chore(deps): bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.4.0 (#383)

Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.1.0 to 3.4.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](https://github.com/coreos/go-oidc/compare/v3.1.0...v3.4.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

vendor/github.com/coreos/go-oidc/v3/oidc/jwks.go

@@ -2,6 +2,9 @@ package oidc
 
 import (
 	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rsa"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -12,6 +15,35 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 )
 
+// StaticKeySet is a verifier that validates JWT against a static set of public keys.
+type StaticKeySet struct {
+	// PublicKeys used to verify the JWT. Supported types are *rsa.PublicKey and
+	// *ecdsa.PublicKey.
+	PublicKeys []crypto.PublicKey
+}
+
+// VerifySignature compares the signature against a static set of public keys.
+func (s *StaticKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
+	jws, err := jose.ParseSigned(jwt)
+	if err != nil {
+		return nil, fmt.Errorf("parsing jwt: %v", err)
+	}
+	for _, pub := range s.PublicKeys {
+		switch pub.(type) {
+		case *rsa.PublicKey:
+		case *ecdsa.PublicKey:
+		default:
+			return nil, fmt.Errorf("invalid public key type provided: %T", pub)
+		}
+		payload, err := jws.Verify(pub)
+		if err != nil {
+			continue
+		}
+		return payload, nil
+	}
+	return nil, fmt.Errorf("no public keys able to verify jwt")
+}
+
 // NewRemoteKeySet returns a KeySet that can validate JSON web tokens by using HTTP
 // GETs to fetch JSON web token sets hosted at a remote URL. This is automatically
 // used by NewProvider using the URLs returned by OpenID Connect discovery, but is
@@ -81,15 +113,23 @@ func (i *inflight) result() ([]jose.JSONWebKey, error) {
 	return i.keys, i.err
 }
 
+// paresdJWTKey is a context key that allows common setups to avoid parsing the
+// JWT twice. It holds a *jose.JSONWebSignature value.
+var parsedJWTKey contextKey
+
 // VerifySignature validates a payload against a signature from the jwks_uri.
 //
 // Users MUST NOT call this method directly and should use an IDTokenVerifier
 // instead. This method skips critical validations such as 'alg' values and is
 // only exported to implement the KeySet interface.
 func (r *RemoteKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
-	jws, err := jose.ParseSigned(jwt)
-	if err != nil {
-		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
+	jws, ok := ctx.Value(parsedJWTKey).(*jose.JSONWebSignature)
+	if !ok {
+		var err error
+		jws, err = jose.ParseSigned(jwt)
+		if err != nil {
+			return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
+		}
 	}
 	return r.verify(ctx, jws)
 }

vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go

@@ -134,6 +134,48 @@ var supportedAlgorithms = map[string]bool{
 	PS512: true,
 }
 
+// ProviderConfig allows creating providers when discovery isn't supported. It's
+// generally easier to use NewProvider directly.
+type ProviderConfig struct {
+	// IssuerURL is the identity of the provider, and the string it uses to sign
+	// ID tokens with. For example "https://accounts.google.com". This value MUST
+	// match ID tokens exactly.
+	IssuerURL string
+	// AuthURL is the endpoint used by the provider to support the OAuth 2.0
+	// authorization endpoint.
+	AuthURL string
+	// TokenURL is the endpoint used by the provider to support the OAuth 2.0
+	// token endpoint.
+	TokenURL string
+	// UserInfoURL is the endpoint used by the provider to support the OpenID
+	// Connect UserInfo flow.
+	//
+	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+	UserInfoURL string
+	// JWKSURL is the endpoint used by the provider to advertise public keys to
+	// verify issued ID tokens. This endpoint is polled as new keys are made
+	// available.
+	JWKSURL string
+
+	// Algorithms, if provided, indicate a list of JWT algorithms allowed to sign
+	// ID tokens. If not provided, this defaults to the algorithms advertised by
+	// the JWK endpoint, then the set of algorithms supported by this package.
+	Algorithms []string
+}
+
+// NewProvider initializes a provider from a set of endpoints, rather than
+// through discovery.
+func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
+	return &Provider{
+		issuer:       p.IssuerURL,
+		authURL:      p.AuthURL,
+		tokenURL:     p.TokenURL,
+		userInfoURL:  p.UserInfoURL,
+		algorithms:   p.Algorithms,
+		remoteKeySet: NewRemoteKeySet(cloneContext(ctx), p.JWKSURL),
+	}
+}
+
 // NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
 //
 // The issuer is the URL identifier for the service. For example: "https://accounts.google.com"

vendor/github.com/coreos/go-oidc/v3/oidc/verify.go

@@ -21,6 +21,18 @@ const (
 	issuerGoogleAccountsNoScheme = "accounts.google.com"
 )
 
+// TokenExpiredError indicates that Verify failed because the token was expired. This
+// error does NOT indicate that the token is not also invalid for other reasons. Other
+// checks might have failed if the expiration check had not failed.
+type TokenExpiredError struct {
+	// Expiry is the time when the token expired.
+	Expiry time.Time
+}
+
+func (e *TokenExpiredError) Error() string {
+	return fmt.Sprintf("oidc: token is expired (Token Expiry: %v)", e.Expiry)
+}
+
 // KeySet is a set of publc JSON Web Keys that can be used to validate the signature
 // of JSON web tokens. This is expected to be backed by a remote key set through
 // provider metadata discovery or an in-memory set of keys delivered out-of-band.
@@ -55,15 +67,10 @@ type IDTokenVerifier struct {
 //		keySet := oidc.NewRemoteKeySet(ctx, "https://www.googleapis.com/oauth2/v3/certs")
 //		verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config)
 //
-// Since KeySet is an interface, this constructor can also be used to supply custom
-// public key sources. For example, if a user wanted to supply public keys out-of-band
-// and hold them statically in-memory:
+// Or a static key set (e.g. for testing):
 //
-//		// Custom KeySet implementation.
-//		keySet := newStatisKeySet(publicKeys...)
-//
-//		// Verifier uses the custom KeySet implementation.
-//		verifier := oidc.NewVerifier("https://auth.example.com", keySet, config)
+//		keySet := &oidc.StaticKeySet{PublicKeys: []crypto.PublicKey{pub1, pub2}}
+//		verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config)
 //
 func NewVerifier(issuerURL string, keySet KeySet, config *Config) *IDTokenVerifier {
 	return &IDTokenVerifier{keySet: keySet, config: config, issuer: issuerURL}
@@ -100,12 +107,20 @@ type Config struct {
 
 	// Time function to check Token expiry. Defaults to time.Now
 	Now func() time.Time
+
+	// InsecureSkipSignatureCheck causes this package to skip JWT signature validation.
+	// It's intended for special cases where providers (such as Azure), use the "none"
+	// algorithm.
+	//
+	// This option can only be enabled safely when the ID Token is received directly
+	// from the provider after the token exchange.
+	//
+	// This option MUST NOT be used when receiving an ID Token from sources other
+	// than the token endpoint.
+	InsecureSkipSignatureCheck bool
 }
 
 // Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.
-//
-// The returned IDTokenVerifier is tied to the Provider's context and its behavior is
-// undefined once the Provider's context is canceled.
 func (p *Provider) Verifier(config *Config) *IDTokenVerifier {
 	if len(config.SupportedSigningAlgs) == 0 && len(p.algorithms) > 0 {
 		// Make a copy so we don't modify the config values.
@@ -192,11 +207,6 @@ func resolveDistributedClaim(ctx context.Context, verifier *IDTokenVerifier, src
 //    token, err := verifier.Verify(ctx, rawIDToken)
 //
 func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDToken, error) {
-	jws, err := jose.ParseSigned(rawIDToken)
-	if err != nil {
-		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
-	}
-
 	// Throw out tokens with invalid claims before trying to verify the token. This lets
 	// us do cheap checks before possibly re-syncing keys.
 	payload, err := parseJWT(rawIDToken)
@@ -268,13 +278,15 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 		nowTime := now()
 
 		if t.Expiry.Before(nowTime) {
-			return nil, fmt.Errorf("oidc: token is expired (Token Expiry: %v)", t.Expiry)
+			return nil, &TokenExpiredError{Expiry: t.Expiry}
 		}
 
 		// If nbf claim is provided in token, ensure that it is indeed in the past.
 		if token.NotBefore != nil {
 			nbfTime := time.Time(*token.NotBefore)
-			leeway := 1 * time.Minute
+			// Set to 5 minutes since this is what other OpenID Connect providers do to deal with clock skew.
+			// https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/6.12.2/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L149-L153
+			leeway := 5 * time.Minute
 
 			if nowTime.Add(leeway).Before(nbfTime) {
 				return nil, fmt.Errorf("oidc: current time %v before the nbf (not before) time: %v", nowTime, nbfTime)
@@ -282,6 +294,15 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 		}
 	}
 
+	if v.config.InsecureSkipSignatureCheck {
+		return t, nil
+	}
+
+	jws, err := jose.ParseSigned(rawIDToken)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
+	}
+
 	switch len(jws.Signatures) {
 	case 0:
 		return nil, fmt.Errorf("oidc: id token not signed")
@@ -302,6 +323,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 
 	t.sigAlgorithm = sig.Header.Algorithm
 
+	ctx = context.WithValue(ctx, parsedJWTKey, jws)
 	gotPayload, err := v.keySet.VerifySignature(ctx, rawIDToken)
 	if err != nil {
 		return nil, fmt.Errorf("failed to verify signature: %v", err)

vendor/golang.org/x/net/AUTHORS

@@ -1,3 +0,0 @@
-# This source code refers to The Go Authors for copyright purposes.
-# The master list of authors is in the main Go distribution,
-# visible at http://tip.golang.org/AUTHORS.

vendor/golang.org/x/net/CONTRIBUTORS

@@ -1,3 +0,0 @@
-# This source code was written by the Go contributors.
-# The master list of contributors is in the main Go distribution,
-# visible at http://tip.golang.org/CONTRIBUTORS.

vendor/golang.org/x/net/bpf/doc.go

@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 /*
-
 Package bpf implements marshaling and unmarshaling of programs for the
 Berkeley Packet Filter virtual machine, and provides a Go implementation
 of the virtual machine.
@@ -21,7 +20,7 @@ access to kernel functions, and while conditional branches are
 allowed, they can only jump forwards, to guarantee that there are no
 infinite loops.
 
-The virtual machine
+# The virtual machine
 
 The BPF VM is an accumulator machine. Its main register, called
 register A, is an implicit source and destination in all arithmetic
@@ -50,7 +49,7 @@ to extensions, which are essentially calls to kernel utility
 functions. Currently, the only extensions supported by this package
 are the Linux packet filter extensions.
 
-Examples
+# Examples
 
 This packet filter selects all ARP packets.
 
@@ -77,6 +76,5 @@ This packet filter captures a random 1% sample of traffic.
 		// Ignore.
 		bpf.RetConstant{Val: 0},
 	})
-
 */
 package bpf // import "golang.org/x/net/bpf"

vendor/golang.org/x/net/context/context.go

@@ -21,9 +21,9 @@
 // explicitly to each function that needs it. The Context should be the first
 // parameter, typically named ctx:
 //
-// 	func DoSomething(ctx context.Context, arg Arg) error {
-// 		// ... use ctx ...
-// 	}
+//	func DoSomething(ctx context.Context, arg Arg) error {
+//		// ... use ctx ...
+//	}
 //
 // Do not pass a nil Context, even if a function permits it. Pass context.TODO
 // if you are unsure about which Context to use.

vendor/golang.org/x/net/context/go17.go

@@ -54,11 +54,11 @@ func WithDeadline(parent Context, deadline time.Time) (Context, CancelFunc) {
 // Canceling this context releases resources associated with it, so code should
 // call cancel as soon as the operations running in this Context complete:
 //
-// 	func slowOperationWithTimeout(ctx context.Context) (Result, error) {
-// 		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
-// 		defer cancel()  // releases resources if slowOperation completes before timeout elapses
-// 		return slowOperation(ctx)
-// 	}
+//	func slowOperationWithTimeout(ctx context.Context) (Result, error) {
+//		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+//		defer cancel()  // releases resources if slowOperation completes before timeout elapses
+//		return slowOperation(ctx)
+//	}
 func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
 	return WithDeadline(parent, time.Now().Add(timeout))
 }

vendor/golang.org/x/net/context/pre_go17.go

@@ -264,11 +264,11 @@ func (c *timerCtx) cancel(removeFromParent bool, err error) {
 // Canceling this context releases resources associated with it, so code should
 // call cancel as soon as the operations running in this Context complete:
 //
-// 	func slowOperationWithTimeout(ctx context.Context) (Result, error) {
-// 		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
-// 		defer cancel()  // releases resources if slowOperation completes before timeout elapses
-// 		return slowOperation(ctx)
-// 	}
+//	func slowOperationWithTimeout(ctx context.Context) (Result, error) {
+//		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+//		defer cancel()  // releases resources if slowOperation completes before timeout elapses
+//		return slowOperation(ctx)
+//	}
 func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
 	return WithDeadline(parent, time.Now().Add(timeout))
 }

vendor/golang.org/x/net/icmp/listen_posix.go

@@ -29,6 +29,7 @@ const sysIP_STRIPHDR = 0x17 // for now only darwin supports this option
 // Currently only Darwin and Linux support this.
 //
 // Examples:
+//
 //	ListenPacket("udp4", "192.168.0.1")
 //	ListenPacket("udp4", "0.0.0.0")
 //	ListenPacket("udp6", "fe80::1%en0")
@@ -38,6 +39,7 @@ const sysIP_STRIPHDR = 0x17 // for now only darwin supports this option
 // followed by a colon and an ICMP protocol number or name.
 //
 // Examples:
+//
 //	ListenPacket("ip4:icmp", "192.168.0.1")
 //	ListenPacket("ip4:1", "0.0.0.0")
 //	ListenPacket("ip6:ipv6-icmp", "fe80::1%en0")

vendor/golang.org/x/net/icmp/listen_stub.go

@@ -16,6 +16,7 @@ package icmp
 // Currently only Darwin and Linux support this.
 //
 // Examples:
+//
 //	ListenPacket("udp4", "192.168.0.1")
 //	ListenPacket("udp4", "0.0.0.0")
 //	ListenPacket("udp6", "fe80::1%en0")
@@ -25,6 +26,7 @@ package icmp
 // followed by a colon and an ICMP protocol number or name.
 //
 // Examples:
+//
 //	ListenPacket("ip4:icmp", "192.168.0.1")
 //	ListenPacket("ip4:1", "0.0.0.0")
 //	ListenPacket("ip6:ipv6-icmp", "fe80::1%en0")

vendor/golang.org/x/net/internal/socket/rawconn_msg.go

@@ -8,22 +8,21 @@
 package socket
 
 import (
+	"net"
 	"os"
 )
 
 func (c *Conn) recvMsg(m *Message, flags int) error {
 	m.raceWrite()
-	var h msghdr
-	vs := make([]iovec, len(m.Buffers))
-	var sa []byte
-	if c.network != "tcp" {
-		sa = make([]byte, sizeofSockaddrInet6)
-	}
-	h.pack(vs, m.Buffers, m.OOB, sa)
-	var operr error
-	var n int
+	var (
+		operr     error
+		n         int
+		oobn      int
+		recvflags int
+		from      net.Addr
+	)
 	fn := func(s uintptr) bool {
-		n, operr = recvmsg(s, &h, flags)
+		n, oobn, recvflags, from, operr = recvmsg(s, m.Buffers, m.OOB, flags, c.network)
 		return ioComplete(flags, operr)
 	}
 	if err := c.c.Read(fn); err != nil {
@@ -32,34 +31,21 @@ func (c *Conn) recvMsg(m *Message, flags int) error {
 	if operr != nil {
 		return os.NewSyscallError("recvmsg", operr)
 	}
-	if c.network != "tcp" {
-		var err error
-		m.Addr, err = parseInetAddr(sa[:], c.network)
-		if err != nil {
-			return err
-		}
-	}
+	m.Addr = from
 	m.N = n
-	m.NN = h.controllen()
-	m.Flags = h.flags()
+	m.NN = oobn
+	m.Flags = recvflags
 	return nil
 }
 
 func (c *Conn) sendMsg(m *Message, flags int) error {
 	m.raceRead()
-	var h msghdr
-	vs := make([]iovec, len(m.Buffers))
-	var sa []byte
-	if m.Addr != nil {
-		var a [sizeofSockaddrInet6]byte
-		n := marshalInetAddr(m.Addr, a[:])
-		sa = a[:n]
-	}
-	h.pack(vs, m.Buffers, m.OOB, sa)
-	var operr error
-	var n int
+	var (
+		operr error
+		n     int
+	)
 	fn := func(s uintptr) bool {
-		n, operr = sendmsg(s, &h, flags)
+		n, operr = sendmsg(s, m.Buffers, m.OOB, m.Addr, flags)
 		return ioComplete(flags, operr)
 	}
 	if err := c.c.Write(fn); err != nil {

vendor/golang.org/x/net/internal/socket/sys_stub.go

@@ -36,11 +36,11 @@ func setsockopt(s uintptr, level, name int, b []byte) error {
 	return errNotImplemented
 }
 
-func recvmsg(s uintptr, h *msghdr, flags int) (int, error) {
-	return 0, errNotImplemented
+func recvmsg(s uintptr, buffers [][]byte, oob []byte, flags int, network string) (n, oobn int, recvflags int, from net.Addr, err error) {
+	return 0, 0, 0, nil, errNotImplemented
 }
 
-func sendmsg(s uintptr, h *msghdr, flags int) (int, error) {
+func sendmsg(s uintptr, buffers [][]byte, oob []byte, to net.Addr, flags int) (int, error) {
 	return 0, errNotImplemented
 }
 

vendor/golang.org/x/net/internal/socket/sys_unix.go

@@ -8,8 +8,10 @@
 package socket
 
 import (
-	"syscall"
+	"net"
 	"unsafe"
+
+	"golang.org/x/sys/unix"
 )
 
 //go:linkname syscall_getsockopt syscall.getsockopt
@@ -18,12 +20,6 @@ func syscall_getsockopt(s, level, name int, val unsafe.Pointer, vallen *uint32)
 //go:linkname syscall_setsockopt syscall.setsockopt
 func syscall_setsockopt(s, level, name int, val unsafe.Pointer, vallen uintptr) error
 
-//go:linkname syscall_recvmsg syscall.recvmsg
-func syscall_recvmsg(s int, msg *syscall.Msghdr, flags int) (int, error)
-
-//go:linkname syscall_sendmsg syscall.sendmsg
-func syscall_sendmsg(s int, msg *syscall.Msghdr, flags int) (int, error)
-
 func getsockopt(s uintptr, level, name int, b []byte) (int, error) {
 	l := uint32(len(b))
 	err := syscall_getsockopt(int(s), level, name, unsafe.Pointer(&b[0]), &l)
@@ -34,10 +30,93 @@ func setsockopt(s uintptr, level, name int, b []byte) error {
 	return syscall_setsockopt(int(s), level, name, unsafe.Pointer(&b[0]), uintptr(len(b)))
 }
 
-func recvmsg(s uintptr, h *msghdr, flags int) (int, error) {
-	return syscall_recvmsg(int(s), (*syscall.Msghdr)(unsafe.Pointer(h)), flags)
+func recvmsg(s uintptr, buffers [][]byte, oob []byte, flags int, network string) (n, oobn int, recvflags int, from net.Addr, err error) {
+	var unixFrom unix.Sockaddr
+	n, oobn, recvflags, unixFrom, err = unix.RecvmsgBuffers(int(s), buffers, oob, flags)
+	if unixFrom != nil {
+		from = sockaddrToAddr(unixFrom, network)
+	}
+	return
 }
 
-func sendmsg(s uintptr, h *msghdr, flags int) (int, error) {
-	return syscall_sendmsg(int(s), (*syscall.Msghdr)(unsafe.Pointer(h)), flags)
+func sendmsg(s uintptr, buffers [][]byte, oob []byte, to net.Addr, flags int) (int, error) {
+	var unixTo unix.Sockaddr
+	if to != nil {
+		unixTo = addrToSockaddr(to)
+	}
+	return unix.SendmsgBuffers(int(s), buffers, oob, unixTo, flags)
+}
+
+// addrToSockaddr converts a net.Addr to a unix.Sockaddr.
+func addrToSockaddr(a net.Addr) unix.Sockaddr {
+	var (
+		ip   net.IP
+		port int
+		zone string
+	)
+	switch a := a.(type) {
+	case *net.TCPAddr:
+		ip = a.IP
+		port = a.Port
+		zone = a.Zone
+	case *net.UDPAddr:
+		ip = a.IP
+		port = a.Port
+		zone = a.Zone
+	case *net.IPAddr:
+		ip = a.IP
+		zone = a.Zone
+	default:
+		return nil
+	}
+
+	if ip4 := ip.To4(); ip4 != nil {
+		sa := unix.SockaddrInet4{Port: port}
+		copy(sa.Addr[:], ip4)
+		return &sa
+	}
+
+	if ip6 := ip.To16(); ip6 != nil && ip.To4() == nil {
+		sa := unix.SockaddrInet6{Port: port}
+		copy(sa.Addr[:], ip6)
+		if zone != "" {
+			sa.ZoneId = uint32(zoneCache.index(zone))
+		}
+		return &sa
+	}
+
+	return nil
+}
+
+// sockaddrToAddr converts a unix.Sockaddr to a net.Addr.
+func sockaddrToAddr(sa unix.Sockaddr, network string) net.Addr {
+	var (
+		ip   net.IP
+		port int
+		zone string
+	)
+	switch sa := sa.(type) {
+	case *unix.SockaddrInet4:
+		ip = make(net.IP, net.IPv4len)
+		copy(ip, sa.Addr[:])
+		port = sa.Port
+	case *unix.SockaddrInet6:
+		ip = make(net.IP, net.IPv6len)
+		copy(ip, sa.Addr[:])
+		port = sa.Port
+		if sa.ZoneId > 0 {
+			zone = zoneCache.name(int(sa.ZoneId))
+		}
+	default:
+		return nil
+	}
+
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+		return &net.TCPAddr{IP: ip, Port: port, Zone: zone}
+	case "udp", "udp4", "udp6":
+		return &net.UDPAddr{IP: ip, Port: port, Zone: zone}
+	default:
+		return &net.IPAddr{IP: ip, Zone: zone}
+	}
 }

vendor/golang.org/x/net/internal/socket/sys_windows.go

@@ -5,6 +5,7 @@
 package socket
 
 import (
+	"net"
 	"syscall"
 	"unsafe"
 
@@ -37,11 +38,11 @@ func setsockopt(s uintptr, level, name int, b []byte) error {
 	return syscall.Setsockopt(syscall.Handle(s), int32(level), int32(name), (*byte)(unsafe.Pointer(&b[0])), int32(len(b)))
 }
 
-func recvmsg(s uintptr, h *msghdr, flags int) (int, error) {
-	return 0, errNotImplemented
+func recvmsg(s uintptr, buffers [][]byte, oob []byte, flags int, network string) (n, oobn int, recvflags int, from net.Addr, err error) {
+	return 0, 0, 0, nil, errNotImplemented
 }
 
-func sendmsg(s uintptr, h *msghdr, flags int) (int, error) {
+func sendmsg(s uintptr, buffers [][]byte, oob []byte, to net.Addr, flags int) (int, error) {
 	return 0, errNotImplemented
 }
 

vendor/golang.org/x/net/internal/socket/sys_zos_s390x.go

@@ -5,6 +5,7 @@
 package socket
 
 import (
+	"net"
 	"syscall"
 	"unsafe"
 )
@@ -27,12 +28,39 @@ func setsockopt(s uintptr, level, name int, b []byte) error {
 	return errnoErr(errno)
 }
 
-func recvmsg(s uintptr, h *msghdr, flags int) (int, error) {
-	n, _, errno := syscall_syscall(syscall.SYS___RECVMSG_A, s, uintptr(unsafe.Pointer(h)), uintptr(flags))
-	return int(n), errnoErr(errno)
+func recvmsg(s uintptr, buffers [][]byte, oob []byte, flags int, network string) (n, oobn int, recvflags int, from net.Addr, err error) {
+	var h msghdr
+	vs := make([]iovec, len(buffers))
+	var sa []byte
+	if network != "tcp" {
+		sa = make([]byte, sizeofSockaddrInet6)
+	}
+	h.pack(vs, buffers, oob, sa)
+	sn, _, errno := syscall_syscall(syscall.SYS___RECVMSG_A, s, uintptr(unsafe.Pointer(&h)), uintptr(flags))
+	n = int(sn)
+	oobn = h.controllen()
+	recvflags = h.flags()
+	err = errnoErr(errno)
+	if network != "tcp" {
+		var err2 error
+		from, err2 = parseInetAddr(sa, network)
+		if err2 != nil && err == nil {
+			err = err2
+		}
+	}
+	return
 }
 
-func sendmsg(s uintptr, h *msghdr, flags int) (int, error) {
-	n, _, errno := syscall_syscall(syscall.SYS___SENDMSG_A, s, uintptr(unsafe.Pointer(h)), uintptr(flags))
+func sendmsg(s uintptr, buffers [][]byte, oob []byte, to net.Addr, flags int) (int, error) {
+	var h msghdr
+	vs := make([]iovec, len(buffers))
+	var sa []byte
+	if to != nil {
+		var a [sizeofSockaddrInet6]byte
+		n := marshalInetAddr(to, a[:])
+		sa = a[:n]
+	}
+	h.pack(vs, buffers, oob, sa)
+	n, _, errno := syscall_syscall(syscall.SYS___SENDMSG_A, s, uintptr(unsafe.Pointer(&h)), uintptr(flags))
 	return int(n), errnoErr(errno)
 }

vendor/golang.org/x/net/internal/socket/zsys_darwin_arm.go

@@ -1,30 +0,0 @@
-// Code generated by cmd/cgo -godefs; DO NOT EDIT.
-// cgo -godefs defs_darwin.go
-
-package socket
-
-type iovec struct {
-	Base *byte
-	Len  uint32
-}
-
-type msghdr struct {
-	Name       *byte
-	Namelen    uint32
-	Iov        *iovec
-	Iovlen     int32
-	Control    *byte
-	Controllen uint32
-	Flags      int32
-}
-
-type cmsghdr struct {
-	Len   uint32
-	Level int32
-	Type  int32
-}
-
-const (
-	sizeofIovec  = 0x8
-	sizeofMsghdr = 0x1c
-)

vendor/golang.org/x/net/internal/socket/zsys_freebsd_riscv64.go

@@ -1,11 +1,11 @@
 // Code generated by cmd/cgo -godefs; DO NOT EDIT.
-// cgo -godefs defs_darwin.go
+// cgo -godefs defs_freebsd.go
 
 package socket
 
 type iovec struct {
 	Base *byte
-	Len  uint32
+	Len  uint64
 }
 
 type msghdr struct {
@@ -25,6 +25,6 @@ type cmsghdr struct {
 }
 
 const (
-	sizeofIovec  = 0x8
-	sizeofMsghdr = 0x1c
+	sizeofIovec  = 0x10
+	sizeofMsghdr = 0x30
 )

vendor/golang.org/x/net/internal/socket/zsys_linux_ppc.go

@@ -4,32 +4,32 @@
 package socket
 
 type iovec struct {
-	Base	*byte
-	Len	uint32
+	Base *byte
+	Len  uint32
 }
 
 type msghdr struct {
-	Name		*byte
-	Namelen		uint32
-	Iov		*iovec
-	Iovlen		uint32
-	Control		*byte
-	Controllen	uint32
-	Flags		int32
+	Name       *byte
+	Namelen    uint32
+	Iov        *iovec
+	Iovlen     uint32
+	Control    *byte
+	Controllen uint32
+	Flags      int32
 }
 
 type mmsghdr struct {
-	Hdr	msghdr
-	Len	uint32
+	Hdr msghdr
+	Len uint32
 }
 
 type cmsghdr struct {
-	Len	uint32
-	Level	int32
-	Type	int32
+	Len   uint32
+	Level int32
+	Type  int32
 }
 
 const (
-	sizeofIovec	= 0x8
-	sizeofMsghdr	= 0x1c
+	sizeofIovec  = 0x8
+	sizeofMsghdr = 0x1c
 )

vendor/golang.org/x/net/ipv4/doc.go

@@ -16,8 +16,7 @@
 // 3376.
 // Source-specific multicast is defined in RFC 4607.
 //
-//
-// Unicasting
+// # Unicasting
 //
 // The options for unicasting are available for net.TCPConn,
 // net.UDPConn and net.IPConn which are created as network connections
@@ -51,8 +50,7 @@
 //		}(c)
 //	}
 //
-//
-// Multicasting
+// # Multicasting
 //
 // The options for multicasting are available for net.UDPConn and
 // net.IPConn which are created as network connections that use the
@@ -141,8 +139,7 @@
 //		}
 //	}
 //
-//
-// More multicasting
+// # More multicasting
 //
 // An application that uses PacketConn or RawConn may join multiple
 // multicast groups. For example, a UDP listener with port 1024 might
@@ -200,8 +197,7 @@
 //		// error handling
 //	}
 //
-//
-// Source-specific multicasting
+// # Source-specific multicasting
 //
 // An application that uses PacketConn or RawConn on IGMPv3 supported
 // platform is able to join source-specific multicast groups.

vendor/golang.org/x/net/ipv4/zsys_freebsd_riscv64.go

@@ -0,0 +1,52 @@
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+// cgo -godefs defs_freebsd.go
+
+package ipv4
+
+const (
+	sizeofSockaddrStorage = 0x80
+	sizeofSockaddrInet    = 0x10
+
+	sizeofIPMreq         = 0x8
+	sizeofIPMreqSource   = 0xc
+	sizeofGroupReq       = 0x88
+	sizeofGroupSourceReq = 0x108
+)
+
+type sockaddrStorage struct {
+	Len         uint8
+	Family      uint8
+	X__ss_pad1  [6]uint8
+	X__ss_align int64
+	X__ss_pad2  [112]uint8
+}
+
+type sockaddrInet struct {
+	Len    uint8
+	Family uint8
+	Port   uint16
+	Addr   [4]byte /* in_addr */
+	Zero   [8]uint8
+}
+
+type ipMreq struct {
+	Multiaddr [4]byte /* in_addr */
+	Interface [4]byte /* in_addr */
+}
+
+type ipMreqSource struct {
+	Multiaddr  [4]byte /* in_addr */
+	Sourceaddr [4]byte /* in_addr */
+	Interface  [4]byte /* in_addr */
+}
+
+type groupReq struct {
+	Interface uint32
+	Group     sockaddrStorage
+}
+
+type groupSourceReq struct {
+	Interface uint32
+	Group     sockaddrStorage
+	Source    sockaddrStorage
+}

vendor/golang.org/x/net/ipv6/doc.go

@@ -17,8 +17,7 @@
 // On Darwin, this package requires OS X Mavericks version 10.9 or
 // above, or equivalent.
 //
-//
-// Unicasting
+// # Unicasting
 //
 // The options for unicasting are available for net.TCPConn,
 // net.UDPConn and net.IPConn which are created as network connections
@@ -52,8 +51,7 @@
 //		}(c)
 //	}
 //
-//
-// Multicasting
+// # Multicasting
 //
 // The options for multicasting are available for net.UDPConn and
 // net.IPConn which are created as network connections that use the
@@ -140,8 +138,7 @@
 //		}
 //	}
 //
-//
-// More multicasting
+// # More multicasting
 //
 // An application that uses PacketConn may join multiple multicast
 // groups. For example, a UDP listener with port 1024 might join two
@@ -199,8 +196,7 @@
 //		// error handling
 //	}
 //
-//
-// Source-specific multicasting
+// # Source-specific multicasting
 //
 // An application that uses PacketConn on MLDv2 supported platform is
 // able to join source-specific multicast groups.

vendor/golang.org/x/net/ipv6/zsys_freebsd_riscv64.go

@@ -0,0 +1,64 @@
+// Code generated by cmd/cgo -godefs; DO NOT EDIT.
+// cgo -godefs defs_freebsd.go
+
+package ipv6
+
+const (
+	sizeofSockaddrStorage = 0x80
+	sizeofSockaddrInet6   = 0x1c
+	sizeofInet6Pktinfo    = 0x14
+	sizeofIPv6Mtuinfo     = 0x20
+
+	sizeofIPv6Mreq       = 0x14
+	sizeofGroupReq       = 0x88
+	sizeofGroupSourceReq = 0x108
+
+	sizeofICMPv6Filter = 0x20
+)
+
+type sockaddrStorage struct {
+	Len         uint8
+	Family      uint8
+	X__ss_pad1  [6]uint8
+	X__ss_align int64
+	X__ss_pad2  [112]uint8
+}
+
+type sockaddrInet6 struct {
+	Len      uint8
+	Family   uint8
+	Port     uint16
+	Flowinfo uint32
+	Addr     [16]byte /* in6_addr */
+	Scope_id uint32
+}
+
+type inet6Pktinfo struct {
+	Addr    [16]byte /* in6_addr */
+	Ifindex uint32
+}
+
+type ipv6Mtuinfo struct {
+	Addr sockaddrInet6
+	Mtu  uint32
+}
+
+type ipv6Mreq struct {
+	Multiaddr [16]byte /* in6_addr */
+	Interface uint32
+}
+
+type groupReq struct {
+	Interface uint32
+	Group     sockaddrStorage
+}
+
+type groupSourceReq struct {
+	Interface uint32
+	Group     sockaddrStorage
+	Source    sockaddrStorage
+}
+
+type icmpv6Filter struct {
+	Filt [8]uint32
+}

vendor/golang.org/x/oauth2/AUTHORS

@@ -1,3 +0,0 @@
-# This source code refers to The Go Authors for copyright purposes.
-# The master list of authors is in the main Go distribution,
-# visible at http://tip.golang.org/AUTHORS.

vendor/golang.org/x/oauth2/CONTRIBUTORS

@@ -1,3 +0,0 @@
-# This source code was written by the Go contributors.
-# The master list of contributors is in the main Go distribution,
-# visible at http://tip.golang.org/CONTRIBUTORS.

vendor/golang.org/x/xerrors/doc.go

@@ -5,7 +5,8 @@
 // Package xerrors implements functions to manipulate errors.
 //
 // This package is based on the Go 2 proposal for error values:
-//   https://golang.org/design/29934-error-values
+//
+//	https://golang.org/design/29934-error-values
 //
 // These functions were incorporated into the standard library's errors package
 // in Go 1.13:

vendor/golang.org/x/xerrors/fmt.go

@@ -33,6 +33,9 @@ const percentBangString = "%!"
 // It is invalid to include more than one %w verb or to supply it with an
 // operand that does not implement the error interface. The %w verb is otherwise
 // a synonym for %v.
+//
+// Note that as of Go 1.13, the fmt.Errorf function will do error formatting,
+// but it will not capture a stack backtrace.
 func Errorf(format string, a ...interface{}) error {
 	format = formatPlusW(format)
 	// Support a ": %[wsv]" suffix, which works well with xerrors.Formatter.

vendor/golang.org/x/xerrors/wrap.go

@@ -35,6 +35,8 @@ func (e noWrapper) FormatError(p Printer) (next error) {
 
 // Unwrap returns the result of calling the Unwrap method on err, if err implements
 // Unwrap. Otherwise, Unwrap returns nil.
+//
+// Deprecated: As of Go 1.13, use errors.Unwrap instead.
 func Unwrap(err error) error {
 	u, ok := err.(Wrapper)
 	if !ok {
@@ -47,6 +49,8 @@ func Unwrap(err error) error {
 //
 // An error is considered to match a target if it is equal to that target or if
 // it implements a method Is(error) bool such that Is(target) returns true.
+//
+// Deprecated: As of Go 1.13, use errors.Is instead.
 func Is(err, target error) bool {
 	if target == nil {
 		return err == target
@@ -77,6 +81,8 @@ func Is(err, target error) bool {
 //
 // The As method should set the target to its value and return true if err
 // matches the type to which target points.
+//
+// Deprecated: As of Go 1.13, use errors.As instead.
 func As(err error, target interface{}) bool {
 	if target == nil {
 		panic("errors: target cannot be nil")

vendor/gopkg.in/square/go-jose.v2/.travis.yml

@@ -8,8 +8,8 @@ matrix:
     - go: tip
 
 go:
-- '1.11.x'
-- '1.12.x'
+- '1.14.x'
+- '1.15.x'
 - tip
 
 go_import_path: gopkg.in/square/go-jose.v2

vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go

@@ -150,7 +150,7 @@ func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
 	return hmac.Sum(nil)[:ctx.authtagBytes]
 }
 
-// resize ensures the the given slice has a capacity of at least n bytes.
+// resize ensures that the given slice has a capacity of at least n bytes.
 // If the capacity of the slice is less than n, a new slice is allocated
 // and the existing data will be copied.
 func resize(in []byte, n uint64) (head, tail []byte) {

vendor/gopkg.in/square/go-jose.v2/crypter.go

@@ -216,6 +216,7 @@ func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *Encrypter
 
 	if opts != nil {
 		encrypter.compressionAlg = opts.Compression
+		encrypter.extraHeaders = opts.ExtraHeaders
 	}
 
 	for _, recipient := range rcpts {

vendor/gopkg.in/square/go-jose.v2/json/decode.go

@@ -13,6 +13,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"math"
 	"reflect"
 	"runtime"
 	"strconv"
@@ -245,6 +246,18 @@ func isValidNumber(s string) bool {
 	return s == ""
 }
 
+type NumberUnmarshalType int
+
+const (
+	// unmarshal a JSON number into an interface{} as a float64
+	UnmarshalFloat NumberUnmarshalType = iota
+	// unmarshal a JSON number into an interface{} as a `json.Number`
+	UnmarshalJSONNumber
+	// unmarshal a JSON number into an interface{} as a int64
+	// if value is an integer otherwise float64
+	UnmarshalIntOrFloat
+)
+
 // decodeState represents the state while decoding a JSON value.
 type decodeState struct {
 	data       []byte
@@ -252,7 +265,7 @@ type decodeState struct {
 	scan       scanner
 	nextscan   scanner // for calls to nextValue
 	savedError error
-	useNumber  bool
+	numberType NumberUnmarshalType
 }
 
 // errPhase is used for errors that should not happen unless
@@ -723,17 +736,38 @@ func (d *decodeState) literal(v reflect.Value) {
 	d.literalStore(d.data[start:d.off], v, false)
 }
 
-// convertNumber converts the number literal s to a float64 or a Number
-// depending on the setting of d.useNumber.
+// convertNumber converts the number literal s to a float64, int64 or a Number
+// depending on d.numberDecodeType.
 func (d *decodeState) convertNumber(s string) (interface{}, error) {
-	if d.useNumber {
+	switch d.numberType {
+
+	case UnmarshalJSONNumber:
 		return Number(s), nil
+	case UnmarshalIntOrFloat:
+		v, err := strconv.ParseInt(s, 10, 64)
+		if err == nil {
+			return v, nil
+		}
+
+		// tries to parse integer number in scientific notation
+		f, err := strconv.ParseFloat(s, 64)
+		if err != nil {
+			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
+		}
+
+		// if it has no decimal value use int64
+		if fi, fd := math.Modf(f); fd == 0.0 {
+			return int64(fi), nil
+		}
+		return f, nil
+	default:
+		f, err := strconv.ParseFloat(s, 64)
+		if err != nil {
+			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
+		}
+		return f, nil
 	}
-	f, err := strconv.ParseFloat(s, 64)
-	if err != nil {
-		return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
-	}
-	return f, nil
+
 }
 
 var numberType = reflect.TypeOf(Number(""))

vendor/gopkg.in/square/go-jose.v2/json/stream.go

@@ -31,9 +31,14 @@ func NewDecoder(r io.Reader) *Decoder {
 	return &Decoder{r: r}
 }
 
+// Deprecated: Use `SetNumberType` instead
 // UseNumber causes the Decoder to unmarshal a number into an interface{} as a
 // Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
+func (dec *Decoder) UseNumber() { dec.d.numberType = UnmarshalJSONNumber }
+
+// SetNumberType causes the Decoder to unmarshal a number into an interface{} as a
+// Number, float64 or int64 depending on `t` enum value.
+func (dec *Decoder) SetNumberType(t NumberUnmarshalType) { dec.d.numberType = t }
 
 // Decode reads the next JSON-encoded value from its
 // input and stores it in the value pointed to by v.

vendor/gopkg.in/square/go-jose.v2/jwk.go

@@ -238,7 +238,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 
 	if certPub != nil && keyPub != nil {
 		if !reflect.DeepEqual(certPub, keyPub) {
-			return errors.New("square/go-jose: invalid JWK, public keys in key and x5c fields to not match")
+			return errors.New("square/go-jose: invalid JWK, public keys in key and x5c fields do not match")
 		}
 	}
 
@@ -332,7 +332,7 @@ func (s *JSONWebKeySet) Key(kid string) []JSONWebKey {
 
 const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}`
 const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`
-const edThumbprintTemplate = `{"crv":"%s","kty":"OKP",x":"%s"}`
+const edThumbprintTemplate = `{"crv":"%s","kty":"OKP","x":"%s"}`
 
 func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
 	coordLength := curveSize(curve)
@@ -406,7 +406,7 @@ func (k *JSONWebKey) IsPublic() bool {
 	}
 }
 
-// Public creates JSONWebKey with corresponding publik key if JWK represents asymmetric private key.
+// Public creates JSONWebKey with corresponding public key if JWK represents asymmetric private key.
 func (k *JSONWebKey) Public() JSONWebKey {
 	if k.IsPublic() {
 		return *k

vendor/gopkg.in/square/go-jose.v2/opaque.go

@@ -17,7 +17,7 @@
 package jose
 
 // OpaqueSigner is an interface that supports signing payloads with opaque
-// private key(s). Private key operations preformed by implementors may, for
+// private key(s). Private key operations performed by implementers may, for
 // example, occur in a hardware module. An OpaqueSigner may rotate signing keys
 // transparently to the user of this interface.
 type OpaqueSigner interface {

vendor/gopkg.in/square/go-jose.v2/shared.go

@@ -183,7 +183,7 @@ type Header struct {
 	// Unverified certificate chain parsed from x5c header.
 	certificates []*x509.Certificate
 
-	// Any headers not recognised above get unmarshaled
+	// Any headers not recognised above get unmarshalled
 	// from JSON in a generic manner and placed in this map.
 	ExtraHeaders map[HeaderKey]interface{}
 }
@@ -295,12 +295,12 @@ func (parsed rawHeader) getAPV() (*byteBuffer, error) {
 	return parsed.getByteBuffer(headerAPV)
 }
 
-// getIV extracts parsed "iv" frpom the raw JSON.
+// getIV extracts parsed "iv" from the raw JSON.
 func (parsed rawHeader) getIV() (*byteBuffer, error) {
 	return parsed.getByteBuffer(headerIV)
 }
 
-// getTag extracts parsed "tag" frpom the raw JSON.
+// getTag extracts parsed "tag" from the raw JSON.
 func (parsed rawHeader) getTag() (*byteBuffer, error) {
 	return parsed.getByteBuffer(headerTag)
 }

vendor/modules.txt

@@ -16,7 +16,7 @@ github.com/beorn7/perks/quantile
 # github.com/cespare/xxhash/v2 v2.1.2
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/coreos/go-oidc/v3 v3.1.0
+# github.com/coreos/go-oidc/v3 v3.4.0
 ## explicit; go 1.14
 github.com/coreos/go-oidc/v3/oidc
 # github.com/davecgh/go-spew v1.1.1
@@ -105,7 +105,7 @@ golang.org/x/image/math/fixed
 # golang.org/x/mod v0.5.1
 ## explicit; go 1.17
 golang.org/x/mod/semver
-# golang.org/x/net v0.0.0-20220225172249-27dd8689420f
+# golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b
 ## explicit; go 1.17
 golang.org/x/net/bpf
 golang.org/x/net/context
@@ -115,8 +115,8 @@ golang.org/x/net/internal/iana
 golang.org/x/net/internal/socket
 golang.org/x/net/ipv4
 golang.org/x/net/ipv6
-# golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b
-## explicit; go 1.11
+# golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094
+## explicit; go 1.17
 golang.org/x/oauth2
 golang.org/x/oauth2/clientcredentials
 golang.org/x/oauth2/internal
@@ -143,11 +143,11 @@ golang.org/x/tools/internal/gocommand
 golang.org/x/tools/internal/packagesinternal
 golang.org/x/tools/internal/typeparams
 golang.org/x/tools/internal/typesinternal
-# golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-## explicit; go 1.11
+# golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f
+## explicit; go 1.17
 golang.org/x/xerrors
 golang.org/x/xerrors/internal
-# google.golang.org/appengine v1.6.6
+# google.golang.org/appengine v1.6.7
 ## explicit; go 1.11
 google.golang.org/appengine/internal
 google.golang.org/appengine/internal/base
@@ -192,7 +192,7 @@ gopkg.in/alexcesaro/quotedprintable.v3
 # gopkg.in/mail.v2 v2.3.1
 ## explicit
 gopkg.in/mail.v2
-# gopkg.in/square/go-jose.v2 v2.5.1
+# gopkg.in/square/go-jose.v2 v2.6.0
 ## explicit
 gopkg.in/square/go-jose.v2
 gopkg.in/square/go-jose.v2/cipher