Patch CVE jwt vulnerability #194
Thanks for this contribution; can you sign your commit and force push this branch to update the PR? Thanks!
Signed-off-by: Oleksandr Prokopovych <o.prokopovych@protonmail.ch>

Thanks @estesp! Linter suggests to replace the deprecated library with a new one: However I'm not sure what to do about this so far as these packages have no common

Any update on this PR?

I linked this PR to issue #199 as this PR would solve the issues brought up. There are now 2 known security vulnerabilities in the issue I submitted, as well as the one brought up in this PR. Are there any updates on this PR?

This package is not actually consumed in the continuity repo: https://github.com/containerd/continuity/tree/main/vendor/github.com So, we are not prioritizing this PR, but we are happy to merge this when it passes CI.

cobra has been removed from the library dependencies by the refactoring out of the debug/admin command line tool in #200; I think this can be closed now.

Preface:
There's a known vulnerability in github.com/dgrijalva/jwt-go - GHSA-w73w-5m7g-f7qc
This PR bumps github.com/spf13/cobra to v1.3.0 in order to remove the deprecated and vulnerable library from the list of dependencies.