[Snyk] Upgrade jose from 5.9.6 to 6.0.10

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade jose from 5.9.6 to 6.0.10.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 12 versions ahead of your current version.

• The recommended version was released 2 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Directory Traversal SNYK-JS-VITEST-8688125	129	Proof of Concept
	Incorrect Authorization SNYK-JS-VITE-9653016	129	Proof of Concept
	Information Exposure SNYK-JS-VITE-9685035	129	Proof of Concept
	Directory Traversal SNYK-JS-VITE-9919777	129	Proof of Concept
	Missing Origin Validation in WebSockets SNYK-JS-VITEST-8688130	129	Proof of Concept
	Improper Input Validation SNYK-JS-NANOID-8492085	129	No Known Exploit
	Incorrect Authorization SNYK-JS-VITE-9512410	129	Mature
	Insecure Randomness SNYK-JS-FORMIDABLE-9788127	129	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-KOA-8720152	129	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	129	No Known Exploit
	Origin Validation Error SNYK-JS-VITE-8648411	129	Proof of Concept
	Access Control Bypass SNYK-JS-VITE-9576207	129	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-KOA-9679272	129	Proof of Concept

Release notes

Package name: jose

• 6.0.10 - 2025-03-12
  

  Refactor

  • removed unused claims methods (74719cf)
  • reorganize jwt claim set utils (1f12d88)
• 6.0.9 - 2025-03-11
  

  Documentation

  • add more symbol document, ignore ts-private fields (8b73687)
  • bump typedoc (6163a8b)
  • drop cdnjs links in README (a910038)
  • drop denoland/x links in README and add jsr (3662b9e)
  • fix key export links from docs/README.md (c8edfc2)

  Refactor

  • always assume structuredClone is present (f7898a9)
  • hide internal private fields and drop ProduceJWT inheritance (ab18881)
  • less objects when JWE JWT Replicated Header Parameters are used (c763a0e)
• 6.0.8 - 2025-02-26
  

  Fixes

  • export [customFetch] symbol from the default entrypoint (1615614), closes #762
• 6.0.7 - 2025-02-25
  

  Documentation

  • improve generate key/secret and import function descriptions (cd06359)

  Fixes

  • use [customFetch] when provided to createRemoteJWKSet (35f6509), closes #760
• 6.0.6 - 2025-02-23
  

  Refactor

  • move base64url around (e1350ef)

  Documentation

  • add various exported symbol descriptions (3b8ff71)
  • add various exported symbol descriptions (fc4e7da)
  • add various exported symbol descriptions (74f02c8)
  • update base64url function descriptions (03d72c8)
• 6.0.5 - 2025-02-23
  

  Refactor

  • types: make JWKParameters.kty compatible with @ types/node and @ types/web (bb6ccfe)

  Documentation

  • add various exported symbol descriptions (f52c2ff)
• 6.0.4 - 2025-02-22
  

  Refactor

  • optimize base64 with tc39/proposal-arraybuffer-base64 (8a0da69), closes #752
  • update getSPKI to use crypto.createPublicKey when available (92392a0), closes #752
  • use Double HMAC pattern for AES-CBC tag comparison (f3ba4c7), closes #752
• 6.0.3 - 2025-02-22
  

  Documentation

  • remove root module tag so that README.md shows up on jsr.io (ee70698)
• 6.0.2 - 2025-02-22
  

  Documentation

  • add module tags to all entrypoints (a5687aa)
• 6.0.1 - 2025-02-22
  

  Fixes

  • types: update build to include extensions in type imports (9b96672)
• 6.0.0 - 2025-02-22
• 5.10.0 - 2025-02-17
• 5.9.6 - 2024-10-20

from jose GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Upgrade jose dependency from version 5.9.6 to 6.0.10 to address multiple security vulnerabilities

New Features:

• Major version upgrade of jose library

Bug Fixes:

• Resolves multiple high and medium severity security vulnerabilities

[sourcery-ai]

Reviewer's Guide

The jose JavaScript library was upgraded from version 5.9.6 to 6.0.10. This was an automated Snyk PR to address multiple security vulnerabilities. This is a major version upgrade and may contain breaking changes.

File-Level Changes

Change	Details	Files
Upgraded jose dependency.	Updated jose version from ^5.6.3 to ^6.0.10. This major version upgrade addresses several security vulnerabilities identified by Snyk.	e2e/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.