fix(deps): update module github.com/golang-jwt/jwt/v5 from v5.0.0 to v5.2.2 [security]

[figure-renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/golang-jwt/jwt/v5	v5.0.0 -> v5.2.2

GitHub Vulnerability Alerts

CVE-2025-30204

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

---

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2

Compare Source

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in https://github.com/golang-jwt/jwt/pull/382
• build: add go1.22 to ci workflows by @​mfridman in https://github.com/golang-jwt/jwt/pull/383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in https://github.com/golang-jwt/jwt/pull/387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in https://github.com/golang-jwt/jwt/pull/389
• chore: bump ci tests to include go1.23 by @​mfridman in https://github.com/golang-jwt/jwt/pull/405
• Fix jwt -show by @​AlexanderYastrebov in https://github.com/golang-jwt/jwt/pull/406
• docs: typo by @​kvii in https://github.com/golang-jwt/jwt/pull/407
• Update SECURITY.md by @​oxisto in https://github.com/golang-jwt/jwt/pull/416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in https://github.com/golang-jwt/jwt/pull/425

New Contributors

• @​Ashikpaul made their first contribution in https://github.com/golang-jwt/jwt/pull/382
• @​kvii made their first contribution in https://github.com/golang-jwt/jwt/pull/407
• @​mattt made their first contribution in https://github.com/golang-jwt/jwt/pull/425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

v5.2.1

Compare Source

What's Changed

• chore: remove unnecessary conversions from tests by @​estensen in https://github.com/golang-jwt/jwt/pull/370
• Trivial: Typo fix for ECDSA error message by @​tjs-cinemo in https://github.com/golang-jwt/jwt/pull/373
• Fix incorrect error return by @​ss49919201 in https://github.com/golang-jwt/jwt/pull/371

New Contributors

• @​tjs-cinemo made their first contribution in https://github.com/golang-jwt/jwt/pull/373
• @​ss49919201 made their first contribution in https://github.com/golang-jwt/jwt/pull/371

Full Changelog: golang-jwt/jwt@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

• Exported NewValidator by @​oxisto in https://github.com/golang-jwt/jwt/pull/349
• Improve ErrInvalidKeyType error messages by @​Laurin-Notemann in https://github.com/golang-jwt/jwt/pull/361
• Update MIGRATION_GUIDE.md by @​jbarham in https://github.com/golang-jwt/jwt/pull/363

New Contributors

• @​Laurin-Notemann made their first contribution in https://github.com/golang-jwt/jwt/pull/361
• @​jbarham made their first contribution in https://github.com/golang-jwt/jwt/pull/363

Full Changelog: golang-jwt/jwt@v5.1.0...v5.2.0

v5.1.0

Compare Source

What's Changed

• Using jwt's native ErrInvalidType instead of json.UnsupportedTypeError by @​oxisto in https://github.com/golang-jwt/jwt/pull/316
• Fix typos in comments and test names by @​alexandear in https://github.com/golang-jwt/jwt/pull/317
• Format: add whitespaces, remove empty lines by @​alexandear in https://github.com/golang-jwt/jwt/pull/319
• Refactor example: use io.ReadAll instead of io.Copy by @​alexandear in https://github.com/golang-jwt/jwt/pull/320
• Refactor code by using switch instead of if-else by @​alexandear in https://github.com/golang-jwt/jwt/pull/318
• A quick way to validate token string by @​dcalsky in https://github.com/golang-jwt/jwt/pull/302
• Refactor: remove unnecessary []byte conversion to string by @​alexandear in https://github.com/golang-jwt/jwt/pull/330
• Refactor: compare strings with strings.EqualFold by @​alexandear in https://github.com/golang-jwt/jwt/pull/329
• Avoid use of json.NewDecoder by @​craigpastro in https://github.com/golang-jwt/jwt/pull/313
• Update ParseUnverified godoc by @​duhaesbaert in https://github.com/golang-jwt/jwt/pull/341
• Update ci workflows (add go1.21) by @​mfridman in https://github.com/golang-jwt/jwt/pull/345
• Bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/golang-jwt/jwt/pull/346
• Key rotation with VerificationKeySet by @​mfridman in https://github.com/golang-jwt/jwt/pull/344
• Add explicit ClaimsValidator implementation check for custom claims by @​epelc in https://github.com/golang-jwt/jwt/pull/343
• feat: allow making exp claim required by @​tareksha in https://github.com/golang-jwt/jwt/pull/351
• Add error handling to examples by @​craigpastro in https://github.com/golang-jwt/jwt/pull/312

New Contributors

• @​alexandear made their first contribution in https://github.com/golang-jwt/jwt/pull/317
• @​dcalsky made their first contribution in https://github.com/golang-jwt/jwt/pull/302
• @​craigpastro made their first contribution in https://github.com/golang-jwt/jwt/pull/313
• @​duhaesbaert made their first contribution in https://github.com/golang-jwt/jwt/pull/341
• @​epelc made their first contribution in https://github.com/golang-jwt/jwt/pull/343
• @​tareksha made their first contribution in https://github.com/golang-jwt/jwt/pull/351

Full Changelog: golang-jwt/jwt@v5.0.0...v5.1.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[figure-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: github.com/FigureTechnologies/kong-jwt-wallet imports
	github.com/cosmos/btcutil/bech32: cannot find module providing package github.com/cosmos/btcutil/bech32
go: github.com/FigureTechnologies/kong-jwt-wallet imports
	github.com/golang-jwt/jwt/v4: cannot find module providing package github.com/golang-jwt/jwt/v4
go: github.com/FigureTechnologies/kong-jwt-wallet/cmd/token imports
	github.com/btcsuite/btcd/btcec/v2: cannot find module providing package github.com/btcsuite/btcd/btcec/v2
go: github.com/FigureTechnologies/kong-jwt-wallet/signing imports
	github.com/btcsuite/btcd/btcec/v2/ecdsa: cannot find module providing package github.com/btcsuite/btcd/btcec/v2/ecdsa
go: github.com/FigureTechnologies/kong-jwt-wallet/cmd/jwt-wallet tested by
	github.com/FigureTechnologies/kong-jwt-wallet/cmd/jwt-wallet.test imports
	github.com/stretchr/testify/assert: cannot find module providing package github.com/stretchr/testify/assert