Bump github.com/golang-jwt/jwt from v3.2.2 to v5.3.0

[Copilot]

Upgrades JWT library to address CVE: excessive memory allocation during header parsing in v3.2.2.

Changes

• Dependency: github.com/golang-jwt/jwt v3.2.2+incompatible → github.com/golang-jwt/jwt/v5 v5.3.0
• API migration: Refactored Parser initialization to v5 functional options pattern

  // Before: direct struct manipulation
  jwtParser := &jwt.Parser{ValidMethods: []string{}, SkipClaimsValidation: false}
  jwtParser.ValidMethods = append(jwtParser.ValidMethods, jwt.SigningMethodRS256.Name, ...)
  
  // After: functional options
  validMethods := []string{jwt.SigningMethodRS256.Name, ...}
  jwtParser := jwt.NewParser(jwt.WithValidMethods(validMethods))

• Claims: jwt.StandardClaims → jwt.RegisteredClaims in test fixtures

No behavioral changes - existing validation ensures auth methods are configured before parser instantiation.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• filippo.io
  • Triggering command: /update-job-proxy /update-job-proxy go (dns block)
  • Triggering command: /update-job-proxy /update-job-proxy ACCEPT csi/net-interfacextensions.objectformat test -e cae0058f819b3e53e49f19aed490682de9a012/shallow.lock 170/2318195299cafcc831485164085dd243a78b34e9e14c-e est -o /tmp/ccbhr8TO.o /tmp/dependabot-blob test -e tarfield_Class_2_CA.pem /tmp/dependabot-cli/dependabot/dependabot /usr/local/bin/test . ux_amd64/vet /usr/bin/network-t test (dns block)
• go.googlesource.com
  • Triggering command: /update-job-proxy /update-job-proxy go (dns block)
  • Triggering command: /update-job-proxy /update-job-proxy ACCEPT csi/net-interfacextensions.objectformat test -e cae0058f819b3e53e49f19aed490682de9a012/shallow.lock 170/2318195299cafcc831485164085dd243a78b34e9e14c-e est -o /tmp/ccbhr8TO.o /tmp/dependabot-blob test -e tarfield_Class_2_CA.pem /tmp/dependabot-cli/dependabot/dependabot /usr/local/bin/test . ux_amd64/vet /usr/bin/network-t test (dns block)
• go.uber.org
  • Triggering command: /update-job-proxy /update-job-proxy go (dns block)
  • Triggering command: /update-job-proxy /update-job-proxy ACCEPT csi/net-interfacextensions.objectformat test -e cae0058f819b3e53e49f19aed490682de9a012/shallow.lock 170/2318195299cafcc831485164085dd243a78b34e9e14c-e est -o /tmp/ccbhr8TO.o /tmp/dependabot-blob test -e tarfield_Class_2_CA.pem /tmp/dependabot-cli/dependabot/dependabot /usr/local/bin/test . ux_amd64/vet /usr/bin/network-t test (dns block)
• go.yaml.in
  • Triggering command: /update-job-proxy /update-job-proxy go (dns block)
  • Triggering command: /update-job-proxy /update-job-proxy ACCEPT csi/net-interfacextensions.objectformat test -e cae0058f819b3e53e49f19aed490682de9a012/shallow.lock 170/2318195299cafcc831485164085dd243a78b34e9e14c-e est -o /tmp/ccbhr8TO.o /tmp/dependabot-blob test -e tarfield_Class_2_CA.pem /tmp/dependabot-cli/dependabot/dependabot /usr/local/bin/test . ux_amd64/vet /usr/bin/network-t test (dns block)
• google.golang.org
  • Triggering command: /update-job-proxy /update-job-proxy go (dns block)
  • Triggering command: /update-job-proxy /update-job-proxy ACCEPT csi/net-interfacextensions.objectformat test -e cae0058f819b3e53e49f19aed490682de9a012/shallow.lock 170/2318195299cafcc831485164085dd243a78b34e9e14c-e est -o /tmp/ccbhr8TO.o /tmp/dependabot-blob test -e tarfield_Class_2_CA.pem /tmp/dependabot-cli/dependabot/dependabot /usr/local/bin/test . ux_amd64/vet /usr/bin/network-t test (dns block)
• gopkg.in
  • Triggering command: /update-job-proxy /update-job-proxy go (dns block)
  • Triggering command: /update-job-proxy /update-job-proxy ACCEPT csi/net-interfacextensions.objectformat test -e cae0058f819b3e53e49f19aed490682de9a012/shallow.lock 170/2318195299cafcc831485164085dd243a78b34e9e14c-e est -o /tmp/ccbhr8TO.o /tmp/dependabot-blob test -e tarfield_Class_2_CA.pem /tmp/dependabot-cli/dependabot/dependabot /usr/local/bin/test . ux_amd64/vet /usr/bin/network-t test (dns block)
• k8s.io
  • Triggering command: /update-job-proxy /update-job-proxy go (dns block)
  • Triggering command: /update-job-proxy /update-job-proxy ACCEPT csi/net-interfacextensions.objectformat test -e cae0058f819b3e53e49f19aed490682de9a012/shallow.lock 170/2318195299cafcc831485164085dd243a78b34e9e14c-e est -o /tmp/ccbhr8TO.o /tmp/dependabot-blob test -e tarfield_Class_2_CA.pem /tmp/dependabot-cli/dependabot/dependabot /usr/local/bin/test . ux_amd64/vet /usr/bin/network-t test (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Bump github.com/golang-jwt/jwt version</issue_title>
<issue_description></issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Bump github.com/golang-jwt/jwt version #118

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.