deps: Upgrade 9 packages to remove 21 vulnerabilities

[BacklineAI]

🔐 Security Vulnerability Fixes

✅ This pull request was created and verified by Backline to fix security vulnerabilities in your dependencies.

---

📦 Package Updates & Vulnerability Fixes

github.com/getkin/kin-openapi

v0.117.0 → v0.131.0

• 🟧 CVE-2025-30153 - github.com/getkin/kin-openapi/openapi3filter: Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter.

github.com/golang-jwt/jwt/v4

v4.5.0 → v4.5.2 (Recommended: <= 4.5.2)

• 🟧 CVE-2025-30204 - golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing.
• 🟦 CVE-2024-51744 - golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt.

github.com/golang-jwt/jwt/v5

v5.0.0 → v5.2.2 (Recommended: <= 5.2.2)

• 🟧 CVE-2025-30204 - golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing.

github.com/ulikunitz/xz

v0.5.11 → v0.5.15 (Recommended: <= 0.5.15)

• 🟨 CVE-2025-58058 - github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory.

golang.org/x/crypto

v0.23.0 → v0.39.0

• 🟥 CVE-2024-45337 - golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto.
• 🟧 CVE-2025-22869 - golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh.
• 🟨 CVE-2025-47914 - golang.org/x/crypto/ssh/agent: in golang.org/x/crypto/ssh/agent.
• 🟨 CVE-2025-58181 - golang.org/x/crypto/ssh: in golang.org/x/crypto/ssh.

golang.org/x/image

v0.6.0 → v0.18.0 (Recommended: <= 0.18.0)

• 🟧 CVE-2024-24792 - Parsing a corrupt or malicious image with invalid color indices can ca ...
• 🟨 CVE-2023-29407 - golang.org/x/image/tiff: excessive CPU consumption in decoding.
• 🟨 CVE-2023-29408 - golang.org/x/image/tiff: TIFF decoder does not place a limit on the size of compressed tile data.

golang.org/x/net

v0.25.0 → v0.38.0 (Recommended: <= 0.38.0)

• 🟨 CVE-2025-22870 - golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net.
• 🟨 CVE-2025-22872 - golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net.

golang.org/x/oauth2

v0.7.0 → v0.27.0

• 🟧 CVE-2025-22868 - golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws.

google.golang.org/protobuf

v1.30.0 → v1.33.0 (Recommended: <= 1.33.0)

• 🟨 CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON.

^{Legend: 🟥 Critical | 🟧 High | 🟨 Medium | 🟦 Low}

---

⚠️ Breaking Change Notice

** version upgrade to 1.24.0**
Please review the following before merging:

• 🔧 Local Development: Update your local installation to 1.24.0
• 🚀 CI/CD Pipeline: Verify build pipelines and Docker images use 1.24.0
• 📋 Dependencies: Ensure all build tools are compatible with the new version

---

Backline is here to help accelerate the remediation of your security backlog. Here's how we operate:

📥 Fetch Findings – Gather security issues
🔍 Analyze Findings – Understand the context and impact
📝 Plan Remediation – Generate a safe and effective fix strategy
👷 Apply Fix – Implement the remediation in code
🧪 Validate Code – Ensure the changes maintain code quality and integrity
✅ Verify – Run tests to ensure correctness and stability

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud