Handle vulnerabilty against CVE-2025-30204 (!5481) · Merge requests · GitLab.org / gitlab-runner · GitLab

What does this MR do?

Handle vulnerabilty against CVE-2025-30204

Bump github.com/golang-jwt/jwt/v5 to v5.2.2, which we need for managing caches on Azure:

; go mod why github.com/golang-jwt/jwt/v5
# github.com/golang-jwt/jwt/v5
gitlab.com/gitlab-org/gitlab-runner/cache/azure
github.com/Azure/azure-sdk-for-go/sdk/azidentity
github.com/Azure/azure-sdk-for-go/sdk/azidentity.test
github.com/golang-jwt/jwt/v5
;

Why was this MR needed?

To not be vulnerable against CVE-2025-30204.

What's the best way to test this MR?

See the pipeline go green

What are the relevant issue numbers?

related: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/38690

Edited Apr 01, 2025 by Hannes Hörl