Skip to content

chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.1.4 to 2.1.6#308

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/lestrrat-go/jwx/v2-2.1.6
Closed

chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.1.4 to 2.1.6#308
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/lestrrat-go/jwx/v2-2.1.6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 9, 2025
edited
Loading

Bumps github.com/lestrrat-go/jwx/v2 from 2.1.4 to 2.1.6.

Release notes

Sourced from github.com/lestrrat-go/jwx/v2's releases.

v2.1.6

What's Changed

Please read the Changes file and upgrade accordingly, especially if you are using the following combinations for JWE:

  • DIRECT mode content encryption
  • Using A256CBC_HS512
  • With an erroneously created CEK of exactly 32-bytes.

Full Changelog: lestrrat-go/jwx@v2.1.5...v2.1.6

v2.1.5

What's Changed

Full Changelog: lestrrat-go/jwx@v2.1.4...v2.1.5

Changelog

Sourced from github.com/lestrrat-go/jwx/v2's changelog.

v2.1.6 29 Apr 2025

  • [jwe] Fixed a long standing bug that could lead to degraded encryption or failure to decrypt JWE messages when a very specific combination of inputs were used for JWE operations.

    This problem only manifested itself when the following conditions in content encryption or decryption were met:

    • Content encryption was specified to use DIRECT mode.
    • Contentn encryption algorithm is specified as A256CBC_HS512
    • The key was erronously constructed with a 32-byte content encryption key (CEK)

    In this case, the user would be passing a mis-constructed key of 32-bytes instead of the intended 64-bytes. In all other cases, this construction would cause an error because crypto/aes.NewCipher would return an error when a key with length not matching 16, 24, and 32 bytes is used. However, due to use using a the provided 32-bytes as half CEK and half the hash, the crypto/aes.NewCipher was passed a 16-byte key, which is fine for AES-128. So internally crypto/aes.NewCipher would choose to use AES-128 instead of AES-256, and happily continue. Note that no other key lengths such as 48 and 128 would have worked. It had to be exactly 32.

    This does indeed result in a downgraded encryption, but we believe it is unlikely that this would cause a problem in the real world, as you would have to very specifically choose to use DIRECT mode, choose the specific content encryption algorithm, AND also use the wrong key size of exactly 32 bytes.

    However, in abandunce of caution, we recommend that you upgrade to v3.0.1 or later, or v2.1.6 or later if you are still on v2 series.

  • [jws] Improve performance of jws.SplitCompact and jws.SplitCompactString

  • [jwe] Improve performance of jwe.Parse

v2.1.5 16 Apr 2025

  • Update minimum require go version to 1.23; this is an indirect consequence of updateing github.com/lestrrat-go/blackmagic
  • backport #1308
Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 9, 2025
@Kyrremann
Copy link
Copy Markdown
Member

Kyrremann commented Jun 4, 2026

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/lestrrat-go/jwx/v2-2.1.6 branch from 8a12a8c to fcee10d Compare June 4, 2026 10:04
@Kyrremann
Copy link
Copy Markdown
Member

Kyrremann commented Jun 5, 2026

https://github.com/dependabot recreate

@dependabot
chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.1.4 to 2.1.6
8c395af 
Bumps [github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from 2.1.4 to 2.1.6.
- [Release notes](https://github.com/lestrrat-go/jwx/releases)
- [Changelog](https://github.com/lestrrat-go/jwx/blob/v2.1.6/Changes)
- [Commits](lestrrat-go/jwx@v2.1.4...v2.1.6)

---
updated-dependencies:
- dependency-name: github.com/lestrrat-go/jwx/v2
  dependency-version: 2.1.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/lestrrat-go/jwx/v2-2.1.6 branch from fcee10d to 8c395af Compare June 5, 2026 06:44
@Kyrremann
Copy link
Copy Markdown
Member

Kyrremann commented Jun 5, 2026

https://github.com/dependabot recreate

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Jun 5, 2026

Looks like github.com/lestrrat-go/jwx/v2 is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 5, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/lestrrat-go/jwx/v2-2.1.6 branch June 5, 2026 07:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Kyrremann