Description

This PR updates our Okta SDK dependency to v4, so that we transitively remove a go-jose dependency CVE-2024-28180. (Old versions of go-jose are pulled in other places as well and tracked in the issue named by the branch; this seems to be the only one that requires code changes on our part.)

Unfortunately, to get rid of the <=v2.6.2 vulnerability, we had to move the okta-sdk to at least v3, which causes these breaking changes below. There didn't appear to be additional (relevant) changes between v3 and v4, so I moved to v4 directly. This version is still broken (hence, draft); I put it here so I can link it in various sustaining channels/threads.
TODO only if you're a HashiCorp employee

to N, N-1, and N-2, using the backport/ent/x.x.x+ent labels. If this PR is in the CE repo, you should only backport to N, using the backport/x.x.x label, not the enterprise labels.

in the PR description, commit message, or branch name.