Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] (forgejo) (#7296)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) | require | patch | `v5.2.1` -> `v5.2.2` |

---

### jwt-go allows excessive memory allocation during header parsing
[CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) / [GHSA-mh63-6h87-95cp](GHSA-mh63-6h87-95cp)

<details>
<summary>More information</summary>

#### Details
##### Summary

Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)

##### Details

See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)

##### Impact

Excessive memory allocation

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### References
- [https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp](https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp)
- [https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3](https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3)
- [https://github.com/golang-jwt/jwt](https://github.com/golang-jwt/jwt)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary>

### [`v5.2.2`](https://github.com/golang-jwt/jwt/releases/tag/v5.2.2)

[Compare Source](golang-jwt/jwt@v5.2.1...v5.2.2)

#### What's Changed

-   Fixed GHSA-mh63-6h87-95cp by [@&#8203;mfridman](https://github.com/mfridman)
-   Fixed some typos by [@&#8203;Ashikpaul](https://github.com/Ashikpaul) in golang-jwt/jwt#382
-   build: add go1.22 to ci workflows by [@&#8203;mfridman](https://github.com/mfridman) in golang-jwt/jwt#383
-   Bump golangci/golangci-lint-action from 4 to 5 by [@&#8203;dependabot](https://github.com/dependabot) in golang-jwt/jwt#387
-   Bump golangci/golangci-lint-action from 5 to 6 by [@&#8203;dependabot](https://github.com/dependabot) in golang-jwt/jwt#389
-   chore: bump ci tests to include go1.23 by [@&#8203;mfridman](https://github.com/mfridman) in golang-jwt/jwt#405
-   Fix jwt -show by [@&#8203;AlexanderYastrebov](https://github.com/AlexanderYastrebov) in golang-jwt/jwt#406
-   docs: typo by [@&#8203;kvii](https://github.com/kvii) in golang-jwt/jwt#407
-   Update SECURITY.md by [@&#8203;oxisto](https://github.com/oxisto) in golang-jwt/jwt#416
-   Update `jwt.Parse` example to use `jwt.WithValidMethods` by [@&#8203;mattt](https://github.com/mattt) in golang-jwt/jwt#425

#### New Contributors

-   [@&#8203;Ashikpaul](https://github.com/Ashikpaul) made their first contribution in golang-jwt/jwt#382
-   [@&#8203;kvii](https://github.com/kvii) made their first contribution in golang-jwt/jwt#407
-   [@&#8203;mattt](https://github.com/mattt) made their first contribution in golang-jwt/jwt#425

**Full Changelog**: golang-jwt/jwt@v5.2.1...v5.2.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDUuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNS4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7296
Reviewed-by: Earl Warren <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>

Author: Renovate Bot

go.mod

@@ -53,7 +53,7 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
-	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
 	github.com/google/go-github/v64 v64.0.0
 	github.com/google/pprof v0.0.0-20241017200806-017d972448fc

go.sum

@@ -985,8 +985,8 @@ github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 h1:UjoPNDAQ5JP
 github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
 github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
 github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=