fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.2 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/golang-jwt/jwt/v5	v5.2.1 -> v5.2.2

GitHub Vulnerability Alerts

CVE-2025-30204

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

---

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2

Compare Source

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in https://github.com/golang-jwt/jwt/pull/382
• build: add go1.22 to ci workflows by @​mfridman in https://github.com/golang-jwt/jwt/pull/383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in https://github.com/golang-jwt/jwt/pull/387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in https://github.com/golang-jwt/jwt/pull/389
• chore: bump ci tests to include go1.23 by @​mfridman in https://github.com/golang-jwt/jwt/pull/405
• Fix jwt -show by @​AlexanderYastrebov in https://github.com/golang-jwt/jwt/pull/406
• docs: typo by @​kvii in https://github.com/golang-jwt/jwt/pull/407
• Update SECURITY.md by @​oxisto in https://github.com/golang-jwt/jwt/pull/416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in https://github.com/golang-jwt/jwt/pull/425

New Contributors

• @​Ashikpaul made their first contribution in https://github.com/golang-jwt/jwt/pull/382
• @​kvii made their first contribution in https://github.com/golang-jwt/jwt/pull/407
• @​mattt made their first contribution in https://github.com/golang-jwt/jwt/pull/425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.95%. Comparing base (e433ad8) to head (5491353).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #254   +/-   ##
=======================================
  Coverage   57.95%   57.95%           
=======================================
  Files          96       96           
  Lines        3927     3927           
=======================================
  Hits         2276     2276           
  Misses       1494     1494           
  Partials      157      157           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.