fix(deps): update dependency jsonwebtoken to v9

[mend-for-github-com]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsonwebtoken	^8.3.0 -> ^9.0.0

By merging this PR, the issue #26 will be automatically resolved and closed:

Severity	CVSS Score	CVE
High	8.1	CVE-2022-23539
High	7.6	CVE-2022-23540
Medium	6.3	CVE-2022-23541

---

Release Notes

auth0/node-jsonwebtoken

v9.0.0

Compare Source

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([8345030]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

v8.5.1

Compare Source

Bug fix

• fix: ensure correct PS signing and verification (#​585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #​585

Docs

• README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

v8.5.0

Compare Source

New Functionality

• feat: add PS JWA support for applicable node versions (#​573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #​573
• Add complete option in jwt.verify (#​522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #​522

Test Improvements

• Add tests for private claims in the payload (#​555) (5147852896755dc1291825e2e40556f964411fb2), closes #​555
• Force use_strict during testing (#​577) (7b60c127ceade36c33ff33be066e435802001c94), closes #​577
• Refactor tests related to jti and jwtid (#​544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #​544
• ci: remove nsp from tests (#​569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #​569

Docs

• Fix 'cert' token which isn't a cert (#​554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #​554

v8.4.0

Compare Source

New Functionality

• Add verify option for nonce validation (#​540) (e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0), closes #​540

Bug Fixes

• Updating Node version in Engines spec in package.json (#​528) (cfd1079305170a897dee6a5f55039783e6ee2711), closes #​528 #​509
• Fixed error message when empty string passed as expiresIn or notBefore option (#​531) (7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76), closes #​531

Docs

• Update README.md (#​527) (b76f2a80f5229ee5cde321dd2ff14aa5df16d283), closes #​527
• Update README.md (#​538) (1956c4006472fd285b8a85074257cbdbe9131cbf), closes #​538
• Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#​548) (dc89a641293d42f72ecfc623ce2eabc33954cb9d), closes #​548
• Document NotBeforeError (#​529) (29cd654b956529e939ae8f8c30b9da7063aad501), closes #​529

Test Improvements

• Use lolex for faking date in tests (#​491) (677ead6d64482f2067b11437dda07309abe73cfa), closes #​491
• Update dependencies used for running tests (#​518) (5498bdc4865ffb2ba2fd44d889fad7e83873bb33), closes #​518
• Minor test refactoring for recently added tests (#​504) (e2860a9d2a412627d79741a95bc7159971b923b9), closes #​504
• Create and implement async/sync test helpers (#​523) (683d8a9b31ad6327948f84268bd2c8e4350779d1), closes #​523
• Refactor tests related to audience and aud (#​503) (53d405e0223cce7c83cb51ecf290ca6bec1e9679), closes #​503
• Refactor tests related to expiresIn and exp (#​501) (72f0d9e5b11a99082250665d1200c58182903fa6), closes #​501
• Refactor tests related to iat and maxAge (#​507) (877bd57ab2aca9b7d230805b21f921baed3da169), closes #​507
• Refactor tests related to iss and issuer (#​543) (0906a3fa80f52f959ac1b6343d3024ce5c7e9dea), closes #​543
• Refactor tests related to kid and keyid (#​545) (88645427a0adb420bd3e149199a2a6bf1e17277e), closes #​545
• Refactor tests related to notBefore and nbf (#​497) (39adf87a6faef3df984140f88e6724ddd709fd89), closes #​497
• Refactor tests related to subject and sub (#​505) (5a7fa23c0b4ac6c25304dab8767ef840b43a0eca), closes #​505
• Implement async/sync tests for exp claim (#​536) (9ae3f207ac64b7450ea0a3434418f5ca58d8125e), closes #​536
• Implement async/sync tests for nbf claim (#​537) (88bc965061ed65299a395f42a100fb8f8c3c683e), closes #​537
• Implement async/sync tests for sub claim (#​534) (342b07bb105a35739eb91265ba5b9dd33c300fc6), closes #​534
• Implement async/sync tests for the aud claim (#​535) (1c8ff5a68e6da73af2809c9d87faaf78602c99bb), closes #​535

CI

• Added Istanbul to check test-coverage (#​468) (9676a8306428a045e34c3987bd0680fb952b44e3), closes #​468
• Complete ESLint conversion and cleanup (#​490) (cb1d2e1e40547f7ecf29fa6635041df6cbba7f40), closes #​490
• Make code-coverage mandatory when running tests (#​495) (fb0084a78535bfea8d0087c0870e7e3614a2cbe5), closes #​495

---

• If you want to rebase/retry this PR, check this box