mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-15 14:26:57 +00:00
Heketi, which is a dependency for glusterfs, was updated to import a fork of jwt-go that fixes the high-severity CVE-2020-26160. It does so by importing a forked repo (form3tech-oss/jwt-go) that fixes the CVE, as the original repo (dgrijalva/jwt-go) has a fix with breaking changes and the repo is generally loosely maintained. This fork is already being used in other places in kubernetes. Heketi 10.3.0 includes this fix.

NOTE: The vulnerable function is not used by heketi or kubernetes. So the vulnerable package is a transitive dependency and this fix will reduce false positive CVE alerts on kubernetes.

Bumped github.com/auth0/go-jwt-middleware to v1.0.0, which removes dgrijalva/jwt-go cleanly

Fixing test failures: pull-kubernetes-dependencies

Removing unused dependencies in replace block to fix test failures: pull-kubernetes-dependencies

Bump go-jwt-middleware to v1.0.1 to *not* pull in examples only deps