSA-c6gw-w398-hv78, but acceptance/image/image.go still imports v2. Security fixes in v4 will not apply to code importing the v2 module path.

Suggested fix: Update the import in acceptance/image/image.go to the v4 module path, adapt to API changes, and run go mod tidy to remove v2 from the dependency graph.

[fullsend-ai-review]

[medium] logic-error

github.com/MakeNowJust/heredoc/v2 v2.0.1 is added as a direct dependency but no source file imports the v2 path. All 19 files import v1. The v2 dependency is unused.

Suggested fix: Either update all 19 source files to import heredoc/v2 or remove the v2 entry from go.mod.

[fullsend-ai-review]

[medium] logic-error

github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 is added as a direct dependency but no source file imports v6. All 3 files import v5. The v6 dependency is unused.

Suggested fix: Either update the 3 source files to import jsonschema/v6 and adapt to the new API, or remove the v6 entry from go.mod.