◐ Shell
clean mode source ↗

fix: bump go-jose/go-jose/v4 to v4.1.4 (CVE-2026-34986) by Shelnutt2 · Pull Request #25263 · coder/coder

github-actions

Skip to content

Navigation Menu

Sign in

Appearance settings

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up

Appearance settings

Conversation

@Shelnutt2

Copy link Copy Markdown

Contributor

Summary

Bumps github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 on the release/2.29 branch to fix a JWE decryption panic.

CVE Severity Advisory
CVE-2026-34986 High NVD
GHSA-78h2-9frx-2jm8 High GitHub

Changes

  • go.mod: go-jose/go-jose/v4 v4.1.3 -> v4.1.4
  • go.sum: updated checksums

No code changes; dependency-only bump.

Ref: ENT-55, ENT-65

Generated by Coder Agents (session)

 
Upgrade github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to fix a
JWE decryption panic vulnerability (CVE-2026-34986, GHSA-78h2-9frx-2jm8).

Ref: ENT-55, ENT-65

@Shelnutt2 Shelnutt2 added dependencies

Pull requests that update a dependency file

cherry-pick/v2.29

Needs to be cherry-picked to the 2.29 release branch

labels

May 13, 2026

@Shelnutt2 Shelnutt2 changed the title fix(deps): bump go-jose/go-jose/v4 to v4.1.4 (CVE-2026-34986) fix: bump go-jose/go-jose/v4 to v4.1.4 (CVE-2026-34986)

May 13, 2026

@Shelnutt2 Shelnutt2 merged commit e02a00e into release/2.29

May 13, 2026

37 of 39 checks passed

@Shelnutt2 Shelnutt2 deleted the fix/upgrade-go-jose-v2.29 branch

May 13, 2026 12:24

@github-actions github-actions Bot locked and limited conversation to collaborators

May 13, 2026

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@f0ssel f0ssel f0ssel approved these changes

@jdomeracki-coder jdomeracki-coder Awaiting requested review from jdomeracki-coder

Assignees

@Shelnutt2 Shelnutt2

Labels

cherry-pick/v2.29

Needs to be cherry-picked to the 2.29 release branch

dependencies

Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Shelnutt2 @f0ssel