@renovate renovate bot commented May 19, 2025

This PR contains the following updates:

Package                          Change
github.com/go-jose/go-jose/v3    v3.0.4 -> v4.1.2
github.com/puzpuzpuz/xsync/v3    v3.5.1 -> v4.1.0

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.1.2

Compare Source

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

New Contributors

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.5...v4.1.0

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4: Version 4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a breaking change. See #136 / #137.

v4.0.3: Version 4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
  • Dependency updates

v4.0.2: Version 4.0.2

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.1...v4.0.2

v4.0.1: Version 4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.

v4.0.0: Version 4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#78)
  • Enforce minimum length for HMAC keys (#85)
  • jwt: match any audience in a list, rather than requiring all audiences (#81)
  • jwt: accept only Compact Serialization (#75)
  • jws: Add expected algorithms for signatures (#74)
  • Require specifying expected algorithms for ParseEncrypted, ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned, jwt.ParseSignedAndEncrypted (#69, #74)
    • Usually there is a small, known set of appropriate algorithms for a program to use and it's a mistake to allow unexpected algorithms. For instance the "billion hash attack" relies in part on programs accepting the PBES2 encryption algorithm and doing the necessary work even if they weren't specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#82)
    • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and ParseEncrypted, which try to automatically detect which serialization was provided. It's common to require a specific serialization for a specific protocol - for instance JWT requires Compact serialization.

puzpuzpuz/xsync (github.com/puzpuzpuz/xsync/v3)

v4.1.0

Compare Source

  • New data structure: UMPSCQueue #168
  • Speed up LoadAndDelete and Delete in case of non-existing Map key #167
  • Parallel Map resize #170

UMPSCQueue is meant to serve as a replacement for a channel. However, crucially, it has infinite capacity. This is a very bad idea in many cases as it means that it never exhibits backpressure. In other words, if nothing is consuming elements from the queue, it will eventually consume all available memory and crash the process. However, there are also cases where this is desired behavior as it means the queue will dynamically allocate more memory to store temporary bursts, allowing producers to never block while the consumer catches up.

From now on, Map spawns additional goroutines to speed up resizing the hash table. This can be disabled when creating a Map with the new WithSerialResize setting:

```go
package main

import "github.com/puzpuzpuz/xsync/v4"

func main() {
	m := xsync.NewMap[int, int](xsync.WithSerialResize())
	for i := 0; i < 10000; i++ { // resize will take place on the current goroutine only
		m.Store(i, i)
	}
}
```

Thanks @PapaCharlie and @llxisdsh for the contributions!

v4.0.0

Compare Source

  • Minimal Golang version is now 1.24.
  • All non-generic data structures are now removed. Generic versions should be used instead - they use the old names, but type aliases are present to simplify v3-to-v4 code migration.
  • MapOf's hasher API is gone. The default and only hash function is now based on maphash.Comparable.
  • Map's Compute API now supports no-op (cancel) compute operation.

Thanks @PapaCharlie for making this release happen.

Migration notes
  • The old *Of types are kept as type aliases for the renamed data structures to simplify the migration, e.g. MapOf is an alias for Map.
  • NewMapOfPresized function is gone. NewMap combined with WithPresize should be used instead.
  • Map.Compute method now expects valueFn to return a ComputeOp value instead of a boolean flag. That's to support compute operation cancellation, so that the call does nothing.
  • Map.LoadOrTryCompute method is renamed to LoadOrCompute. The old LoadOrCompute method is removed as it was redundant.

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
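The v4.0.1 note above describes the cap that Decrypt and DecryptMulti now apply to compressed JWE payloads. The following is an added example, not go-jose's code, that implements that rule with the Go standard library only: raw DEFLATE (what JWE "zip":"DEF" carries) is inflated with the output capped at the larger of 250 kB (assumed here to mean 250,000 bytes) and 10x the compressed size. All function and error names are this example's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

// Assumed reading of the note's "250kB": 250,000 bytes (this example's constant, not go-jose's).
const absoluteCap = 250_000

var ErrDecompressTooLarge = errors.New("jwe: decompressed plaintext exceeds limit")

// decompressLimit is the larger of 250 kB and 10x the compressed size, as the release note states.
func decompressLimit(compressedLen int) int64 {
	if ratioCap := int64(compressedLen) * 10; ratioCap > absoluteCap {
		return ratioCap
	}
	return absoluteCap
}

// DeflateDecompress inflates raw DEFLATE (what JWE "zip":"DEF" carries) but reads at most limit+1
// bytes, so a tiny ciphertext cannot be expanded into an unbounded buffer before the size check runs.
func DeflateDecompress(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit { // the extra byte proves the stream exceeds the limit
		return nil, ErrDecompressTooLarge
	}
	return out, nil
}

// DeflateCompress is the matching raw-DEFLATE compressor, used here only to construct test inputs.
func DeflateCompress(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // only errors on an invalid level
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil { // Close flushes the final block before buf is read
		return nil, err
	}
	return buf.Bytes(), nil
}
```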
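The v4.0.0 changes above make callers state the expected signature algorithms up front, enforce a minimum HMAC key length and, for JWT, accept only compact serialization. As an added example of what those checks do (not go-jose's own code), here is a standard-library-only compact JWS verifier that refuses non-compact input, any alg outside the caller's list (so an alg of "none" or a mismatched algorithm is never evaluated) and HMAC keys shorter than 32 bytes. Function names are this example's own; SignCompact exists only to construct test tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE: base64url without padding

// hs256Tag computes HMAC-SHA256 over the JWS signing input (encoded header "." encoded payload).
func hs256Tag(input string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// SignCompact builds a compact JWS with any alg header value; it exists only to construct test tokens.
func SignCompact(alg, payload string, key []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"`+alg+`"}`)) + "." + b64.EncodeToString([]byte(payload))
	return input + "." + b64.EncodeToString(hs256Tag(input, key))
}

// VerifyCompact applies the v4 rule: the caller names the expected algorithms, so a token whose alg
// is outside that list (for example "none") is refused before any key material is used.
func VerifyCompact(token string, expected []string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { // JSON serialization or anything else is not a compact JWS
		return nil, errors.New("jws: not compact serialization")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, errors.New("jws: malformed protected header")
	}
	if !slices.Contains(expected, hdr.Alg) || hdr.Alg != "HS256" { // only HS256 is implemented here
		return nil, errors.New("jws: alg " + hdr.Alg + " not in expected list")
	}
	if len(key) < sha256.Size { // RFC 7518 section 3.2: HMAC key at least as long as the hash output
		return nil, errors.New("jws: HMAC key shorter than 32 bytes")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256Tag(parts[0]+"."+parts[1], key)) {
		return nil, errors.New("jws: signature mismatch")
	}
	return b64.DecodeString(parts[1])
}
```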


renovate bot commented May 19, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: install-tool golang 1.22.12


changeset-bot bot commented May 19, 2025

⚠️ No Changeset found

Latest commit: 9ab4cea

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

💥 An error occurred when fetching the changed packages and changesets in this PR
Some errors occurred when validating the changesets config:
The package or glob expression "github.com/livekit/protocol" specified in the `fixed` option does not match any package in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.

@renovate renovate bot changed the title fix(deps): update go deps to v4 (major) Update go deps to v4 (major) Jun 11, 2025
@renovate renovate bot changed the title Update go deps to v4 (major) fix(deps): update go deps to v4 (major) Jun 16, 2025
@renovate renovate bot force-pushed the renovate/major-go-deps branch from 2c24bea to 4de46f8 Compare June 26, 2025 21:50
@renovate renovate bot changed the title fix(deps): update go deps to v4 (major) fix(deps): update module github.com/puzpuzpuz/xsync/v3 to v4 Jul 13, 2025
@renovate renovate bot changed the title fix(deps): update module github.com/puzpuzpuz/xsync/v3 to v4 fix(deps): update go deps to v4 (major) Jul 13, 2025
@renovate renovate bot force-pushed the renovate/major-go-deps branch 2 times, most recently from b0b1b56 to 37ab3fd Compare July 21, 2025 11:43
@renovate renovate bot force-pushed the renovate/major-go-deps branch from 37ab3fd to 738e61f Compare August 1, 2025 20:43
@renovate renovate bot changed the title fix(deps): update go deps to v4 (major) Update go deps to v4 (major) Aug 2, 2025
@renovate renovate bot force-pushed the renovate/major-go-deps branch from 738e61f to 965713b Compare August 10, 2025 13:21
Generated by renovateBot
@renovate renovate bot force-pushed the renovate/major-go-deps branch from 965713b to 9ab4cea Compare August 13, 2025 15:40