chore(deps): update dependency jose to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jose	^4.15.5 -> ^6.0.0

---

Release Notes

panva/jose (jose)

v6.1.3

Compare Source

Refactor

• avoid export * as for google closure's compiler sake (6303d98), closes #​832

v6.1.2

Compare Source

Refactor

• fallback to checking instanceof for CryptoKey (901cd90), closes #​765 #​803 #​821 #​827 #​828

v6.1.1

Compare Source

Documentation

• add link to RFC9864 (767edde)
• link to ML-DSA for JOSE (ed4252c)
• remove mention of Edge Runtime from the readme (94fdde7)
• update README.md (25098ef)

Refactor

• eliminate named exports in the source code (f6ae30d)
• expose setKeyManagementParameters also on a GeneralEncrypt Recipient (16e6b23)
• faster path for symmetric key checks (a44c2ec)
• improve en/decoding overheads (daee426)

v6.1.0

Compare Source

Features

• support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri (cf2092a)
• support for the ML-DSA PQC Algorithm Identifiers (25ddce4)

v6.0.13

Compare Source

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

v6.0.12

Compare Source

Documentation

• add known caveats to customFetch (02e1f1e)
• mention the apu/apv parameter names in setKeyManagementParameters (6274d5a)
• update compact setKeyManagementParameters (2f44381)
• use GitHub Flavored Markdown for notes and warnings (f6b4ffc)

Refactor

• createPublicKey is not a constructor (61ded78)
• update asn1.ts helper functions (b2b611c)

v6.0.11

Compare Source

Fixes

• typ checking edge-cases when it contains a slash (/) character (31e4baf)

v6.0.10

Compare Source

Refactor

• removed unused claims methods (74719cf)
• reorganize jwt claim set utils (1f12d88)

v6.0.9

Compare Source

Documentation

• add more symbol document, ignore ts-private fields (8b73687)
• bump typedoc (6163a8b)
• drop cdnjs links in README (a910038)
• drop denoland/x links in README and add jsr (3662b9e)
• fix key export links from docs/README.md (c8edfc2)

Refactor

• always assume structuredClone is present (f7898a9)
• hide internal private fields and drop ProduceJWT inheritance (ab18881)
• less objects when JWE JWT Replicated Header Parameters are used (c763a0e)

v6.0.8

Compare Source

Fixes

• export [customFetch] symbol from the default entrypoint (1615614), closes #​762

v6.0.7

Compare Source

Documentation

• improve generate key/secret and import function descriptions (cd06359)

Fixes

• use [customFetch] when provided to createRemoteJWKSet (35f6509), closes #​760

v6.0.6

Compare Source

Refactor

• move base64url around (e1350ef)

Documentation

• add various exported symbol descriptions (3b8ff71)
• add various exported symbol descriptions (fc4e7da)
• add various exported symbol descriptions (74f02c8)
• update base64url function descriptions (03d72c8)

v6.0.5

Compare Source

Refactor

• types: make JWKParameters.kty compatible with @​types/node and @​types/web (bb6ccfe)

Documentation

• add various exported symbol descriptions (f52c2ff)

v6.0.4

Compare Source

Refactor

• optimize base64 with tc39/proposal-arraybuffer-base64 (8a0da69), closes #​752
• update getSPKI to use crypto.createPublicKey when available (92392a0), closes #​752
• use Double HMAC pattern for AES-CBC tag comparison (f3ba4c7), closes #​752

v6.0.3

Compare Source

Documentation

• remove root module tag so that README.md shows up on jsr.io (ee70698)

v6.0.2

Compare Source

Documentation

• add module tags to all entrypoints (a5687aa)

v6.0.1

Compare Source

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

v6.0.0

Compare Source

⚠ BREAKING CHANGES

• The PEMImportOptions type interface is renamed to KeyImportOptions.
• all builds and bundles now use ES2022 as target
• createRemoteJWKSet now uses fetch, because of that its Node.js only options.agent property has been removed and new fetch-related options were added
• drop support for Ed448 and X448
• drop support for JWK key_ops and CryptoKey usages "(un)wrapKey" and "deriveKey"
• resolved keys returned as part of verify/decrypt operations (when get key functions are used) are always normalized to either Uint8Array / CryptoKey depending on what's more efficient for the executed operation
• Key "Type" Generics are removed
• CJS-style require is now only possible when require(esm) support is present in the Node.js runtime
• private KeyObject instances can no longer be used for verify operations
• private KeyObject instances can no longer be used for encryption operations
• generateSecret, generateKeyPair, importPKCS8, importSPKI, importJWK, and importX509 now yield a CryptoKey instead of a KeyObject in Node.js
• drop support for Node.js 18.x and earlier
• runtime-specific npm releases (jose-browser-runtime, jose-node-cjs-runtime, and jose-node-esm-runtime) are no longer maintained or supported
• removed secp256k1 JWS support
• removed deprecated experimental APIs
• removed RSA1_5 JWE support

Features

• enable CryptoKey and KeyObject inputs in JWK thumbprint functions (6fc9c44)
• JSON Web Key is now an allowed input everywhere (ebda967)

Refactor

• always use infered CryptoKey (c4abaa2)
• backport the Ed25519 JWS Algorithm Identifier support (7a94cb9)
• drop support for Ed448 and X448 (2fae1c4)
• drop support for JWK key_ops and CryptoKey usages "(un)wrapKey" and "deriveKey" (ef918be)
• ensure export functions continue to work with KeyObject inputs (28e9e68)
• hardcode the cryptoRuntime export since it is now always WebCryptoAPI (e00f273)
• JWK import extractable default for public keys is now true (64dcebe)
• PEM import extractable default for public keys is now true (4e9f114)
• removed deprecated APIs (5352083)
• removed secp256k1 JWS support (e2b58a5)
• restructure src/lib and src/runtime now that runtime is fixed (9b236ce)
• target is now ES2022 everywhere (aa590d5)
• update importJWK args to align with other import functions (355a2dd)
• WebCryptoAPI is now the only crypto used (161de46)

v5.10.0

Compare Source

Features

• support fully specified Ed25519 algorithm identifier (c39f57d)

v5.9.6

Compare Source

Reverts

• Revert "refactor(build): simplify package exports" (2ef3a52)

v5.9.5

Compare Source

Refactor

• build: simplify package exports (4783f7f)

v5.9.4

Compare Source

Refactor

• types: update error definitions (510c5ca)

v5.9.3

Compare Source

Refactor

• use as Type for type assertions instead of (c4dc24d)

v5.9.2

Compare Source

Refactor

• types: remove index signatures from JWK interfaces (ccf0cda)

v5.9.1

Compare Source

Fixes

• types: add missing index signature on the convenience JWK types (90a93dc)

v5.9.0

Compare Source

Features

• allow JWK objects as "key" input to sign and verify (c6302ea)

v5.8.0

Compare Source

Features

• add subpath module exports (72ecff6)

Refactor

• omit LocalJWKSet export since it's no longer needed for RemoteJWKSet (c502731)

v5.7.0

Compare Source

Features

• graduate jwksCache to stable API (0f09c12)

v5.6.3

Compare Source

Fixes

• add sideEffects:false to nested ESM package.json files (f3aff1c)

v5.6.2

Compare Source

Refactor

• CryptoKey normalization is not always async (b7751f5)
• weak cache normalized CryptoKey instances (32b25a5)

Fixes

• ensure KeyObject type in Web API encrypt/decrypt (b7920bd)

v5.6.1

Compare Source

Refactor

• normalize is always defined for Web API runtimes (7bcb103)

Fixes

• workaround turbo's eager optimizations (723a042), closes #​690

v5.6.0

Compare Source

Features

• support KeyObject inputs in WebCryptoAPI runtimes given compatibility (e178b8f)

v5.5.0

Compare Source

Features

• add experimental support for edge compute runtimes JWKS caching (ab166e2), closes #​551 #​661 #​653 #​415

v5.4.1

Compare Source

Fixes

• ensure latest release on npm is v5.x (a9b2a30)

v5.4.0

Compare Source

Features

• expose JWT's payload in JWTClaimValidationFailed instances (58bcffb), closes #​680

Refactor

• add explicit return types everywhere (cc2b2d7)

v5.3.0

Compare Source

Features

• allow observing remote JWKS resolver state and its manual reload (fa8b639)

Refactor

• if should not be the only statement in else blocks (a6b716b)

v5.2.4

Compare Source

Refactor

• use createLocalJWKSet instead of LocalJWKSet in createRemoteJWKSet (a7c566c)

v5.2.3

Compare Source

Refactor

• move iv generation and optional outputs around (05c4351)

v5.2.2

Compare Source

Fixes

• types: iv and tag is optional in JSON serializations (53019cd)

v5.2.1

Compare Source

Fixes

• build: refactor export targets for browser, node cjs, and node esm builds (50cbc65)

v5.2.0

Compare Source

Features

• extend JWT NumericDate setter syntax (ae363c3)

v5.1.3

Compare Source

v5.1.2

Compare Source

Fixes

• do not mutate JWTVerifyOptions.requiredClaims (1bf9cec), closes #​610

v5.1.1

Compare Source

Refactor

• deprecate the RSA1_5 JWE Algorithm (f746da1)

v5.1.0

Compare Source

Features

• add payload generics to jose.decodeJwt (9de49e2), closes #​604

v5.0.2

Compare Source

Fixes

• createRemoteJWKSet: ensure a default user-agent header is present (887dd3c), closes #​600

v5.0.1

Compare Source

Fixes

• also use ES2020 in the CDN bundles (8c4d390)

v5.0.0

Compare Source

⚠ BREAKING CHANGES

• Node.js: return Uint8Array (not a Buffer) from base64url.decode
• Browser distribution is now built using ES2020 as a target
• Node.js distribution is now built using ES2022 as a target
• types: jwtVerify and jwtDecrypt type argument for the resolved
  KeyLike type is now a second optional type argument following a type
  for the JWT Claims Set (aka payload)
• PBES2 Key Management Algorithms' use in decrypt
  functions now requires the use of the keyManagementAlgorithms option
  to explicitly opt-in for their use.
• importJWK "octAsKeyObject" option was removed.
  importJWK will no longer return CryptoKey or KeyObject for "oct" (octet
  sequence) JWK key types, it will instead always return a Uint8Array
  formed from the "k" (Key Value) Parameter regardless of the other JWK
  Parameters that may be present.
• End-Of-Life versions of Node.js as of October 2023 are
  no longer supported. Node.js 18, 20, and 21 and future releases are
  the ones that remain supported.
• The JWE "zip" (Compression Algorithm) Header Parameter
  is no longer supported by this JOSE implementation.

Features

• add Date as valid input to timestamp setting functions (bd830a4)
• default to an empty payload in JWT producing constructors (98d6ca1)
• types: add optional Generics for JWT verify and decrypt (61bd2a0), closes #​568

Reverts

• Revert "test: fix test under lts/erbium" (b64b6c7)

Refactor

• Browser distribution is now built using ES2020 as a target (1836684)
• drop support for EOL Node.js versions (b5aee54)
• importJWK always returns a Uint8Array for symmetric key inputs (163e1b0)
• Node.js distribution is now built using ES2022 as a target (239697a)
• Node.js: return Uint8Array (not a Buffer) from base64url.decode (02d5182)
• PBES2 Algorithms require explicit opt-in during verification (e2da031)
• remove support for JWE "zip" (Compression Algorithm) Header Parameter (16998b1)
• types: rename type parameters for the KeyLike returns (eddd400)
• update allow list error messages (fe8114c)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.