
build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 in /services/github-bot #58

Merged
angristan merged 1 commit into master from dependabot/go_modules/services/github-bot/github.com/golang-jwt/jwt/v4-4.5.2
Feb 17, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Feb 16, 2026

Bumps github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2.

Release notes

Sourced from github.com/golang-jwt/jwt/v4's releases.

v4.5.2

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) Feb 16, 2026
@angristan
Owner

@netclode Can you review this dependency update and check if it introduces any breaking changes?

@angristan
Owner

@netclode Can you review this dependency update?

@angristan
Owner

@netclode ping

@netclode

netclode bot commented Feb 16, 2026

Netclode encountered an error: receive: unknown: HTTP status 505 HTTP Version Not Supported

@angristan
Owner

@netclode Can you review this dependency update?

@netclode

netclode bot commented Feb 16, 2026

Invalid API key · Fix external API key

@angristan
Owner

@netclode hello

@netclode

netclode bot commented Feb 16, 2026

Hello! 👋

I see this is a Dependabot security update for github.com/golang-jwt/jwt/v4 from v4.5.1 to v4.5.2. This update addresses a security advisory (GHSA-mh63-6h87-95cp).

Would you like me to:

  1. Review this dependency update for breaking changes?
  2. Verify the build still works with the updated dependency?

Let me know how I can help!

@angristan
Owner

@netclode Review this dependency update. Check for breaking changes and run the tests.

@netclode

netclode bot commented Feb 16, 2026

Dependency Update Review: github.com/golang-jwt/jwt/v4 v4.5.1 → v4.5.2

Security Advisory

This is a security patch addressing CVE-2025-30204 (GHSA-mh63-6h87-95cp):

Attribute   Value
Severity    High (CVSS 7.5)
Impact      Availability (DoS via memory exhaustion)
CWE         CWE-405 (Asymmetric Resource Consumption)

Vulnerability: The ParseUnverified function used strings.Split() on untrusted JWT data. An attacker could send a malicious token containing many period characters, triggering O(n) memory allocations (~16 bytes per character) and causing memory exhaustion.

Breaking Changes Analysis

None expected.

  • The jwt/v4 library is an indirect dependency in this project, pulled in through github.com/bradleyfalzon/ghinstallation/v2 for GitHub App authentication
  • The github-bot service does not directly import or use JWT APIs
  • This is a patch release (v4.5.1 → v4.5.2) containing only the security fix with no API changes

Test Results

?   github.com/angristan/netclode/services/github-bot/cmd/github-bot       [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/config      [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/controlplane [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/ghclient    [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/prompt      [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/server      [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/store       [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/webhook     [no test files]
?   github.com/angristan/netclode/services/github-bot/internal/workflow    [no test files]

No test files exist for the github-bot service, but all packages compile without errors.

Build Verification

  • go mod verify - All module checksums verified
  • go build ./cmd/github-bot - Binary built successfully (31MB)

Recommendation

Safe to merge. This is a straightforward security patch with no breaking changes. The updated dependency addresses a High severity DoS vulnerability while maintaining full API compatibility.

@angristan
Owner

@netclode /review-dep-bump

@netclode

netclode bot commented Feb 16, 2026

Now I'll post the review to the PR. Unable to post directly to GitHub (insufficient permissions). Here's the review:


Dependency Update Review

Field       Value
Package     github.com/golang-jwt/jwt/v4
Version     4.5.1 → 4.5.2
Bump type   Patch
CVE         CVE-2025-30204 (High, CVSS 7.5)

Security Advisory

Security patch fixing a DoS vulnerability in ParseUnverified. Malicious JWTs with many periods could cause excessive memory allocation (O(n) bytes).

Impact Analysis

  • Indirect dependency — pulled in by github.com/bradleyfalzon/ghinstallation/v2 for GitHub App authentication (internal/ghclient/ghclient.go:22)
  • No direct usage of jwt package in codebase
  • Risk is limited since JWT parsing occurs on GitHub's auth tokens, not arbitrary user input

Verification

  • ✅ Build passes
  • ⚠️ No tests in service (nothing to run)

Verdict: Safe to merge

Patch-level security fix for an indirect dependency. No breaking changes. Recommend merging promptly.

@angristan
Owner

@netclode /review-dep-bump

@netclode

netclode bot commented Feb 16, 2026

Dependency Update Review: github.com/golang-jwt/jwt/v4

Update Summary

Field         Value
Package       github.com/golang-jwt/jwt/v4
Old Version   4.5.1
New Version   4.5.2
Bump Type     Patch

Security Advisory

CVE-2025-30204 (High severity, CVSS 7.5)

ParseUnverified used strings.Split() on untrusted input, allowing attackers to trigger excessive memory allocation with tokens containing many periods (e.g., Bearer ......................). This is an asymmetric resource consumption vulnerability (CWE-405).

What Changed in the Dependency

The fix replaces strings.Split(tokenString, ".") with a bounded splitToken() function that:

  • Uses strings.Cut() to extract exactly 3 parts
  • Rejects malformed tokens immediately without allocating unbounded slices
  • Returns nil instead of a large slice for invalid input
-parts = strings.Split(tokenString, ".")
-if len(parts) != 3 {
+parts, ok = splitToken(tokenString)
+if !ok {
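Review bot: the plain `=` in `parts, ok = splitToken(tokenString)` means `ok` must already be declared in scope, and the removed line also assigned `parts` without `:=`, which points at `parts` being a named return; the `var ok bool` that makes the new line compile and the error return inside `if !ok {` both lie outside the four lines quoted, so the excerpt is not self-contained. The `len(parts) != 3` guard also disappears entirely, so the exactly-three-segments invariant now rests on splitToken alone; to show the fix closes the many-periods case, quote the part of splitToken that fails on a period after the second one, which the bullet above ("exactly 3 parts") asserts but the hunk does not demonstrate.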

Impact Analysis

Dependency Chain:

github-bot → ghinstallation/v2 → golang-jwt/jwt/v4

  • JWT is an indirect dependency via bradleyfalzon/ghinstallation/v2 (GitHub App auth)
  • The codebase uses ghinstallation.New() which handles JWT internally
  • No direct calls to ParseUnverified in this repository
  • ghinstallation uses JWT for signing App authentication tokens, not parsing untrusted tokens

Test Results

Check           Result
Build           ✅ Pass
Module verify   ✅ Pass
Tests           ⚠️ No test files

Verdict: Safe to merge

This is a security patch for a high-severity DoS vulnerability. While the vulnerable function ParseUnverified isn't directly used by this codebase, updating transitive dependencies for security fixes is best practice. The change is minimal and API-compatible.
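To make the advisory concrete outside the thread, here is an added, stand-alone Go example (not code from golang-jwt/jwt or from this repository) that places the unbounded strings.Split splitter beside a bounded three-Cut splitter of the kind the review above describes, and measures the heap bytes each one allocates for a token made only of periods, the input shape the advisory covers. The function names splitUnbounded, splitBounded and bytesAllocated are this example's own, the hostile token is constructed inline, and the bounded splitter is a reimplementation of the described approach rather than the library's splitToken.

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
)

// splitUnbounded mirrors the pre-4.5.2 behaviour: strings.Split materialises
// every segment as a string header (16 bytes each on 64-bit Go) before the
// segment count is checked, so a token that is mostly periods costs O(n)
// heap memory just to be rejected.
func splitUnbounded(token string) ([]string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, false
	}
	return parts, true
}

// splitBounded is this example's reimplementation of the bounded approach the
// review describes: three strings.Cut calls peel off header, claims and
// signature, and a token with fewer than two periods, or with any period after
// the second one, is rejected without allocating anything sized to the input.
func splitBounded(token string) ([]string, bool) {
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return nil, false
	}
	claims, rest, ok := strings.Cut(rest, ".")
	if !ok {
		return nil, false
	}
	// A third period would mean a fourth segment; fail instead of truncating.
	signature, _, extra := strings.Cut(rest, ".")
	if extra {
		return nil, false
	}
	return []string{header, claims, signature}, true
}

// bytesAllocated reports the heap bytes one call of split allocates for token.
// MemStats.TotalAlloc is cumulative, so the difference is not disturbed by a
// garbage collection happening between the two readings.
func bytesAllocated(split func(string) ([]string, bool), token string) uint64 {
	var before, after runtime.MemStats
	runtime.ReadMemStats(&before)
	split(token)
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

func main() {
	// Constructed hostile input: a "token" made of nothing but separators.
	hostile := strings.Repeat(".", 100_000)
	fmt.Printf("strings.Split on %d periods: %d bytes allocated\n",
		len(hostile), bytesAllocated(splitUnbounded, hostile))
	fmt.Printf("bounded split on %d periods:  %d bytes allocated\n",
		len(hostile), bytesAllocated(splitBounded, hostile))

	// Both splitters agree on well-formed and malformed tokens; only the
	// cost of reaching the verdict differs.
	for _, tok := range []string{"hdr.claims.sig", "hdr.claims", "hdr.claims.sig.extra"} {
		_, a := splitUnbounded(tok)
		_, b := splitBounded(tok)
		fmt.Printf("%-22q unbounded=%v bounded=%v\n", tok, a, b)
	}
}
```

Run it with `go run .` to see the allocation gap: the Split-based splitter allocates roughly 16 bytes per period before it can say "malformed", while the Cut-based one returns false having allocated nothing, which is the whole of the fix. The bounded version also rejects a fourth segment explicitly, so the 3-segment invariant that the removed `len(parts) != 3` check used to enforce still holds.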

@angristan
Copy link
Owner

@dependabot rebase

Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.5.1 to 4.5.2.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v4.5.1...v4.5.2)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-version: 4.5.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/services/github-bot/github.com/golang-jwt/jwt/v4-4.5.2 branch from f8b6a88 to da69734 February 17, 2026 17:37
@netclode

netclode bot commented Feb 17, 2026

Invalid API key · Fix external API key

@angristan angristan merged commit 15b9dbd into master Feb 17, 2026
2 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/services/github-bot/github.com/golang-jwt/jwt/v4-4.5.2 branch February 17, 2026 18:06