[release/2.7 backport] remove github.com/dgrijalva/jwt-go

[brackendawson]

By updating github.com/Azure/go-autorest/autorest to v.0.11.19 (10e0b31633f168ce1a329dcbdd0ab9842e533fb5)

Backport of #3459

#3361

[codecov-commenter]

Codecov Report

Merging #3465 (5906192) into release/2.7 (18230b7) will not change coverage.
The diff coverage is n/a.

@@             Coverage Diff              @@
##           release/2.7    #3465   +/-   ##
============================================
  Coverage        58.77%   58.77%           
============================================
  Files              102      102           
  Lines             7085     7085           
============================================
  Hits              4164     4164           
  Misses            2280     2280           
  Partials           641      641           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 18230b7...5906192. Read the comment docs.

[thaJeztah]

I see updating Azure/go-autorest brings a substantial number of code changes (for a patch release).

If the bug is in this library, could we instead update just this library to a version with the fix? I see maintains a fork with the fix (IIUC), and we can specify it with a custom location (the equivalent to replace in go.mod);

Suggested change

	github.com/dgrijalva/jwt-go a601269ab70c205d26370c16f7c81e9017c14e04
	github.com/dgrijalva/jwt-go a211650c6ae1cff6d7347d3e24070d65dcfb1122 https://github.com/form3tech-oss/jwt-go.git # v3.2.4

That would only bring the diff of the jwt-go package;
form3tech-oss/jwt-go@a601269...v3.2.4

[thaJeztah]

gave it a quick attempt; #3466

[brackendawson]

Not against using a replace if vndr can do that. Should we consider using the fork which the original repository now links to? https://github.com/golang-jwt/jwt

[thaJeztah]

Oh! Arf... there's two forks now, and both being actively maintained? 😞

[thaJeztah]

I updated #3466 with a commit (allowing the differences between those forks to be reviewed)

[thaJeztah]

This commit looks to be matching v3.2.2; form3tech-oss/jwt-go@9162a5a...v3.2.2, which is missing a security fix in v3.2.4; form3tech-oss/jwt-go@v3.2.2...v3.2.4 (see https://github.com/form3tech-oss/jwt-go/tree/v3.2.4)

[milosgajdos]

If we want this fix in 2.7.x, should we just propagate #3138 i.e. update Azure autorest to ``v0.11.20` and be done with this? If we do do that, we should then close #3466 🤔

[thaJeztah]

#3138 would bring in an even larger diff.

The security fix is only a few line changes (which is why I opened #3466)

[milosgajdos]

which is why I opened #3466

Oh, right. There have been a few related PRs flying around this issue that I've completely lost the track.
I say let's merge #3466. We probably don't need it per se, but if there is nothing that prevents us from having a peace of mind I see no problem with doing that 🤔

[milosgajdos]

Let's close this one in favour of #3466

[thaJeztah]

looks like github didn't auto-close this one for some reason. #3466 was merged, so let me close this one (thanks @brackendawson !)