Groups
Sign in
Groups
Jaeger Tracing
Conversations
About
Send feedback
Help
Transitive dependency on github.com/dgrijalva/jwt-go
18 views
Skip to first unread message
Colin Douch
unread,
Jun 20, 2022, 7:24:53 PM
6/20/22
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Jaeger Tracing
Hi!
Through the dependency on go-kit/k...@v0.11.0, jaegertracing/jaeger depends on
github.com/dgrijalva/jwt-go
. There are a slew of vulns against that repo (e.g.
https://github.com/dgrijalva/jwt-go/issues/428
) and it is abandoned in favour of
https://github.com/golang-jwt/jwt
. go-kit 0.12.0 upgrades to the new repo, so can we update jaegertracing/jaeger to go-kit 0.12.0 to mitigate this?
- Colin
Reply all
Reply to author
Forward
0 new messages