
chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.21 to 2.1.6 #4344

Open
dependabot[bot] wants to merge 2 commits into main from dependabot/go_modules/github.com/lestrrat-go/jwx/v2-2.1.6

Conversation


dependabot[bot] (Contributor) commented on behalf of github on Apr 17, 2026

Bumps github.com/lestrrat-go/jwx/v2 from 2.0.21 to 2.1.6.

Release notes

Sourced from github.com/lestrrat-go/jwx/v2's releases.

v2.1.6

What's Changed

Please read the Changes file and upgrade accordingly, especially if you are using the following combinations for JWE:

  • DIRECT mode content encryption
  • Using A256CBC_HS512
  • With an erroneously created CEK of exactly 32-bytes.

Full Changelog: lestrrat-go/jwx@v2.1.5...v2.1.6

v2.1.5

What's Changed

Full Changelog: lestrrat-go/jwx@v2.1.4...v2.1.5

v2.1.4

What's Changed

Full Changelog: lestrrat-go/jwx@v2.1.3...v2.1.4

v2.1.3

What's Changed

... (truncated)

Changelog

Sourced from github.com/lestrrat-go/jwx/v2's changelog.

Changes

v3 has many incompatibilities with v2. To see the full list of differences between v2 and v3, please read the Changes-v3.md file (https://github.com/lestrrat-go/jwx/blob/develop/v3/Changes-v3.md)

v3.1.0 UNRELEASED

  • [jwk] BREAKING: jwk.PublicSetOf now returns an error when the input set contains a symmetric (oct) key. Previously, symmetric keys were silently passed through — which meant callers following the documented "publish my public JWKS" pattern could leak HMAC secret material. Callers who genuinely want the legacy pass-through behavior can opt in with jwk.WithAllowSymmetric(true). The signature is now variadic (PublicSetOf(v Set, options ...PublicSetOption)), so existing call sites compile unchanged. The minor version is bumped from v3.0.x → v3.1.0 to reflect this deliberate behavior change.

    jwk.PublicKeyOf on a single symmetric key is unchanged — it still returns the key as-is, matching its documented behavior.

  • [jws][jwe][jwk] Replace intermediate map[string]any allocation in MarshalJSON with a pair-slice + sync.Pool pattern, matching the approach already used in jwt. Eliminates per-call map and key-slice allocations in the serialization hot path.

  • [jwt][jwe][jws][jwk] Fix inconsistent mutex locking across main data structures. Named getters on JWK key types, MarshalJSON on JWK keys, UnmarshalJSON on JWE headers, makePairs/MarshalJSON on JWT tokens, rawBuffer on JWS headers, and Set/Keys on jwk.Set were missing proper lock protection. Switch all mutex fields from *sync.RWMutex (pointer) to sync.RWMutex (value) so go vet -copylocks catches accidental copies, and convert affected value-receiver methods to pointer receivers.

  • [jwt][jwe][jws] Add WithMaxParseInputSize(int64) to limit bytes read from an io.Reader in ParseReader and ReadFile. Default is 10 MB. Can be set globally via Settings() or per-call. (#1630, #1632)

  • [jwe] Add WithMaxRecipients(int) to reject JWE messages with more recipients than the configured limit. Default is 100. Can be set globally via jwe.Settings() or per-call in jwe.Decrypt() / jwe.Parse(). (#1633)

  • [jws] Add WithMaxSignatures(int) to reject JWS JSON-serialized messages with more signatures than the configured limit. Default is 100. Can be set globally via jws.Settings() or per-call in jws.Parse(). (#1636)

  • [jwk] The default HTTP client used by jwk.Fetch() and jwk.Cache now enforces a 30-second timeout, blocks HTTPS-to-HTTP redirect downgrades at every hop, and limits redirect chains to 5 hops. This mitigates SSRF via redirect chains and slowloris-style DoS from unresponsive JWKS endpoints. Callers who provide their own http.Client via jwk.WithHTTPClient() are

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
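The v2.1.6 release note above concerns direct-mode JWE with A256CBC_HS512 and a CEK of 32 bytes where the algorithm requires 64. What follows is an added example, not code from jwx or from this PR: it implements the AES_CBC_HMAC_SHA2 composition of RFC 7518 section 5.2 with Go's standard library and runs a CEK length check before the key is split into its MAC and encryption halves, so a 32-byte CEK is accepted for A256GCM or A128CBC-HS256 but refused for A256CBC-HS512 before any cipher sees it. The `encTable` contents (A192 variants left out), the function names, and the all-zero key and IV in `main` are this example's own assumptions; it does not try to reproduce the jwx defect itself, which the note does not describe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// encParams is what a JWE "enc" value needs from its CEK (RFC 7518 sections 5.2 and 5.3;
// A192 variants omitted). For AES_CBC_HMAC_SHA2 the CEK is MAC_KEY || ENC_KEY, each half
// cekLen/2 bytes, so A256CBC-HS512 needs 64: a 32-byte CEK fits A256GCM, not A256CBC-HS512.
type encParams struct {
	cekLen  int              // required CEK length in bytes
	newHash func() hash.Hash // HMAC hash for AES-CBC-HMAC; nil for AES-GCM
}

var encTable = map[string]encParams{
	"A128CBC-HS256": {32, sha256.New},
	"A256CBC-HS512": {64, sha512.New},
	"A256GCM":       {32, nil},
}

// checkCEK rejects a CEK of the wrong length before it reaches any cipher.
func checkCEK(enc string, cek []byte) (encParams, error) {
	p, ok := encTable[enc]
	if !ok {
		return p, fmt.Errorf("unsupported enc %q", enc)
	}
	if len(cek) != p.cekLen {
		return p, fmt.Errorf("%s requires a %d-byte CEK, got %d bytes", enc, p.cekLen, len(cek))
	}
	return p, nil
}

// authTag is HMAC(MAC_KEY, AAD || IV || ciphertext || AL) truncated to cekLen/2 bytes,
// where AL is the bit length of AAD as a 64-bit big-endian integer.
func authTag(p encParams, macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(p.newHash, macKey)
	h.Write(bytes.Join([][]byte{aad, iv, ct, al}, nil))
	return h.Sum(nil)[:p.cekLen/2]
}

// cbcSetup validates CEK and IV for an AES-CBC-HMAC enc and splits the CEK into its halves.
func cbcSetup(enc string, cek, iv []byte) (p encParams, block cipher.Block, macKey []byte, err error) {
	if p, err = checkCEK(enc, cek); err != nil {
		return p, nil, nil, err
	}
	if p.newHash == nil || len(iv) != aes.BlockSize {
		return p, nil, nil, errors.New("not an AES-CBC-HMAC enc, or IV is not 16 bytes")
	}
	block, err = aes.NewCipher(cek[p.cekLen/2:]) // ENC_KEY is the second half
	return p, block, cek[:p.cekLen/2], err       // MAC_KEY is the first half
}

func encryptCBCHMAC(enc string, cek, iv, aad, plaintext []byte) (ct, tag []byte, err error) {
	p, block, macKey, err := cbcSetup(enc, cek, iv)
	if err != nil {
		return nil, nil, err
	}
	pad := byte(aes.BlockSize - len(plaintext)%aes.BlockSize) // PKCS#7: always at least one byte
	ct = append(append([]byte{}, plaintext...), bytes.Repeat([]byte{pad}, int(pad))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt the padded copy in place
	return ct, authTag(p, macKey, aad, iv, ct), nil
}

func decryptCBCHMAC(enc string, cek, iv, aad, ct, tag []byte) ([]byte, error) {
	p, block, macKey, err := cbcSetup(enc, cek, iv)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(tag, authTag(p, macKey, aad, iv, ct)) { // tag first: padding errors must never be observable
		return nil, errors.New("authentication tag mismatch")
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	pad := int(padded[len(padded)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.HasSuffix(padded, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return padded[:len(padded)-pad], nil
}

func main() {
	cek, iv := make([]byte, 64), make([]byte, aes.BlockSize) // constructed all-zero key and IV, demo only
	ct, tag, err := encryptCBCHMAC("A256CBC-HS512", cek, iv, []byte("hdr"), []byte("hello, JWE"))
	fmt.Printf("ct=%x tag=%x err=%v\n", ct, tag, err)
}
```

In a real JWE the AAD is the ASCII of the base64url-encoded protected header and the IV is 16 random bytes per message; the placeholders above stand in for both. The length check matters most in direct mode because with `alg` `dir` the shared symmetric key is used as the CEK unchanged, so a 32-byte key that is fine for A256GCM silently becomes the wrong size the moment `enc` is switched to A256CBC-HS512.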

Bumps [github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from 2.0.21 to 2.1.6.
- [Release notes](https://github.com/lestrrat-go/jwx/releases)
- [Changelog](https://github.com/lestrrat-go/jwx/blob/develop/v3/Changes)
- [Commits](lestrrat-go/jwx@v2.0.21...v2.1.6)

---
updated-dependencies:
- dependency-name: github.com/lestrrat-go/jwx/v2
  dependency-version: 2.1.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
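The jwk entries in the quoted changelog (jwk.PublicSetOf refusing symmetric keys, the hardened default HTTP client for jwk.Fetch and jwk.Cache, and WithMaxParseInputSize) describe protections a caller can also enforce on its own side of the library. The block below is an added example written against Go's standard library, not jwx's implementation of those options: a public projection of a JWKS that errors on an `oct` key and strips private members, an `http.Client.CheckRedirect` policy that refuses an HTTPS-to-HTTP downgrade at every hop and caps the chain at five hops, a client with a 30-second timeout, and a bounded body reader. The JWKS documents in `main` are constructed with placeholder values, and `publicJWKS`, `checkRedirect`, `newJWKSClient`, `readBounded` and `maxRedirects` are this example's own names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// privateMembers are the JWK parameters that carry private key material
// (RFC 7518 sections 6.2.2, 6.3.2 and 6.4); none of them may be published.
var privateMembers = []string{"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

// publicJWKS returns the public projection of a JWKS document for publishing.
// A symmetric ("oct") key has no public half, so its presence is an error
// rather than a silent pass-through of the HMAC secret.
func publicJWKS(doc []byte) ([]byte, error) {
	var set struct {
		Keys []map[string]json.RawMessage `json:"keys"`
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, fmt.Errorf("parse jwks: %w", err)
	}
	for i, key := range set.Keys {
		var kty string
		if err := json.Unmarshal(key["kty"], &kty); err != nil {
			return nil, fmt.Errorf("key %d: missing or invalid kty", i)
		}
		if kty == "oct" {
			return nil, fmt.Errorf("key %d: symmetric key cannot be published", i)
		}
		for _, m := range privateMembers {
			delete(key, m)
		}
	}
	return json.Marshal(set)
}

// maxRedirects caps the redirect chain; via holds every request already sent,
// the original included, so len(via) > maxRedirects means the limit is hit.
const maxRedirects = 5

// checkRedirect is an http.Client.CheckRedirect policy for JWKS fetches: at most
// maxRedirects hops, and never https -> non-https at any hop in the chain.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) > maxRedirects {
		return fmt.Errorf("jwks fetch: more than %d redirects", maxRedirects)
	}
	// The client never calls this with an empty via; via[len(via)-1] is the hop that redirected.
	if prev := via[len(via)-1].URL; prev.Scheme == "https" && req.URL.Scheme != "https" {
		return fmt.Errorf("jwks fetch: refusing downgrade from %s to %s", prev, req.URL)
	}
	return nil
}

// newJWKSClient builds the hardened client: a whole-exchange timeout so an
// unresponsive endpoint cannot hold the caller open, plus the redirect policy.
func newJWKSClient() *http.Client {
	return &http.Client{Timeout: 30 * time.Second, CheckRedirect: checkRedirect}
}

// readBounded reads at most limit bytes and fails if the body is longer, so a
// hostile endpoint cannot make the parser buffer an unbounded response.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, fmt.Errorf("jwks body exceeds %d bytes", limit)
	}
	return b, nil
}

func main() {
	// Constructed JWKS documents: every value is a placeholder, not real key material.
	mixed := `{"keys":[{"kty":"RSA","kid":"rsa-1","alg":"RS256","n":"placeholder-n","e":"AQAB","d":"placeholder-d"},` +
		`{"kty":"oct","kid":"hmac-1","k":"placeholder-secret"}]}`
	if _, err := publicJWKS([]byte(mixed)); err != nil {
		fmt.Println("refused to publish:", err) // the oct key stops the whole set
	}
	pub, err := publicJWKS([]byte(`{"keys":[{"kty":"EC","crv":"P-256","x":"placeholder-x","y":"placeholder-y","d":"placeholder-d"}]}`))
	fmt.Printf("public projection: %s (err=%v)\n", pub, err)

	https, _ := http.NewRequest("GET", "https://idp.example/.well-known/jwks.json", nil)
	plain, _ := http.NewRequest("GET", "http://idp.example/jwks.json", nil)
	fmt.Println("downgrade:", checkRedirect(plain, []*http.Request{https}))

	_, err = readBounded(strings.NewReader(strings.Repeat("x", 11)), 10)
	fmt.Println("oversize body:", err)
	_ = newJWKSClient() // real use: resp, err := newJWKSClient().Get(url); readBounded(resp.Body, 10<<20)
}
```

`http.Client.Timeout` covers the whole exchange, body read included, which is what stops a slowloris-style endpoint; a transport dial timeout alone would not. The private-member list is a denylist, so a key type this example does not know about is passed through with only those names removed; a stricter projection would keep an allowlist of public members per `kty` instead.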
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels on Apr 17, 2026
dependabot[bot] requested review from a team as code owners on April 17, 2026 at 14:14
