fix(deps): update go deps to v4 (major) #848

@renovate renovate bot commented Oct 11, 2024

This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/go-jose/go-jose/v3 | v3.0.3 -> v4.0.4 |
| github.com/pion/webrtc/v3 | v3.2.28 -> v4.0.1 |

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.0.4

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
    breaking change. See #136 / #137.

v4.0.3

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
  • Dependency updates

v4.0.2

Changed

  • Improved documentation of Verify() to note that JSONWebKeySet is a supported
    argument type (#104)
  • Defined exported error values for missing x5c header and unsupported elliptic
    curves error cases (#117)

v4.0.1

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
    for reporting.

v4.0.0

This release makes some breaking changes in order to more thoroughly
address the vulnerabilities discussed in Three New Attacks Against JSON Web
Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#78)
  • Enforce minimum length for HMAC keys (#85)
  • jwt: match any audience in a list, rather than requiring all audiences (#81)
  • jwt: accept only Compact Serialization (#75)
  • jws: Add expected algorithms for signatures (#74)
  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#69, #74)
    • Usually there is a small, known set of appropriate algorithms for a program
      to use and it's a mistake to allow unexpected algorithms. For instance the
      "billion hash attack" relies in part on programs accepting the PBES2
      encryption algorithm and doing the necessary work even if they weren't
      specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#82)
    • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and
      ParseEncrypted, which try to automatically detect which serialization was
      provided. It's common to require a specific serialization for a specific
      protocol - for instance JWT requires Compact serialization.

pion/webrtc (github.com/pion/webrtc/v3)

v4.0.1

What's Changed

Full Changelog: pion/webrtc@v4.0.0...v4.0.1

v4.0.0

Changelog

  • 3f1622a Add v4 Release Notes to README
  • bb41f23 Don't use JitterBuffer in SampleBuilder
  • dc1f8ff Add ice transport api to get selected pair stats

v3.3.4

Changelog

  • 90222f6 Update ICE version
  • c3c7178 Add ice transport api to get selected pair stats

v3.3.3

Changelog

v3.3.2

Changelog

  • 8bf9954 Return object including stat id for selected pair

v3.3.1

Changelog
  • f99d4ed Don't reuse transceiver in one round negotiation
  • 540af5b Prevent ICETransport start/stop deadlock
  • 6ac4b71 Fix concurrent pc.GracefulClose

v3.3.0

New Feature

peerconnection.SCTPTransport now provides an OnClose callback that can be used to detect remote peer connection close similar to the OnError callback.

What's Changed

Full Changelog: pion/webrtc@v3.2.51...v3.3.0

v3.2.51

What's Changed

Full Changelog: pion/webrtc@v3.2.50...v3.2.51

v3.2.50

Changelog
  • 2364173 Fix out-of-order twcc fb caused by rtx blocked
  • 69cd4e4 Close unhandled rtcp simulcast streams
  • a598bab Bump ice to v2.3.31

v3.2.49

Changelog
  • 5437ff5 Added support for SRTP_NULL_HMAC_SHA1_80 cipher

v3.2.48

Changelog
  • bd3aaae Fix TestPeerConnection_Simulcast
  • af63d2b Properly handle non-media probes
  • 482d9eb Updated pion modules to latest versions
  • 48cfc63 Hold pc.mu while populating local candidates

v3.2.47

Changelog
  • 7407903 Match header extensions to remote media sections

v3.2.46

Changelog

v3.2.45

Changelog

v3.2.44

What's Changed

Full Changelog: pion/webrtc@v3.2.43...v3.2.44

v3.2.43

What's Changed

Full Changelog: pion/webrtc@v3.2.42...v3.2.43

v3.2.42

Changelog
  • 43a6a69 Reset state machine after negotiationNeededOp

v3.2.41

What's Changed

Full Changelog: pion/webrtc@v3.2.40...v3.2.41

v3.2.40

Changelog
  • 7cad104 Update module github.com/pion/ice/v2 to v2.3.24

v3.2.39

Changelog
  • e7cf3ba Update RtxSSRC for simulcast track remote

v3.2.38

Changelog
  • 7be0482 Update module github.com/pion/sctp to v1.8.16
  • 9d76240 Update module github.com/pion/ice/v2 to v2.3.15

v3.2.37

Changelog

  • a43143e Add padding support to TrackLocalStaticSample

v3.2.36

Changelog

  • 2f0fe93 Declare Go 1.17 as minimum version

v3.2.35

Changelog

  • f53f0a9 Update github.com/pion/transport/v2 to v2.2.4
  • c1e5386 Declare Go 1.19 as minimum version

v3.2.34

Changelog

  • cb8ab4a Update github.com/pion/sctp to v1.8.14

v3.2.33

Changelog

v3.2.32

Changelog

  • 4c25aa6 Include msid-semantic in Session Attributes

v3.2.31

Changelog

  • b84753e Update github.com/pion/rtp to v1.8.5

v3.2.30

Changelog

  • 10dca09 Update github.com/pion/sdp/v3 to v3.0.9
  • de2e7b7 Put SCTP Zero Checksum behind SettingEngine
  • 39919d7 SampleBuilder: Deprecate PopWithTimestamp

v3.2.29

Changelog

  • 0b447fd Update module github.com/pion/sdp to v3.0.8

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.
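
The go-jose v4.0.0 notes above require callers to name their expected algorithms and to accept only compact serialization with unpadded base64url. The following is an added illustration of those three checks using only the Go standard library; it is not go-jose's code or part of this PR, and `checkCompactJWS` and the error names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var ( // error names are hypothetical, chosen for this example
	ErrNotCompact    = errors.New("not a three-part compact JWS")
	ErrPadding       = errors.New("base64url padding is not allowed")
	ErrUnexpectedAlg = errors.New("unexpected signature algorithm")
)

// checkCompactJWS is a gate that runs before any key material is used: compact
// form only, no padding, and "alg" must be in expected. It verifies no signature.
func checkCompactJWS(token string, expected []string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { // JSON serialization and five-part JWE end up here
		return "", ErrNotCompact
	}
	if strings.Contains(token, "=") {
		return "", ErrPadding
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("header: %w", err)
	}
	for _, a := range expected {
		if hdr.Alg == a {
			return hdr.Alg, nil
		}
	}
	return "", fmt.Errorf("%w: %q", ErrUnexpectedAlg, hdr.Alg)
}

func main() {
	// Constructed, unsigned token whose header claims HS256.
	tok := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256"}`)) + ".e30.c2ln"
	fmt.Println(checkCompactJWS(tok, []string{"ES256"}))
}
```

A service that only ever issues ES256 tokens passes `[]string{"ES256"}`, so a token whose header names HS256 or `none` is rejected before any key is consulted.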

renovate bot commented Oct 11, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 16 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/pion/sdp/v3 | v3.0.6 -> v3.0.9 |
| github.com/pion/datachannel | v1.5.5 -> v1.5.9 |
| github.com/pion/dtls/v2 | v2.2.7 -> v2.2.12 |
| github.com/pion/ice/v2 | v2.3.13 -> v2.3.36 |
| github.com/pion/interceptor | v0.1.25 -> v0.1.37 |
| github.com/pion/rtcp | v1.2.12 -> v1.2.14 |
| github.com/pion/rtp | v1.8.3 -> v1.8.9 |
| github.com/pion/sctp | v1.8.12 -> v1.8.33 |
| github.com/pion/srtp/v2 | v2.0.18 -> v2.0.20 |
| github.com/pion/transport/v2 | v2.2.3 -> v2.2.10 |
| github.com/pion/turn/v2 | v2.1.3 -> v2.1.6 |
| golang.org/x/crypto | v0.25.0 -> v0.28.0 |
| golang.org/x/net | v0.27.0 -> v0.29.0 |
| golang.org/x/sync | v0.7.0 -> v0.8.0 |
| golang.org/x/sys | v0.22.0 -> v0.26.0 |
| golang.org/x/text | v0.16.0 -> v0.19.0 |

changeset-bot bot commented Oct 11, 2024

⚠️ No Changeset found

Latest commit: 5f826ff

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

💥 An error occurred when fetching the changed packages and changesets in this PR
Some errors occurred when validating the changesets config:
The package or glob expression "github.com/livekit/protocol" specified in the `fixed` option does not match any package in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.

@renovate renovate bot changed the title Update go deps to v4 (major) fix(deps): update go deps to v4 (major) Oct 15, 2024
Generated by renovateBot