Commit 57d3258

Renovate Bot authored and Earl Warren committed
Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] (v7.0/forgejo) (#7297)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) | require | patch | `v5.2.0` -> `v5.2.2` |

---

### jwt-go allows excessive memory allocation during header parsing

[CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) / [GHSA-mh63-6h87-95cp](GHSA-mh63-6h87-95cp)

<details>
<summary>More information</summary>

#### Details

##### Summary

Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)

##### Details

See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)

##### Impact

Excessive memory allocation

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References

- [https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp](https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp)
- [https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3](https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3)
- [https://github.com/golang-jwt/jwt](https://github.com/golang-jwt/jwt)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary>

### [`v5.2.2`](https://github.com/golang-jwt/jwt/releases/tag/v5.2.2)

[Compare Source](golang-jwt/jwt@v5.2.1...v5.2.2)

#### What's Changed

- Fixed GHSA-mh63-6h87-95cp by [@mfridman](https://github.com/mfridman)
- Fixed some typos by [@Ashikpaul](https://github.com/Ashikpaul) in golang-jwt/jwt#382
- build: add go1.22 to ci workflows by [@mfridman](https://github.com/mfridman) in golang-jwt/jwt#383
- Bump golangci/golangci-lint-action from 4 to 5 by [@dependabot](https://github.com/dependabot) in golang-jwt/jwt#387
- Bump golangci/golangci-lint-action from 5 to 6 by [@dependabot](https://github.com/dependabot) in golang-jwt/jwt#389
- chore: bump ci tests to include go1.23 by [@mfridman](https://github.com/mfridman) in golang-jwt/jwt#405
- Fix jwt -show by [@AlexanderYastrebov](https://github.com/AlexanderYastrebov) in golang-jwt/jwt#406
- docs: typo by [@kvii](https://github.com/kvii) in golang-jwt/jwt#407
- Update SECURITY.md by [@oxisto](https://github.com/oxisto) in golang-jwt/jwt#416
- Update `jwt.Parse` example to use `jwt.WithValidMethods` by [@mattt](https://github.com/mattt) in golang-jwt/jwt#425

#### New Contributors

- [@Ashikpaul](https://github.com/Ashikpaul) made their first contribution in golang-jwt/jwt#382
- [@kvii](https://github.com/kvii) made their first contribution in golang-jwt/jwt#407
- [@mattt](https://github.com/mattt) made their first contribution in golang-jwt/jwt#425

**Full Changelog**: golang-jwt/jwt@v5.2.1...v5.2.2

### [`v5.2.1`](https://github.com/golang-jwt/jwt/releases/tag/v5.2.1)

[Compare Source](golang-jwt/jwt@v5.2.0...v5.2.1)

#### What's Changed

- chore: remove unnecessary conversions from tests by [@estensen](https://github.com/estensen) in golang-jwt/jwt#370
- Trivial: Typo fix for ECDSA error message by [@tjs-cinemo](https://github.com/tjs-cinemo) in golang-jwt/jwt#373
- Fix incorrect error return by [@ss49919201](https://github.com/ss49919201) in golang-jwt/jwt#371

#### New Contributors

- [@tjs-cinemo](https://github.com/tjs-cinemo) made their first contribution in golang-jwt/jwt#373
- [@ss49919201](https://github.com/ss49919201) made their first contribution in golang-jwt/jwt#371

**Full Changelog**: golang-jwt/jwt@v5.2.0...v5.2.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7297
Reviewed-by: Earl Warren <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
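The allocation pattern the advisory above describes, placed beside a count-before-split check, as an added example that is neither code from the golang-jwt/jwt project nor part of this PR. `naiveSplit`, `estimateNaiveBytes`, `boundedSplit` and `ErrTokenMalformed` are names of this example only, and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrTokenMalformed is this example's own error for a compact-serialized JWT
// that does not have exactly three segments (header.payload.signature).
var ErrTokenMalformed = errors.New("token is malformed: expected exactly 3 segments")

// naiveSplit shows the pre-fix pattern: strings.Split on every period turns
// an input of n periods into n+1 string headers before any validation runs.
func naiveSplit(token string) []string {
	return strings.Split(token, ".")
}

// estimateNaiveBytes approximates what naiveSplit allocates for the result
// slice: one 16-byte string header (pointer + length on 64-bit) per segment,
// which is the "constant factor of about 16" the advisory mentions.
func estimateNaiveBytes(token string) int {
	return (strings.Count(token, ".") + 1) * 16
}

// boundedSplit is the hardened form: it rejects the input unless it has
// exactly two separators, so the input-proportional allocation never happens
// for a malformed token. strings.Count itself allocates nothing.
func boundedSplit(token string) ([]string, error) {
	if strings.Count(token, ".") != 2 {
		return nil, ErrTokenMalformed
	}
	return strings.SplitN(token, ".", 3), nil
}

func main() {
	// Constructed inputs: a well-formed three-segment shape and a period flood.
	good := "aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl"
	flood := strings.Repeat(".", 1<<20)

	parts, err := boundedSplit(good)
	fmt.Println(len(parts), err) // 3 <nil>

	_, err = boundedSplit(flood)
	fmt.Println(err) // token is malformed: expected exactly 3 segments
	fmt.Printf("naive split would allocate ~%d bytes for %d input bytes\n",
		estimateNaiveBytes(flood), len(flood))
}
```

The bounded form still lets a token such as `a..c` through to the next stage; segment decoding and signature verification are what reject those, and the check here only makes the cost of reaching that stage constant.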
1 parent 8bc5e7d commit 57d3258

2 files changed, +3 -3 lines changed
go.mod

Lines changed: 1 addition & 1 deletion
@@ -53,7 +53,7 @@ require (
5353
github.com/gobwas/glob v0.2.3
5454
github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
5555
github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
56-
github.com/golang-jwt/jwt/v5 v5.2.0
56+
github.com/golang-jwt/jwt/v5 v5.2.2
5757
github.com/google/go-github/v57 v57.0.0
5858
github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7
5959
github.com/google/uuid v1.6.0
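Review bot: the bump goes from v5.2.0 straight to v5.2.2, so besides the GHSA-mh63-6h87-95cp fix it also pulls in the v5.2.1 changes listed in the commit message, including "Fix incorrect error return" (golang-jwt/jwt#371); a sentence in the PR confirming that Forgejo's JWT call sites were checked against that changed error path would make the security-only intent of the update verifiable. As this targets v7.0/forgejo, also confirm the same bump lands on the other maintained branches.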

go.sum

Lines changed: 2 additions & 2 deletions
@@ -372,8 +372,8 @@ github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85/go.mod h1:fR6z
372372
github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
373373
github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
374374
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
375-
github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
376-
github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
375+
github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
376+
github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
377377
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
378378
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
379379
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
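Review bot: the `/go.mod` hash for v5.2.2 (`h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=`) is identical to the one for v5.2.0 while the module zip hash changes, which is the expected shape when a release touches code but not its go.mod file; nothing to fix here, but for a security bump the hashes should be confirmed with `go mod verify` against the module proxy rather than by eye.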