fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/golang-jwt/jwt/v5	v5.2.1 → v5.2.2

GitHub Vulnerability Alerts

CVE-2025-30204

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

---

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2

Compare Source

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in #​382
• build: add go1.22 to ci workflows by @​mfridman in #​383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in #​387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in #​389
• chore: bump ci tests to include go1.23 by @​mfridman in #​405
• Fix jwt -show by @​AlexanderYastrebov in #​406
• docs: typo by @​kvii in #​407
• Update SECURITY.md by @​oxisto in #​416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in #​425

New Contributors

• @​Ashikpaul made their first contribution in #​382
• @​kvii made their first contribution in #​407
• @​mattt made their first contribution in #​425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​golang-jwt/​jwt/​v5@​v5.2.1 ⏵ v5.2.2	+1	+16

View full report

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 73a74e2 in 40 seconds. Click for details.

• Reviewed 26 lines of code in 2 files
• Skipped 0 files when reviewing.
• Skipped posting 2 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. go.mod:7

• Draft comment:
  Updated github.com/golang-jwt/jwt/v5 dependency to v5.2.2, addressing CVE-2025-30204. Ensure that your tests cover JWT parsing scenarios.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

2. go.sum:32

• Draft comment:
  New checksums for github.com/golang-jwt/jwt/v5 v5.2.2 are added correctly. No issues noted.
• Reason this comment was not posted:
  Confidence changes required: 0% <= threshold 50% None

Workflow ID: wflow_Rtmo8BORgFGoYD9t

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}