build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.1.4 in /controller

[dependabot]

Bumps github.com/go-jose/go-jose/v4 from 4.0.4 to 4.1.4.

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

v4.1.3

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

• Remove Go 1.23 support by @​mcpherrinm in go-jose/go-jose#205
• Reject JWS with an unprotected critical b64 header by @​mcpherrinm in go-jose/go-jose#210

Full Changelog: go-jose/go-jose@v4.1.2...v4.1.3

v4.1.2

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

• Update go-jose documentation by @​mcpherrinm in go-jose/go-jose#198
• Remove dependency on testify by @​wardviaene in go-jose/go-jose#197
• Improve error message for invalid private keys by @​ProjectMutilation in go-jose/go-jose#195
• JWK unsupported error when unmarshalling by @​fprojetto in go-jose/go-jose#191
• Add JSONWebKey type to makeJWERecipient by @​alvarolivie in go-jose/go-jose#200
• testutils/assert: remove True, Nil, NotNil by @​jsha in go-jose/go-jose#202

New Contributors

• @​wardviaene made their first contribution in go-jose/go-jose#197
• @​fprojetto made their first contribution in go-jose/go-jose#191
• @​alvarolivie made their first contribution in go-jose/go-jose#200

Full Changelog: go-jose/go-jose@v4.1.1...v4.1.2

v4.1.1

What's Changed

• Drop go-cmp dependency by @​mcpherrinm in go-jose/go-jose#186
• jws: improve performance and allocations for ParseSignedCompact by @​drakkan in go-jose/go-jose#188
• Add missing quote to unknown curve message #170 by @​sudhanvaghebbale in go-jose/go-jose#189
• Fix incorrect validation by @​ProjectMutilation in go-jose/go-jose#192
• Restore Go 1.23 compatibility by @​anuraaga in go-jose/go-jose#193

New Contributors

• @​drakkan made their first contribution in go-jose/go-jose#188
• @​sudhanvaghebbale made their first contribution in go-jose/go-jose#189
• @​ProjectMutilation made their first contribution in go-jose/go-jose#192
• @​anuraaga made their first contribution in go-jose/go-jose#193

... (truncated)

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• 5348b9a Reject JWS with an unprotected critical b64 header (#210)
• 9153a5e Bump actions/setup-python from 5 to 6 (#208)
• 2126e17 Bump actions/setup-go from 5 to 6 (#209)
• 9860c65 Bump actions/checkout from 4 to 5 (#206)
• 14239fd Remove Go 1.23 support (#205)
• a16e158 Update CI to run on Go 1.24 and 1.25 (#204)
• a1565a4 testutils/assert: remove True, Nil, NotNil (#202)
• 3a80e13 jwe: accept non-pointer JSONWebKey in Recipient (#200)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c9dd118c-806b-44fe-8302-bd466acebd92

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/go_modules/controller/github.com/go-jose/go-jose/v4-4.1.4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[netlify]

✅ Deploy Preview for jumpstarter-docs ready!

Name	Link
🔨 Latest commit	a6b4e1b
🔍 Latest deploy log	https://app.netlify.com/projects/jumpstarter-docs/deploys/69d663731827140009c6f48b
😎 Deploy Preview	https://deploy-preview-410--jumpstarter-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[ambient-code]

Fix Applied

Dependabot only updated controller/go.mod but missed controller/deploy/operator/go.mod, which also depends on go-jose/go-jose/v4 (was at v4.1.1). Since the operator module has a replace directive pointing to the controller (replace github.com/jumpstarter-dev/jumpstarter-controller => ../../), both modules need compatible dependencies.

CI was failing with:

go: updates to go.mod needed; to update it:
    go mod tidy

I've pushed a commit that runs go mod tidy in controller/deploy/operator/ to sync the go-jose dependency (v4.1.1 → v4.1.4) and ran go fmt in both subprojects. CI should pass now.

[ambient-code]

E2E Test Flakiness

The remaining CI failures (e2e-tests (ubuntu-24.04, helm) and the cancelled operator/arm runs) are flaky tests, not caused by the go-jose bump. Tests 47 and 48 ("can lease and connect to exporters" / "can lease and connect to exporters by name") fail with Error: Connection to exporter lost — the same error seen on completely unrelated branches (e.g. driver-mitmproxy). All core checks (lint-go, tests, deploy-kind, e2e-test-operator, compat tests) pass.

This PR looks good to merge — the dependency bump and operator submodule sync are correct. The e2e flake should be investigated separately.

Note: this go-jose bump includes a security fix (GHSA-78h2-9frx-2jm8 — panic in JWE decryption), so merging is recommended.

[ambient-code]

Dependabot PR Analysis

CI Status

The e2e-tests (ubuntu-24.04, helm) failure is a flaky test — not caused by this dependency change. Tests 47 & 48 ("can lease and connect to exporters" / "can lease and connect to exporters by name") fail with Connection to exporter lost, which is a known race condition in listenQueues cleanup. The same failure is happening on multiple unrelated PRs today. PR #417 (fix-listen-queue-race) addresses the root cause.

All other tests pass, including lint-go, tests, deploy-kind, and e2e-compat-*.

Dependency Analysis

This PR bumps github.com/go-jose/go-jose/v4 from v4.0.4 to v4.1.4 in /controller. It correctly updates both controller/go.mod and controller/deploy/operator/go.mod. This is a focused, clean bump with minimal transitive changes.

Security motivation: v4.1.4 fixes GHSA-78h2-9frx-2jm8 — a panic in JWE decryption. This is worth merging.

⚠️ Note: PR #413 (grpc bump) also pulls in go-jose v4.1.3 as a transitive dependency. These PRs may conflict if merged in certain orders, but merging this one first is cleaner.

🤖 Generated with Claude Code

[ambient-code]

Automated Dependabot PR Review

Checks performed:

1. go.mod completeness: ✅ This PR correctly updates both controller/go.mod and controller/deploy/operator/go.mod — no other go sub-projects in the tree need updates.

2. CI status: ⚠️ The e2e tests (tests 47-48: "can lease and connect to exporters") failed, but this is a flaky infrastructure issue (connection refused / timeout on grpc dial), not related to this dependency change. The same tests fail on unrelated PRs (e.g. #409), and main branch e2e tests all pass consistently.

3. K8s version check: N/A — this is not a k8s dependency bump.

4. Library assessment: This is a security-relevant update. go-jose v4.1.4 fixes:

• GHSA-78h2-9frx-2jm8: Panic in JWE decryption (v4.1.4)
• Rejects JWS with unprotected critical b64 header (v4.1.3)
• Improved error messages and removed external dependencies (v4.1.1-v4.1.2)

No breaking API changes — this is a safe minor version bump with security fixes. Recommended to merge.

[ambient-code]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.

[mangelajo]

@ambient-code please rebase this

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.