fix(deps): update module github.com/lestrrat-go/jwx/v2 to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/lestrrat-go/jwx/v2	v2.1.1 → v3.0.13

---

Release Notes

lestrrat-go/jwx (github.com/lestrrat-go/jwx/v2)

v3.0.13

Compare Source

What's Changed

• Pass value of WithContext to jws.Verify by @​lestrrat in #​1483
• Bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​1490
• Bump actions/checkout from 5.0.0 to 5.0.1 by @​dependabot[bot] in #​1494
• Bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​1500
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @​dependabot[bot] in #​1499
• Bump golang.org/x/crypto from 0.39.0 to 0.45.0 in /cmd/jwx by @​dependabot[bot] in #​1495
• Bump actions/checkout from 5.0.1 to 6.0.0 by @​dependabot[bot] in #​1504
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genoptions by @​dependabot[bot] in #​1502
• Bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 by @​dependabot[bot] in #​1506
• Fix document for (jwk.Set).LookupKeyID by @​lestrrat in #​1508
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genjwt by @​dependabot[bot] in #​1509
• Bump actions/stale from 10.1.0 to 10.1.1 by @​dependabot[bot] in #​1514
• Bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 by @​dependabot[bot] in #​1515
• Bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​1516
• Update httprc by @​lestrrat in #​1518
• Bump actions/cache from 4.3.0 to 5.0.1 by @​dependabot[bot] in #​1525
• Appease linter (v2.7.2) by @​lestrrat in #​1526
• Bump golang.org/x/crypto from 0.45.0 to 0.46.0 by @​dependabot[bot] in #​1520
• Add permissions by @​lestrrat in #​1528
• Bump github.com/valyala/fastjson from 1.6.4 to 1.6.7 by @​dependabot[bot] in #​1524
• Fix Clone() by @​lestrrat in #​1530

Full Changelog: lestrrat-go/jwx@v3.0.12...v3.0.13

v3.0.12

Compare Source

What's Changed

• Change go.mod version requirements to go 1.24.0 and introduce toolchain directive by @​henrymcconville in #​1465
• Use go.mod for go version in Bazel module by @​henrymcconville in #​1466
• Enable legacy signers by default, and explicitly populate new signer instances by @​lestrrat in #​1460
• autodoc updates by @​github-actions[bot] in #​1475
• Fix godoclint issues by @​babakks in #​1469
• Bump actions/cache from 4.2.4 to 4.3.0 by @​dependabot[bot] in #​1463
• Bump actions/stale from 10.0.0 to 10.1.0 by @​dependabot[bot] in #​1468
• Bump github.com/segmentio/asm from 1.2.0 to 1.2.1 by @​dependabot[bot] in #​1462
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​1472
• Bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @​dependabot[bot] in #​1474
• revive godoclint by @​lestrrat in #​1478
• [jwe] Add option to explicitly clear per-recipient headers ("header") for flattened JSON serialization by @​lestrrat in #​1477
• autodoc updates by @​github-actions[bot] in #​1480

New Contributors

• @​henrymcconville made their first contribution in #​1465
• @​babakks made their first contribution in #​1469

Full Changelog: lestrrat-go/jwx@v3.0.11...v3.0.12

v3.0.11

Compare Source

What's Changed

• Bump actions/cache from 4.2.3 to 4.2.4 by @​dependabot[bot] in #​1438
• Bump golang.org/x/crypto from 0.40.0 to 0.41.0 by @​dependabot[bot] in #​1436
• [jwe] Work with non X25519 ECDH encryption by @​lestrrat in #​1442
• Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in #​1440
• Separate out signature generation / verification into its own framework by @​lestrrat in #​1439
• Bump github.com/lestrrat-go/httprc/v3 from 3.0.0 to 3.0.1 by @​dependabot[bot] in #​1443
• Bump actions/stale from 9.1.0 to 10.0.0 by @​dependabot[bot] in #​1451
• Bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @​dependabot[bot] in #​1447
• Bump golang.org/x/crypto from 0.41.0 to 0.42.0 by @​dependabot[bot] in #​1456
• Bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] in #​1449
• Warh40k fix/connection leak by @​lestrrat in #​1458
• Allow shutting down jwk cache by @​adam-bates in #​1457

New Contributors

• @​adam-bates made their first contribution in #​1457

Full Changelog: lestrrat-go/jwx@v3.0.10...v3.0.11

v3.0.10

Compare Source

What's Changed

• Fix header not found error by @​lestrrat in #​1435

Full Changelog: lestrrat-go/jwx@v3.0.9...v3.0.10

v3.0.9

Compare Source

What's Changed

• [jwk] Implement X509 related code in jwkbb by @​lestrrat in #​1423
• Tweak error message by @​lestrrat in #​1424
• [jwt] implement distinguishable jwt.Get errors by @​lestrrat in #​1426
• Update bazel to v8 by @​lestrrat in #​1429
• Bump golang.org/x/crypto from 0.39.0 to 0.40.0 by @​dependabot[bot] in #​1428
• Allow HeaderGetXXX() functions to differentiate not found / invalid headers by @​lestrrat in #​1432

Full Changelog: lestrrat-go/jwx@v3.0.8...v3.0.9

v3.0.8

Compare Source

What's Changed

• change from interface{} to any by @​lestrrat in #​1417
• autodoc updates by @​github-actions in #​1418
• Introduce jwe lower level API (jwebb), and refactor a bunch of things. by @​lestrrat in #​1419
• [jws/jwsbb] Add io.Reader for source of randomness by @​lestrrat in #​1420
• Add package level doc for jwe by @​lestrrat in #​1421
• Add jwsbb.HeaderParse by @​lestrrat in #​1422

Full Changelog: lestrrat-go/jwx@v3.0.7...v3.0.8

v3.0.7

Compare Source

What's Changed

• Update examples by @​lestrrat in #​1412
• autodoc updates by @​github-actions in #​1413
• Add error when signature could not be verified by @​lestrrat in #​1414
• Add Header type for quick and dirty access to JWS headers by @​lestrrat in #​1415
• Refactor jwsbb code by @​lestrrat in #​1416

Full Changelog: lestrrat-go/jwx@v3.0.6...v3.0.7

v3.0.6

Compare Source

What's Changed

• Use shared constants for better legibility/greppability by @​lestrrat in #​1398
• Rework pool objects by @​lestrrat in #​1399
• Bump github.com/cloudflare/circl from 1.6.0 to 1.6.1 in /examples by @​dependabot in #​1395
• Add AppendEncode to the interface by @​lestrrat in #​1400
• Upgrade option and blackmagic by @​lestrrat in #​1401
• Add comparison benchmark by @​lestrrat in #​1407
• Implement low-level API for jws, and incorporate it to JWT to achieve massive performance gains by @​lestrrat in #​1408
• autodoc updates by @​github-actions in #​1409
• Rename comparison by @​lestrrat in #​1410

Full Changelog: lestrrat-go/jwx@v3.0.5...v3.0.6

v3.0.5

Compare Source

What's Changed

• Revert "Improve performance (#​1391)" by @​lestrrat in #​1397
• v3.0.4 has also been retracted on go.mod

Full Changelog: lestrrat-go/jwx@v3.0.4...v3.0.5

v3.0.4

Compare Source

v3.0.3

Compare Source

What's Changed

• Add more context to the errors by @​lestrrat in #​1387
• Update httprc version by @​lestrrat in #​1388

Full Changelog: lestrrat-go/jwx@v3.0.2...v3.0.3

v3.0.2

Compare Source

What's Changed

• Bump golangci/golangci-lint-action from 7.0.0 to 8.0.0 by @​dependabot in #​1369
• Bump golang.org/x/crypto from 0.37.0 to 0.38.0 by @​dependabot in #​1372
• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in #​1373
• Add .deprecated field to algorithms in anticipation of future deprecations by @​lestrrat in #​1374
• Add .deprecated field to algorithms in anticipation of future deprecations by @​lestrrat in #​1376
• Add doc tweaks to #​1380 by @​lestrrat in #​1383
• autodoc updates by @​github-actions in #​1384
• Use jwk interfaces for each key type rather than concrete types by @​lestrrat in #​1381
• Implement Filter objects for container types by @​lestrrat in #​1377
• autodoc updates by @​github-actions in #​1386
• Implement generic AsMap by @​lestrrat in #​1385

Full Changelog: lestrrat-go/jwx@v3.0.1...v3.0.2

v3.0.1

Compare Source

What's Changed

Please read the Changes file and upgrade accordingly, especially if you are using the following combinations for JWE:

• DIRECT mode content encryption
• Using A256CBC_HS512
• With an erroneously created CEK of exactly 32-bytes.

---

• Bump actions/cache from 4.2.1 to 4.2.3 by @​dependabot in #​1336
• Bump actions/checkout from 4.1.7 to 4.2.2 by @​dependabot in #​1337
• Bump actions/setup-go from 5.0.2 to 5.4.0 by @​dependabot in #​1338
• Update 02-jws.md by @​lestrrat in #​1341
• Bump golang.org/x/crypto from 0.36.0 to 0.37.0 by @​dependabot in #​1342
• Add the claim name to error messages produced by ClaimValueIs() by @​jmalloc in #​1347
• Tweak comments generated by genwa under jwa directory by @​lestrrat in #​1348
• autodoc updates by @​github-actions in #​1349
• Disable funcorder by @​lestrrat in #​1351
• Update .golangci.yml by @​lestrrat in #​1353
• Update github.com/lestrrat-go/blackmagic by @​lestrrat in #​1352
• disable dependabot for develop/v1 branch by @​lestrrat in #​1358
• jws: improve performance for SplitCompact/SplitCompactString by @​drakkan in #​1360
• jwe: use strings.Cut in parseCompact by @​drakkan in #​1362
• Update httprc to v3.0.0-beta2 by @​lestrrat in #​1364
• Create SECURITY.md by @​lestrrat in #​1365
• [v3] Explcitly check key sizes before passing to aes.NewCipher by @​lestrrat in #​1367

New Contributors

• @​jmalloc made their first contribution in #​1347

Full Changelog: lestrrat-go/jwx@v3.0.0...v3.0.1

v3.0.0

Compare Source

What's Changed

• Add support for RSA-OAEP-384 and RSA-OAEP-512 by @​Hannes-Kunnen in #​1142
• fix: typos by @​maro114510 in #​1145
• Update httprc to v1.0.6 by @​lestrrat in #​1150
• Improve API for checking algorithm characteristics around symmetry by @​lestrrat in #​1151
• Fix typos/mistakes/wording/links in documentation/comments by @​Hannes-Kunnen in #​1152
• Apply changes from #​1156 to v2 by @​lestrrat in #​1158
• Avoid problems on 32-bit systems by @​lestrrat in #​1159
• Update minimum required go version to 1.20 by @​lestrrat in #​1161
• Run CI with minimum go version 1.20 by @​lestrrat in #​1162
• Bump golang.org/x/crypto from 0.24.0 to 0.25.0 by @​dependabot in #​1149
• Deprecate jws.WithHeaders by @​lestrrat in #​1163
• Bump golang.org/x/crypto from 0.25.0 to 0.26.0 by @​dependabot in #​1168
• Fix document of how to parse PEM via CLI by @​kg0r0 in #​1174
• Wrap the errors from functions called within ParseRequest by @​lestrrat in #​1176
• V3 modernize infra by @​lestrrat in #​1180
• autodoc updates by @​github-actions in #​1181
• V3 dependabot by @​lestrrat in #​1184
• Completely rework jwk.Cache using github.com/lestrrat-go/httprc/v3 by @​lestrrat in #​1189
• autodoc updates by @​github-actions in #​1190
• Use import by @​lestrrat in #​1191
• include an extra attribute in the trace log for debugging by @​lestrrat in #​1192
• remove old references and unused files by @​lestrrat in #​1193
• Bump golang.org/x/crypto from 0.26.0 to 0.27.0 by @​dependabot in #​1185
• cleanup docs, options around cache by @​lestrrat in #​1194
• autodoc updates by @​github-actions in #​1195
• fix docs by @​lestrrat in #​1196
• Bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot in #​1197
• Allow flexible key usage values by @​lestrrat in #​1198
• Remove assert by @​lestrrat in #​1200
• Convert jwa constants to function calls returning objects by @​lestrrat in #​1203
• Mention RegisterKeyUsage by @​lestrrat in #​1201
• autodoc updates by @​github-actions in #​1206
• Change accessors in jwk to return (T, bool) by @​lestrrat in #​1207
• autodoc updates by @​github-actions in #​1211
• Bump golang.org/x/crypto from 0.27.0 to 0.28.0 by @​dependabot in #​1210
• Change JWT accessors from returning T to returning (T, bool) by @​lestrrat in #​1212
• autodoc updates by @​github-actions in #​1213
• update comments to include iat (#​1216) by @​lestrrat in #​1217
• Rename the old WithMaxBufferSize option as previously warned by @​lestrrat in #​1218
• Streamline errors by @​lestrrat in #​1220
• autodoc updates by @​github-actions in #​1221
• allow passing context.Contex to jwe.Decrypt by @​lestrrat in #​1222
• Remove non-applicable comment by @​lestrrat in #​1224
• fix document by @​lestrrat in #​1226
• Remove jws.WithHeaders by @​lestrrat in #​1227
• tweak badge URL by @​lestrrat in #​1228
• Add quid pro quo in README by @​lestrrat in #​1225
• Update serialize.go by @​lestrrat in #​1234
• Lint fix by @​lestrrat in #​1235
• Bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @​dependabot in #​1231
• Change random big value to math.MaxInt by @​lestrrat in #​1241
• Bump pozil/auto-assign-issue from 2.0.0 to 2.0.1 by @​dependabot in #​1238
• Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in #​1245
• Bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 by @​dependabot in #​1269
• Bump pozil/auto-assign-issue from 2.0.1 to 2.1.2 by @​dependabot in #​1261
• Bump golang.org/x/crypto from 0.29.0 to 0.32.0 by @​dependabot in #​1263
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in #​1272
• [v3] Fixes to work with go1.24 by @​lestrrat in #​1299
• autodoc updates by @​github-actions in #​1300
• Bump pozil/auto-assign-issue from 2.1.2 to 2.2.0 by @​dependabot in #​1279
• Develop v3 actions cache by @​lestrrat in #​1303
• Bump golangci/golangci-lint-action from 6.2.0 to 6.5.0 by @​dependabot in #​1290
• Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.3.0 to 4.4.0 by @​dependabot in #​1293
• Bump golang.org/x/crypto from 0.32.0 to 0.34.0 by @​dependabot in #​1297
• Bump golang.org/x/crypto from 0.34.0 to 0.35.0 by @​dependabot in #​1307
• jws/jwe: split token into fixed number of parts by @​drakkan in #​1308
• [jwk] Change ecdh importer/exporter by @​lestrrat in #​1315
• Bump golang.org/x/crypto from 0.35.0 to 0.36.0 by @​dependabot in #​1312
• Bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in #​1316
• Change default behavior around truncation of time fields by @​lestrrat in #​1318
• Bump golangci/golangci-lint-action from 6.5.1 to 6.5.2 by @​dependabot in #​1320
• Tweaks on #​1322 by @​lestrrat in #​1323
• Bump golangci/golangci-lint-action from 6.5.2 to 7.0.0 by @​dependabot in #​1325
• Implement AWS ALB User Claims parser by @​lestrrat in #​1328
• Add docs for WithBase64Encoder by @​lestrrat in #​1329
• autodoc updates by @​github-actions in #​1330
• avoid internal module by @​lestrrat in #​1331
• Clear key.Precomputed values before testing equality by @​lestrrat in #​1333
• autodoc updates by @​github-actions in #​1332
• autodoc updates by @​github-actions in #​1334

New Contributors

• @​Hannes-Kunnen made their first contribution in #​1142
• @​maro114510 made their first contribution in #​1145
• @​kg0r0 made their first contribution in #​1174
• @​drakkan made their first contribution in #​1308

Full Changelog: lestrrat-go/jwx@v2.1.0...v3.0.0

v2.1.6

Compare Source

What's Changed

Please read the Changes file and upgrade accordingly, especially if you are using the following combinations for JWE:

• DIRECT mode content encryption
• Using A256CBC_HS512
• With an erroneously created CEK of exactly 32-bytes.

---

• jws: backport jws parsing ehancements by @​lestrrat in #​1363
• [v2] Backport #​1367 by @​lestrrat in #​1368

Full Changelog: lestrrat-go/jwx@v2.1.5...v2.1.6

v2.1.5

Compare Source

What's Changed

• jws/jwe: split token into fixed number of parts (#​1308) by @​lestrrat in #​1309
• Bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in #​1317
• Bump golangci/golangci-lint-action from 6.5.1 to 6.5.2 by @​dependabot in #​1319
• Bump golangci/golangci-lint-action from 6.5.2 to 7.0.0 by @​dependabot in #​1327
• Remove use of go1.22 in CI by @​lestrrat in #​1356
• v2: jws/jwe: split token into fixed number of parts (#​1308) by @​lestrrat in #​1355
• Bump github.com/lestrrat-go/blackmagic from 1.0.2 to 1.0.3 by @​dependabot in #​1354
• autodoc updates by @​github-actions in #​1359

Full Changelog: lestrrat-go/jwx@v2.1.4...v2.1.5

v2.1.4

Compare Source

What's Changed

• Bump pozil/auto-assign-issue from 2.0.0 to 2.0.1 by @​dependabot in #​1237
• Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in #​1243
• Bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 by @​dependabot in #​1268
• Bump pozil/auto-assign-issue from 2.0.1 to 2.1.2 by @​dependabot in #​1260
• Bump golang.org/x/crypto from 0.29.0 to 0.32.0 by @​dependabot in #​1262
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in #​1271
• [v2] Fixes to work with go1.24 by @​lestrrat in #​1298
• autodoc updates by @​github-actions in #​1301
• Bump pozil/auto-assign-issue from 2.1.2 to 2.2.0 by @​dependabot in #​1276
• Develop v2 actions cache by @​lestrrat in #​1302
• Bump golangci/golangci-lint-action from 6.2.0 to 6.5.0 by @​dependabot in #​1289
• Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.3.0 to 4.4.0 by @​dependabot in #​1291

Full Changelog: lestrrat-go/jwx@v2.1.3...v2.1.4

v2.1.3

Compare Source

What's Changed

• Remove non-applicable comment by @​lestrrat in #​1223
• Bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @​dependabot in #​1232
• Change random big value to math.MaxInt by @​lestrrat in #​1242

Full Changelog: lestrrat-go/jwx@v2.1.2...v2.1.3

v2.1.2

Compare Source

What's Changed

• Bump golang.org/x/crypto from 0.25.0 to 0.26.0 by @​dependabot in #​1168
• Fix document of how to parse PEM via CLI by @​kg0r0 in #​1174
• Wrap the errors from functions called within ParseRequest by @​lestrrat in #​1176
• V2 modernize workflows by @​lestrrat in #​1182
• Dependabot fixes for v2 by @​lestrrat in #​1183
• Use variable by @​lestrrat in #​1186
• Bump golang.org/x/crypto from 0.26.0 to 0.27.0 by @​dependabot in #​1177
• Bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot in #​1199
• Bump golang.org/x/crypto from 0.27.0 to 0.28.0 by @​dependabot in #​1208
• update comments to include iat by @​cscochris in #​1216

New Contributors

• @​kg0r0 made their first contribution in #​1174
• @​cscochris made their first contribution in #​1216

Full Changelog: lestrrat-go/jwx@v2.1.1...v2.1.2

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 6 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.19 -> 1.24.0
github.com/decred/dcrd/dcrec/secp256k1/v4	v4.3.0 -> v4.4.0
github.com/lestrrat-go/blackmagic	v1.0.2 -> v1.0.4
github.com/segmentio/asm	v1.2.0 -> v1.2.1
golang.org/x/crypto	v0.25.0 -> v0.43.0
golang.org/x/net	v0.21.0 -> v0.45.0
golang.org/x/sys	v0.22.0 -> v0.37.0

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​lestrrat-go/​jwx/​v3@​v3.0.13
	github.com/​lestrrat-go/​jwx/​v2@​v2.1.1 ⏵ v2.1.6	+1

View full report

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 6 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.19 -> 1.24.0
github.com/decred/dcrd/dcrec/secp256k1/v4	v4.3.0 -> v4.4.0
github.com/lestrrat-go/blackmagic	v1.0.2 -> v1.0.4
github.com/segmentio/asm	v1.2.0 -> v1.2.1
golang.org/x/crypto	v0.25.0 -> v0.46.0
golang.org/x/net	v0.21.0 -> v0.47.0
golang.org/x/sys	v0.22.0 -> v0.39.0