Bump github.com/lestrrat-go/jwx/v2 from 2.0.6 to 2.0.9

[dependabot]

Bumps github.com/lestrrat-go/jwx/v2 from 2.0.6 to 2.0.9.

Release notes

Sourced from github.com/lestrrat-go/jwx/v2's releases.

v2.0.9

v2.0.9 - 21 Mar 2023
[Security Fixes]
  * Updated use of golang.org/x/crypto to v0.7.0
[Bug fixes]
  * Emitted PEM file for EC private key types used the wrong PEM armor ([#875](https://github.com/lestrrat-go/jwx/issues/875))
[Miscellaneous]
  * Banners for generated files have been modified to allow tools to pick them up ([#867](https://github.com/lestrrat-go/jwx/issues/867))
  * Remove unused variables around ReadFileOption ([#866](https://github.com/lestrrat-go/jwx/issues/866))
  * Fix test failures
  * Support bazel out of the box
  * Now you can create JWS messages using `{"alg":"none"}`, by calling `jws.Sign()`
    with `jws.WithInsecureNoSignature()` option. ([#888](https://github.com/lestrrat-go/jwx/issues/888), [#890](https://github.com/lestrrat-go/jwx/issues/890)).
Note that there is no way to call
`jws.Verify()` while allowing `{"alg":"none"}` as you wouldn't be _verifying_
the message if we allowed the "none" algorithm. `jws.Parse()` will parse such
messages witout verification.
jwt also allows you to sign using alg="none", but there's no symmetrical

way to verify such messages.

v2.0.8

v2.0.8 - 25 Nov 2022
[Security Fixes]
  * [jws][jwe] Starting from go 1.19, code related to elliptic algorithms
    panics (instead of returning an error) when certain methods
    such as `ScalarMult` are called using points that are not on the
    elliptic curve being used.
Using inputs that cause this condition, and you accept unverified JWK
from the outside it may be possible for a third-party to cause panics
in your program.
This has been fixed by verifying that the point being used is actually

on the curve before such computations (#840)


[Miscellaneous]

jwx.GuessFormat now returns jwx.InvalidFormat when the heuristics
is sure that the buffer format is invalid.

v2.0.7

v2.0.7 - 15 Nov 2022
[New features]
  * [jwt] Each `jwt.Token` now has an `Options()` method
  * [jwt] `jwt.Settings(jwt.WithFlattenedAudience(true))` has a slightly
</tr></table> 

... (truncated)

Changelog

Sourced from github.com/lestrrat-go/jwx/v2's changelog.

v2.0.9 - 21 Mar 2023 [Security Fixes]

• Updated use of golang.org/x/crypto to v0.7.0 [Bug fixes]

• Emitted PEM file for EC private key types used the wrong PEM armor (#875) [Miscellaneous]

• Banners for generated files have been modified to allow tools to pick them up (#867)

• Remove unused variables around ReadFileOption (#866)

• Fix test failures

• Support bazel out of the box

• Now you can create JWS messages using {"alg":"none"}, by calling jws.Sign() with jws.WithInsecureNoSignature() option. (#888, #890).

  Note that there is no way to call jws.Verify() while allowing {"alg":"none"} as you wouldn't be verifying the message if we allowed the "none" algorithm. jws.Parse() will parse such messages witout verification.

  jwt also allows you to sign using alg="none", but there's no symmetrical way to verify such messages.

v2.0.8 - 25 Nov 2022 [Security Fixes]

• [jws][jwe] Starting from go 1.19, code related to elliptic algorithms panics (instead of returning an error) when certain methods such as ScalarMult are called using points that are not on the elliptic curve being used.

  Using inputs that cause this condition, and you accept unverified JWK from the outside it may be possible for a third-party to cause panics in your program.

  This has been fixed by verifying that the point being used is actually on the curve before such computations (#840) [Miscellaneous]

• jwx.GuessFormat now returns jwx.InvalidFormat when the heuristics is sure that the buffer format is invalid.

v2.0.7 - 15 Nov 2022 [New features]

• [jwt] Each jwt.Token now has an Options() method

• [jwt] jwt.Settings(jwt.WithFlattenedAudience(true)) has a slightly different semantic than before. Instead of changing a global variable, it now specifies that the default value of each per-token option for jwt.FlattenAudience is true.

  Therefore, this is what happens:

  // No global settings tok := jwt.New()

... (truncated)

Commits

• fccc524 Update v2 (#894)
• 7803b82 merge develop/v2 to v2 (#853)
• 6e8e918 Merge branch 'develop/v2' into v2
• 9eb25df a couple of typos (#822)
• 8c8b7a0 Update Changes
• 0d462aa autodoc updates (#838)
• 10c0ecd [jwt] Implement per-token options, including FlattenAudience (#837)
• b681d01 Include benchmark for #834 (#835)
• edb55b0 Update develop/v2 to testify v1.8.1 (#833)
• 0222275 explain about Refresh from Register's document (#830)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)