From 8538af41a7b439121aabe9880d659e5f77c3b262 Mon Sep 17 00:00:00 2001 From: Amnon Date: Sun, 20 Jun 2021 12:37:30 +0100 Subject: [PATCH 1/6] remove support for Go <= 1.14 --- .github/workflows/build.yml | 2 +- .travis.yml | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4da8eab6..ec7bd9ac 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,7 +13,7 @@ jobs: strategy: fail-fast: false matrix: - go: [1.11, 1.12, 1.13, 1.14, 1.15, 1.16] + go: [1.15, 1.16] steps: - name: Checkout uses: actions/checkout@v2 diff --git a/.travis.yml b/.travis.yml index 036a862f..57e4cf1f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,5 @@ script: - go test -v ./... go: - - 1.7 - - 1.8 - - 1.9 - - 1.10 + - 1.15 + - 1.16 From a46d20d0b5507785da5a354a9779a2ddae06f0b1 Mon Sep 17 00:00:00 2001 From: Amnon Date: Sun, 20 Jun 2021 14:47:39 +0100 Subject: [PATCH 2/6] Add a note to README.md about supported Go versions. --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 13c31c09..bd665bbd 100644 --- a/README.md +++ b/README.md 
@@ -9,10 +9,19 @@ A [go](http://www.golang.org) (or 'golang' for search engine friendliness) imple Future releases will be using the `github.com/golang-jwt/jwt` import path and continue the existing versioning scheme of `v3.x.x+incompatible`. Backwards-compatible patches and fixes will be done on the `v3` release branch, where as new build-breaking features will be developed in a `v4` release, possibly including a SIV-style import path. -**SECURITY NOTICE:** Some older versions of Go have a security issue in the crypto/elliptic. Recommendation is to upgrade to at least 1.8.3. See issue [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more detail. +**SECURITY NOTICE:** Some older versions of Go have a security issue in the crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more detail. **SECURITY NOTICE:** It's important that you [validate the `alg` presented is what you expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). This library attempts to make it easy to do the right thing by requiring key types match the expected alg, but you should take the extra step to verify it in your usage. See the examples provided. +### Supported Go versions + +Our support of Go versions is alaigned with Go's [version release policy](https://golang.org/doc/devel/release#policy). +So we will support a major version of Go unil there are two newer major releases. +We no longer support building jwt-go with unsupported Go versions, as these contain secruity vulnerabilities +which will not be fixed. +This means that currently we support Go 1.15 and 1.16. Anybody using older versions of the toolchain should upgrade +to the latest stable release. + ## What the heck is a JWT? JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web Tokens. From d66125abcac4d2eb47ffcdfebe7eec8abf51281e Mon Sep 17 00:00:00 2001 
From: Amnon Date: Mon, 21 Jun 2021 21:08:10 +0100 Subject: [PATCH 3/6] remove travis build as requested by @oxisto --- .travis.yml | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 57e4cf1f..00000000 --- a/.travis.yml +++ /dev/null @@ -1,9 +0,0 @@ -language: go - -script: - - go vet ./... - - go test -v ./... - -go: - - 1.15 - - 1.16 From 2000fa2bf095d0c2fea84aa95da07ce49188dfa7 Mon Sep 17 00:00:00 2001 From: Amnon Date: Mon, 21 Jun 2021 21:10:56 +0100 Subject: [PATCH 4/6] fix my spelling mistakes pointed out by @oxisto --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index bd665bbd..98b57f8a 100644 --- a/README.md +++ b/README.md @@ -15,12 +15,11 @@ Future releases will be using the `github.com/golang-jwt/jwt` import path and co ### Supported Go versions -Our support of Go versions is alaigned with Go's [version release policy](https://golang.org/doc/devel/release#policy). -So we will support a major version of Go unil there are two newer major releases. +Our support of Go versions is aligned with Go's [version release policy](https://golang.org/doc/devel/release#policy). +So we will support a major version of Go until there are two newer major releases. We no longer support building jwt-go with unsupported Go versions, as these contain secruity vulnerabilities which will not be fixed. -This means that currently we support Go 1.15 and 1.16. Anybody using older versions of the toolchain should upgrade -to the latest stable release. +This means that currently we support Go 1.15 and 1.16. ## What the heck is a JWT? From d9f73a13aa171322f9d1069e341d4f995ef5b1c1 Mon Sep 17 00:00:00 2001 From: Amnon Date: Mon, 21 Jun 2021 21:12:44 +0100 Subject: [PATCH 5/6] fix another spelling --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 98b57f8a..8da43a7f 100644 
--- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ Future releases will be using the `github.com/golang-jwt/jwt` import path and co Our support of Go versions is aligned with Go's [version release policy](https://golang.org/doc/devel/release#policy). So we will support a major version of Go until there are two newer major releases. -We no longer support building jwt-go with unsupported Go versions, as these contain secruity vulnerabilities +We no longer support building jwt-go with unsupported Go versions, as these contain security vulnerabilities which will not be fixed. This means that currently we support Go 1.15 and 1.16. From e5eda23cc6fdef24c5d98fc414f90dc43753c3d0 Mon Sep 17 00:00:00 2001 From: Amnon Date: Tue, 22 Jun 2021 17:40:55 +0100 Subject: [PATCH 6/6] remove reference to specific Go versions --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 8da43a7f..9b653e46 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,6 @@ Our support of Go versions is aligned with Go's [version release policy](https:/ So we will support a major version of Go until there are two newer major releases. We no longer support building jwt-go with unsupported Go versions, as these contain security vulnerabilities which will not be fixed. -This means that currently we support Go 1.15 and 1.16. ## What the heck is a JWT?
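Review bot: In the `.github/workflows/build.yml` hunk of patch 1/6, the matrix entries in `go: [1.15, 1.16]` are unquoted, so YAML reads them as floats. That is harmless for these two values, but a later entry such as `1.20` would be read as `1.2`, and the `- 1.10` entry removed from `.travis.yml` in the same patch already had that problem. Suggest quoting the versions: `go: ['1.15', '1.16']`.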
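Review bot: In the README hunk of patch 2/6, the first SECURITY NOTICE now reads `upgrade to at least 1.15 See issue`, which drops the full stop and replaces the 1.8.3 recommendation for the crypto/elliptic issue with the new support floor while still citing dgrijalva/jwt-go#216. As written it tells readers that the linked issue calls for 1.15. Suggest keeping the notice about the specific issue and pointing to the new "Supported Go versions" section for the minimum toolchain. The added section also contains three typos (alaigned, unil, secruity) that are only corrected in patches 4/6 and 5/6; folding those corrections into this patch would keep the history clean.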
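Review bot: Patch 3/6 deletes `.travis.yml`, whose script ran `go vet ./...` in addition to `go test -v ./...`, and the `build.yml` hunk in patch 1/6 shows only the matrix and the Checkout step. Please confirm the GitHub Actions workflow still runs `go vet`, so that check is not lost along with the Travis build. The `.travis.yml` version edit in patch 1/6 is made redundant by this deletion and can be dropped when the series is squashed.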
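Review bot: Patch 4/6 is titled as a spelling fix, but its hunk also deletes the sentence advising anybody on an older toolchain to upgrade to the latest stable release, and it leaves `secruity` uncorrected until patch 5/6. Suggest either mentioning the removed sentence in the commit message or moving that removal to its own commit, and folding patch 5/6 into this one.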
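Review bot: Patch 6/6 removes `This means that currently we support Go 1.15 and 1.16.` so the README no longer names specific versions, but the `upgrade to at least 1.15` wording added to the SECURITY NOTICE in patch 2/6 is not touched by any later hunk in this series. The README therefore still carries a hard-coded version that will go stale as the support window moves. Suggest updating that line in this commit as well.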