OCPBUGS-56483: bump jwt and oauth dependencies

This commit aims to mitigate two different CVEs in the following packages: - github.com/golang-jwt/jwt/v4 (CVE-2025-30204) - golang.org/x/oauth2 (CVE-2025-22868) We add two replaces here. Ideally these would be bumped in the docker-distribution repository but at the current state we can't easily cherry pick those from upstream.
2026-02-05 09:45:55 +01:00 · 2025-05-21 09:30:57 +02:00
parent 59376a751c
commit 861d0d053d
39 changed files with 1540 additions and 1055 deletions
--- a/go.mod
+++ b/go.mod
@@ -32,8 +32,7 @@ require (

 require (
 	cloud.google.com/go v0.110.6 // indirect
-	cloud.google.com/go/compute v1.23.0 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	cloud.google.com/go/iam v1.1.1 // indirect
 	cloud.google.com/go/storage v1.30.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect
@@ -120,4 +119,13 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )

-replace github.com/distribution/distribution/v3 => github.com/openshift/docker-distribution/v3 v3.0.0-20250403075108-ac5742e896d4
+replace (
+	github.com/distribution/distribution/v3 => github.com/openshift/docker-distribution/v3 v3.0.0-20250403075108-ac5742e896d4
+
+	// CVE-2025-30204
+	github.com/golang-jwt/jwt/v4 => github.com/golang-jwt/jwt/v4 v4.5.2
+
+	// CVE-2025-22868
+	// This is from tag v0.26.openshift.1
+	golang.org/x/oauth2 => github.com/openshift/golang-oauth2 v0.26.1-0.20250310184649-06a918c6239d
+)