From 4d3ff9f838f245acd362830e3513ad0914f85115 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 17 Mar 2026 05:39:50 +0000
Subject: [PATCH] chore(deps): bump github.com/dvsekhvalnov/jose2go from 1.6.0 to 1.7.0

Bumps [github.com/dvsekhvalnov/jose2go](https://github.com/dvsekhvalnov/jose2go) from 1.6.0 to 1.7.0.
- [Commits](https://github.com/dvsekhvalnov/jose2go/compare/v1.6.0...v1.7.0)

---
updated-dependencies:
- dependency-name: github.com/dvsekhvalnov/jose2go
  dependency-version: 1.7.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../ios/Keychain/Keychain-Bridging-Header.h | 5 --
 .../bind.framework/Versions/A/Headers/Bind.h | 13 ----
 .../Versions/A/Headers/Bind.objc.h | 36 -----------
 .../Versions/A/Headers/Universe.objc.h | 28 ---------
 .../bind.framework/Versions/A/Headers/ref.h | 35 -----------
 .../github.com/dvsekhvalnov/jose2go/README.md | 16 +++++
 .../dvsekhvalnov/jose2go/deflate.go | 60 +++++++++++++++----
 .../github.com/dvsekhvalnov/jose2go/jose.go | 6 +-
 vendor/modules.txt | 2 +-
 11 files changed, 71 insertions(+), 136 deletions(-)
 delete mode 100644 vendor/github.com/99designs/go-keychain/ios/Keychain/Keychain-Bridging-Header.h
 delete mode 100644 vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.h
 delete mode 100644 vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.objc.h
 delete mode 100644 vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Universe.objc.h
 delete mode 100644 vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/ref.h

diff --git a/go.mod b/go.mod
index 6ed55dcb..d3f19cfd 100644
--- a/go.mod
+++ b/go.mod
@@ -44,7 +44,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
+	github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
diff --git a/go.sum b/go.sum
index cdf58ac9..1f111765 100644
--- a/go.sum
+++ b/go.sum
@@ -46,8 +46,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dvsekhvalnov/jose2go v1.6.0 h1:Y9gnSnP4qEI0+/uQkHvFXeD2PLPJeXEL+ySMEA2EjTY=
-github.com/dvsekhvalnov/jose2go v1.6.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
+github.com/dvsekhvalnov/jose2go v1.7.0 h1:bnQc8+GMnidJZA8zc6lLEAb4xNrIqHwO+9TzqvtQZPo=
+github.com/dvsekhvalnov/jose2go v1.7.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/go-logfmt/logfmt v0.6.1 h1:4hvbpePJKnIzH1B+8OR/JPbTx37NktoI9LE2QZBBkvE=
diff --git a/vendor/github.com/99designs/go-keychain/ios/Keychain/Keychain-Bridging-Header.h b/vendor/github.com/99designs/go-keychain/ios/Keychain/Keychain-Bridging-Header.h
deleted file mode 100644
index 85b2f74f..00000000
--- a/vendor/github.com/99designs/go-keychain/ios/Keychain/Keychain-Bridging-Header.h
+++ /dev/null
@@ -1,5 +0,0 @@
-//
-// Use this file to import your target's public headers that you would like to expose to Swift.
-//
-
-#import
diff --git a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.h b/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.h
deleted file mode 100644
index 06ee05a6..00000000
--- a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.h
+++ /dev/null
@@ -1,13 +0,0 @@
-
-// Objective-C API for talking to the following Go packages
-//
-// github.com/keybase/go-keychain/bind
-//
-// File is generated by gomobile bind. Do not edit.
-#ifndef __Bind_FRAMEWORK_H__
-#define __Bind_FRAMEWORK_H__
-
-#include "Bind.objc.h"
-#include "Universe.objc.h"
-
-#endif
diff --git a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.objc.h b/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.objc.h
deleted file mode 100644
index b0d8d0e8..00000000
--- a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Bind.objc.h
+++ /dev/null
@@ -1,36 +0,0 @@
-// Objective-C API for talking to github.com/keybase/go-keychain/bind Go package.
-// gobind -lang=objc github.com/keybase/go-keychain/bind
-//
-// File is generated by gobind. Do not edit.
-
-#ifndef __Bind_H__
-#define __Bind_H__
-
-@import Foundation;
-#include "Universe.objc.h"
-
-
-@protocol BindTest;
-@class BindTest;
-
-@protocol BindTest
-- (void)fail:(NSString*)s;
-@end
-
-FOUNDATION_EXPORT BOOL BindAddGenericPassword(NSString* service, NSString* account, NSString* label, NSString* password, NSString* accessGroup, NSError** error);
-
-FOUNDATION_EXPORT BOOL BindDeleteGenericPassword(NSString* service, NSString* account, NSString* accessGroup, NSError** error);
-
-FOUNDATION_EXPORT void BindGenericPasswordTest(id t, NSString* service, NSString* accessGroup);
-
-@class BindTest;
-
-@interface BindTest : NSObject {
-}
-@property(strong, readonly) id _ref;
-
-- (instancetype)initWithRef:(id)ref;
-- (void)fail:(NSString*)s;
-@end
-
-#endif
diff --git a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Universe.objc.h b/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Universe.objc.h
deleted file mode 100644
index e47f7160..00000000
--- a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/Universe.objc.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Objective-C API for talking to Go package.
-// gobind -lang=objc
-//
-// File is generated by gobind. Do not edit.
-
-#ifndef __Universe_H__
-#define __Universe_H__
-
-@import Foundation;
-
-@protocol Universeerror;
-@class Universeerror;
-
-@protocol Universeerror
-- (NSString*)error;
-@end
-
-@class Universeerror;
-
-@interface Universeerror : NSError {
-}
-@property(strong, readonly) id _ref;
-
-- (instancetype)initWithRef:(id)ref;
-- (NSString*)error;
-@end
-
-#endif
diff --git a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/ref.h b/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/ref.h
deleted file mode 100644
index b8036a4d..00000000
--- a/vendor/github.com/99designs/go-keychain/ios/bind.framework/Versions/A/Headers/ref.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-#ifndef __GO_REF_HDR__
-#define __GO_REF_HDR__
-
-#include
-
-// GoSeqRef is an object tagged with an integer for passing back and
-// forth across the language boundary. A GoSeqRef may represent either
-// an instance of a Go object, or an Objective-C object passed to Go.
-// The explicit allocation of a GoSeqRef is used to pin a Go object
-// when it is passed to Objective-C. The Go seq package maintains a
-// reference to the Go object in a map keyed by the refnum along with
-// a reference count. When the reference count reaches zero, the Go
-// seq package will clear the corresponding entry in the map.
-@interface GoSeqRef : NSObject {
-}
-@property(readonly) int32_t refnum;
-@property(strong) id obj; // NULL when representing a Go object.
-
-// new GoSeqRef object to proxy a Go object. The refnum must be
-// provided from Go side.
-- (instancetype)initWithRefnum:(int32_t)refnum obj:(id)obj;
-
-- (int32_t)incNum;
-
-@end
-
-@protocol goSeqRefInterface
--(GoSeqRef*) _ref;
-@end
-
-#endif
diff --git a/vendor/github.com/dvsekhvalnov/jose2go/README.md b/vendor/github.com/dvsekhvalnov/jose2go/README.md
index bbf0ef75..a1aa0b3c 100644
--- a/vendor/github.com/dvsekhvalnov/jose2go/README.md
+++ b/vendor/github.com/dvsekhvalnov/jose2go/README.md
@@ -15,6 +15,8 @@ Extensively unit tested and cross tested (100+ tests) for compatibility with [jo
 Used in production. GA ready. Current version is 1.6.
 
 ## Important
+v1.7 introduced deflate decompression memory limits to avoid denial-of-service attacks aka 'deflate-bomb'. See [Customizing compression](#customizing-compression) section for details.
+
 v1.6 security tuning options
 
 v1.5 bug fix release
@@ -997,7 +999,21 @@ test, headers, err := Decode(token, func(headers map[string]interface{}, payload
 })
 ```
 
+### Customizing compression
+There were denial-of-service attacks reported on JWT libraries that supports deflate compression by constructing malicious payload that explodes in terms of RAM on decompression. See for details: [#33](https://github.com/dvsekhvalnov/jose2go/issues/33)
+
+As of v1.7.0 `jose2go` limits decompression buffer to 250Kb to limit memory consumption and additionaly provides a way to adjust the limit according to specific scenarios:
+
+```Go
+	// Override compression alg with new limits (10Kb example)
+	jose.RegisterJwc(RegisterJwc(NewDeflate(10240)))
+```
+
 ## Changelog
+### 1.7
+- 250Kb limit on decompression buffer
+- ability to register deflate compressor with custom limits
+
 ### 1.6
 - ability to deregister specific algorithms
 - configurable min/max restrictions for PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW
diff --git a/vendor/github.com/dvsekhvalnov/jose2go/deflate.go b/vendor/github.com/dvsekhvalnov/jose2go/deflate.go
index c788f5bd..b46cdf9f 100644
--- a/vendor/github.com/dvsekhvalnov/jose2go/deflate.go
+++ b/vendor/github.com/dvsekhvalnov/jose2go/deflate.go
@@ -3,15 +3,27 @@ package jose
 import (
 	"bytes"
 	"compress/flate"
-	"io/ioutil"
+	"errors"
+	"io"
 )
 
+var ErrSizeExceeded = errors.New("Deflate stream size exceeded limit.")
+
 func init() {
-	RegisterJwc(new(Deflate))
+	// 250Kb limited decompression buffer
+	RegisterJwc(NewDeflate(250 * 1024))
 }
 
 // Deflate compression algorithm implementation
-type Deflate struct {}
+type Deflate struct {
+	maxBufferSizeBytes int64
+}
+
+func NewDeflate(maxBufferSizeBytes int64) JwcAlgorithm {
+	return &Deflate{
+		maxBufferSizeBytes: maxBufferSizeBytes,
+	}
+}
 
 func (alg *Deflate) Name() string {
 	return DEF
@@ -19,21 +31,43 @@ func (alg *Deflate) Name() string {
 
 func (alg *Deflate) Compress(plainText []byte) []byte {
 	var buf bytes.Buffer
-	deflate,_ := flate.NewWriter(&buf, 8) //level=DEFLATED
- 
+	deflate, _ := flate.NewWriter(&buf, 8) //level=DEFLATED
+
 	deflate.Write(plainText)
 	deflate.Close()
- 
+
 	return buf.Bytes()
 }
 
-func (alg *Deflate) Decompress(compressedText []byte) []byte {
-
-	enflated,_ := ioutil.ReadAll(
-		flate.NewReader(
-			bytes.NewReader(compressedText)))
-
-	return enflated
+func (alg *Deflate) Decompress(compressedText []byte) ([]byte, error) {
+	enflated, err := io.ReadAll(
+		newMaxBytesReader(alg.maxBufferSizeBytes,
+			flate.NewReader(
+				bytes.NewReader(compressedText))))
+
+	return enflated, err
 }
 
 
+// Max bytes reader
+type maxBytesReader struct {
+	reader io.Reader
+	limit  int64
+}
+
+func newMaxBytesReader(limit int64, r io.Reader) io.Reader {
+	return &maxBytesReader{reader: r, limit: limit}
+}
+func (mbr *maxBytesReader) Read(p []byte) (n int, err error) {
+	if mbr.limit <= 0 {
+		return 0, ErrSizeExceeded
+	}
+
+	if int64(len(p)) > mbr.limit {
+		p = p[0:mbr.limit]
+	}
+
+	n, err = mbr.reader.Read(p)
+	mbr.limit -= int64(n)
+	return
+}
diff --git a/vendor/github.com/dvsekhvalnov/jose2go/jose.go b/vendor/github.com/dvsekhvalnov/jose2go/jose.go
index 3549a918..0d14ae93 100644
--- a/vendor/github.com/dvsekhvalnov/jose2go/jose.go
+++ b/vendor/github.com/dvsekhvalnov/jose2go/jose.go
@@ -140,7 +140,7 @@ type JwsAlgorithm interface {
 // JwcAlgorithm is a contract for implementing compression algorithm
 type JwcAlgorithm interface {
 	Compress(plainText []byte) []byte
-	Decompress(compressedText []byte) []byte
+	Decompress(compressedText []byte) ([]byte, error)
 	Name() string
 }
 
@@ -427,7 +427,9 @@ func decrypt(parts [][]byte, key interface{}) (plainText []byte, headers map[str
 			return nil, nil, errors.New(fmt.Sprintf("jwt.decrypt(): Unknown compression algorithm '%v'", zip))
 		}
 
-		plainBytes = zipAlg.Decompress(plainBytes)
+		if plainBytes, err = zipAlg.Decompress(plainBytes); err != nil {
+			return nil, nil, err
+		}
 	}
 
 	return plainBytes, jwtHeader, nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 87008849..6afbb840 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -61,7 +61,7 @@ github.com/danieljoos/wincred
 # github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 ## explicit
 github.com/davecgh/go-spew/spew
-# github.com/dvsekhvalnov/jose2go v1.6.0
+# github.com/dvsekhvalnov/jose2go v1.7.0
 ## explicit; go 1.15
 github.com/dvsekhvalnov/jose2go
 github.com/dvsekhvalnov/jose2go/aes