chore(deps): bump the go_modules group across 4 directories with 4 updates by dependabot[bot] · Pull Request #85 · datum-cloud/auth-ui

dependabot · 2026-06-20T07:54:21Z

Bumps the go_modules group with 2 updates in the /apps/login-test-acceptance/idp/oidc directory: github.com/go-chi/chi/v5 and github.com/go-jose/go-jose/v4.
Bumps the go_modules group with 2 updates in the /apps/login-test-acceptance/idp/saml directory: golang.org/x/crypto and github.com/russellhaering/goxmldsig.
Bumps the go_modules group with 1 update in the /apps/login-test-acceptance/oidcrp directory: github.com/go-jose/go-jose/v4.
Bumps the go_modules group with 2 updates in the /apps/login-test-acceptance/samlsp directory: golang.org/x/crypto and github.com/russellhaering/goxmldsig.

Updates github.com/go-chi/chi/v5 from 5.2.2 to 5.2.4

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.2.3

What's Changed

Add pathvalue example to README and implement PathValue handler. by @catatsuy in go-chi/chi#985

Allow multiple whitespace between method & pattern by @JRaspass in go-chi/chi#1013

Avoid potential nil dereference by @ProjectMutilation in go-chi/chi#1008

feat(mux): support http.Request.Pattern in Go 1.23 by @Gusted in go-chi/chi#986

fix/608 - Fix flaky Throttle middleware test by synchronizing token usage by @OtavioBernardes in go-chi/chi#1016

Optimize throttle middleware by avoiding unnecessary timer creation by @vasayxtx in go-chi/chi#1011

Simplify wildcard replacement in route patterns by @srpvpn in go-chi/chi#1012

Replace methodTypString func with reverseMethodMap by @JRaspass in go-chi/chi#1018

New Contributors

@ProjectMutilation made their first contribution in go-chi/chi#1008

@Gusted made their first contribution in go-chi/chi#986

@OtavioBernardes made their first contribution in go-chi/chi#1016

@srpvpn made their first contribution in go-chi/chi#1012

Full Changelog: go-chi/chi@v5.2.2...v5.2.3

Commits

6eb3588 middleware: harden RedirectSlashes handler (#1044)
de0d16e Update comment about min Go version (#1023)
9fb4a15 update reverseMethodMap in RegisterMethod (#1022)
51c977c Refactor to use atomic type (#1019)
563ab11 Refactor graceful shutdown example (#994)
a52c582 Bump minimum Go and use new features (#1017)
9b9fb55 Replace methodTypString func with reverseMethodMap (#1018)
0265fcd refactor: iterative wildcard collapsing and add test for consecutive wildcard...
cf537d4 Optimize throttle middleware by avoiding unnecessary timer creation (#1011)
9040e95 fix/608 - Fix flaky Throttle middleware test by synchronizing token usage (#1...
Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.0.5 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

Remove Go 1.23 support by @mcpherrinm in go-jose/go-jose#205

Reject JWS with an unprotected critical b64 header by @mcpherrinm in go-jose/go-jose#210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

Update go-jose documentation by @mcpherrinm in go-jose/go-jose#198

Remove dependency on testify by @wardviaene in go-jose/go-jose#197

Improve error message for invalid private keys by @ProjectMutilation in go-jose/go-jose#195

JWK unsupported error when unmarshalling by @fprojetto in go-jose/go-jose#191

Add JSONWebKey type to makeJWERecipient by @alvarolivie in go-jose/go-jose#200

testutils/assert: remove True, Nil, NotNil by @jsha in go-jose/go-jose#202

New Contributors

@wardviaene made their first contribution in go-jose/go-jose#197

@fprojetto made their first contribution in go-jose/go-jose#191

@alvarolivie made their first contribution in go-jose/go-jose#200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

What's Changed

Drop go-cmp dependency by @mcpherrinm in go-jose/go-jose#186

jws: improve performance and allocations for ParseSignedCompact by @drakkan in go-jose/go-jose#188

Add missing quote to unknown curve message #170 by @sudhanvaghebbale in go-jose/go-jose#189

Fix incorrect validation by @ProjectMutilation in go-jose/go-jose#192

Restore Go 1.23 compatibility by @anuraaga in go-jose/go-jose#193

New Contributors

@drakkan made their first contribution in go-jose/go-jose#188

@sudhanvaghebbale made their first contribution in go-jose/go-jose#189

@ProjectMutilation made their first contribution in go-jose/go-jose#192

@anuraaga made their first contribution in go-jose/go-jose#193

... (truncated)

Commits

0e59876 Merge commit from fork
ddffdbc Bump actions/checkout from 5 to 6 (#213)
5348b9a Reject JWS with an unprotected critical b64 header (#210)
9153a5e Bump actions/setup-python from 5 to 6 (#208)
2126e17 Bump actions/setup-go from 5 to 6 (#209)
9860c65 Bump actions/checkout from 4 to 5 (#206)
14239fd Remove Go 1.23 support (#205)
a16e158 Update CI to run on Go 1.24 and 1.25 (#204)
a1565a4 testutils/assert: remove True, Nil, NotNil (#202)
3a80e13 jwe: accept non-pointer JSONWebKey in Recipient (#200)
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.36.0 to 0.45.0

Commits

4e0068c go.mod: update golang.org/x dependencies
e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
f91f7a7 ssh/agent: prevent panic on malformed constraint
2df4153 acme/autocert: let automatic renewal work with short lifetime certs
bcf6a84 acme: pass context to request
b4f2b62 ssh: fix error message on unsupported cipher
79ec3a5 ssh: allow to bind to a hostname in remote forwarding
122a78f go.mod: update golang.org/x dependencies
c0531f9 all: eliminate vet diagnostics
0997000 all: fix some comments
Additional commits viewable in compare view

Updates github.com/russellhaering/goxmldsig from 1.3.0 to 1.6.0

Release notes

Sourced from github.com/russellhaering/goxmldsig's releases.

v1.6.0

What's Changed

Security: Fix possible signature validation bypass caused by loop variable capture in validateSignature (GHSA-479m-364c-43vc)

Bump minimum Go version to 1.23

Bump github.com/beevik/etree to v1.6.0

Add fuzz tests for XML signature validation and canonicalization

Full Changelog: russellhaering/goxmldsig@v1.5.0...v1.6.0

v1.5.0

What's Changed

Bump dependencies

Update GitHub workflows

Security hardening by @ahacker1-securesaml

Full Changelog: russellhaering/goxmldsig@v1.4.0...v1.5.0

v1.4.0

What's Changed

Fixed a bug where attributes were sorted incorrectly during canonicalization in russellhaering/goxmldsig#91 (credit @adamdecaf)

Fixed a bug where canonicalizing a subset of a document did not pull in surrounding namespace declarations in russellhaering/goxmldsig#93 (credit @rowland66)

Fixed a bug where Signatures extracted during verification sometimes had elements in a different order than the original document @karlovskiy in russellhaering/goxmldsig#82 (credit @karlovskiy)

Fixed a bug where superfluous namespace declarations were sometimes included in canonicalized documents in russellhaering/goxmldsig#94 (credit: @rowland66)

New Contributors

@rowland66 made their first contribution in russellhaering/goxmldsig#93

@karlovskiy made their first contribution in russellhaering/goxmldsig#82

Full Changelog: russellhaering/goxmldsig@v1.3.0...v1.4.0

Commits

878c8c6 Apply go fix ./...
db3d1e3 Fix loop variable capture bug in validateSignature
4f576b8 Bump dependencies
79c29ee Rename FuzzValidate to FuzzValidateXML to avoid name collision
ac7bf74 Add fuzz tests for XML signature validation and canonicalization
a5805df Bump github/codeql-action from 2.13.4 to 3.28.17 (#155)
7dac9ec Update GitHub Workflow
1bf54ca Bump dependencies
e1c8a5b Refactor to help eliminate potential vulnerabilities:
2ac5490 Refactor .verifyCertificate to obtain the certificate from an identifier from...
Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.0.5 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

Remove Go 1.23 support by @mcpherrinm in go-jose/go-jose#205

Reject JWS with an unprotected critical b64 header by @mcpherrinm in go-jose/go-jose#210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

Update go-jose documentation by @mcpherrinm in go-jose/go-jose#198

Remove dependency on testify by @wardviaene in go-jose/go-jose#197

Improve error message for invalid private keys by @ProjectMutilation in go-jose/go-jose#195

JWK unsupported error when unmarshalling by @fprojetto in go-jose/go-jose#191

Add JSONWebKey type to makeJWERecipient by @alvarolivie in go-jose/go-jose#200

testutils/assert: remove True, Nil, NotNil by @jsha in go-jose/go-jose#202

New Contributors

@wardviaene made their first contribution in go-jose/go-jose#197

@fprojetto made their first contribution in go-jose/go-jose#191

@alvarolivie made their first contribution in go-jose/go-jose#200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

What's Changed

Drop go-cmp dependency by @mcpherrinm in go-jose/go-jose#186

jws: improve performance and allocations for ParseSignedCompact by @drakkan in go-jose/go-jose#188

Add missing quote to unknown curve message #170 by @sudhanvaghebbale in go-jose/go-jose#189

Fix incorrect validation by @ProjectMutilation in go-jose/go-jose#192

Restore Go 1.23 compatibility by @anuraaga in go-jose/go-jose#193

New Contributors

@drakkan made their first contribution in go-jose/go-jose#188

@sudhanvaghebbale made their first contribution in go-jose/go-jose#189

@ProjectMutilation made their first contribution in go-jose/go-jose#192

@anuraaga made their first contribution in go-jose/go-jose#193

... (truncated)

Commits

0e59876 Merge commit from fork
ddffdbc Bump actions/checkout from 5 to 6 (#213)
5348b9a Reject JWS with an unprotected critical b64 header (#210)
9153a5e Bump actions/setup-python from 5 to 6 (#208)
2126e17 Bump actions/setup-go from 5 to 6 (#209)
9860c65 Bump actions/checkout from 4 to 5 (#206)
14239fd Remove Go 1.23 support (#205)
a16e158 Update CI to run on Go 1.24 and 1.25 (#204)
a1565a4 testutils/assert: remove True, Nil, NotNil (#202)
3a80e13 jwe: accept non-pointer JSONWebKey in Recipient (#200)
Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.36.0 to 0.45.0

Commits

4e0068c go.mod: update golang.org/x dependencies
e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
f91f7a7 ssh/agent: prevent panic on malformed constraint
2df4153 acme/autocert: let automatic renewal work with short lifetime certs
bcf6a84 acme: pass context to request
b4f2b62 ssh: fix error message on unsupported cipher
79ec3a5 ssh: allow to bind to a hostname in remote forwarding
122a78f go.mod: update golang.org/x dependencies
c0531f9 all: eliminate vet diagnostics
0997000 all: fix some comments
Additional commits viewable in compare view

Updates github.com/russellhaering/goxmldsig from 1.5.0 to 1.6.0

Release notes

Sourced from github.com/russellhaering/goxmldsig's releases.

v1.6.0

What's Changed

Security: Fix possible signature validation bypass caused by loop variable capture in validateSignature (GHSA-479m-364c-43vc)

Bump minimum Go version to 1.23

Bump github.com/beevik/etree to v1.6.0

Add fuzz tests for XML signature validation and canonicalization

Full Changelog: russellhaering/goxmldsig@v1.5.0...v1.6.0

v1.5.0

What's Changed

Bump dependencies

Update GitHub workflows

Security hardening by @ahacker1-securesaml

Full Changelog: russellhaering/goxmldsig@v1.4.0...v1.5.0

v1.4.0

What's Changed

Fixed a bug where attributes were sorted incorrectly during canonicalization in russellhaering/goxmldsig#91 (credit @adamdecaf)

Fixed a bug where canonicalizing a subset of a document did not pull in surrounding namespace declarations in russellhaering/goxmldsig#93 (credit @rowland66)

Fixed a bug where Signatures extracted during verification sometimes had elements in a different order than the original document @karlovskiy in russellhaering/goxmldsig#82 (credit @karlovskiy)

Fixed a bug where superfluous namespace declarations were sometimes included in canonicalized documents in russellhaering/goxmldsig#94 (credit: @rowland66)

New Contributors

@rowland66 made their first contribution in russellhaering/goxmldsig#93

@karlovskiy made their first contribution in russellhaering/goxmldsig#82

Full Changelog: russellhaering/goxmldsig@v1.3.0...v1.4.0

Commits

878c8c6 Apply go fix ./...
db3d1e3 Fix loop variable capture bug in validateSignature
4f576b8 Bump dependencies
79c29ee Rename FuzzValidate to FuzzValidateXML to avoid name collision
ac7bf74 Add fuzz tests for XML signature validation and canonicalization
a5805df Bump github/codeql-action from 2.13.4 to 3.28.17 (#155)
7dac9ec Update GitHub Workflow
1bf54ca Bump dependencies
e1c8a5b Refactor to help eliminate potential vulnerabilities:
2ac5490 Refactor .verifyCertificate to obtain the certificate from an identifier from...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates Bumps the go_modules group with 2 updates in the /apps/login-test-acceptance/idp/oidc directory: [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) and [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose). Bumps the go_modules group with 2 updates in the /apps/login-test-acceptance/idp/saml directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig). Bumps the go_modules group with 1 update in the /apps/login-test-acceptance/oidcrp directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose). Bumps the go_modules group with 2 updates in the /apps/login-test-acceptance/samlsp directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig). Updates `github.com/go-chi/chi/v5` from 5.2.2 to 5.2.4 - [Release notes](https://github.com/go-chi/chi/releases) - [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md) - [Commits](go-chi/chi@v5.2.2...v5.2.4) Updates `github.com/go-jose/go-jose/v4` from 4.0.5 to 4.1.4 - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.0.5...v4.1.4) Updates `golang.org/x/crypto` from 0.36.0 to 0.45.0 - [Commits](golang/crypto@v0.36.0...v0.45.0) Updates `github.com/russellhaering/goxmldsig` from 1.3.0 to 1.6.0 - [Release notes](https://github.com/russellhaering/goxmldsig/releases) - [Commits](russellhaering/goxmldsig@v1.3.0...v1.6.0) Updates `github.com/go-jose/go-jose/v4` from 4.0.5 to 4.1.4 - [Release notes](https://github.com/go-jose/go-jose/releases) - [Commits](go-jose/go-jose@v4.0.5...v4.1.4) Updates `golang.org/x/crypto` from 0.36.0 to 0.45.0 - [Commits](golang/crypto@v0.36.0...v0.45.0) Updates `github.com/russellhaering/goxmldsig` from 1.5.0 to 1.6.0 - [Release notes](https://github.com/russellhaering/goxmldsig/releases) - [Commits](russellhaering/goxmldsig@v1.3.0...v1.6.0) --- updated-dependencies: - dependency-name: github.com/go-chi/chi/v5 dependency-version: 5.2.4 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.4 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: direct:production dependency-group: go_modules - dependency-name: github.com/russellhaering/goxmldsig dependency-version: 1.6.0 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.4 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/russellhaering/goxmldsig dependency-version: 1.6.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 20, 2026

dependabot Bot deployed to staging June 20, 2026 07:54 Active

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the go_modules group across 4 directories with 4 updates#85

chore(deps): bump the go_modules group across 4 directories with 4 updates#85
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/apps/login-test-acceptance/idp/oidc/go_modules-49c9e84abe

dependabot Bot commented on behalf of github Jun 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 20, 2026

v5.2.3

What's Changed

New Contributors

v4.1.4

What's Changed

v4.1.3

What's Changed

v4.1.2

What's Changed

New Contributors

v4.1.1

What's Changed

New Contributors

v1.6.0

What's Changed

v1.5.0

What's Changed

v1.4.0

What's Changed

New Contributors

v4.1.4

What's Changed

v4.1.3

What's Changed

v4.1.2

What's Changed

New Contributors

v4.1.1

What's Changed

New Contributors

v1.6.0

What's Changed

v1.5.0

What's Changed

v1.4.0

What's Changed

New Contributors

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants