Transitive dependency on github.com/dgrijalva/jwt-go

Colin Douch

Jun 20, 2022, 7:24:53 PM
to Jaeger Tracing
Hi!

Through the dependency on go-kit/k...@v0.11.0, jaegertracing/jaeger depends on github.com/dgrijalva/jwt-go. There are a slew of vulns against that repo (e.g. https://github.com/dgrijalva/jwt-go/issues/428) and it is abandoned in favour of https://github.com/golang-jwt/jwt . go-kit 0.12.0 upgrades to the new repo, so can we update jaegertracing/jaeger to go-kit 0.12.0 to mitigate this?

- Colin