Bump github.com/golang-jwt/jwt from 3.2.1 to github.com/golang-jwt/jwt/v4 4.5.2

henrybear327 · henrybear327 · commit 8eab95cbd261 · 2025-04-07T22:37:50.000+02:00
Steps executed: - change import path to "github.com/golang-jwt/jwt/v4" - execute `go get github.com/golang-jwt/jwt/v4; go mod tidy` - execute `./scripts/updatebom.sh` Reference: - https://pkg.go.dev/vuln/GO-2025-3553 - https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md Signed-off-by: Chun-Hung Tseng <henrytseng@google.com>
diff --git a/auth/jwt.go b/auth/jwt.go
@@ -21,7 +21,7 @@ import (
 	"errors"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"go.uber.org/zap"
 )
 
diff --git a/auth/jwt_test.go b/auth/jwt_test.go
@@ -20,7 +20,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap"
 )
diff --git a/auth/options.go b/auth/options.go
@@ -21,7 +21,7 @@ import (
 	"io/ioutil"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 )
 
 const (
diff --git a/bill-of-materials.json b/bill-of-materials.json
@@ -17,6 +17,15 @@
 			}
 		]
 	},
+	{
+		"project": "github.com/cespare/xxhash/v2",
+		"licenses": [
+			{
+				"type": "MIT License",
+				"confidence": 1
+			}
+		]
+	},
 	{
 		"project": "github.com/coreos/go-semver/semver",
 		"licenses": [
@@ -63,7 +72,7 @@
 		]
 	},
 	{
-		"project": "github.com/golang-jwt/jwt",
+		"project": "github.com/golang-jwt/jwt/v4",
 		"licenses": [
 			{
 				"type": "MIT License",
@@ -369,7 +378,7 @@
 		]
 	},
 	{
-		"project": "golang.org/x/sys",
+		"project": "golang.org/x/sys/unix",
 		"licenses": [
 			{
 				"type": "BSD 3-clause \"New\" or \"Revised\" License",
@@ -396,7 +405,25 @@
 		]
 	},
 	{
-		"project": "google.golang.org/genproto",
+		"project": "google.golang.org/genproto/googleapis/api/httpbody",
+		"licenses": [
+			{
+				"type": "Apache License 2.0",
+				"confidence": 1
+			}
+		]
+	},
+	{
+		"project": "google.golang.org/genproto/googleapis/rpc/status",
+		"licenses": [
+			{
+				"type": "Apache License 2.0",
+				"confidence": 1
+			}
+		]
+	},
+	{
+		"project": "google.golang.org/genproto/protobuf/field_mask",
 		"licenses": [
 			{
 				"type": "Apache License 2.0",
@@ -413,6 +440,15 @@
 			}
 		]
 	},
+	{
+		"project": "google.golang.org/protobuf",
+		"licenses": [
+			{
+				"type": "BSD 3-clause \"New\" or \"Revised\" License",
+				"confidence": 0.9663865546218487
+			}
+		]
+	},
 	{
 		"project": "gopkg.in/cheggaaa/pb.v1",
 		"licenses": [
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/creack/pty v1.1.11
 	github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4
 	github.com/gogo/protobuf v1.3.2
-	github.com/golang-jwt/jwt v3.2.1+incompatible
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903
 	github.com/golang/protobuf v1.5.4
 	github.com/google/btree v1.0.0
@@ -51,6 +51,7 @@ require (
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/coreos/license-bill-of-materials v0.0.0-20190913234955-13baff47494e // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.7.0 // indirect
 	github.com/gorilla/websocket v1.4.2 // indirect
diff --git a/go.sum b/go.sum
@@ -22,6 +22,8 @@ github.com/coreos/go-semver v0.2.0 h1:3Jm3tLmsgAYcjC+4Up7hJrFBPr+n7rAqYeSw/SZazu
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/license-bill-of-materials v0.0.0-20190913234955-13baff47494e h1:vHRufSa2k8tfkcDdia1vJFa+oiBvvPxW94mg76PPAoA=
+github.com/coreos/license-bill-of-materials v0.0.0-20190913234955-13baff47494e/go.mod h1:4xMOusJ7xxc84WclVxKT8+lNfGYDwojOUC2OQNCwcj4=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf h1:CAKfRE2YtTUIjjh1bkBtyYFaUT/WmOqsJjgtihT0vMI=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/creack/pty v1.1.11 h1:07n33Z8lZxZ2qwegKbObQohDhXDQxiMMz1NOUGYlesw=
@@ -44,8 +46,8 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
-github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 h1:LbsanbbD6LieFkXbj9YNNBupiGHJgFeLpO0j0Fza1h8=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ import (`
`21`	`21`	`"errors"`
`22`	`22`	`"time"`
`23`	`23`
`24`		`- "github.com/golang-jwt/jwt"`
	`24`	`+ "github.com/golang-jwt/jwt/v4"`
`25`	`25`	`"go.uber.org/zap"`
`26`	`26`	`)`
`27`	`27`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ import (`
`20`	`20`	`"testing"`
`21`	`21`	`"time"`
`22`	`22`
`23`		`- "github.com/golang-jwt/jwt"`
	`23`	`+ "github.com/golang-jwt/jwt/v4"`
`24`	`24`	`"github.com/stretchr/testify/require"`
`25`	`25`	`"go.uber.org/zap"`
`26`	`26`	`)`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,15 @@`
`17`	`17`	`}`
`18`	`18`	`]`
`19`	`19`	`},`
	`20`	`+ {`
	`21`	`+ "project": "github.com/cespare/xxhash/v2",`
	`22`	`+ "licenses": [`
	`23`	`+ {`
	`24`	`+ "type": "MIT License",`
	`25`	`+ "confidence": 1`
	`26`	`+ }`
	`27`	`+ ]`
	`28`	`+ },`
`20`	`29`	`{`
`21`	`30`	`"project": "github.com/coreos/go-semver/semver",`
`22`	`31`	`"licenses": [`
`@@ -63,7 +72,7 @@`
`63`	`72`	`]`
`64`	`73`	`},`
`65`	`74`	`{`
`66`		`- "project": "github.com/golang-jwt/jwt",`
	`75`	`+ "project": "github.com/golang-jwt/jwt/v4",`
`67`	`76`	`"licenses": [`
`68`	`77`	`{`
`69`	`78`	`"type": "MIT License",`
`@@ -369,7 +378,7 @@`
`369`	`378`	`]`
`370`	`379`	`},`
`371`	`380`	`{`
`372`		`- "project": "golang.org/x/sys",`
	`381`	`+ "project": "golang.org/x/sys/unix",`
`373`	`382`	`"licenses": [`
`374`	`383`	`{`
`375`	`384`	`"type": "BSD 3-clause \"New\" or \"Revised\" License",`
`@@ -396,7 +405,25 @@`
`396`	`405`	`]`
`397`	`406`	`},`
`398`	`407`	`{`
`399`		`- "project": "google.golang.org/genproto",`
	`408`	`+ "project": "google.golang.org/genproto/googleapis/api/httpbody",`
	`409`	`+ "licenses": [`
	`410`	`+ {`
	`411`	`+ "type": "Apache License 2.0",`
	`412`	`+ "confidence": 1`
	`413`	`+ }`
	`414`	`+ ]`
	`415`	`+ },`
	`416`	`+ {`
	`417`	`+ "project": "google.golang.org/genproto/googleapis/rpc/status",`
	`418`	`+ "licenses": [`
	`419`	`+ {`
	`420`	`+ "type": "Apache License 2.0",`
	`421`	`+ "confidence": 1`
	`422`	`+ }`
	`423`	`+ ]`
	`424`	`+ },`
	`425`	`+ {`
	`426`	`+ "project": "google.golang.org/genproto/protobuf/field_mask",`
`400`	`427`	`"licenses": [`
`401`	`428`	`{`
`402`	`429`	`"type": "Apache License 2.0",`
`@@ -413,6 +440,15 @@`
`413`	`440`	`}`
`414`	`441`	`]`
`415`	`442`	`},`
	`443`	`+ {`
	`444`	`+ "project": "google.golang.org/protobuf",`
	`445`	`+ "licenses": [`
	`446`	`+ {`
	`447`	`+ "type": "BSD 3-clause \"New\" or \"Revised\" License",`
	`448`	`+ "confidence": 0.9663865546218487`
	`449`	`+ }`
	`450`	`+ ]`
	`451`	`+ },`
`416`	`452`	`{`
`417`	`453`	`"project": "gopkg.in/cheggaaa/pb.v1",`
`418`	`454`	`"licenses": [`