Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] (forgejo) (#7296)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) | require | patch | `v5.2.1` -> `v5.2.2` |
---
### jwt-go allows excessive memory allocation during header parsing
[CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) / [GHSA-mh63-6h87-95cp](https://github.com/advisories/GHSA-mh63-6h87-95cp)
<details>
<summary>More information</summary>
#### Details
##### Summary
Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods.
As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)
##### Details
See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)
##### Impact
Excessive memory allocation
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
#### References
- [https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp](https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp)
- [https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3](https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3)
- [https://github.com/golang-jwt/jwt](https://github.com/golang-jwt/jwt)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary>
### [`v5.2.2`](https://github.com/golang-jwt/jwt/releases/tag/v5.2.2)
[Compare Source](https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2)
#### What's Changed
- Fixed https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp by [@mfridman](https://github.com/mfridman)
- Fixed some typos by [@Ashikpaul](https://github.com/Ashikpaul) in https://github.com/golang-jwt/jwt/pull/382
- build: add go1.22 to ci workflows by [@mfridman](https://github.com/mfridman) in https://github.com/golang-jwt/jwt/pull/383
- Bump golangci/golangci-lint-action from 4 to 5 by [@dependabot](https://github.com/dependabot) in https://github.com/golang-jwt/jwt/pull/387
- Bump golangci/golangci-lint-action from 5 to 6 by [@dependabot](https://github.com/dependabot) in https://github.com/golang-jwt/jwt/pull/389
- chore: bump ci tests to include go1.23 by [@mfridman](https://github.com/mfridman) in https://github.com/golang-jwt/jwt/pull/405
- Fix jwt -show by [@AlexanderYastrebov](https://github.com/AlexanderYastrebov) in https://github.com/golang-jwt/jwt/pull/406
- docs: typo by [@kvii](https://github.com/kvii) in https://github.com/golang-jwt/jwt/pull/407
- Update SECURITY.md by [@oxisto](https://github.com/oxisto) in https://github.com/golang-jwt/jwt/pull/416
- Update `jwt.Parse` example to use `jwt.WithValidMethods` by [@mattt](https://github.com/mattt) in https://github.com/golang-jwt/jwt/pull/425
#### New Contributors
- [@Ashikpaul](https://github.com/Ashikpaul) made their first contribution in https://github.com/golang-jwt/jwt/pull/382
- [@kvii](https://github.com/kvii) made their first contribution in https://github.com/golang-jwt/jwt/pull/407
- [@mattt](https://github.com/mattt) made their first contribution in https://github.com/golang-jwt/jwt/pull/425
**Full Changelog**: https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7296
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
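As an added example (not code from the jwt library, the fixing commit, or this PR), the bounded three-segment splitter below replaces the `strings.Split` pattern the advisory describes, paired with a length cap on the `Authorization` header as a defence-in-depth check. The names `splitBounded` and `bearerToken` and the 8192-byte limit are assumptions for illustration, not the library's own fix.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformed: input is not exactly three dot-separated segments.
var ErrMalformed = errors.New("token is malformed: expected exactly 3 segments")

// splitBounded replaces the strings.Split call the advisory describes. Split
// allocates a 16-byte string header per period before the segment count is
// checked, so n periods cost about 16*n bytes (the advisory's O(n) with a
// constant of ~16). Here the two separators are found by index scan and only a
// fixed three-element slice is allocated; any third period rejects the token.
func splitBounded(token string) ([]string, error) {
	first := strings.IndexByte(token, '.')
	if first < 0 {
		return nil, ErrMalformed
	}
	rest := token[first+1:]
	second := strings.IndexByte(rest, '.')
	if second < 0 || strings.IndexByte(rest[second+1:], '.') >= 0 {
		return nil, ErrMalformed
	}
	return []string{token[:first], rest[:second], rest[second+1:]}, nil
}

// bearerToken strips "Bearer " and caps the token length before any parsing,
// a defence-in-depth bound that holds even with an unpatched splitter.
// maxLen is a constructed example limit, not a value from the advisory.
func bearerToken(header string, maxLen int) (string, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return "", errors.New("not a bearer token")
	}
	if tok := header[len("Bearer "):]; len(tok) <= maxLen {
		return tok, nil
	}
	return "", fmt.Errorf("token exceeds %d bytes", maxLen)
}

func main() {
	// Constructed inputs: the header shape the advisory describes and a well-formed token.
	_, err := bearerToken("Bearer "+strings.Repeat(".", 1<<16), 8192)
	fmt.Println("oversized token:", err)
	parts, _ := splitBounded("aGVhZGVy.cGF5bG9hZA.c2ln")
	fmt.Println(len(parts), "segments")
}
```

Upgrading to v5.2.2 is the actual fix; the length cap is worth keeping at the HTTP layer regardless, since it bounds work before any library code sees the header.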