Consider upgrading to github.com/go-jose/go-jose/v4

[mitar]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

github.com/go-jose/go-jose/v3 dependency has made a new github.com/go-jose/go-jose/v4 version. It breaks backwards compatibility to improve security:

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

I think it is not critical, but it would be beneficial to do so sooner than later.

Describe your ideal solution

We upgrade.

Workarounds or alternatives

We do not.

Version

latest master

Additional Context

No response

[mitar]

@aeneasr: What about this?

[mitar]

@aeneasr: Would you be open for a PR for this?

[aeneasr]

Yes, but it depends just how breaking those changes are and if it has an impact on existing deployments of Ory Hydra / Ory Network

[mitar]

Let's see. From my side I am able to use both versions at the same time, but it is ugly. So I think it will probably just mean you will have to propagate this upgrade to Ory. But I do not expect much code changes. Let's see.

[mitar]

It bumps go to minimum 1.21.

Also, I see replace directives in go.mod, is there any reason to keep them in? They seem redundant and not used?

[mitar]

I made #824. See comments there.