Is github.com/square/go-jose safe to use?

github.com/square/go-jose has 4 known vulnerabilities on the latest version (v2.6.0+incompatible). DepScope rates its health at 41/100 (high risk).

What is the latest version of github.com/square/go-jose?

The latest version of github.com/square/go-jose is v2.6.0+incompatible, released 2021-05-29.

Yes. github.com/square/go-jose has 4 known vulnerabilities. See depscope.dev/pkg/go/github.com/square/go-jose for details.

No, github.com/square/go-jose is actively maintained. Latest release: v2.6.0+incompatible (2021-05-29).

DepScope has no curated alternatives for github.com/square/go-jose at this time.

github.com/square/go-jose is licensed under Apache-2.0.

govv2.6.0+incompatible

An implementation of JOSE standards (JWE, JWS, JWT) in Go

License Apache-2.0permissive31 versions55 maintainers0 deps1,959 weekly dl

/ 100

Health

safe to use

github.com/square/[email protected]+incompatible is safe to use (health: 41/100)

Update to >= 4.0.5 to fix known vulnerabilities

Health breakdown0 – 100

0/25

maintenance

6/20

popularity

23/25

security

12/15

maturity

0/15

community

Vulnerabilities

1 medium3 low

Advisories (4)

Severity	ID	Summary	Fixed in
medium	GO-2023-2334	Decryption of malicious PBES2 JWE objects can consume unbounded system resources	2.6.2
unknown	CVE-2016-9123	Integer overflow in github.com/square/go-jose	0.0.0-20160903044734-789a4c4bd4c1
unknown	GHSA-2c7c-3mj9-8fqh	Denial of service via decryption of malicious PBES2 JWE objects in github.com/go-jose/go-jose/v3	3.0.1
unknown	CVE-2025-27144	DoS in go-jose Parsing in github.com/go-jose/go-jose	4.0.5

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/github.com/square/go-jose

Last updated · 2021-05-29T01:40:59Z