Update bump-dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
github.com/lestrrat-go/jwx/v3	v3.0.13 → v3.1.0			require	minor
golang	c259ff7 → 7ef9411			final	digest
nginx	0c3a604 → 1a9ab83			final	digest
python	17a4e59 → 355522f			stage	digest

---

Release Notes

lestrrat-go/jwx (github.com/lestrrat-go/jwx/v3)

v3.1.0

Compare Source

See Changes file for curated list of changes

What's Changed

• Appease linter by @​lestrrat in #​1543
• Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by @​dependabot[bot] in #​1538
• Bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​1542
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @​dependabot[bot] in #​1536
• Bump actions/cache from 5.0.1 to 5.0.2 by @​dependabot[bot] in #​1539
• Add AGENTS.md by @​lestrrat in #​1546
• exclude AGENTS.md by @​lestrrat in #​1548
• Bump actions/cache from 5.0.2 to 5.0.3 by @​dependabot[bot] in #​1545
• Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @​dependabot[bot] in #​1535
• Add symlink by @​lestrrat in #​1549
• Fix jwk.Cache worker issues by @​lestrrat in #​1552
• Exclude CLAUDE.md from autodoc by @​lestrrat in #​1555
• Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by @​dependabot[bot] in #​1561
• Bump actions/stale from 10.1.1 to 10.2.0 by @​dependabot[bot] in #​1559
• Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @​dependabot[bot] in #​1557
• Reduce allocations in concatkdf Read by @​lestrrat in #​1562
• Eliminate redundant lock acquisitions in LookupKeyID by @​lestrrat in #​1563
• Replace make+copy with bytes.Clone by @​lestrrat in #​1564
• Use base64.Encode instead of EncodeToString in JWS marshal by @​lestrrat in #​1565
• Cache keyalg/ctalg String() in JWE encrypt/decrypt by @​lestrrat in #​1566
• Inline ndata() in concatkdf New by @​lestrrat in #​1567
• Fix dependabot workflow by @​lestrrat in #​1574
• Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by @​dependabot[bot] in #​1568
• Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by @​dependabot[bot] in #​1570
• Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by @​dependabot[bot] in #​1571
• Bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​1573
• harden dependabot workflow by @​lestrrat in #​1575
• fix inverted rlocker condition in RSA key export by @​lestrrat in #​1576
• Fix jwe decrypt typo by @​lestrrat in #​1577
• Fix example naming by @​lestrrat in #​1578
• Chore remove unused blank assigns by @​lestrrat in #​1579
• add WhitelistError sentinel, use errors.Is in test by @​lestrrat in #​1581
• standardize error helpers in jws and jwe by @​lestrrat in #​1582
• add fuzz testing infrastructure for jwt/jws/jwe/jwk by @​lestrrat in #​1583
• fix flaky cache and jwt validation tests by @​lestrrat in #​1585
• add .claude/docs and pre-read rules to AGENTS.md by @​lestrrat in #​1584
• Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @​dependabot[bot] in #​1587
• Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by @​dependabot[bot] in #​1590
• Bump actions/cache from 5.0.3 to 5.0.4 by @​dependabot[bot] in #​1593
• Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by @​dependabot[bot] in #​1589
• Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by @​dependabot[bot] in #​1595
• use standard go deprecation markers in jws by @​lestrrat in #​1596
• fix probe field name in panic message by @​lestrrat in #​1597
• Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by @​dependabot[bot] in #​1599
• Bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in #​1600
• enforce crit header validation in jws.Verify per RFC 7515 by @​lestrrat in #​1601
• validate crit header in VerifyCompactFast by @​lestrrat in #​1602
• fix X25519 ECDH-ES to include apu/apv in KDF by @​lestrrat in #​1603
• enforce minimum PBES2 iteration count by @​lestrrat in #​1604
• reject null JSON values for string claims (#​1484) by @​lestrrat in #​1605
• add RFC 9864 fully-specified EdDSA signature algorithms by @​lestrrat in #​1606
• add extension APIs and KeyKind dispatch for external algorithm modules by @​lestrrat in #​1607
• add jwkunsafe package docs and tests by @​lestrrat in #​1609
• delegate custom algorithm registration to dsig by @​lestrrat in #​1610
• autodoc updates by @​github-actions[bot] in #​1611
• pin ed448 module to latest jwx by @​lestrrat in #​1612
• move ed448 to external jwx-circl-ed448 repo by @​lestrrat in #​1613
• autodoc updates by @​github-actions[bot] in #​1614
• pin jwx-circl-ed448 to latest commit by @​lestrrat in #​1615
• update Changes for v3.0.14 by @​lestrrat in #​1616
• use jwk.Import fallback in AlgorithmsForKey by @​lestrrat in #​1617
• fix OKP key export dispatch for Ed448 by @​lestrrat in #​1618
• fix misleading Ed448 dispatch comments in jwsbb by @​lestrrat in #​1619
• add RegisterAlgorithmForCurve, filter AlgorithmsForKey by curve by @​lestrrat in #​1620
• pin jwx-circl-ed448 to ce28e4b in examples by @​lestrrat in #​1621
• add WithMaxFetchBodySize to limit Fetch response body by @​lestrrat in #​1622
• add per-call PBES2 count overrides to jwe.Decrypt by @​lestrrat in #​1623
• fix X509CertChain() to return false when chain is nil by @​lestrrat in #​1624
• fix data race in x509 decoder registry iteration by @​lestrrat in #​1625
• add max key count limit to PEM parsing loop by @​lestrrat in #​1626
• reject negative WithAcceptableSkew in jwt.Validate by @​lestrrat in #​1627
• accept year 0000 in OIDC birthdate per spec by @​lestrrat in #​1628
• update Changes for #​1620-#​1628 by @​lestrrat in #​1629
• add max input size limit to jwt/jwe ParseReader by @​lestrrat in #​1630
• add global default for MaxFetchBodySize by @​lestrrat in #​1631
• fix parse size limit race, validation, and jws coverage by @​lestrrat in #​1632
• add max recipients limit for JWE messages by @​lestrrat in #​1633
• add default HTTP timeout for jwk.Fetch by @​lestrrat in #​1634
• document jti replay protection as caller responsibility by @​lestrrat in #​1635
• add max signatures limit for JWS messages by @​lestrrat in #​1636
• add default redirect policy for jwk.Fetch by @​lestrrat in #​1637
• add jwk.DefaultHTTPClient by @​lestrrat in #​1638
• check redirect scheme downgrade at every hop by @​lestrrat in #​1639
• apply default redirect policy to jwk.Cache by @​lestrrat in #​1640
• make null string claim rejection opt-in by @​lestrrat in #​1641
• add jwk.WrapHTTPClientDefaults by @​lestrrat in #​1642
• update Changes for #​1630-#​1640 by @​lestrrat in #​1643
• document WithHTTPClient bypass of defaults by @​lestrrat in #​1646
• use atomic wrappers for global settings by @​lestrrat in #​1647
• reuse shared HTTP client in Cache.Register by @​lestrrat in #​1648
• accept ParseOption in jws.ParseString by @​lestrrat in #​1650
• validate maxSignatures is positive by @​lestrrat in #​1649
• document body size limit approach in jwk.Fetch by @​lestrrat in #​1651
• remove minor entries from Changes by @​lestrrat in #​1653
• make WithStrictStringClaims per-call only by @​lestrrat in #​1654
• add per-call opt-out for crit header validation by @​lestrrat in #​1655
• protect global settings with mutex by @​lestrrat in #​1656
• document WithStrictStringClaims scope to JWT only by @​lestrrat in #​1657
• document WithStrictStringClaims scope includes JWK by @​lestrrat in #​1658
• deep-copy slice fields in generated Set methods by @​lestrrat in #​1659
• zero private key fields on UnmarshalJSON error by @​lestrrat in #​1660
• document x509 validation as out of scope by @​lestrrat in #​1661
• update Changes for #​1659 and #​1660 by @​lestrrat in #​1662
• fix inconsistent mutex locking in data structures by @​lestrrat in #​1666
• replace intermediate map in MarshalJSON with pair+pool by @​lestrrat in #​1667
• validate algorithm-key compatibility in WithKey by @​lestrrat in #​1668
• reduce allocations in JWE encrypt path by @​lestrrat in #​1676
• Bump golang.org/x/crypto from 0.49.0 to 0.50.0 by @​dependabot[bot] in #​1684
• clean up jws sign/verify code for legibility by @​lestrrat in #​1687
• clean up jws sign/verify key selection code by @​lestrrat in #​1689
• fix dependabot workflow for develop/v2 bazel by @​lestrrat in #​1691
• use squash merge in dependabot workflow by @​lestrrat in #​1692
• remove auto-approve and auto-merge from dependabot workflow by @​lestrrat in #​1693
• scrub full backing array in byte slice pool by @​lestrrat in #​1729
• clear fieldPair list before returning to pool by @​lestrrat in #​1732
• rework jws crit header validation by @​lestrrat in #​1733
• add jwe crit header validation by @​lestrrat in #​1735
• clone per-recipient headers, recycle via headerPool by @​lestrrat in #​1739
• reject ecdh keys in AlgorithmsForKey by @​lestrrat in #​1741
• stop pooling escaping big.Int in buildRSAPublicKey by @​lestrrat in #​1745
• auto-declare b64 crit when WithDetachedPayload is set by @​lestrrat in #​1748
• fail loudly on rand.Reader errors in key gen helpers by @​lestrrat in #​1751
• drop big.Int pool by @​lestrrat in #​1754
• fix race in jwk/ecdsa lookup functions by @​lestrrat in #​1756
• clone protected headers in signatureBuilder.Build by @​lestrrat in #​1759
• fix ValidationCtx extractors panicking on uninitialized contexts by @​lestrrat in #​1761
• docs: note ES256K low-S non-enforcement by @​lestrrat in #​1763
• reject empty ciphertext/iv/tag in jwe.Message.UnmarshalJSON by @​lestrrat in #​1768
• drop unprotected header merge from jwe.Decrypt by @​lestrrat in #​1770
• document VerifyCompactFast b64:true assumption by @​lestrrat in #​1773
• pin unprotected header merge fix with regression test by @​lestrrat in #​1776
• validate AES-CBC IV length in aescbc.Hmac.Open by @​lestrrat in #​1778
• reslice pooled jwe buffers before defer by @​lestrrat in #​1781
• reject sub-minimum input in RFC 3394 keywrap primitives by @​lestrrat in #​1784
• add jwe.WithPBES2Count encrypt option by @​lestrrat in #​1782
• jwe: use privkey.Size() for RSA PKCS1v1.5 length check by @​lestrrat in #​1788
• document default InsecureWhitelist on jwk.Fetch (JWK-001) by @​lestrrat in #​1790
• reject crit-bearing messages in jws.VerifyCompactFast by @​lestrrat in #​1793
• jwe: stop aliasing AAD backing slices when concatenating external aad by @​lestrrat in #​1796
• validate ECDSA point on curve (JWK-003) by @​lestrrat in #​1797
• copy recipientKey in KeyDecryptAESGCMKW to avoid caller aliasing (JWE-002) by @​lestrrat in #​1800
• strip key options in jwt.ParseInsecure by @​lestrrat in #​1802
• Bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​1795
• enforce jws signatures cap before decoding entries by @​lestrrat in #​1804
• cap SplitCompactReader non-finite reads at 10 MiB by @​lestrrat in #​1806
• copy rawKey in symmetricKey.Import to avoid caller aliasing by @​lestrrat in #​1808
• enforce max parse input size in jws.Parse and jwe.Parse by @​lestrrat in #​1809
• fix cert.Chain.Add to strip real PEM markers by @​lestrrat in #​1814
• fix jwk x509 decoder unregister index and race by @​lestrrat in #​1812
• fix jwt fast path json injection via unescaped kid by @​lestrrat in #​1817
• fix nil-aware ok return in jws header accessors by @​lestrrat in #​1818
• fix: jwk.PublicSetOf rejects symmetric keys by default (v3.1.0) by @​lestrrat in #​1829
• autodoc updates by @​github-actions[bot] in #​1832
• fix jwk rsa exponent truncation and thumbprint collision by @​lestrrat in #​1833
• fix cert.Chain MarshalJSON and validate Add input by @​lestrrat in #​1836
• fix jwt fast path json injection via unescaped alg by @​lestrrat in #​1838
• track aes-cbc-hmac tag length independently of key size by @​lestrrat in #​1841
• fix jwe aescbc open opaque errors by @​lestrrat in #​1843
• fix jwe keyset selecting keys without alg field by @​lestrrat in #​1845
• fix jwe ecdh-es invalid-curve attack surface by @​lestrrat in #​1847
• fix jwk.Set.AddKey panic on nil or struct keys by @​lestrrat in #​1852
• fix jwk parser to validate keys after unmarshal by @​lestrrat in #​1854
• wrap underlying error in jwk set single-key fallback by @​lestrrat in #​1856
• fix cmd/jwx output file mode and truncation by @​lestrrat in #​1858
• fix jwt.ParseHeader bearer scheme per rfc 6750 by @​lestrrat in #​1859
• make MissingRequiredClaimError.Is type-only by @​lestrrat in #​1862
• document WithUseNumber concurrency contract as startup-only by @​lestrrat in #​1864
• reject key-bearing options in jwt.ParseInsecure by @​lestrrat in #​1867
• bound jws keyset verification fan-out by header alg by @​lestrrat in #​1869
• add jwk.WithForceAssign to overwrite existing kid by @​lestrrat in #​1874
• tighten HeaderGetStringBytes lifetime doc by @​lestrrat in #​1876
• fix jwxio limited reader detection by @​lestrrat in #​1877
• fix jwa error truncation by @​lestrrat in #​1880
• fix jwa registry snapshots by @​lestrrat in #​1883
• tighten jws validateAlgorithmForKey escape by @​lestrrat in #​1887
• fix jws jku kid-miss silent nil by @​lestrrat in #​1888
• surface jku kid-miss error from jkuProvider by @​lestrrat in #​1891
• fix jws VerifyCompactFast header alg cross-check by @​lestrrat in #​1893
• fix okp key length checks by @​lestrrat in #​1896
• fix jwa builtin protection by @​lestrrat in #​1899
• fix v3 rsa jwk validation by @​lestrrat in #​1895
• fix compact sign errors by @​lestrrat in #​1902
• zero bytes.Buffer backing array on pool return by @​lestrrat in #​1905
• remove internal/json.Dump debug helper by @​lestrrat in #​1907
• fix SplitCompactReader LimitedReader size bypass by @​lestrrat in #​1909
• fix jwe godoc references by @​lestrrat in #​1911
• fix v3 jwt package docs by @​lestrrat in #​1915
• fix v3 jwe cek length checks by @​lestrrat in #​1918
• make x5c cert limits configurable by @​lestrrat in #​1919
• document v3 transform.AsMap aliasing by @​lestrrat in #​1920
• fix v3 ecdsa algorithms snapshot by @​lestrrat in #​1923
• fix jwxio limitedreader bounds by @​lestrrat in #​1924
• warn about jws WithKey misuse in v3 by @​lestrrat in #​1930
• fix v3 jws parse autodetect by @​lestrrat in #​1927
• fix empty compact jws signature by @​lestrrat in #​1933
• fix v3 jwe p2c validation by @​lestrrat in #​1935
• fix v3 jwe gcmkw header typing by @​lestrrat in #​1939
• fix v3 jwe aescbc append by @​lestrrat in #​1937
• document jwe compression caveats by @​lestrrat in #​1941
• warn about jwe rsa1_5 by @​lestrrat in #​1943
• document jwe WithKey pairs in v3 by @​lestrrat in #​1945
• fix PublicSetOf oct bypass in v3 by @​lestrrat in #​1946
• docs: warn about short symmetric keys by @​lestrrat in #​1949
• add jws.WithDetachedPayloadReader for streaming detached payloads by @​lestrrat in #​1663
• jws: return non-nil empty []byte from streaming Verify by @​lestrrat in #​1979
• clarify jwe decrypt unprotected-header scope by @​lestrrat in #​1983
• drop raw input-byte caps from parse apis by @​lestrrat in #​1985
• fix ClaimValueIs panic on non-comparable values by @​lestrrat in #​1987
• clarify EncryptStatic CEK for direct-CEK algs by @​lestrrat in #​1990
• jwk: add WithMaxKeys cap on JWKS entries by @​lestrrat in #​1991
• jws: expand WithDetachedPayloadReader encoder-missing error with install hint by @​lestrrat in #​1993
• jws: document goroutine-safety for WithDetachedPayloadReader by @​lestrrat in #​1997
• jws: explain RFC 8032 EdDSA streaming incompatibility in error message by @​lestrrat in #​1995
• jws: align streaming HMAC key-type error with non-streaming path by @​lestrrat in #​2000
• jwe: fix grammar in ECDH-ES/DIRECT multi-recipient error by @​lestrrat in #​2002
• jws: drop double-wrap on compact parse errors by @​lestrrat in #​2004
• jwt: guard Validate against nil token by @​lestrrat in #​2007
• jws: make jkuProvider surface missing-alg error by @​lestrrat in #​2009
• jws: surface per-key selectKey errors in keySetProvider by @​lestrrat in #​2011
• jws: surface use=enc mismatch as explicit error by @​lestrrat in #​2013
• jwt: stop using dynamic fmt.Errorf format string in ParseRequest by @​lestrrat in #​2017
• jws: document kid precedence on WithProtectedHeaders by @​lestrrat in #​2024
• jwk: add WithRejectDuplicateKID parse option by @​lestrrat in #​2027
• jwk: replace misleading RegisterKeyImporter godoc by @​lestrrat in #​2029
• jwt: wrap unsupported-time-claim error as ValidateError by @​lestrrat in #​2015
• changes: add jwk.WithRejectDuplicateKID entry by @​lestrrat in #​2033
• fix v3.1.0 changelog inaccuracies and add missing entries by @​lestrrat in #​2037

Full Changelog: lestrrat-go/jwx@v3.0.13...v3.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Wednesday (* * * * 3)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated

Details:

Package	Change
github.com/decred/dcrd/dcrec/secp256k1/v4	v4.4.0 -> v4.4.1
github.com/goccy/go-json	v0.10.3 -> v0.10.6
github.com/lestrrat-go/dsig	v1.0.0 -> v1.2.1
github.com/lestrrat-go/httprc/v3	v3.0.2 -> v3.0.5
github.com/valyala/fastjson	v1.6.7 -> v1.6.10
golang.org/x/crypto	v0.46.0 -> v0.50.0
golang.org/x/sys	v0.39.0 -> v0.43.0