I note this package - golang-github-dgrijalva-jwt-go - has been marked as vulnerable to CVE-2020-26160 in both Debian stretch and buster.
https://security-tracker.debian.org/tracker/CVE-2020-26160 But I can't find any code in these versions that even mentions the aud/audience fields. So I plan to mark these versions as not vulnerable. -- Brian May <b...@debian.org>
