Update go deps (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/go-jose/go-jose/v3	v3.0.3 -> v4.0.3
github.com/pion/rtp	v1.8.6 -> v2.0.0

---

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.0.3

Compare Source

Changed

• Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
• Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
• Dependency updates

v4.0.2: Version 4.0.2

Compare Source

What's Changed

• Improved documentation of Verify() to note that JSONWebKeySet is a supported argument type
• Defined exported error values for missing x5c header and unsupported elliptic curves error cases

New Contributors

• @​mitar made their first contribution in https://github.com/go-jose/go-jose/pull/104
• @​milosgajdos made their first contribution in https://github.com/go-jose/go-jose/pull/117

Full Changelog: go-jose/go-jose@v4.0.1...v4.0.2

v4.0.1

Compare Source

Fixed

• An attacker could send a JWE containing compressed data that used large
  amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
  Those functions now return an error if the decompressed data would exceed
  250kB or 10x the compressed size (whichever is larger). Thanks to
  Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj)
  for reporting.

v4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly
address the vulnerabilities discussed in Three New Attacks Against JSON Web
Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
token".

Changed

• Limit JWT encryption types (exclude password or public key types) (#​78)
• Enforce minimum length for HMAC keys (#​85)
• jwt: match any audience in a list, rather than requiring all audiences (#​81)
• jwt: accept only Compact Serialization (#​75)
• jws: Add expected algorithms for signatures (#​74)
• Require specifying expected algorithms for ParseEncrypted,
  ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
  jwt.ParseSignedAndEncrypted (#​69, #​74)
  • Usually there is a small, known set of appropriate algorithms for a program
    to use and it's a mistake to allow unexpected algorithms. For instance the
    "billion hash attack" relies in part on programs accepting the PBES2
    encryption algorithm and doing the necessary work even if they weren't
    specifically configured to allow PBES2.
• Revert "Strip padding off base64 strings" (#​82)
• The specs require base64url encoding without padding.
• Minimum supported Go version is now 1.21

Added

• ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
  • These allow parsing a specific serialization, as opposed to ParseSigned and
    ParseEncrypted, which try to automatically detect which serialization was
    provided. It's common to require a specific serialization for a specific
    protocol - for instance JWT requires Compact serialization.

pion/rtp (github.com/pion/rtp)

v2.0.0

Compare Source

v1.8.7

Compare Source

Changelog

• 0967ee9 Fix RTP padding length validation
• bc5124c Fix VP9 decoding on iOS

---

Configuration

📅 Schedule: Branch creation - "on sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
golang.org/x/crypto	v0.24.0 -> v0.25.0
golang.org/x/sys	v0.21.0 -> v0.22.0