security: patch gateway packages

services/gateway/Dockerfile

@@ -1,5 +1,5 @@
 # -------- DEPENDENCIES -------- #
-FROM golang:1.18.3-stretch as build
+FROM golang:1.20.2-buster as build
 
 ADD go.mod /src/go.mod
 ADD go.sum /src/go.sum
@@ -16,7 +16,7 @@ RUN go build -o entry \
 RUN go build -o hcheck "tweek-gateway/healthcheck"
 
 # ------ REGO TESTS ------ #
-FROM golang:1.18.3-stretch as regotests
+FROM golang:1.20.2-buster as regotests
 
 RUN curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.8.2/opa_linux_amd64
 RUN chmod u+x opa

services/gateway/go.mod

@@ -1,66 +1,69 @@
 module tweek-gateway
 
-go 1.18
+go 1.20
 
 require (
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/gorilla/mux v1.8.0
 	github.com/jinzhu/configor v1.2.1
-	github.com/joonix/log v0.0.0-20180502111528-d2d3f2f4a806
-	github.com/lestrrat-go/jwx v1.2.0
+	github.com/joonix/log v0.0.0-20230221083239-7988383bab32
+	github.com/lestrrat-go/jwx v1.2.25
 	github.com/minio/minio-go v6.0.14+incompatible
-	github.com/nats-io/nats.go v1.10.0
-	github.com/open-policy-agent/opa v0.28.0
-	github.com/prometheus/client_golang v1.10.0
-	github.com/rs/cors v1.7.0
+	github.com/nats-io/nats.go v1.24.0
+	github.com/open-policy-agent/opa v0.50.0
+	github.com/prometheus/client_golang v1.14.0
+	github.com/rs/cors v1.8.3
 	github.com/sirupsen/logrus v1.9.0
 	github.com/urfave/negroni v1.0.0
-	github.com/vulcand/oxy v1.3.0
-	golang.org/x/crypto v0.3.0
-	google.golang.org/protobuf v1.25.0 // indirect
-	gopkg.in/h2non/gock.v1 v1.0.16
+	github.com/vulcand/oxy v1.4.2
+	golang.org/x/crypto v0.7.0
+	google.golang.org/protobuf v1.30.0 // indirect
+	gopkg.in/h2non/gock.v1 v1.1.2
 )
 
+require github.com/golang-jwt/jwt/v5 v5.0.0-rc.1
+
 require (
-	github.com/BurntSushi/toml v0.3.1 // indirect
+	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytecodealliance/wasmtime-go v0.26.0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.1 // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-ini/ini v1.57.0 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-json v0.4.8 // indirect
-	github.com/golang/protobuf v1.4.3 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
-	github.com/gravitational/trace v1.1.11 // indirect
+	github.com/goccy/go-json v0.10.1 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/gravitational/trace v1.2.1 // indirect
 	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
-	github.com/jonboulle/clockwork v0.2.0 // indirect
-	github.com/lestrrat-go/backoff/v2 v2.0.7 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
-	github.com/lestrrat-go/httpcc v1.0.0 // indirect
-	github.com/lestrrat-go/iter v1.0.1 // indirect
-	github.com/lestrrat-go/option v1.0.0 // indirect
-	github.com/mailgun/multibuf v0.0.0-20150714184110-565402cd71fb // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/jonboulle/clockwork v0.3.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/mailgun/multibuf v0.2.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/nats-io/jwt v1.0.1 // indirect
-	github.com/nats-io/nkeys v0.2.0 // indirect
+	github.com/nats-io/nats-server/v2 v2.9.8 // indirect
+	github.com/nats-io/nkeys v0.3.0 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.18.0 // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
-	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
-	github.com/vulcand/predicate v1.1.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/vulcand/predicate v1.2.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
-	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/term v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
-	gopkg.in/ini.v1 v1.60.0 // indirect
-	gopkg.in/yaml.v2 v2.3.0 // indirect
+	github.com/yashtewari/glob-intersection v0.1.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/term v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
+	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )