Skip to content

🚨 Update go modules (main) (major)#3133

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/main-major-go-modules
Open

🚨 Update go modules (main) (major)#3133
renovate[bot] wants to merge 1 commit intomainfrom
renovate/main-major-go-modules

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Feb 27, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/MakeNowJust/heredoc v1.0.0v2.0.1 age adoption passing confidence
github.com/golangci/golangci-lint v1.63.4v2.11.4 age adoption passing confidence
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1v6.0.2 age adoption passing confidence
gopkg.in/go-jose/go-jose.v2 v2.6.3v4.1.4 age adoption passing confidence

Release Notes

MakeNowJust/heredoc (github.com/MakeNowJust/heredoc)

v2.0.1

Compare Source

Version 2.0.1

Fixes

  • Correct import path for Go modules

v2.0.0

Compare Source

Version 2.0.0

Breaking Changes

  • Treats only white space (U+0020) and horizontal tabs (U+000D) as space characters. (#​6)
golangci/golangci-lint (github.com/golangci/golangci-lint)

v2.11.4

Compare Source

Released on 2026-03-22

  1. Linters bug fixes
    • govet-modernize: from 0.42.0 to 0.43.0
    • noctx: from 0.5.0 to 0.5.1
    • sqlclosecheck: from 0.5.1 to 0.6.0

v2.11.3

Compare Source

Released on 2026-03-10

  1. Linters bug fixes

v2.11.2

Compare Source

Released on 2026-03-07

  1. Fixes
    • fmt: fix error when using the fmt command with explicit paths.

v2.11.1

Compare Source

Released on 2026-03-06

Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published.

This release contains the same things as v2.11.0.

v2.11.0

Compare Source

Released on 2026-03-06

  1. Linters new features or changes
    • errcheck: from 1.9.0 to 1.10.0 (exclude crypto/rand.Read by default)
    • gosec: from 2.23.0 to 2.24.6 (new rules: G113, G118, G119, G120, G121, G122, G123, G408, G707)
    • noctx: from 0.4.0 to 0.5.0 (new detection: httptest.NewRequestWithContext)
    • prealloc: from 1.0.2 to 1.1.0
    • revive: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from var-naming to a new rule package-naming)
  2. Linters bug fixes
    • gocognit: from 1.2.0 to 1.2.1
    • gosec: from 2.24.6 to 2.24.7
    • unqueryvet: from 1.5.3 to 1.5.4

v2.10.1

Compare Source

Released on 2026-02-17

  1. Fixes
    • buildssa panic

v2.10.0

Compare Source

Released on 2026-02-17

  1. Linters new features or changes
    • ginkgolinter: from 0.22.0 to 0.23.0
    • gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
    • staticcheck: from 0.6.1 to 0.7.0
  2. Linters bug fixes
    • godoclint: from 0.11.1 to 0.11.2

v2.9.0

Compare Source

Released on 2026-02-10

  1. Enhancements
    • 🎉 go1.26 support
  2. Linters new features or changes
    • arangolint: from 0.3.1 to 0.4.0 (new rule: detect potential query injections)
    • ginkgolinter: from 0.21.2 to 0.22.0 (support for wrappers)
    • golines: from 0.14.0 to 0.15.0
    • misspell: from 0.7.0 to 0.8.0
    • unqueryvet: from 1.4.0 to 1.5.3 (new options: check-n1, check-sql-injection, check-tx-leaks, allow, custom-rules)
    • wsl: from 5.3.0 to 5.6.0 (new rule: after-block)
  3. Linters bug fixes
    • modernize: from 0.41.0 to 0.42.0
    • prealloc: from 1.0.1 to 1.0.2
    • protogetter: from 0.3.18 to 0.3.20
  4. Misc.
    • Log information about files when configuration verification
    • Emit an error when no linters enabled
    • Do not collect VCS information when loading code

v2.8.0

Compare Source

Released on 2026-01-07

  1. Linters new features or changes
    • godoc-lint: from 0.10.2 to 0.11.1 (new rule: require-stdlib-doclink)
    • golines: from 442fd00 to 0.14.0
    • gomoddirectives: from 0.7.1 to 0.8.0
    • gosec: from daccba6 to 2.22.11 (new rule: G116)
    • modernize: from 0.39.0 to 0.40.0 (new analyzers: stringscut, unsafefuncs)
    • prealloc: from 1.0.0 to 1.0.1 (message changes)
    • unqueryvet: from 1.3.0 to 1.4.0 (new options: check-aliased-wildcard, check-string-concat, check-format-strings, check-string-builder, check-subqueries, ignored-functions, sql-builders)
  2. Linters bug fixes
    • go-critic: from 0.14.2 to 0.14.3
    • go-errorlint: from 1.8.0 to 1.9.0
    • govet: from 0.39.0 to 0.40.0
    • protogetter: from 0.3.17 to 0.3.18
    • revive: add missing enable-default-rules setting
  3. Documentation
    • docs: split installation page

v2.7.2

Compare Source

Released on 2025-12-07

  1. Linter bug fixes

v2.7.1

Compare Source

Released on 2025-12-04

  1. Linter bug fixes
    • modernize: disable stringscut analyzer

v2.7.0

Compare Source

  1. Bug fixes
    • fix: clone args used by custom command
  2. Linters new features or changes
    • no-sprintf-host-port: from 0.2.0 to 0.3.1 (ignore string literals without a colon)
    • unqueryvet: from 1.2.1 to 1.3.0 (handles const and var declarations)
    • revive: from 1.12.0 to 1.13.0 (new option: enable-default-rules, new rules: forbidden-call-in-wg-go, unnecessary-if, inefficient-map-lookup)
    • modernize: from 0.38.0 to 0.39.0 (new analyzers: plusbuild, stringscut)
  3. Linters bug fixes
    • perfsprint: from 0.10.0 to 0.10.1
    • wrapcheck: from 2.11.0 to 2.12.0
    • godoc-lint: from 0.10.1 to 0.10.2
  4. Misc.
    • Add some flags to the custom command
  5. Documentation
    • docs: split changelog v1 and v2

v2.6.2

Compare Source

Released on 2025-11-14

  1. Bug fixes
    • fmt command with symlinks
    • use file depending on build configuration to invalidate cache
  2. Linters bug fixes
    • testableexamples: from 1.0.0 to 1.0.1
    • testpackage: from 1.1.1 to 1.1.2

v2.6.1

Compare Source

v2.6.0

Compare Source

  1. New linters
    • Add modernize analyzer suite
  2. Linters new features or changes
    • arangolint: from 0.2.0 to 0.3.1
    • dupword: from 0.1.6 to 0.1.7 (new option comments-only)
    • go-critic: from 0.13.0 to 0.14.0 (new rules/checkers: zeroByteRepeat, dupOption)
    • gofumpt: from 0.9.1 to 0.9.2 ("clothe" naked returns is now controlled by the extra-rules option)
    • perfsprint: from 0.9.1 to 0.10.0 (new options: concat-loop, loop-other-ops)
    • wsl: from 5.2.0 to 5.3.0
  3. Linters bug fixes
    • dupword: from 0.1.6 to 0.1.7
    • durationcheck: from 0.0.10 to 0.0.11
    • exptostd: from 0.4.4 to 0.4.5
    • fatcontext: from 0.8.1 to 0.9.0
    • forbidigo: from 2.1.0 to 2.3.0
    • ginkgolinter: from 0.21.0 to 0.21.2
    • godoc-lint: from 0.10.0 to 0.10.1
    • gomoddirectives: from 0.7.0 to 0.7.1
    • gosec: from 2.22.8 to 2.22.10
    • makezero: from 2.0.1 to 2.1.0
    • nilerr: from 0.1.1 to 0.1.2
    • paralleltest: from 1.0.14 to 1.0.15
    • protogetter: from 0.3.16 to 0.3.17
    • unparam: from 0df0534 to 5beb8c8
  4. Misc.
    • fix: ignore some files to hash the version for custom build

v2.5.0

Compare Source

  1. New linters
  2. Linters new features or changes
    • embeddedstructfieldcheck: from 0.3.0 to 0.4.0 (new option: empty-line)
    • err113: from aea10b5 to 0.1.1 (skip internals of Is methods for error type)
    • ginkgolinter: from 0.20.0 to 0.21.0 (new option: force-tonot)
    • gofumpt: from 0.8.0 to 0.9.1 (new rule is to "clothe" naked returns for the sake of clarity)
    • ineffassign: from 0.1.0 to 0.2.0 (new option: check-escaping-errors)
    • musttag: from 0.13.1 to 0.14.0 (support interface methods)
    • revive: from 1.11.0 to 1.12.0 (new options: identical-ifelseif-branches, identical-ifelseif-conditions, identical-switch-branches, identical-switch-conditions, package-directory-mismatch, unsecure-url-scheme, use-waitgroup-go, useless-fallthrough)
    • thelper: from 0.6.3 to 0.7.1 (skip t.Helper in functions passed to synctest.Test)
    • wsl: from 5.1.1 to 5.2.0 (improvements related to subexpressions)
  3. Linters bug fixes
    • asciicheck: from 0.4.1 to 0.5.0
    • errname: from 1.1.0 to 1.1.1
    • fatcontext: from 0.8.0 to 0.8.1
    • go-printf-func-name: from 0.1.0 to 0.1.1
    • godot: from 1.5.1 to 1.5.4
    • gosec: from 2.22.7 to 2.22.8
    • nilerr: from 0.1.1 to a temporary fork
    • nilnil: from 1.1.0 to 1.1.1
    • protogetter: from 0.3.15 to 0.3.16
    • tagliatelle: from 0.7.1 to 0.7.2
    • testifylint: from 1.6.1 to 1.6.4
  4. Misc.
    • fix: "no export data" errors are now handled as a standard typecheck error
  5. Documentation
    • Improve nolint section about syntax

v2.4.0

Compare Source

  1. Enhancements
    • 🎉 go1.25 support
  2. Linters new features or changes
    • exhaustruct: from v3.3.1 to 4.0.0 (new options: allow-empty, allow-empty-rx, allow-empty-returns, allow-empty-declarations)
  3. Linters bug fixes
    • godox: trim filepath from report messages
    • staticcheck: allow empty options
    • tagalign: from 1.4.2 to 1.4.3
  4. Documentation
    • 🌟 New website (with a search engine)

v2.3.1

Compare Source

  1. Linters bug fixes
    • gci: from 0.13.6 to 0.13.7
    • gosec: from 2.22.6 to 2.22.7
    • noctx: from 0.3.5 to 0.4.0
    • wsl: from 5.1.0 to 5.1.1
    • tagliatelle: force upper case for custom initialisms

v2.3.0

Compare Source

  1. Linters new features or changes
    • ginkgolinter: from 0.19.1 to 0.20.0 (new option: force-assertion-description)
    • iface: from 1.4.0 to 1.4.1 (report message improvements)
    • noctx: from 0.3.4 to 0.3.5 (new detections: log/slog, exec, crypto/tls)
    • revive: from 1.10.0 to 1.11.0 (new rule: enforce-switch-style)
    • wsl: from 5.0.0 to 5.1.0
  2. Linters bug fixes
    • gosec: from 2.22.5 to 2.22.6
    • noinlineerr: from 1.0.4 to 1.0.5
    • sloglint: from 0.11.0 to 0.11.1
  3. Misc.
    • fix: panic close of closed channel

v2.2.2

Compare Source

  1. Linters bug fixes
    • noinlineerr: from 1.0.3 to 1.0.4
  2. Documentation
    • Improve debug keys documentation
  3. Misc.
    • fix: panic close of closed channel
    • godot: add noinline value into the JSONSchema

v2.2.1

Compare Source

  1. Linters bug fixes
  • varnamelen: fix configuration

v2.2.0

Compare Source

  1. New linters
  2. Linters new features or changes
    • errcheck: add verbose option
    • funcorder: from 0.2.1 to 0.5.0 (new option alphabetical)
    • gomoddirectives: from 0.6.1 to 0.7.0 (new option ignore-forbidden)
    • iface: from 1.3.1 to 1.4.0 (new option unexported)
    • noctx: from 0.1.0 to 0.3.3 (new report messages, and new rules related to database/sql)
    • noctx: from 0.3.3 to 0.3.4 (new SQL functions detection)
    • revive: from 1.9.0 to 1.10.0 (new rules: time-date, unnecessary-format, use-fmt-print)
    • usestdlibvars: from 1.28.0 to 1.29.0 (new option time-date-month)
    • wsl: deprecation
    • wsl_v5: from 4.7.0 to 5.0.0 (major version with new configuration)
  3. Linters bug fixes
    • dupword: from 0.1.3 to 0.1.6
    • exptostd: from 0.4.3 to 0.4.4
    • forbidigo: from 1.6.0 to 2.1.0
    • gci: consistently format the code
    • go-spancheck: from 0.6.4 to 0.6.5
    • goconst: from 1.8.1 to 1.8.2
    • gosec: from 2.22.3 to 2.22.4
    • gosec: from 2.22.4 to 2.22.5
    • makezero: from 1.2.0 to 2.0.1
    • misspell: from 0.6.0 to 0.7.0
    • usetesting: from 0.4.3 to 0.5.0
  4. Misc.
    • exclusions: fix path-expect
    • formatters: write the input to stdout when using stdin and there are no changes
    • migration: improve the error message when trying to migrate a migrated config
    • typecheck: deduplicate errors
    • typecheck: stops the analysis after the first error
    • Deprecate print-resources-usage flag
    • Unique version per custom build
  5. Documentation
    • Improves typecheck FAQ
    • Adds plugin systems recommendations
    • Add description for linters.default sets

v2.1.6

Compare Source

  1. Linters bug fixes
    • godot: from 1.5.0 to 1.5.1
    • musttag: from 0.13.0 to 0.13.1
  2. Documentation
    • Add note about golangci-lint v2 integration in VS Code

v2.1.5

Compare Source

Due to an error related to Snapcraft, some artifacts of the v2.1.4 release have not been published.

This release contains the same things as v2.1.3.

v2.1.4

Compare Source

Due to an error related to Snapcraft, some artifacts of the v2.1.3 release have not been published.

This release contains the same things as v2.1.3.

v2.1.3

Compare Source

  1. Linters bug fixes
    • fatcontext: from 0.7.2 to 0.8.0
  2. Misc.
    • migration: fix nakedret.max-func-lines: 0
    • migration: fix order of staticcheck settings
    • fix: add go.mod hash to the cache salt
    • fix: use diagnostic position for related information position

v2.1.2

Compare Source

  1. Linters bug fixes
    • exptostd: from 0.4.2 to 0.4.3
    • gofumpt: from 0.7.0 to 0.8.0
    • protogetter: from 0.3.13 to 0.3.15
    • usetesting: from 0.4.2 to 0.4.3

v2.1.1

Compare Source

The release process of v2.1.0 failed due to a regression inside goreleaser.

The binaries of v2.1.0 have been published, but not the other artifacts (AUR, Docker, etc.).

v2.1.0

Compare Source

  1. Enhancements
    • Add an option to display absolute paths (--path-mode=abs)
    • Add configuration path placeholder (${config-path})
    • Add warn-unused option for fmt command
    • Colored diff for fmt command (golangci-lint fmt --diff-colored)
  2. New linters
  3. Linters new features or changes
    • go-errorlint: from 1.7.1 to 1.8.0 (automatic error comparison and type assertion fixes)
    • ⚠️ goconst: ignore-strings is deprecated and replaced by ignore-string-values
    • goconst: from 1.7.1 to 1.8.1 (new options: find-duplicates, eval-const-expressions)
    • govet: add httpmux analyzer
    • nilnesserr: from 0.1.2 to 0.2.0 (detect more cases)
    • paralleltest: from 1.0.10 to 1.0.14 (checks only _test.go files)
    • revive: from 1.7.0 to 1.9.0 (support kebab case for setting names)
    • sloglint: from 0.9.0 to 0.11.0 (autofix, new option msg-style, suggest slog.DiscardHandler)
    • wrapcheck: from 2.10.0 to 2.11.0 (new option report-internal-errors)
    • wsl: from 4.6.0 to 4.7.0 (cgo files are always excluded)
  4. Linters bug fixes
    • fatcontext: from 0.7.1 to 0.7.2
    • gocritic: fix importshadow checker
    • gosec: from 2.22.2 to 2.22.3
    • ireturn: from 0.3.1 to 0.4.0
    • loggercheck: from 0.10.1 to 0.11.0
    • nakedret: from 2.0.5 to 2.0.6
    • nonamedreturns: from 1.0.5 to 1.0.6
    • protogetter: from 0.3.12 to 0.3.13
    • testifylint: from 1.6.0 to 1.6.1
    • unconvert: update to HEAD
  5. Misc.
    • Fixes memory leaks when using go1.(N) with golangci-lint built with go1.(N-X)
    • Adds golangci-lint-fmt pre-commit hook
  6. Documentation
    • Improvements
    • Updates section about vscode integration

v2.0.2

Compare Source

  1. Misc.
    • Fixes flags parsing for formatters
    • Fixes the filepath used by the exclusion source option
  2. Documentation
    • Adds a section about flags migration
    • Cleaning pages with v1 options

v2.0.1

Compare Source

  1. Linters/formatters bug fixes
    • golines: fix settings during linter load
  2. Misc.
    • Validates the version field before the configuration
    • forbidigo: fix migration

v2.0.0

Compare Source

  1. Enhancements
  2. New linters/formatters
  3. Linters new features
    • ⚠️ Merge staticcheck, stylecheck, gosimple into one linter (staticcheck) (cf. Migration guide)
    • go-critic: from 0.12.0 to 0.13.0
    • gomodguard: from 1.3.5 to 1.4.1 (block explicit indirect dependencies)
    • nilnil: from 1.0.1 to 1.1.0 (new option: only-two)
    • perfsprint: from 0.8.2 to 0.9.1 (checker name in the diagnostic message)
    • staticcheck: new quickfix set of rules
    • testifylint: from 1.5.2 to 1.6.0 (new options: equal-values, suite-method-signature, require-string-msg)
    • wsl: from 4.5.0 to 4.6.0 (new option: allow-cuddle-used-in-block)
  4. Linters bug fixes
    • bidichk: from 0.3.2 to 0.3.3
    • errchkjson: from 0.4.0 to 0.4.1
    • errname: from 1.0.0 to 1.1.0
    • funlen: fix ignore-comments option
    • gci: from 0.13.5 to 0.13.6
    • gosmopolitan: from 1.2.2 to 1.3.0
    • inamedparam: from 0.1.3 to 0.2.0
    • intrange: from 0.3.0 to 0.3.1
    • protogetter: from 0.3.9 to 0.3.12
    • unparam: from 8a5130c to 0df0534
  5. Misc.
    • 🧹 Configuration options renaming (cf. Migration guide)
    • 🧹 Remove options (cf. Migration guide)
    • 🧹 Remove flags (cf. Migration guide)
    • 🧹 Remove alternative names (cf. Migration guide)
    • 🧹 Remove or replace deprecated elements (cf. Migration guide)
    • Adds an option to display some commands as JSON:
      • golangci-lint config path --json
      • golangci-lint help linters --json
      • golangci-lint help formatters --json
      • golangci-lint linters --json
      • golangci-lint formatters --json
      • golangci-lint version --json
  6. Documentation

v1.64.8

Compare Source

  • Detects use of configuration files from golangci-lint v2

v1.64.7

Compare Source

  1. Linters bug fixes
    • depguard: from 2.2.0 to 2.2.1
    • dupl: from 3e9179a to f665c8d
    • gosec: from 2.22.1 to 2.22.2
    • staticcheck: from 0.6.0 to 0.6.1
  2. Documentation
    • Add GitLab documentation

v1.64.6

Compare Source

  1. Linters bug fixes
    • asciicheck: from 0.4.0 to 0.4.1
    • contextcheck: from 1.1.5 to 1.1.6
    • errcheck: from 1.8.0 to 1.9.0
    • exptostd: from 0.4.1 to 0.4.2
    • ginkgolinter: from 0.19.0 to 0.19.1
    • go-exhaustruct: from 3.3.0 to 3.3.1
    • gocheckcompilerdirectives: from 1.2.1 to 1.3.0
    • godot: from 1.4.20 to 1.5.0
    • perfsprint: from 0.8.1 to 0.8.2
    • revive: from 1.6.1 to 1.7.0
    • tagalign: from 1.4.1 to 1.4.2

v1.64.5

Compare Source

  1. Bug fixes
    • Add missing flag new-from-merge-base-flag
  2. Linters bug fixes
    • asciicheck: from 0.3.0 to 0.4.0
    • forcetypeassert: from 0.1.0 to 0.2.0
    • gosec: from 2.22.0 to 2.22.1

v1.64.4

Compare Source

  1. Linters bug fixes
    • gci: fix standard packages list for go1.24

v1.64.3

Compare Source

  1. Linters bug fixes
    • ginkgolinter: from 0.18.4 to 0.19.0
    • go-critic: from 0.11.5 to 0.12.0
    • revive: from 1.6.0 to 1.6.1
    • gci: fix standard packages list for go1.24
  2. Misc.
    • Build Docker images with go1.24

v1.64.2

Compare Source

This is the last minor release of golangci-lint v1.
The next release will be golangci-lint v2.

  1. Enhancements
    • 🎉 go1.24 support
    • New issues.new-from-merge-base option
    • New run.relative-path-mode option
  2. Linters new features
    • copyloopvar: from 1.1.0 to 1.2.1 (support suggested fixes)
    • exptostd: from 0.3.1 to 0.4.1 (handles golang.org/x/exp/constraints.Ordered)
    • fatcontext: from 0.5.3 to 0.7.1 (new option: check-struct-pointers)
    • perfsprint: from 0.7.1 to 0.8.1 (new options: integer-format, error-format, string-format, bool-format, and hex-format)
    • revive: from 1.5.1 to 1.6.0 (new rules: redundant-build-tag, use-errors-new. New option early-return.early-return)
  3. Linters bug fixes
    • go-errorlint: from 1.7.0 to 1.7.1
    • gochecknoglobals: from 0.2.1 to 0.2.2
    • godox: from 006bad1 to 1.1.0
    • gosec: from 2.21.4 to 2.22.0
    • iface: from 1.3.0 to 1.3.1
    • nilnesserr: from 0.1.1 to 0.1.2
    • protogetter: from 0.3.8 to 0.3.9
    • sloglint: from 0.7.2 to 0.9.0
    • spancheck: fix default StartSpanMatchersSlice values
    • staticcheck: from 0.5.1 to 0.6.0
  4. Deprecations
    • ⚠️ tenv is deprecated and replaced by usetesting.os-setenv: true.
    • ⚠️ exportloopref deprecation step 2
  5. Misc.
    • Sanitize severities by output format
    • Avoid panic with plugin without description
  6. Documentation
    • Clarify depguard configuration

v1.64.1

Compare Source

Cancelled due to CI failure.

v1.64.0

Compare Source

Cancelled due to CI failure.

santhosh-tekuri/jsonschema (github.com/santhosh-tekuri/jsonschema/v5)

v6.0.2

Compare Source

v6.0.1

Compare Source

Bug Fixes:

  • fix/schema: field RecursiveRef misspelled
  • fix/schema: missing Deprecated field

check https://redirect.github.com/santhosh-tekuri/jsonschema/discussions/172 to see notes for migrating from v5 to v6

v6.0.0

Compare Source

Improvements

  • mixed dialect support
  • custom $vocabulary support
  • sermver format
  • support for localisation for ValidationError
  • command jv
    • support stdin
    • --insecure and --cacert flag
    • --quiet flag

check https://redirect.github.com/santhosh-tekuri/jsonschema/discussions/172 to see notes for migrating from v5 to v6

go-jose/go-jose (gopkg.in/go-jose/go-jose.v2)

v4.1.4

Compare Source

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

Compare Source

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

Compare Source

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

New Contributors

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.1.0...v4.1.1

v4.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.5...v4.1.0

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4: Version 4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a breaking change. See #​136 / #​137.

v4.0.3: Version 4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
  • Dependency updates

v4.0.2: Version 4.0.2

Compare Source

What's Changed

New Contributors

Full Changelog: go-jose/go-jose@v4.0.1...v4.0.2

v4.0.1: Version 4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@​Alioth and Jianjun Chen@​Zhongguancun Lab (@​zer0yu and @​chenjj)
    for reporting.

v4.0.0: Version 4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)
  • Enforce minimum length for HMAC keys (#​85)
  • jwt: match any audience in a list, rather than requiring all audiences (#​81)
  • jwt: accept only Compact Serialization (#​75)
  • jws: Add expected algorithms for signatures (#​74)
  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#​69, #​74)
    • Usually there is a small, known set of appropriate algorithms for a program to use and it's a mistake to allow unexpected algorithms. For instance the "billion hash attack" relies in part on programs accepting the PBES2 encryption algorithm and doing the necessary work even if they weren't specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#​82)
  • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and ParseEncrypted, which try to automatically detect which serialization was provided. It's common to require a specific serialization for a specific protocol - for instance JWT requires Compact serialization.

v3.0.5

Compare Source

What's Changed

Fixes GHSA-78h2-9frx-2jm8

We recommend migrating from v3 to v4, and we will stop support v3 in the near future.

Full Changelog: go-jose/go-jose@v3.0.4...v3.0.5

v3.0.4

Compare Source

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144
#​174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

v3.0.3: Version 3.0.3

Compare Source

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2: Version 3.0.2

Compare Source

Fixed

  • DecryptMulti: handle decompression error (#​19)

Changed

  • jwe/CompactSerialize: improve performance (#​67)
  • Increase the default number of PBKDF2 iterations to 600k (#​48)
  • Return the proper algorithm for ECDSA keys (#​45)
  • Update golang.org/x/crypto to v0.19 (#​94)

Added

  • Add Thumbprint support for opaque signers (#​38)

v3.0.1: Version 3.0.1

Compare Source

Fixed

Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@​mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

v3.0.0: Version 3.0.0

Compare Source

First release after moving from square/go-jose to the new go-jose/go-jose repository.

Fixes & Improvements
a10ff54 - Fix for EC thumbprint template so we compute EC thumbprints correctly
30f4a6a - Treat zero Expected.Time as now in Claims.Validate when verifying JWTs
4ac8eda - Fix handling of the x5u header (X.509 certificate URL) in JWKs
d7b900b - Strip padding off base64 strings, to match spec per RFC7515 Appendix C
7f81482 - Extract key from JWKs to ensure you can use it when verifying a detached signature
e225b2d - Support non-pointer JWKs to match behavior for other key types
94cbec2 - Use ed25519 from the stdlib instead of the golang.org/x/crypto version
eae0da4 - Export jose-util helpers as they might be useful for others
4bac79d - Fix issue square#182 that caused panic on claims with invalid JWT payload
60a6e9d - Use string.Builder to remove whitespace, instead of a regexp to improve performance
2009556 - Better error handling to avoid panic that can be caused by invalid headers

This release also cleans up a number of module references for the new repo migration, fixed some typos in comments, and more.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/main-major-go-modules branch from 3061ab1 to ad5b351 Compare February 27, 2026 09:54
@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Feb 27, 2026
edited
Loading

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum
Command failed: go get -t ./...
go: gopkg.in/go-jose/go-jose.v4@v4.1.4: parsing go.mod:
	module declares its path as: github.com/go-jose/go-jose/v4
	        but was required as: gopkg.in/go-jose/go-jose.v4
File name: tools/go.sum
Command failed: go get -t ./...
go: downloading github.com/golangci/golangci-lint v1.57.2
go: downloading golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
go: downloading github.com/fatih/color v1.19.0
go: downloading github.com/lib/pq v1.11.2
go: downloading github.com/ldez/gomoddirectives v0.8.0
go: downloading github.com/golangci/plugin-module-register v0.1.2
go: downloading cloud.google.com/go/kms v1.22.0
go: downloading cloud.google.com/go v0.121.2
go: downloading google.golang.org/api v0.239.0
go: downloading cloud.google.com/go/storage v1.53.0
go: downloading google.golang.org/genproto v0.0.0-20250603155806-513f23925822
go: downloading github.com/ldez/grignotin v0.10.1
go: downloading github.com/4meepo/tagalign v1.4.3
go: downloading github.com/Abirdcfly/dupword v0.1.7
go: downloading github.com/Antonboom/errname v1.1.1
go: downloading github.com/Antonboom/nilnil v1.1.1
go: downloading github.com/Antonboom/testifylint v1.6.4
go: downloading github.com/Djarvur/go-err113 v0.1.1
go: downloading github.com/alexkohler/nakedret/v2 v2.0.6
go: downloading github.com/alexkohler/prealloc v1.1.0
go: downloading github.com/bombsimon/wsl/v4 v4.7.0
go: downloading github.com/breml/bidichk v0.3.3
go: downloading github.com/breml/errchkjson v0.4.1
go: downloading github.com/butuzov/ireturn v0.4.0
go: downloading github.com/catenacyber/perfsprint v0.10.1
go: downloading github.com/charithe/durationcheck v0.0.11
go: downloading github.com/ckaznocha/intrange v0.3.1
go: downloading github.com/firefart/nonamedreturns v1.0.6
go: downloading github.com/ghostiam/protogetter v0.3.20
go: downloading github.com/go-critic/go-critic v0.14.3
go: downloading github.com/golangci/misspell v0.8.0
go: downloading github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e
go: downloading github.com/gordonklaus/ineffassign v0.2.0
go: downloading github.com/gostaticanalysis/nilerr v0.1.2
go: downloading github.com/jgautheron/goconst v1.8.2
go: downloading github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af
go: downloading github.com/jjti/go-spancheck v0.6.5
go: downloading github.com/karamaru-alpha/copyloopvar v1.2.2
go: downloading github.com/kisielk/errcheck v1.10.0
go: downloading github.com/kulti/thelper v0.7.1
go: downloading github.com/kunwardeep/paralleltest v1.0.15
go: downloading github.com/ldez/tagliatelle v0.7.2
go: downloading github.com/lufeee/execinquery v1.2.1
go: downloading github.com/macabu/inamedparam v0.2.0
go: downloading github.com/maratori/testableexamples v1.0.1
go: downloading github.com/maratori/testpackage v1.1.2
go: downloading github.com/mgechev/revive v1.15.0
go: downloading github.com/nunnatsa/ginkgolinter v0.23.0
go: downloading github.com/ryancurrah/gomodguard v1.4.1
go: downloading github.com/ryanrolds/sqlclosecheck v0.6.0
go: downloading github.com/sashamelentyev/usestdlibvars v1.29.0
go: downloading github.com/securego/gosec/v2 v2.24.8-0.20260309165252-619ce2117e08
go: downloading github.com/sonatard/noctx v0.5.1
go: downloading github.com/stbenjam/no-sprintf-host-port v0.3.1
go: downloading github.com/tetafro/godot v1.5.4
go: downloading github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67
go: downloading github.com/timonwong/loggercheck v0.11.0
go: downloading github.com/tomarrell/wrapcheck/v2 v2.12.0
go: downloading github.com/uudashr/gocognit v1.2.1
go: downloading github.com/xen0n/gosmopolitan v1.3.0
go: downloading go-simpler.org/musttag v0.14.0
go: downloading go-simpler.org/sloglint v0.11.1
go: downloading honnef.co/go/tools v0.7.0
go: downloading mvdan.cc/gofumpt v0.9.2
go: downloading mvdan.cc/unparam v0.0.0-20251027182757-5beb8c8f8f15
go: downloading cloud.google.com/go/iam v1.5.2
go: downloading cloud.google.com/go/longrunning v0.6.7
go: downloading github.com/googleapis/gax-go/v2 v2.15.0
go: downloading cloud.google.com/go/auth v0.16.5
go: downloading cloud.google.com/go/firestore v1.18.0
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0
go: downloading github.com/alfatraining/structtag v1.0.0
go: downloading github.com/quasilyte/go-ruleguard v0.4.5
go: downloading github.com/ccojocar/zxcvbn-go v1.0.4
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0
go: downloading cloud.google.com/go/monitoring v1.24.2
go: downloading github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0
go: downloading golang.org/x/exp/typeparams v0.0.0-20260209203927-2842357ff358
go: downloading codeberg.org/chavacava/garif v0.2.0
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.6
go: downloading github.com/golangci/gofmt v0.0.0-20251215234548-e7be49a5ab4d
go: github.com/conforma/cli/tools imports
	github.com/golangci/golangci-lint/cmd/golangci-lint imports
	github.com/golangci/golangci-lint/pkg/commands imports
	github.com/golangci/golangci-lint/pkg/lint/lintersdb imports
	github.com/golangci/golangci-lint/pkg/golinters imports
	github.com/golangci/gofmt/goimports: cannot find module providing package github.com/golangci/gofmt/goimports
go: github.com/conforma/cli/tools imports
	github.com/golangci/golangci-lint/cmd/golangci-lint imports
	github.com/golangci/golangci-lint/pkg/commands imports
	github.com/golangci/golangci-lint/pkg/lint/lintersdb imports
	github.com/golangci/golangci-lint/pkg/golinters imports
	github.com/nunnatsa/ginkgolinter/types: cannot find module providing package github.com/nunnatsa/ginkgolinter/types
go: warning: github.com/klauspost/compress@v1.18.1: retracted by module author: https://github.com/klauspost/compress/issues/1114
go: to switch to the latest unretracted version, run:
	go get github.com/klauspost/compress@latest

@github-actions github-actions bot added size: L and removed size: S labels Feb 27, 2026
@renovate renovate bot force-pushed the renovate/main-major-go-modules branch 7 times, most recently from 55a7196 to ca1e8bd Compare March 12, 2026 12:48
@renovate renovate bot force-pushed the renovate/main-major-go-modules branch 3 times, most recently from 4ddfa54 to 6a6166b Compare March 18, 2026 09:16
@renovate renovate bot force-pushed the renovate/main-major-go-modules branch 3 times, most recently from 8eb3e76 to f1aa247 Compare March 26, 2026 13:42
@github-actions github-actions bot added size: XS and removed size: L labels Mar 26, 2026
@renovate renovate bot force-pushed the renovate/main-major-go-modules branch 2 times, most recently from 7c8ec28 to 2b721f7 Compare April 1, 2026 17:17
@renovate renovate bot force-pushed the renovate/main-major-go-modules branch from 2b721f7 to 2be196d Compare April 9, 2026 10:38
@renovate renovate bot force-pushed the renovate/main-major-go-modules branch from 2be196d to 458ca5f Compare April 10, 2026 21:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

main major renovate size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants