Conversation

@macrael
Contributor

@macrael macrael commented Oct 6, 2025

Summary

We're getting Dependabot warnings about using go-jose v2 in our repo b/c we import slsa-github-generator. This PR updates the import to use the supported v4 of the library and updates go mod. All go tests pass, it looks like go-jose is only used in one line of the tests for GitHub biz.

...

Testing Process

  • ran make go-test and everything was clean. This change only affected tests so that feels sufficient.

...

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

@macrael macrael requested review from a team as code owners October 6, 2025 21:26
Signed-off-by: MacRae Linton <macrael@confidentsecurity.com>
@macrael macrael force-pushed the wml-update-go-jose branch from 265d6c3 to a1c31c3 October 6, 2025 21:26
Member

@ianlewis ianlewis left a comment

LGTM

# Approved packages.
- "github.com/spf13/cobra" # For CLI
- "github.com/coreos/go-oidc" # For verifying OIDC tokens.
- "github.com/go-jose/go-jose/v4" # For testing OIDC tokens
Member

hmm. How was depguard allowing gopkg.in/square/go-jose.v2 before? 🤔

Contributor Author

my guess is it was an old line, never linted? but I really don't know

@sgreene570

sgreene570 commented Oct 20, 2025

xref #408

@sgreene570

@ianlewis looks like this PR is ready to go? Can you help with merging it?

@ianlewis ianlewis merged commit a09dd8c into slsa-framework:main Oct 20, 2025
74 checks passed
@ianlewis
Member

@sgreene570 Yeah, looks fine. This won't show up on a proper tag until we do a tagged release, which is a bit complicated. Given that no one is really working on this much anymore it might be a while.

I think you could import it from latest if you're ok doing that.

@macrael macrael deleted the wml-update-go-jose branch October 21, 2025 00:12
@sgreene570

I think you could import it from latest if you're ok doing that.

Yup, this is just fine, thanks!
