Skip to content

Bump the go_modules group across 1 directory with 4 updates#158

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go_modules-e788dd8ca7
Open

Bump the go_modules group across 1 directory with 4 updates#158
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go_modules-e788dd8ca7

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 23, 2026

Bumps the go_modules group with 3 updates in the / directory: golang.org/x/oauth2, github.com/cloudflare/circl and github.com/golang-jwt/jwt/v4.

Updates golang.org/x/oauth2 from 0.17.0 to 0.27.0

Commits
  • 681b4d8 jws: split token into fixed number of parts
  • 3f78298 all: upgrade go directive to at least 1.23.0 [generated]
  • 109dabf endpoints: add links/provider for Discord
  • ac571fa oauth2: fix docs for Config.DeviceAuth
  • 314ee5b endpoints: add patreon endpoint
  • b9c813b google: add warning about externally-provided credentials
  • 49a531d all: make method and struct comments match the names
  • 22134a4 README: don't recommend go get
  • 3e64809 x/oauth2: add Token.ExpiresIn
  • 16a9973 jwt: rename example to avoid vet error
  • Additional commits viewable in compare view

Updates github.com/cloudflare/circl from 1.3.7 to 1.6.3

Release notes

Sourced from github.com/cloudflare/circl's releases.

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

CIRCL v1.6.2

  • New SLH-DSA, improvements in ML-DSA for arm64.
  • Tested compilation on WASM.

What's Changed

New Contributors

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

CIRCL v1.6.1

  • Fixes some point checks on the FourQ curve.
  • Hybrid KEM fails on low-order points.

... (truncated)

Commits
  • 24ae53c Release CIRCL v1.6.3
  • 581020b Rename method to oddMultiplesProjective.
  • 12209a4 Removing unused cmov for jacobian points.
  • fcba359 ecc/p384: use of complete projective formulas for scalar multiplication.
  • 5e1bae8 ecc/p384: handle point doubling in point addition with Jacobian coordinates.
  • 3416046 Check opts for nil value.
  • a763d47 Release CIRCL v1.6.2
  • 3c70bf9 Bump x/crypto x/sys dependencies.
  • 3f0f15b Revert to using package-declared HPKE errors for shortkem instead of standard...
  • 23491bd Adding generic Power2Round method.
  • Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.2

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

  • Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

Commits

Updates golang.org/x/crypto from 0.20.0 to 0.30.0

Commits
  • 7042ebc openpgp/clearsign: just use rand.Reader in tests
  • 3e90321 go.mod: update golang.org/x dependencies
  • 8c4e668 x509roots/fallback: update bundle
  • 6018723 go.mod: update golang.org/x dependencies
  • 71ed71b README: don't recommend go get
  • 750a45f sha3: add MarshalBinary, AppendBinary, and UnmarshalBinary
  • 36b1725 sha3: avoid trailing permutation
  • 80ea76e sha3: fix padding for long cSHAKE parameters
  • c17aa50 sha3: avoid buffer copy
  • 7cfb916 ssh: return unexpected msg error when server fails keyboard-interactive auth ...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the go_modules group across 1 directory with 4 updates
c1564e7 
Bumps the go_modules group with 3 updates in the / directory: [golang.org/x/oauth2](https://github.com/golang/oauth2), [github.com/cloudflare/circl](https://github.com/cloudflare/circl) and [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt).


Updates `golang.org/x/oauth2` from 0.17.0 to 0.27.0
- [Commits](golang/oauth2@v0.17.0...v0.27.0)

Updates `github.com/cloudflare/circl` from 1.3.7 to 1.6.3
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.3.7...v1.6.3)

Updates `github.com/golang-jwt/jwt/v4` from 4.5.0 to 4.5.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v4.5.0...v4.5.2)

Updates `golang.org/x/crypto` from 0.20.0 to 0.30.0
- [Commits](golang/crypto@v0.20.0...v0.30.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.27.0
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.3
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-version: 4.5.2
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/crypto
  dependency-version: 0.30.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants