Aias00 commented on PR #874:
URL: https://github.com/apache/dubbo-go-pixiu/pull/874#issuecomment-3802722815
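> The reason for replacing the dependency package needs to be explained.
Old package: github.com/dgrijalva/jwt-go
New package: github.com/golang-jwt/jwt/v4
- Security vulnerability: the original library dgrijalva/jwt-go has not been maintained for more than 4 years and has known serious security vulnerabilities (for example CVE-2020-26160, which involves a bypass of aud field validation).
- Officially recommended: golang-jwt/jwt is the fork that the community took over maintaining; it fixes the known security issues and is currently the standard library for handling JWT in the Go ecosystem.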
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
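
Added example, not part of the comment above and not code from either library: a simplified standard-library Go model of the failure mode behind CVE-2020-26160, where an `aud` claim sent as a JSON array fails a string type assertion and a non-required audience check passes without comparing anything, shown next to a check that handles both claim forms. The function names and sample claims are constructed for illustration, and signature verification is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audLegacy models the defect: an array-valued aud fails the string assertion and becomes "".
func audLegacy(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required // nothing is compared when the claim is not required
	}
	return aud == want
}

// audStrict handles both forms RFC 7519 allows (string, array of strings) and fails closed otherwise.
func audStrict(claims map[string]interface{}, want string, required bool) bool {
	switch v := claims["aud"].(type) {
	case nil: // claim absent
		return !required
	case string:
		return v == want
	case []interface{}:
		match := false
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false
			}
			match = match || s == want
		}
		return match
	}
	return false
}

// parseClaims decodes a claims JSON document; signature verification is out of scope here.
func parseClaims(doc string) (m map[string]interface{}) {
	if json.Unmarshal([]byte(doc), &m) != nil {
		return nil
	}
	return m
}

func main() {
	c := parseClaims(`{"sub":"u1","aud":["billing"]}`) // constructed sample claims
	fmt.Println("legacy:", audLegacy(c, "gateway", false), "strict:", audStrict(c, "gateway", false))
}
```

When reviewing the dependency swap, call sites that pass `required=false` to an audience check are the ones whose behaviour changes for array-valued `aud` claims.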