[vendor] remove jwt/v5 pin

jrvaldes · jrvaldes · commit bf10b0093aaa · 2026-03-11T10:29:48.000-04:00
the jwt/v5 replacement no longer needed,
transitive deps are v5.2.2 or higher, which are safe

go mod graph | grep "golang-jwt/jwt/v5"
    github.com/coreos/ignition/v2@v2.23.0 github.com/golang-jwt/jwt/v5@v5.2.3
    github.com/prometheus/common@v0.67.5 github.com/golang-jwt/jwt/v5@v5.3.0
    k8s.io/apiextensions-apiserver@v0.35.2 github.com/golang-jwt/jwt/v5@v5.2.2
    k8s.io/apiserver@v0.35.2 github.com/golang-jwt/jwt/v5@v5.2.2
    k8s.io/kubernetes@v1.35.2 github.com/golang-jwt/jwt/v5@v5.2.2
diff --git a/go.mod b/go.mod
@@ -2,9 +2,6 @@ module github.com/openshift/windows-machine-config-operator
 
 go 1.25.7
 
-// fix CVE-2025-30204 transitive deps still using older v4. Remove once `go mod graph` shows only 4.5.2 or higher
-replace github.com/golang-jwt/jwt/v5 => github.com/golang-jwt/jwt/v5 v5.2.2
-
 require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aws/aws-sdk-go v1.55.8
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -1482,4 +1482,3 @@ sigs.k8s.io/structured-merge-diff/v6/value
 ## explicit; go 1.22
 sigs.k8s.io/yaml
 sigs.k8s.io/yaml/kyaml
-# github.com/golang-jwt/jwt/v5 => github.com/golang-jwt/jwt/v5 v5.2.2
