Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

go.mod: replace dgrijalva/jwt-go with form3tech-oss/jwt-go #28733

Merged
merged 4 commits into from
Oct 13, 2021
Merged

go.mod: replace dgrijalva/jwt-go with form3tech-oss/jwt-go #28733

merged 4 commits into from
Oct 13, 2021

Conversation

bb7133
Copy link
Member

@bb7133 bb7133 commented Oct 11, 2021
edited
Loading

What problem does this PR solve?

The github.com/dgrijalva/jwt-go is introduced indirectly, but it is not maintained anymore but contains a security vulnerability marked as high. See CVE-2020-26160.

Problem Summary:

What is changed and how it works?

Update go.mod to replace dgrijalva/jwt-go with form3tech-oss/jwt-go(it may NOT a good idea either since this repo is also archived, the recommended replacement is golang-jwt/jwt).

Check List

Tests

  • No code

Documentation

Alternatives

  • Tried to replace dgrijalva/jwt-go with golang-jwt/jwt v3.2.2, but the error is reported for go mod tidy: "used for two different module paths".
  • Tried to replace dgrijalva/jwt-go with golang-jwt/jwt v3.2.1, but the fix is not included(upstream fix for security vulnerability from form3tech-oss/jwt-go fork golang-jwt/jwt#40).
  • Tried to replace dgrijalva/jwt-go with dgrijalva/jwt-go@release_4_0_0, but the import path has been changed because of the semantic version of Go.

Release note 

None

@ti-chi-bot
Copy link
Member

ti-chi-bot commented Oct 11, 2021
edited
Loading

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • dveeden
  • morgo

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 11, 2021
@morgo
Copy link
Contributor

morgo commented Oct 11, 2021

The dependency is from etcd:

$ go mod why github.com/dgrijalva/jwt-go
warning: ignoring symlink /home/morgo/go/src/github.com/morgo/tidb/plugin/audit
# github.com/dgrijalva/jwt-go
github.com/pingcap/tidb/ddl/util
github.com/pingcap/tidb/ddl/util.test
go.etcd.io/etcd/etcdserver
go.etcd.io/etcd/auth
github.com/dgrijalva/jwt-go

The etcd dependency is also holding back the package google.golang.org/grpc. From some quick googling it looks like we might be importing it from an older location, but someone who understands it better might want to take a look.

@ti-chi-bot ti-chi-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 11, 2021
@zhangjinpeng87
Copy link
Contributor

@bb7133 Please address comments

@zhangjinpeng87
Copy link
Contributor

Can we using https://github.com/golang-jwt/jwt directly?

@bb7133 bb7133 force-pushed the bb7133/fix_by_replace branch from ba2b462 to eeba4da Compare October 13, 2021 04:03
@ti-chi-bot ti-chi-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 13, 2021
@bb7133
Copy link
Member Author

bb7133 commented Oct 13, 2021

Can we using https://github.com/golang-jwt/jwt directly?

I've tried but it doesn't work(see "Alternatives" in description and the commit history).

@morgo morgo self-requested a review October 13, 2021 04:15
@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Oct 13, 2021
@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Oct 13, 2021
@bb7133
Copy link
Member Author

bb7133 commented Oct 13, 2021

/merge

@ti-chi-bot
Copy link
Member

This pull request has been accepted and is ready to merge.

Commit hash: eeba4da

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Oct 13, 2021
@ti-chi-bot ti-chi-bot merged commit 90ccd6a into pingcap:master Oct 13, 2021
@bb7133 bb7133 mentioned this pull request Oct 13, 2021
Merged
1 task
@bb7133 bb7133 deleted the bb7133/fix_by_replace branch December 29, 2023 18:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@morgo morgo morgo approved these changes

@dveeden dveeden dveeden approved these changes

Assignees
No one assigned
Labels
release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bb7133 @ti-chi-bot @morgo @zhangjinpeng87 @dveeden