From e6d0c936231c1e5bbfdeed1961264ed108a02bb4 Mon Sep 17 00:00:00 2001
From: Michael Traver
Date: Thu, 12 Aug 2021 15:21:24 -0700
Subject: [PATCH] Use github.com/golang-jwt/jwt instead of github.com/dgrijalva/jwt-go

See dgrijalva/jwt-go#462 for more info. This also addresses CVE-2020-26160 since github.com/golang-jwt/jwt v3.2.1 fixes the issue.
---
 go.mod | 2 +-
 go.sum | 4 ++--
 iotcore.go | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 6d2fc30..c7cba6c 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/mtraver/iotcore
 go 1.15
 
 require (
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
  github.com/eclipse/paho.mqtt.golang v1.3.5
+ github.com/golang-jwt/jwt v3.2.2+incompatible
  golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d // indirect
 )
diff --git a/go.sum b/go.sum
index f772ac2..9599506 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/eclipse/paho.mqtt.golang v1.3.5 h1:sWtmgNxYM9P2sP+xEItMozsR3w0cqZFlqnNN1bdl41Y=
 github.com/eclipse/paho.mqtt.golang v1.3.5/go.mod h1:eTzb4gxwwyWpqBUHGQZ4ABAV7+Jgm1PklsYT/eo8Hcc=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
diff --git a/iotcore.go b/iotcore.go
index ac8e71a..12df0d2 100644
--- a/iotcore.go
+++ b/iotcore.go
@@ -12,8 +12,8 @@ import (
  "sync"
  "time"
 
- jwt "github.com/dgrijalva/jwt-go"
  mqtt "github.com/eclipse/paho.mqtt.golang"
+ jwt "github.com/golang-jwt/jwt"
 )
 
 // Google Cloud IoT Core's MQTT brokers ignore the password when authenticating (they only care about the JWT).