chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.2

[dependabot]

Bumps github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.2.

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

• Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

Commits

• 2f0e9ad Backporting 0951d18 to v4
• 7b1c1c0 Merge commit from fork
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kasemalem for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[konflux-ci-qe-bot]

@dependabot[bot]: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name	Status	Rerun command	Build Log	Test Log
konflux-e2e-f28qm	Failed	/retest	View Pipeline Log	View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

1. Install ORAS (see the ORAS installation guide).
2. Download artifacts with the following commands:

mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/konflux-team/e2e-tests:konflux-e2e-f28qm

Test results analysis

🚨 Failed to provision a cluster, see the log for more details:

Click to view logs

INFO: Log in to your Red Hat account...
INFO: Configure AWS Credentials...
WARN: The current version (1.2.50) is not up to date with latest rosa cli released version (1.2.52).
WARN: It is recommended that you update to the latest version.
INFO: Logged in as 'konflux-ci-418295695583' on 'https://api.openshift.com'
INFO: Create ROSA with HCP cluster...
WARN: The current version (1.2.50) is not up to date with latest rosa cli released version (1.2.52).
WARN: It is recommended that you update to the latest version.
time=2025-04-10T10:26:39Z level=info msg=Ignored check for policy key 'sts_hcp_ec2_registry_permission_policy' (zero egress feature toggle is not enabled)
INFO: Creating cluster 'kx-24b1c48350'
INFO: To view a list of clusters and their status, run 'rosa list clusters'
INFO: Cluster 'kx-24b1c48350' has been created.
INFO: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
Name:                       kx-24b1c48350

Domain Prefix:              kx-24b1c48350

Display Name:               kx-24b1c48350

ID:                         2i2ktpf0m0n4gm8vot8c9te7kb8n5vnv

External ID:                3d4b6f18-5da4-4468-b920-ffbd2a0f54b7

Control Plane:              ROSA Service Hosted

OpenShift Version:          4.15.48

Channel Group:              stable

DNS:                        Not ready

AWS Account:                418295695583

AWS Billing Account:        418295695583

API URL:

Console URL:

Region:                     us-east-1

Availability:

Control Plane:           MultiAZ
Data Plane:              MultiAZ

Nodes:

Compute (desired):       3
Compute (current):       0

Network:
Type:                    OVNKubernetes
Service CIDR:            172.30.0.0/16
Machine CIDR:            10.0.0.0/16
Pod CIDR:                10.128.0.0/14
Host Prefix:             /23
Subnets:                 subnet-001fc23497e4a3aeb, subnet-00ffba09365a434bc, subnet-074cbf0329958194a, subnet-0689cd077699b690a, subnet-0f9f09e46f74cde64, subnet-033f48892ddbaa09d

EC2 Metadata Http Tokens:   optional

Role (STS) ARN:             arn:aws:iam::418295695583:role/ManagedOpenShift-HCP-ROSA-Installer-Role

Support Role ARN:           arn:aws:iam::418295695583:role/ManagedOpenShift-HCP-ROSA-Support-Role

Instance IAM Roles:
Worker:                  arn:aws:iam::418295695583:role/ManagedOpenShift-HCP-ROSA-Worker-Role

Operator IAM Roles:
arn:aws:iam::418295695583:role/rosa-hcp-kube-system-capa-controller-manager
arn:aws:iam::418295695583:role/rosa-hcp-kube-system-control-plane-operator
arn:aws:iam::418295695583:role/rosa-hcp-kube-system-kms-provider
arn:aws:iam::418295695583:role/rosa-hcp-kube-system-kube-controller-manager
arn:aws:iam::418295695583:role/rosa-hcp-openshift-image-registry-installer-cloud-credentials
arn:aws:iam::418295695583:role/rosa-hcp-openshift-ingress-operator-cloud-credentials
arn:aws:iam::418295695583:role/rosa-hcp-openshift-cluster-csi-drivers-ebs-cloud-credentials
arn:aws:iam::418295695583:role/rosa-hcp-openshift-cloud-network-config-controller-cloud-credent

Managed Policies:           Yes

State:                      waiting (Waiting for user action)

Private:                    No

Delete Protection:          Disabled

Created:                    Apr 10 2025 10:26:50 UTC

User Workload Monitoring:   Enabled

Details Page:               https://console.redhat.com/openshift/details/s/2vX9z3gK2gvlwLtIDOt0qVdtzln

OIDC Endpoint URL:          https://oidc.op1.openshiftapps.com/2du11g36ejmoo4624pofphlrgf4r9tf3 (Managed)

Etcd Encryption:            Disabled

Audit Log Forwarding:       Disabled

External Authentication:    Disabled

Zero Egress:                Disabled

INFO: Preparing to create operator roles.

INFO: Operator Roles already exists

INFO: Preparing to create OIDC Provider.

INFO: OIDC provider already exists

INFO: To determine when your cluster is Ready, run 'rosa describe cluster -c kx-24b1c48350'.

INFO: To watch your cluster installation logs, run 'rosa logs install -c kx-24b1c48350 --watch'.

INFO: Track the progress of the cluster creation...

WARN: The current version (1.2.50) is not up to date with latest rosa cli released version (1.2.52).

WARN: It is recommended that you update to the latest version.

�[0;33mW:�[m Region flag will be removed from this command in future versions

INFO: Cluster 'kx-24b1c48350' is in waiting state waiting for installation to begin. Logs will show up within 5 minutes

0001-01-01 00:00:00 +0000 UTC hostedclusters kx-24b1c48350 Version

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Condition not found in the CVO.

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Condition not found in the CVO.

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Condition not found in the CVO.

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Waiting for hosted control plane to be healthy

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Reconciliation active on resource

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Condition not found in the CVO.

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Configuration passes validation

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Ignition server deployment not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 Condition not found in the CVO.

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 HostedCluster is supported by operator configuration

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is not found

2025-04-10 10:30:39 +0000 UTC hostedclusters kx-24b1c48350 ValidAWSIdentityProvider StatusUnknown

2025-04-10 10:30:40 +0000 UTC certificates cluster-api-cert Issuing certificate as Secret does not exist

2025-04-10 10:30:40 +0000 UTC certificates cluster-api-cert Issuing certificate as Secret does not exist

2025-04-10 10:30:46 +0000 UTC hostedclusters kx-24b1c48350 Release image is valid

2025-04-10 10:30:52 +0000 UTC hostedclusters kx-24b1c48350 HostedCluster is at expected version

2025-04-10 10:30:57 +0000 UTC hostedclusters kx-24b1c48350 failed to get referenced secret ocm-production-2i2ktpf0m0n4gm8vot8c9te7kb8n5vnv/cluster-api-cert: Secret "cluster-api-cert" not found

2025-04-10 10:30:57 +0000 UTC hostedclusters kx-24b1c48350 Required platform credentials are found

2025-04-10 10:32:07 +0000 UTC certificates cluster-api-cert Certificate is up to date and has not expired

2025-04-10 10:32:22 +0000 UTC hostedclusters kx-24b1c48350 Reconciliation completed successfully

2025-04-10 10:32:22 +0000 UTC hostedclusters kx-24b1c48350 OIDC configuration is valid

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 router load balancer is not provisioned; 0s since creation.; private-router load balancer is not provisioned; 0s since creation.; router load balancer is not provisioned; 0s since creation.

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 All is well

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 AWS KMS is not configured

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 Kube APIServer deployment not found

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 capi-provider deployment has 1 unavailable replicas

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 EtcdAvailable StatefulSetNotFound

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 Configuration passes validation

2025-04-10 10:32:27 +0000 UTC hostedclusters kx-24b1c48350 lookup api.kx-24b1c48350.kgz7.p3.openshiftapps.com on 172.30.0.10:53: no such host

2025-04-10 10:32:49 +0000 UTC hostedclusters kx-24b1c48350 All is well

2025-04-10 10:32:52 +0000 UTC hostedclusters kx-24b1c48350 WebIdentityErr

2025-04-10 10:33:20 +0000 UTC hostedclusters kx-24b1c48350 EtcdAvailable QuorumAvailable

2025-04-10 10:34:25 +0000 UTC hostedclusters kx-24b1c48350 Kube APIServer deployment is available

2025-04-10 10:34:53 +0000 UTC hostedclusters kx-24b1c48350 All is well

2025-04-10 10:35:11 +0000 UTC hostedclusters kx-24b1c48350 All is well

2025-04-10 10:35:24 +0000 UTC hostedclusters kx-24b1c48350 ClusterVersionSucceeding FromClusterVersion

2025-04-10 10:35:24 +0000 UTC hostedclusters kx-24b1c48350 ClusterVersionAvailable FromClusterVersion

2025-04-10 10:35:24 +0000 UTC hostedclusters kx-24b1c48350 Working towards 4.15.48: 518 of 606 done (85% complete)

2025-04-10 10:35:24 +0000 UTC hostedclusters kx-24b1c48350 Payload loaded version="4.15.48" image="quay.io/openshift-release-dev/ocp-release@sha256:8354a185d9bebfcd3d640a57c8c06d8f6135ace8d02070dff02a6f8bd6c7e5fc" architecture="Multi"

2025-04-10 10:35:31 +0000 UTC hostedclusters kx-24b1c48350 The hosted control plane is available

INFO: Cluster 'kx-24b1c48350' is now ready

INFO: ROSA with HCP cluster is ready, create a cluster admin account for accessing the cluster

WARN: The current version (1.2.50) is not up to date with latest rosa cli released version (1.2.52).

WARN: It is recommended that you update to the latest version.

INFO: Storing login command...

INFO: Check if it's able to login to OCP cluster...

Retried 1 times...

INFO: Check if apiserver is ready...

..............................ERROR: API server is not ready

---