update github.com/golang-jwt/jwt to github.com/golang-jwt/jwt/v4

[jxsl13]

As the title already states, update the dependency.

I find it pretty weird.
When using github.com/labstack/echo-jwt you get the github.com/golang-jwt/jwt/v4 dependency (https://github.com/labstack/echo-jwt/blob/main/go.mod)
which in turn imports github.com/labstack/echo/middleware importing the github.com/golang-jwt/jwt v3.x.x+incompatible.
You are basically getting both major versions as dependencies which is kind of dirty :).

[aldas]

This is because core has deprecated JWT middleware with that dependency. Go module logic does not use/download that version if you are not using it.

[jxsl13]

I'm indirectly using both, when I use the new echo-jwt/v4 repo, am I not?

[aldas]

no, you are not using it - unless you invoke code that uses it. It is there because echo-jwt uses types from github.com/labstack/echo/v4/middleware package which contains older deprecated version of middleware which uses v3.x.x....

This has to do with https://go.dev/ref/mod#graph-pruning

At go 1.17 and above, the go command adds an indirect requirement for each module that provides any package imported (even indirectly) by a package or test in the main module or passed as an argument to go get.

[aldas]

I am no expert how go mod exactly works but I know that not all things that are in go.mod files are fetched fully - some of the rows there are fetched to get their metadata ( go.mod,maybe .sum also?) for version resolution and that is all.

[jxsl13]

thanks for the clarification

[jxsl13]

will close on tuesday. Maybe someone will add a comment.