
Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY]#26

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-golang-jwt-jwt-v5-vulnerability

Conversation

@renovate
Contributor

@renovate renovate bot commented Mar 21, 2025

This PR contains the following updates:

Package: github.com/golang-jwt/jwt/v5
Change: v5.2.1 -> v5.2.2

GitHub Vulnerability Alerts

CVE-2025-30204

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation


Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2


What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
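The following Go program illustrates the allocation pattern the advisory describes (an unbounded strings.Split on untrusted input) next to a parse that bounds its work before splitting. It is example code added for this page; it is not code from golang-jwt, from the advisory, or from this repository, and it does not reproduce the actual v5.2.2 fix. The function names, the size limit maxTokenLen, and the sample header values are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxTokenLen is a constructed upper bound for this example; a real service
// would size it to the largest token it legitimately issues.
const maxTokenLen = 8 * 1024

var (
	errTooLong   = errors.New("token exceeds size limit")
	errMalformed = errors.New("token must have exactly three dot-separated segments")
)

// unboundedSegmentCount mirrors the pattern the advisory describes: strings.Split
// builds a slice with one string header per separator, so input that is mostly
// periods costs roughly a fixed multiple of its own length in allocation before
// any structural check can reject it. Shown for contrast only.
func unboundedSegmentCount(token string) int {
	return len(strings.Split(token, "."))
}

// bearerToken extracts the token from an Authorization header value, or returns
// false if the scheme is not Bearer.
func bearerToken(header string) (string, bool) {
	const scheme = "Bearer "
	if !strings.HasPrefix(header, scheme) {
		return "", false
	}
	return strings.TrimSpace(header[len(scheme):]), true
}

// splitTokenBounded does constant-size allocation on bad input: it checks the
// length and the separator count (both allocation-free scans) before calling
// SplitN with a fixed cap of three segments. A well-formed JWS compact
// serialization always has exactly two periods.
func splitTokenBounded(token string) ([]string, error) {
	if len(token) > maxTokenLen {
		return nil, errTooLong
	}
	if strings.Count(token, ".") != 2 {
		return nil, errMalformed
	}
	return strings.SplitN(token, ".", 3), nil
}

func main() {
	// Constructed sample input of the shape the advisory describes.
	hostile := "Bearer " + strings.Repeat(".", 1000)
	tok, _ := bearerToken(hostile)
	fmt.Println("unbounded split produced", unboundedSegmentCount(tok), "segments")
	if _, err := splitTokenBounded(tok); err != nil {
		fmt.Println("bounded parse rejected input:", err)
	}

	// Constructed three-segment value; the segments are placeholders, not a real signed token.
	good := "Bearer aGVhZGVy.Y2xhaW1z.c2ln"
	tok, _ = bearerToken(good)
	parts, err := splitTokenBounded(tok)
	fmt.Println("bounded parse accepted", len(parts), "segments, err =", err)
}
```

The point of the ordering in splitTokenBounded is that every check that runs before SplitN scans the input without allocating, so a request that is mostly separators is rejected at the cost of reading it once. Applying the library upgrade is still the fix; a pre-check like this only limits how much a caller spends before the library sees the token.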

@renovate
Contributor Author

renovate bot commented Mar 21, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: downloading github.com/jackc/pgx/v5 v5.7.1
go: downloading gorm.io/gorm v1.25.12
go: downloading github.com/gin-gonic/gin v1.10.0
go: downloading github.com/go-playground/validator/v10 v10.23.0
go: downloading github.com/adhocore/gronx v1.19.5
go: downloading github.com/rs/zerolog v1.33.0
go: downloading github.com/spf13/viper v1.19.0
go: downloading gorm.io/driver/postgres v1.5.9
go: downloading github.com/golang-jwt/jwt/v5 v5.2.2
go: downloading github.com/stretchr/testify v1.9.0
go: downloading github.com/prometheus/client_golang v1.20.5
go: downloading google.golang.org/grpc v1.68.0
go: downloading github.com/terrapi-solution/protocol v1.2.6
go: downloading github.com/swaggo/files v1.0.1
go: downloading github.com/swaggo/gin-swagger v1.6.0
go: downloading github.com/jackc/pgpassfile v1.0.0
go: downloading github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761
go: downloading golang.org/x/crypto v0.28.0
go: downloading golang.org/x/text v0.19.0
go: downloading github.com/jinzhu/now v1.1.5
go: downloading github.com/gin-contrib/sse v0.1.0
go: downloading github.com/mattn/go-isatty v0.0.20
go: downloading golang.org/x/net v0.30.0
go: downloading github.com/gabriel-vasile/mimetype v1.4.3
go: downloading github.com/go-playground/universal-translator v0.18.1
go: downloading github.com/leodido/go-urn v1.4.0
go: downloading github.com/fsnotify/fsnotify v1.7.0
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading github.com/sagikazarmark/locafero v0.4.0
go: downloading github.com/sagikazarmark/slog-shim v0.1.0
go: downloading github.com/spf13/afero v1.11.0
go: downloading github.com/spf13/cast v1.6.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/jinzhu/inflection v1.0.0
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/klauspost/compress v1.17.9
go: downloading github.com/prometheus/client_model v0.6.1
go: downloading github.com/prometheus/common v0.55.0
go: downloading google.golang.org/protobuf v1.35.1
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.3.0
go: downloading github.com/prometheus/procfs v0.15.1
go: downloading golang.org/x/sys v0.26.0
go: downloading github.com/swaggo/swag v1.16.4
go: downloading github.com/pelletier/go-toml/v2 v2.2.2
go: downloading github.com/ugorji/go/codec v1.2.12
go: downloading github.com/bytedance/sonic v1.11.6
go: downloading github.com/goccy/go-json v0.10.2
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/go-playground/locales v0.14.1
go: downloading github.com/mattn/go-colorable v0.1.13
go: downloading github.com/sourcegraph/conc v0.3.0
go: downloading golang.org/x/exp v0.0.0-20230905200255-921286631fa9
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading gopkg.in/ini.v1 v1.67.0
go: downloading github.com/magiconair/properties v1.8.7
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1
go: downloading github.com/KyleBanks/depth v1.2.1
go: downloading github.com/go-openapi/spec v0.21.0
go: downloading golang.org/x/tools v0.26.0
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/jackc/puddle/v2 v2.2.2
go: downloading github.com/go-openapi/jsonpointer v0.21.0
go: downloading github.com/go-openapi/jsonreference v0.21.0
go: downloading github.com/go-openapi/swag v0.23.0
go: downloading github.com/cloudwego/base64x v0.1.4
go: downloading golang.org/x/arch v0.8.0
go: downloading go.uber.org/multierr v1.9.0
go: downloading golang.org/x/sync v0.8.0
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading github.com/bytedance/sonic/loader v0.1.1
go: downloading github.com/klauspost/cpuid/v2 v2.2.7
go: downloading github.com/twitchyliquid64/golang-asm v0.15.1
go: downloading go.uber.org/atomic v1.9.0
go: downloading github.com/josharian/intern v1.0.0
go: downloading github.com/cloudwego/iasm v0.2.0
go: github.com/terrapi-solution/controller/router/http/swagger imports
	github.com/terrapi-solution/controller/docs: cannot find module providing package github.com/terrapi-solution/controller/docs

@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Nov 10, 2025
@renovate renovate bot closed this Nov 10, 2025
@renovate renovate bot deleted the renovate/go-github.com-golang-jwt-jwt-v5-vulnerability branch November 10, 2025 02:14
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Nov 10, 2025
@renovate renovate bot reopened this Nov 10, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v5-vulnerability branch 2 times, most recently from fd3c7a6 to 060e2fb Compare November 10, 2025 05:52
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Jan 29, 2026
@renovate renovate bot closed this Jan 29, 2026
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Jan 29, 2026
@renovate renovate bot reopened this Jan 29, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v5-vulnerability branch 2 times, most recently from 060e2fb to 236182b Compare January 29, 2026 17:09
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Mar 6, 2026
@renovate renovate bot closed this Mar 6, 2026
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Mar 6, 2026
@renovate renovate bot reopened this Mar 6, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v5-vulnerability branch 2 times, most recently from 236182b to 675a6ce Compare March 6, 2026 20:48
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v5-vulnerability branch 2 times, most recently from 675a6ce to 054c48f Compare March 30, 2026 21:54
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Apr 5, 2026
@renovate renovate bot closed this Apr 5, 2026
@renovate renovate bot changed the title Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] - autoclosed Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] Apr 5, 2026
@renovate renovate bot reopened this Apr 5, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v5-vulnerability branch 2 times, most recently from 054c48f to 81d93aa Compare April 5, 2026 12:54