
fix(deps): Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY]#20407

Merged
kodiakhq[bot] merged 2 commits into main from renovate/go-github.com-golang-jwt-jwt-v5-vulnerability
Mar 22, 2025

Conversation

@cq-bot
Contributor

@cq-bot cq-bot commented Mar 22, 2025

This PR contains the following updates:

Package: github.com/golang-jwt/jwt/v5
Type: indirect
Update: patch
Change: v5.2.1 -> v5.2.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-30204

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation


Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2

Compare Source

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
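The advisory above describes the amplification only in prose. The following is an added example, not code from this PR, from CloudQuery or from golang-jwt: it reproduces the strings.Split pattern on an all-period token, estimates the slice backing array that the split reserves, and puts a bounded alternative beside it that cuts at most three times with strings.Cut and rejects anything that is not exactly three segments, plus a request-level length cap applied before any parsing. The function names splitUnbounded, splitBounded, splitBytesFor and bearerToken, the constant maxTokenLen, and the sample inputs are assumptions constructed for this illustration; the bounded splitter is my own sketch of the pattern, not the library's v5.2.2 code.

```go
package main

import (
	"fmt"
	"strings"
	"unsafe"
)

// stringHeaderBytes is the size of one string header (16 bytes on 64-bit Go);
// strings.Split allocates one per segment in its result slice.
var stringHeaderBytes = int(unsafe.Sizeof(""))

// splitUnbounded reproduces the pre-fix pattern the advisory describes:
// strings.Split on untrusted input returns n+1 segments for n periods, so the
// result slice alone costs about stringHeaderBytes per input byte.
func splitUnbounded(token string) []string {
	return strings.Split(token, ".")
}

// splitBytesFor estimates the bytes strings.Split reserves for its result
// slice (headers only, not the substrings, which share the input's memory).
func splitBytesFor(token string) int {
	return len(splitUnbounded(token)) * stringHeaderBytes
}

// splitBounded is the hardened pattern: at most three cuts, a fixed
// three-element result, and any extra period is a hard reject. A compact JWS
// always has exactly three segments; the third (signature) may be empty.
func splitBounded(token string) ([]string, bool) {
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return nil, false
	}
	claims, rest, ok := strings.Cut(rest, ".")
	if !ok {
		return nil, false
	}
	// A period left in the remainder means a fourth segment: malformed.
	if strings.Contains(rest, ".") {
		return nil, false
	}
	return []string{header, claims, rest}, true
}

// maxTokenLen is a hypothetical request-level cap. The advisory's cost is
// linear in the input length, so bounding the input bounds the cost
// independently of which library version is linked.
const maxTokenLen = 8192

// bearerToken extracts the compact JWS from an Authorization header value and
// refuses non-Bearer, empty or oversized values before any parsing happens.
func bearerToken(authorization string) (string, bool) {
	token, ok := strings.CutPrefix(authorization, "Bearer ")
	if !ok || token == "" || len(token) > maxTokenLen {
		return "", false
	}
	return token, true
}

func main() {
	// Constructed inputs: an unsecured JWS with an empty signature, and the
	// advisory's hostile shape, 64 KiB of nothing but periods.
	good := "eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0In0."
	hostile := strings.Repeat(".", 1<<16)

	for _, tok := range []string{good, hostile} {
		parts, ok := splitBounded(tok)
		fmt.Printf("input %d bytes: bounded ok=%v segments=%d; strings.Split would reserve %d bytes for %d segments\n",
			len(tok), ok, len(parts), splitBytesFor(tok), len(splitUnbounded(tok)))
	}

	// The request-level cap stops the hostile header before the splitter sees it.
	_, ok := bearerToken("Bearer " + hostile)
	fmt.Printf("hostile header accepted at request stage: %v\n", ok)
}
```

Because the module is an indirect dependency here, confirm the bump actually took effect with `go list -m github.com/golang-jwt/jwt/v5` in the plugin directory, and run `govulncheck ./...` to learn whether the vulnerable function is reachable from this code path at all.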

@cq-bot cq-bot added the automerge (Automatically merge once required checks pass) and security labels Mar 22, 2025
@cq-bot
Contributor Author

cq-bot commented Mar 22, 2025

/gen sha=eebae50979630cd89c22209db4201dfcc74bb5c0 dir=plugins/destination/snowflake

@kodiakhq kodiakhq bot merged commit c6efff0 into main Mar 22, 2025
13 checks passed
@kodiakhq kodiakhq bot deleted the renovate/go-github.com-golang-jwt-jwt-v5-vulnerability branch March 22, 2025 02:45
kodiakhq bot pushed a commit that referenced this pull request Mar 26, 2025
🤖 I have created a release *beep* *boop*
---


## [4.4.10](plugins-destination-snowflake-v4.4.9...plugins-destination-snowflake-v4.4.10) (2025-03-26)


### Bug Fixes

* **deps:** Update module github.com/apache/arrow-go/v18 to v18.2.0 ([#20410](#20410)) ([ee081fb](ee081fb))
* **deps:** Update module github.com/cloudquery/plugin-sdk/v4 to v4.74.2 ([#20434](#20434)) ([8db20d6](8db20d6))
* **deps:** Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] ([#20407](#20407)) ([c6efff0](c6efff0))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Labels: area/plugin/destination/snowflake, automerge (Automatically merge once required checks pass), security

1 participant