fix: upgrade deprecated JWT and JOSE libraries (CVE-2024-51744) #1670

Open · rohilsurana wants to merge 1 commit into main from fix/upgrade-deprecated-jwt-jose-deps

Conversation

@rohilsurana (Member)

Summary

  • Upgrades github.com/oauth2-proxy/mockoidc to latest commit (2024-02-14) which migrated from deprecated github.com/golang-jwt/jwt v3 and unmaintained gopkg.in/square/go-jose.v2 to github.com/golang-jwt/jwt/v5 and github.com/go-jose/go-jose/v3
  • Upgrades github.com/golang-jwt/jwt/v5 from v5.0.0 to v5.3.1 (resolves CVE-2024-51744 audience claim validation bypass)
  • Upgrades github.com/lestrrat-go/jwx/v2 from v2.0.21 to v2.1.6 (primary JWT library)
  • Upgrades github.com/go-webauthn/webauthn from v0.8.6 to v0.11.2

Removed deprecated/unmaintained dependencies

  • github.com/golang-jwt/jwt v3.2.2+incompatible (deprecated v1/v3 with CVE-2024-51744)
  • gopkg.in/square/go-jose.v2 v2.6.0 (unmaintained, replaced by go-jose/go-jose/v3)

Test plan

  • go build ./... passes
  • go vet ./... passes
  • go test ./core/... passes
  • go test ./internal/... passes
  • go mod tidy produces clean state
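The PR description above ties CVE-2024-51744 to audience (`aud`) claim validation. The block below is an added example, not code from this PR, from the frontier project, or from any of the libraries named here, and it does not reproduce the defect of any particular jwt/v5 release; it shows, with the Go standard library only, the class of check a JWT consumer has to get right whichever library does the parsing: a permissive audience check (missing `aud` accepted, values matched by substring) beside a strict one (claim required, exact string match, `aud` accepted as either a string or an array per RFC 7519), run over constructed unsigned tokens. `makeToken`, `decodeClaims`, `weakAudienceOK` and `strictAudienceOK` are names chosen for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Audience models the RFC 7519 "aud" claim, which may be one string or an array
// of strings; UnmarshalJSON accepts both encodings and rejects anything else.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

type claims struct {
	Audience Audience `json:"aud"`
}

// makeToken builds a constructed, unsigned compact JWS (header.payload.signature)
// for the demo; the signature segment is a placeholder and is never checked.
func makeToken(payloadJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc([]byte(payloadJSON)) + "." + enc([]byte("sig"))
}

// decodeClaims reads the payload segment WITHOUT verifying the signature. It only
// feeds the checks below; a real consumer verifies the signature before any claim.
func decodeClaims(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// weakAudienceOK is the permissive pattern: a missing aud is treated as "any
// audience" and present values match by substring, so a token minted for another
// service, or for no service at all, passes.
func weakAudienceOK(c *claims, expected string) bool {
	if len(c.Audience) == 0 {
		return true
	}
	for _, aud := range c.Audience {
		if strings.Contains(aud, expected) {
			return true
		}
	}
	return false
}

// strictAudienceOK requires aud to be present and to contain the expected value
// as an exact string (aud is not a secret, so a plain comparison is fine).
func strictAudienceOK(c *claims, expected string) bool {
	if expected == "" || len(c.Audience) == 0 {
		return false
	}
	for _, aud := range c.Audience {
		if aud == expected {
			return true
		}
	}
	return false
}

func main() {
	// Constructed payloads: exact match, array match, no aud, substring-only match.
	for _, p := range []string{`{"aud":"frontier"}`, `{"aud":["billing","frontier"]}`, `{"iss":"https://idp.example"}`, `{"aud":"frontier-admin"}`} {
		c, _ := decodeClaims(makeToken(p))
		fmt.Printf("%-32s weak=%-5v strict=%v\n", p, weakAudienceOK(c, "frontier"), strictAudienceOK(c, "frontier"))
	}
}
```

Both libraries kept by this PR expose the strict rule as an opt-in parser/validator option named `jwt.WithAudience` (in github.com/golang-jwt/jwt/v5 and in github.com/lestrrat-go/jwx/v2); the point of the example is that the check is only as good as the caller's decision to enable it and to pass the exact audience value the token was minted for.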

@vercel

vercel Bot commented Jun 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: frontier · Deployment: Ready · Actions: Preview, Comment · Updated (UTC): Jun 3, 2026 4:42pm

@coderabbitai (Contributor)

coderabbitai Bot commented Jun 3, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated internal dependencies to improve security, performance, and compatibility across the application.

Walkthrough

This PR updates Go module dependencies in go.mod, bumping direct authentication libraries (webauthn v0.8.6→v0.11.2, jwx/v2 v2.0.21→v2.1.6, mockoidc), upgrading related indirect authentication tooling (jwt/v5, go-tpm, cbor, webauthn/x), removing obsolete go-jose, and incrementing other transitive cryptography and utility library versions.

Changes

Dependency Version Updates

  • Direct authentication dependencies (go.mod): main require block upgrades for webauthn (v0.8.6→v0.11.2), jwx/v2 (v2.0.21→v2.1.6), and mockoidc to newer versions.
  • Indirect authentication and cryptography tooling (go.mod): transitive indirect dependencies upgraded (jwt/v5, go-tpm, cbor, webauthn/x) and obsolete gopkg.in/square/go-jose.v2 removed from indirect requires.
  • Other transitive library updates (go.mod): remaining indirect version bumps for secp256k1 (v4.2.0→v4.4.0), goccy/go-json (v0.10.2→v0.10.3), and lestrrat-go libraries (blackmagic v1.0.2→v1.0.3, httprc v1.0.5→v1.0.6).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • rsbh
  • whoAbhishekSah
  • AmanGIT07
🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coveralls

coveralls commented Jun 3, 2026

Coverage Report for CI Build 26899180527

Coverage remained the same at 43.153%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 38000
Covered Lines: 16398
Line Coverage: 43.15%
Coverage Strength: 12.09 hits per line

💛 - Coveralls

@rohilsurana rohilsurana force-pushed the fix/upgrade-deprecated-jwt-jose-deps branch from ecaa4d0 to c81ea47 Compare June 3, 2026 16:41
@rohilsurana rohilsurana marked this pull request as ready for review June 3, 2026 16:45

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c02ffeb4-1609-4b66-b239-70f9bbd834cc

📥 Commits

Reviewing files that changed from the base of the PR and between c2f9a2c and c81ea47.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/ghodss/yaml v1.0.0
github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48
github.com/go-webauthn/webauthn v0.8.6
github.com/go-webauthn/webauthn v0.11.2
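Review bot: this hunk moves github.com/go-webauthn/webauthn from v0.8.6 to v0.11.2 while go.mod is the only file in the change, so nothing in the diff records how the repo's webauthn call sites were reconciled with the v0.11.0 breaking changes the review comment lists (WebAuthnIcon removed from the User interface, Config fields RPIcon/RPOrigin/Timeout removed). If the build passes with no source edits, the code never referenced those members; state that in the PR body so the next bump does not have to rediscover it. Given that the same comment puts the current stable at v0.17.4 and this is a pre-1.0 module with no compatibility promise between minors, consider whether landing at v0.11.2 and then jumping again is cheaper than one audited move.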
⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify CVE-2024-51744 fix and check for security advisories

echo "=== Checking CVE-2024-51744 fix version ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/golang-jwt/jwt/v5") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
        identifiers {
          type
          value
        }
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo -e "\n=== Checking for advisories on upgraded packages ==="
for pkg in "github.com/go-webauthn/webauthn" "github.com/lestrrat-go/jwx/v2" "github.com/oauth2-proxy/mockoidc"; do
  echo "Checking $pkg..."
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 5, ecosystem: GO, package: \"$pkg\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
        firstPatchedVersion {
          identifier
        }
      }
    }
  }"
done

Repository: raystack/frontier

Length of output: 1786


🏁 Script executed:

#!/bin/bash
# Check for breaking changes in webauthn v0.8.6 -> v0.11.2

echo "=== Searching for webauthn release notes and breaking changes ==="
echo "Checking v0.9.0, v0.10.0, v0.11.0, v0.11.2 release notes..."

for version in v0.9.0 v0.10.0 v0.11.0 v0.11.2; do
  echo -e "\n--- Release $version ---"
  gh api repos/go-webauthn/webauthn/releases/tags/$version --jq '.body' 2>/dev/null || echo "Release notes not found"
done

Repository: raystack/frontier

Length of output: 7492


🌐 Web query:

What is the latest stable version of github.com/go-webauthn/webauthn, github.com/lestrrat-go/jwx/v2, and github.com/golang-jwt/jwt/v5?

💡 Result:

As of June 3, 2026, the latest stable versions for the requested Go modules are as follows: - github.com/go-webauthn/webauthn: The latest stable version is v0.17.4 [1]. - github.com/lestrrat-go/jwx/v2: The latest stable version is v2.1.6 [2][3]. - github.com/golang-jwt/jwt/v5: The latest stable version is v5.3.1 [4][5][6].

Fix CVE claim and re-check webauthn breaking-change compatibility for the go.mod upgrades

  • CVE-2024-51744 / jwt/v5: security advisory data for github.com/golang-jwt/jwt/v5 returned no entries for CVE-2024-51744 (it only surfaced CVE-2025-30204, patched in 5.2.2), so the “fixed by v5.3.1” claim isn’t supported by the advisory results.
  • webauthn breaking changes (upgrade to github.com/go-webauthn/webauthn v0.11.2): v0.11.0 release notes list multiple BREAKING CHANGES (including removal of WebAuthnIcon from the User interface, removal of Config fields like RPIcon/RPOrigin/Timeout, removal of Transports, stricter CredentialFlags BE/BS validation, metadata rework, and default modality behavior changes). The repo should be checked against these specific API changes.
  • Security patch currency: github.com/go-webauthn/webauthn latest stable is v0.17.4 (current is v0.11.2). jwx/v2 and jwt/v5 are already at latest stable (v2.1.6, v5.3.1).
  • Deprecated deps removal: ensure removal of deprecated jwt/v3 / go-jose.v2 is complete beyond direct go.mod requires (e.g., via go mod tidy / transitive graph checks), since current evidence only covers advisories and release notes.
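The last bullet above asks for the removal of jwt v3 and go-jose.v2 to be confirmed beyond the direct `require` block, that is, across the whole module graph. The block below is an added example and is not part of this PR or of the frontier repository: it takes `go mod graph` output, builds the reverse import map, and prints the chain from the main module to any retired module still present. The graph it runs on is a constructed sample (module github.com/example/app with a made-up github.com/example/legacy dependency; the mockoidc and go-jose/v3 version strings are placeholders, not the versions this PR resolved to), so it is not the real frontier graph. `retiredModules`, `parseGraph`, `chainTo` and `findRetired` are names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// retiredModules are the module paths the PR says it removed. The golang-jwt v3
// path has no /v3 suffix because it was consumed as an +incompatible module.
var retiredModules = []string{
	"github.com/golang-jwt/jwt",
	"gopkg.in/square/go-jose.v2",
}

// sampleGraph is a CONSTRUCTED `go mod graph` excerpt, not the frontier graph.
// Each line is "<importer> <imported>"; the main module carries no @version.
// github.com/example/legacy is made up and still drags jwt v3 in indirectly.
const sampleGraph = `github.com/example/app github.com/lestrrat-go/jwx/v2@v2.1.6
github.com/example/app github.com/go-webauthn/webauthn@v0.11.2
github.com/example/app github.com/oauth2-proxy/mockoidc@v0.0.0-placeholder
github.com/example/app github.com/example/legacy@v1.0.0
github.com/oauth2-proxy/mockoidc@v0.0.0-placeholder github.com/golang-jwt/jwt/v5@v5.3.1
github.com/oauth2-proxy/mockoidc@v0.0.0-placeholder github.com/go-jose/go-jose/v3@v3.0.0-placeholder
github.com/example/legacy@v1.0.0 github.com/golang-jwt/jwt@v3.2.2+incompatible
`

// parseGraph builds the reverse adjacency (imported node -> its importers),
// keeping input order so the reported chain is deterministic.
func parseGraph(graph string) map[string][]string {
	rev := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 {
			rev[f[1]] = append(rev[f[1]], f[0])
		}
	}
	return rev
}

// modulePath strips the "@version" suffix from a graph node.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// chainTo walks importers from node back to the main module (the only node
// without an @version) and returns one chain, main module first. The seen set
// guards against cycles, which go mod graph can legitimately contain.
func chainTo(rev map[string][]string, node string) []string {
	chain := []string{node}
	seen := map[string]bool{node: true}
	for cur := node; strings.Contains(cur, "@"); {
		importers := rev[cur]
		if len(importers) == 0 || seen[importers[0]] {
			break
		}
		cur = importers[0]
		seen[cur] = true
		chain = append([]string{cur}, chain...)
	}
	return chain
}

// findRetired maps every graph node whose module path is retired to the chain
// that pulls it in. An empty result means the removal is complete.
func findRetired(graph string, retired []string) map[string][]string {
	rev := parseGraph(graph)
	found := map[string][]string{}
	for node := range rev {
		for _, r := range retired {
			if modulePath(node) == r {
				found[node] = chainTo(rev, node)
			}
		}
	}
	return found
}

func main() {
	found := findRetired(sampleGraph, retiredModules)
	if len(found) == 0 {
		fmt.Println("retired modules are gone from the graph")
	}
	for node, chain := range found {
		fmt.Printf("%s is still required via:\n  %s\n", node, strings.Join(chain, " -> "))
	}
}
```

On the real repository the same question is answered by `go mod graph` piped into this program, or by `go mod why -m github.com/golang-jwt/jwt gopkg.in/square/go-jose.v2`, which prints "(main module does not need module ...)" once nothing in the build list requires them; `govulncheck ./...` then reports whether any vulnerable function in the remaining graph is actually reachable, which is a stronger statement than a version comparison against an advisory.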

@rohilsurana rohilsurana enabled auto-merge (squash) June 3, 2026 16:58