Skip to content

fix(deps): update go deps to v4 (major) #1083

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(deps): update go deps to v4 (major) #1083

wants to merge 2 commits into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented May 19, 2025
edited
Loading

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

This PR contains the following updates:

Package Change Age Confidence
github.com/go-jose/go-jose/v3 v3.0.4 -> v4.1.3 age confidence
github.com/puzpuzpuz/xsync/v3 v3.5.1 -> v4.2.0 age confidence

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.1.3

Compare Source

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

Compare Source

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

New Contributors

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.5...v4.1.0

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4: Version 4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a breaking change. See #​136 / #​137.

v4.0.3: Version 4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
  • Dependency updates

v4.0.2: Version 4.0.2

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.1...v4.0.2

v4.0.1: Version 4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@​Alioth and Jianjun Chen@​Zhongguancun Lab (@​zer0yu and @​chenjj)
    for reporting.

v4.0.0: Version 4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)
  • Enforce minimum length for HMAC keys (#​85)
  • jwt: match any audience in a list, rather than requiring all audiences (#​81)
  • jwt: accept only Compact Serialization (#​75)
  • jws: Add expected algorithms for signatures (#​74)
  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#​69, #​74)
    • Usually there is a small, known set of appropriate algorithms for a program to use and it's a mistake to allow unexpected algorithms. For instance the "billion hash attack" relies in part on programs accepting the PBES2 encryption algorithm and doing the necessary work even if they weren't specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#​82)
  • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and ParseEncrypted, which try to automatically detect which serialization was provided. It's common to require a specific serialization for a specific protocol - for instance JWT requires Compact serialization.
puzpuzpuz/xsync (github.com/puzpuzpuz/xsync/v3)

v4.2.0

Compare Source

  • Cooperative parallel rehashing in Map #​178
  • Use runtime.cheaprand instead of fastrand #​177

Introduces cooperative rehashing for xsync.Map this means that goroutines that execute write operations, such as Compute or Store, may participate in table rehashing when the hash table grows or shrinks. From now on, table rehashing never spawns additional goroutines.

This behavior is always enabled, so the WithSerialResize function is now marked as deprecated and acts as a no-op.

v4.1.0

Compare Source

  • New data structure: UMPSCQueue #​168
  • Speed up LoadAndDelete and Delete in case of non-existing Map key #​167
  • Parallel Map resize #​170

UMPSCQueue is meant to serve as a replacement for a channel. However, crucially, it has infinite capacity. This is a very bad idea in many cases as it means that it never exhibits backpressure. In other words, if nothing is consuming elements from the queue, it will eventually consume all available memory and crash the process. However, there are also cases where this is desired behavior as it means the queue will dynamically allocate more memory to store temporary bursts, allowing producers to never block while the consumer catches up.

From now on, Map spawns additional goroutines to speed up resizing the hash table. This can be disabled when creating a Map with the new WithSerialResize setting:

m := xsync.NewMap[int, int](xsync.WithSerialResize())
// resize will take place on the current goroutine only
for i := 0; i < 10000; i++ {
	m.Store(i, i)
}

Thanks @​PapaCharlie and @​llxisdsh for the contributions!

v4.0.0

Compare Source

  • Minimal Golang version is now 1.24.
  • All non-generic data structures are now removed. Generic versions should be used instead - they use the old names, but type aliases are present to simplify v3-to-v4 code migration.
  • MapOf's hasher API is gone. The default and only hash function is now based on maphash.Comparable.
  • Map's Compute API now supports no-op (cancel) compute operation.

Thanks @​PapaCharlie for making this release happen

Migration notes
  • The old *Of types are kept as type aliases for the renamed data structures to simplify the migration, e.g. MapOf is an alias for Map.
  • NewMapOfPresized function is gone. NewMap combined with WithPresize should be used instead.
  • Map.Compute method now expects valueFn to return a ComputeOp value instead of a boolean flag. That's to support compute operation cancellation, so that the call does nothing.
  • Map.LoadOrTryCompute method is renamed to LoadOrCompute. The old LoadOrCompute method is removed as it was redundant.

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Contributor Author

renovate bot commented May 19, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: install-tool golang 1.22.12

@changeset-bot
Copy link

changeset-bot bot commented May 19, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: ded7f81

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

💥 An error occurred when fetching the changed packages and changesets in this PR 
Some errors occurred when validating the changesets config:
The package or glob expression "github.com/livekit/protocol" specified in the `fixed` option does not match any package in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.

@renovate renovate bot changed the title fix(deps): update go deps to v4 (major) Update go deps to v4 (major) Jun 11, 2025
@renovate renovate bot changed the title Update go deps to v4 (major) fix(deps): update go deps to v4 (major) Jun 16, 2025
@renovate renovate bot force-pushed the renovate/major-go-deps branch from 2c24bea to 4de46f8 Compare June 26, 2025 21:50
@renovate renovate bot changed the title fix(deps): update go deps to v4 (major) fix(deps): update module github.com/puzpuzpuz/xsync/v3 to v4 Jul 13, 2025
@renovate renovate bot changed the title fix(deps): update module github.com/puzpuzpuz/xsync/v3 to v4 fix(deps): update go deps to v4 (major) Jul 13, 2025
@renovate renovate bot force-pushed the renovate/major-go-deps branch 2 times, most recently from b0b1b56 to 37ab3fd Compare July 21, 2025 11:43
@renovate renovate bot force-pushed the renovate/major-go-deps branch from 37ab3fd to 738e61f Compare August 1, 2025 20:43
@renovate renovate bot changed the title fix(deps): update go deps to v4 (major) Update go deps to v4 (major) Aug 2, 2025
@renovate renovate bot force-pushed the renovate/major-go-deps branch 2 times, most recently from 965713b to 9ab4cea Compare August 13, 2025 15:40
@renovate renovate bot changed the title Update go deps to v4 (major) fix(deps): update go deps to v4 (major) Sep 11, 2025
@renovate renovate bot force-pushed the renovate/major-go-deps branch from 9ab4cea to 7a2072d Compare September 14, 2025 20:38
@renovate renovate bot force-pushed the renovate/major-go-deps branch 8 times, most recently from 204474b to e65f335 Compare October 1, 2025 19:12
@renovate
fix(deps): update go deps to v4
da132a7 
Generated by renovateBot
@renovate renovate bot force-pushed the renovate/major-go-deps branch from e65f335 to da132a7 Compare October 3, 2025 21:56
@renovate
Copy link
Contributor Author

renovate bot commented Oct 4, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants