OCPBUGS-53867: Bump github.com/golang-jwt/jwt

[sbiradar10]

Prevent GHSA-mh63-6h87-95cp. We are relying on
https://github.com/Azure/go-autorest that has been archived and isn't receiving more updates. This will force us to move to a different package but we can't wait for that to happen to address the CVE therefore this PR adds a replacement on github.com/golang-jwt/jwt/v4 pointing to v4.5.2.

[openshift-ci-robot]

@sbiradar10: This pull request references Jira Issue OCPBUGS-53867, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.z) matches configured target version for branch (4.14.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-53866 is in the state Closed (Done-Errata), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-53866 targets the "4.15.z" version, which is one of the valid target versions: 4.15.0, 4.15.z
• bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Prevent GHSA-mh63-6h87-95cp. We are relying on
https://github.com/Azure/go-autorest that has been archived and isn't receiving more updates. This will force us to move to a different package but we can't wait for that to happen to address the CVE therefore this PR adds a replacement on github.com/golang-jwt/jwt/v4 pointing to v4.5.2.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[shannon]

/lgtm

[shannon]

@sbiradar10 It looks like it's complaining about the vendor/modules.txt file not being in sync. Sorry I missed that. Perhaps we need to run go mod vendor again?

[shannon]

@sbiradar10 Yea I believe it needs to be run inside the cmd/move-blobs directory as well as the root, we missed that piece.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[sbiradar10]

@shannon just made changes now

[sbiradar10]

/retest-required

[shannon]

/retest-required

[shannon]

/retest-required

[shannon]

/assign flavianmissi

Can you please review/approve this? This was a follow up to #1224 because we missed the second go.mod file.

[ricardomaraschini]

Can you squash your commits ?

[sbiradar10]

/retest-required

[ricardomaraschini]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ricardomaraschini, sbiradar10, shannon
Once this PR has been reviewed and has the lgtm label, please ask for approval from flavianmissi. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sbiradar10]

/retest-required

[shannon]

/hold

Hi @sbiradar10, I noticed that v5 version is not quite right. It should be v5.2.2 not v5.2.1.

So I will put a hold on this until it's updated. go get github.com/golang-jwt/jwt/[email protected] followed by vendor and tidy should be sufficient here. Then squash it again.

[shannon]

/unhold

[openshift-ci]

@sbiradar10: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.