chore: Update unsupported v2 of go-jose to supported v4 (#4439)

macrael · web-flow · commit a09dd8c05eda · 2025-10-21T08:51:11.000+09:00
# Summary We're getting [Dependabot warnings](GHSA-c5q2-7r4c-mv6g) about using go-jose v2 in our repo b/c we import slsa-github-generator. This PR updates the import to use the supported v4 of the library and updates go mod. All go tests pass, it looks like go-jose is only used in one line of the tests for GitHub biz. ... ## Testing Process * ran `make go-test` and everything was clean. This change only affected tests so that feels sufficient. ... ## Checklist - [x] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md) - [x] Add a reference to related issues in the PR description. - [x] Update documentation if applicable. - [x] Add unit tests if applicable. - [x] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable. --------- Signed-off-by: MacRae Linton <macrael@confidentsecurity.com>
diff --git a/.golangci.yml b/.golangci.yml
@@ -110,6 +110,7 @@ linters-settings:
           # Approved packages.
           - "github.com/spf13/cobra" # For CLI
           - "github.com/coreos/go-oidc" # For verifying OIDC tokens.
+          - "github.com/go-jose/go-jose/v4" # For testing OIDC tokens
 
           # Allowed packages in container-based builder.
           - "github.com/pelletier/go-toml" # For container-based builder config.
diff --git a/github/oidctest.go b/github/oidctest.go
@@ -29,7 +29,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"gopkg.in/square/go-jose.v2"
+	"github.com/go-jose/go-jose/v4"
 )
 
 type jsonToken struct {
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.23.1
 
 require (
 	github.com/coreos/go-oidc/v3 v3.11.0
+	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.0
 	github.com/google/go-cmp v0.6.0
@@ -17,7 +18,6 @@ require (
 	github.com/sigstore/sigstore-go v0.6.1
 	github.com/spf13/cobra v1.8.1
 	golang.org/x/oauth2 v0.23.0
-	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -91,7 +91,6 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
diff --git a/go.sum b/go.sum
@@ -869,8 +869,6 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ import (`
`29`	`29`	`"time"`
`30`	`30`
`31`	`31`	`"github.com/coreos/go-oidc/v3/oidc"`
`32`		`- "gopkg.in/square/go-jose.v2"`
	`32`	`+ "github.com/go-jose/go-jose/v4"`
`33`	`33`	`)`
`34`	`34`
`35`	`35`	`type jsonToken struct {`