deps: migrate jwt/xsync/errors libraries + add jwtutil helper (#1606)
Merged
xsync v4: MapOf is an alias for Map; the LoadOrCompute callback signature changed to return (V, bool), so existing call sites pass false as the cancel flag.

go-jose v4: jwt.ParseSigned now requires an explicit signature-algorithm allowlist (HS256, matching what we sign with), and Builder.CompactSerialize was renamed to Serialize. v4 also enforces RFC 7518's HMAC key-size minimum (HS256 ≥ 32 bytes); secrets issued via utils.RandomSecret already satisfy this, but any deployment using a custom shorter secret will now hit ErrInvalidKeySize.
boks1971 approved these changes (Jun 4, 2026)
go-jose v4 enforces RFC 7518's HMAC key-size minimum (HS256 requires
keys ≥ 32 bytes), which would break OSS deployments using short
secrets — including the livekit-server --dev default ("devkey":"secret").
golang-jwt/jwt/v5 does not enforce a minimum, preserving the previous
behavior.
The new combined tokenClaims struct embeds jwt.RegisteredClaims with
ClaimGrants so the on-wire payload is unchanged. A token leeway of one
minute is set to match go-jose's previous DefaultLeeway. Verify now
re-parses the raw token string (golang-jwt does not separate parsing
from signature verification), and its first return type changes from
*jose.Claims to *jwt.RegisteredClaims; all in-tree callers ignore that
return.
Reverts the test secret bumps from the previous commit since the
length requirement no longer applies.
pkg/errors was unmaintained since 2021 and stdlib errors + fmt.Errorf %w covers our (wrap-only) usage. Removed from redis/redis.go and observability/egressobs/egress.go.

go.uber.org/atomic moves to sync/atomic, which gained generic typed values in Go 1.19+. Most call sites are straightforward import swaps plus s/.Inc()/.Add(1)/. atomic.NewUint64(0) becomes var ... atomic.Uint64.

Three stdlib gaps required local wrappers:
- configutil.AtomicFloat32/Float64 (Uint32/Uint64 + math.Floatbits)
- configutil.AtomicDuration (Int64)
- configutil.AtomicString, AtomicTime (atomic.Pointer)
- utils/hwstats/cpu.go uses a private atomicFloat64 with the same trick

go.uber.org/atomic remains an indirect dep via backend-common; protocol no longer pulls it directly.

This is a breaking change for callers of configutil.NewAtomic* helpers that named the returned type explicitly: uber.org/atomic.Bool returns become sync/atomic.Bool, and Float32/Float64/String/Duration/Time returns become *configutil.Atomic<T> wrappers.
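The "Uint64 + math.Float64bits" wrapper the commit message describes for configutil.AtomicFloat64 (later reverted), as an added illustrative example rather than the project's code: the AtomicFloat64 type and its method names are assumptions, and Add and SumConcurrently are added on top to show the compare-and-swap retry loop such a wrapper needs, since sync/atomic has no float add primitive.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"sync/atomic"
)

// AtomicFloat64 keeps a float64 inside an atomic.Uint64 by storing its bit
// pattern (math.Float64bits / math.Float64frombits). Illustrative reconstruction
// of the trick described in the commit message, not the project's own type.
type AtomicFloat64 struct{ bits atomic.Uint64 }

func (a *AtomicFloat64) Load() float64   { return math.Float64frombits(a.bits.Load()) }
func (a *AtomicFloat64) Store(v float64) { a.bits.Store(math.Float64bits(v)) }

// CompareAndSwap compares bit patterns, not float values: -0 and +0 have
// different bits, and a stored NaN only matches the identical NaN bit pattern.
func (a *AtomicFloat64) CompareAndSwap(old, next float64) bool {
	return a.bits.CompareAndSwap(math.Float64bits(old), math.Float64bits(next))
}

// Add has no single-instruction float equivalent, so it is a CAS retry loop:
// read the current bits, compute the new value, and retry if another goroutine
// won the race in between.
func (a *AtomicFloat64) Add(delta float64) float64 {
	for {
		old := a.bits.Load()
		next := math.Float64frombits(old) + delta
		if a.bits.CompareAndSwap(old, math.Float64bits(next)) {
			return next
		}
	}
}

// SumConcurrently drives Add from g goroutines, n times each, and returns the
// final value; with a delta that is exactly representable the result is exact.
func SumConcurrently(g, n int, delta float64) float64 {
	var f AtomicFloat64
	var wg sync.WaitGroup
	for i := 0; i < g; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := 0; j < n; j++ {
				f.Add(delta)
			}
		}()
	}
	wg.Wait()
	return f.Load()
}

func main() {
	fmt.Println(SumConcurrently(8, 1000, 0.5))
}
```

The bit-pattern semantics of CompareAndSwap are the caveat worth remembering when such a wrapper is exposed from a public package: a caller that stored -0 and then tries to swap on 0 will never succeed, which is the kind of surprise the follow-up revert cites against carrying these shims in the configutil API.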
biglittlebigben approved these changes (Jun 4, 2026)
The stdlib sync/atomic migration was reverted because:
- sync/atomic lacks Float32/Float64/String/Duration/Time types, requiring shim types around bit-packing or atomic.Pointer that complicate the configutil public API and don't carry their weight at this scale.
- configutil.NewAtomic* return-type changes cascade as breaking changes across all downstream consumers.

pkg/errors → stdlib stays. jwt and xsync upgrades stay.
Restores the convenience that go-jose's JSONWebKeySet provided when picking the right key from a set during verification, which golang-jwt/jwt/v5 leaves to the caller. The new utils/jwtutil package wraps the manual kid lookup + WithValidMethods enforcement that has to repeat at every signer/verifier site otherwise. Also fixes a stale ST1005 (capitalized error string) in redis/redis.go that surfaced after the pkg/errors → stdlib swap.
Direct deps bumped:
- hashicorp/go-retryablehttp 0.7.7 -> 0.7.8
- mackerelio/go-osstat 0.2.5 -> 0.2.7
- maxbrunsfeld/counterfeiter/v6 v6.11.1 -> v6.12.2
- nyaruka/phonenumbers v1.6.5 -> v1.8.0
- prometheus/client_golang 1.22.0 -> 1.23.2
- prometheus/procfs 0.16.1 -> 0.20.1
- otel/exporters/otlp/otlptrace/otlptracehttp + sdk 1.43.0 -> 1.44.0

No newer major versions actionable. phonenumbers v2.0.0-rc1 exists but is release-candidate only. twitchtv/twirp v8.1.3+incompatible stays (upstream has no module-aware path).
Verifies that compact JWTs produced by jwtutil's HMACKeySet are still readable by go-jose v4 consumers, and vice versa, after the switch from go-jose/v4 to golang-jwt/jwt/v5. go-jose/v4 is added as a test-only dependency; the 32-byte key satisfies its HS256 minimum.
pion/sctp v1.10.0 (and the paired pion/webrtc/v4 v4.2.14 that needs its new API) causes a regression in livekit-server's TestDataPublishSlowSubscriber. Pinning here so downstream consumers pick the safe versions via MVS.
Summary

Source-level migration off three unmaintained / breaking-changed deps, plus an internal helper to insulate downstream consumers from JWT library churn.

- auth/accesstoken.go, auth/verifier.go, tests). Took a brief detour through go-jose/v4 (4ec1794) before switching to golang-jwt (878cf9b) because go-jose/v4 enforces an HS256 >=32-byte secret minimum that breaks the OSS livekit-server --dev default. golang-jwt/v5 matches v3's permissive behavior and is ~18x more popular.
- MapOf is now an alias for Map; LoadOrCompute callback signature changed to func() (V, bool) (the new bool is "cancel").
- errors/fmt.Errorf %w (b6c88bd). Also dropped go.uber.org/atomic in the same commit, then reverted (ab1b54f) when it produced ABI friction with downstream cloud-protocol struct fields.
- utils/jwtutil (29568b8) — new package wrapping *jwt.Parser + an HMACKeySet for kid-based key rotation, so cloud-protocol/s2sa and other consumers don't each re-implement the verifier.
- go get -u sweep + counterfeiter v6.12.2 (a7a83da).

Downstream impact

auth.APIKeyTokenVerifier internals changed (no longer holds a *jose.JSONWebToken); public API is unchanged. utils/jwtutil is the new recommended way to verify JWTs against a rotated key set; cloud-protocol's worker token provider already consumes it.

Test plan

go build ./...
go test ./... (modulo pre-existing Docker/Postgres/AWS-creds-gated tests)
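The kid-based key lookup and algorithm allowlist that utils/jwtutil wraps (described in the 29568b8 commit message and under Downstream impact above), together with the sign/verify round trip the interop commit exercises, as an added stand-alone Go example that is not the project's code: it reimplements HS256 compact JWT signing and verification on the standard library alone instead of calling golang-jwt/jwt/v5, so HMACKeySet, Claims, the error values and the enforceMinSize switch are assumptions of this example rather than jwtutil's API. The alg check stands in for jwt.WithValidMethods, the 32-byte check reproduces the go-jose v4 behaviour the PR routed around, and the leeway constant is the one-minute value the PR sets to match go-jose's DefaultLeeway.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an assumed minimal stand-in for the registered claims the PR's tokenClaims embeds.
type Claims struct {
	Subject string `json:"sub,omitempty"`
	Exp     int64  `json:"exp,omitempty"`
}

const MinHS256KeyBytes = 32  // RFC 7518 minimum that go-jose v4 enforces
const Leeway = time.Minute   // the one-minute leeway the PR sets to match go-jose's DefaultLeeway

var (
	ErrInvalidKeySize = errors.New("HS256 key shorter than 32 bytes")
	ErrAlgNotAllowed  = errors.New("token alg not in allowlist")
	ErrUnknownKid     = errors.New("no key for kid")
	ErrBadSignature   = errors.New("signature mismatch")
	ErrExpired        = errors.New("token expired")
	ErrMalformed      = errors.New("malformed compact token")
)

// HMACKeySet maps kid -> HS256 secret (assumed shape for this example, not jwtutil's own API).
type HMACKeySet struct{ keys map[string][]byte }

// NewHMACKeySet rejects short keys like go-jose v4 when enforceMinSize is set; otherwise it is as permissive as golang-jwt/jwt/v5.
func NewHMACKeySet(keys map[string][]byte, enforceMinSize bool) (*HMACKeySet, error) {
	ks := &HMACKeySet{keys: map[string][]byte{}}
	for kid, k := range keys {
		if enforceMinSize && len(k) < MinHS256KeyBytes {
			return nil, fmt.Errorf("kid %q: %w", kid, ErrInvalidKeySize)
		}
		ks.keys[kid] = append([]byte(nil), k...)
	}
	return ks, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func hs256(key []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Sign emits a compact JWS whose header names the kid used, so Verify can pick the key.
func (ks *HMACKeySet) Sign(kid string, c Claims) (string, error) {
	key, ok := ks.keys[kid]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrUnknownKid, kid)
	}
	h, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": kid})
	p, _ := json.Marshal(c)
	in := b64(h) + "." + b64(p)
	return in + "." + b64(hs256(key, in)), nil
}

// Verify checks the alg allowlist before anything else (so a header naming "none" or an
// asymmetric alg never reaches key lookup), resolves the kid, compares the MAC in constant time, then exp with leeway.
func (ks *HMACKeySet) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var h map[string]any
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &h) != nil {
		return nil, ErrMalformed
	}
	if h["alg"] != "HS256" { // stdlib analogue of jwt.WithValidMethods([]string{"HS256"})
		return nil, fmt.Errorf("%w: %v", ErrAlgNotAllowed, h["alg"])
	}
	kid, _ := h["kid"].(string)
	key, ok := ks.keys[kid]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrUnknownKid, kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return nil, ErrBadSignature
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, ErrMalformed
	}
	if c.Exp != 0 && now.After(time.Unix(c.Exp, 0).Add(Leeway)) {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	ks, _ := NewHMACKeySet(map[string][]byte{"2026-06": []byte("0123456789abcdef0123456789abcdef")}, true) // constructed demo key
	tok, _ := ks.Sign("2026-06", Claims{Subject: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(ks.Verify(tok, time.Now()))
}
```

The order of checks in Verify is the point the helper centralises: the algorithm is pinned before the kid is trusted and before any key material is touched, which is what WithValidMethods gives golang-jwt callers and what every signer/verifier site would otherwise have to repeat. Rotation works because old kids stay in the set until their tokens have expired; NewHMACKeySet with enforceMinSize=false is the permissive golang-jwt behaviour the PR kept for the --dev default, and a deployment that wants go-jose's stricter check can turn it on.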