Gopkg.in/go-jose/go-jose.v2 v2.6.3 is deprecated

marimp8888 · January 14, 2025, 3:41pm

Hi,
I noticed that the latest temporal.io server is still using deprecated library “gopkg.in/go-jose/go-jose.v2 v2.6.3” (in go.mod). It could be replace by the library GitHub - go-jose/go-jose: An implementation of JOSE standards (JWE, JWS, JWT) in Go withouth code reworking.

Thanks In advance
Regards
Marco

tihomir · January 14, 2025, 8:29pm

Would create issue in github here for this. thanks.

marimp8888 · February 27, 2025, 7:38am

Hi,
I opened the issue https://github.com/temporalio/temporal/issues/7086. The go-jose/go-jose module is vulnerable to Denial of Service (DoS) attacks GHSA-2c7c-3mj9-8fqh

Could you help to provide a quick fix?
Best Regards
Marco

Topic		Replies	Views
Upgrade go stdlib to resolve CVEs Server Deployment	2	188	October 16, 2024
Security vulnerability in temporal image Server Deployment security	3	626	October 18, 2022
Golang checksum error Community Support go-sdk	5	5365	October 17, 2021
Vulnerability detected by Snyk in Go SDK Community Support go-sdk	0	615	October 12, 2023
Documentation for 3rd party OS dependencies Documentation Feedback	1	9	January 2, 2025