go.mod: replace github.com/dgrijalva/jwt-go with .../golang-jwt/jwt
CVE-2020-26160 is a high-severity advisory reported against this module. The dgrijalva package is no longer maintained but our legacy etcdv2 backend depends on it indirectly, via go.etcd.io/etcd/client. The golang-jwt package is the blessed successor of the original, and has a v3 line which is compatible with the v3 line of dgrijalva, and so through this replace we can get a fix for the advisory without other significant behavior change. We've preserved the etcdv2 backend as-is on a best-effort basis in order to support anyone who is already using it, but recommend that users switch to etcdv3 or to some other backend for ongoing use. We also have future plans to make state storage be a matter for provider plugins rather than built into Terraform CLI, at which point this backend will either become obsolete or be factored out into its own plugin, at which point we can remove this "replace" directive and the associated dependency altogether.
... | ... | @@ -192,4 +192,10 @@ replace github.com/golang/mock v1.5.0 => github.com/golang/mock v1.4.4 |
replace k8s.io/client-go => k8s.io/client-go v0.0.0-20190620085101-78d2af792bab | ||
// github.com/dgrijalva/jwt-go is no longer maintained but is an indirect | ||
// dependency of the old etcdv2 backend, and so we need to keep this working | ||
// until that backend is removed. github.com/golang-jwt/jwt/v3 is a drop-in | ||
// replacement that includes a fix for CVE-2020-26160. | ||
replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible | ||
go 1.17 |
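Review bot: the new comment names `github.com/golang-jwt/jwt/v3` as the drop-in replacement, but the directive itself points at `github.com/golang-jwt/jwt v3.2.1+incompatible`, the un-suffixed path; align the comment with the actual target (e.g. `// github.com/golang-jwt/jwt v3.2.1+incompatible is a drop-in replacement`) so the next reader does not go looking for a `/v3` module. The `+incompatible` suffix also records that this release carries no go.mod of its own, which is what lets a `replace` across two different module paths resolve here; that condition should be stated in the comment, because a later bump to a go.mod-bearing release of golang-jwt would need to be re-checked rather than assumed to work through the same directive.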