fix(deps): update dependency jose to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jose	^4.14.6 -> ^5.0.0

---

Release Notes

panva/jose (jose)

v5.9.2

Compare Source

Refactor

• types: remove index signatures from JWK interfaces (ccf0cda)

v5.9.1

Compare Source

Fixes

• types: add missing index signature on the convenience JWK types (90a93dc)

v5.9.0

Compare Source

Features

• allow JWK objects as "key" input to sign and verify (c6302ea)

v5.8.0

Compare Source

Features

• add subpath module exports (72ecff6)

Refactor

• omit LocalJWKSet export since it's no longer needed for RemoteJWKSet (c502731)

v5.7.0

Compare Source

Features

• graduate jwksCache to stable API (0f09c12)

v5.6.3

Compare Source

Fixes

• add sideEffects:false to nested ESM package.json files (f3aff1c)

v5.6.2

Compare Source

Refactor

• CryptoKey normalization is not always async (b7751f5)
• weak cache normalized CryptoKey instances (32b25a5)

Fixes

• ensure KeyObject type in Web API encrypt/decrypt (b7920bd)

v5.6.1

Compare Source

Refactor

• normalize is always defined for Web API runtimes (7bcb103)

Fixes

• workaround turbo's eager optimizations (723a042), closes #​690

v5.6.0

Compare Source

Features

• support KeyObject inputs in WebCryptoAPI runtimes given compatibility (e178b8f)

v5.5.0

Compare Source

Features

• add experimental support for edge compute runtimes JWKS caching (ab166e2), closes #​551 #​661 #​653 #​415

v5.4.1

Compare Source

Fixes

• ensure latest release on npm is v5.x (a9b2a30)

v5.4.0

Compare Source

Features

• expose JWT's payload in JWTClaimValidationFailed instances (58bcffb), closes #​680

Refactor

• add explicit return types everywhere (cc2b2d7)

v5.3.0

Compare Source

Features

• allow observing remote JWKS resolver state and its manual reload (fa8b639)

Refactor

• if should not be the only statement in else blocks (a6b716b)

v5.2.4

Compare Source

Refactor

• use createLocalJWKSet instead of LocalJWKSet in createRemoteJWKSet (a7c566c)

v5.2.3

Compare Source

Refactor

• move iv generation and optional outputs around (05c4351)

v5.2.2

Compare Source

Fixes

• types: iv and tag is optional in JSON serializations (53019cd)

v5.2.1

Compare Source

Fixes

• build: refactor export targets for browser, node cjs, and node esm builds (50cbc65)

v5.2.0

Compare Source

Features

• extend JWT NumericDate setter syntax (ae363c3)

v5.1.3

Compare Source

v5.1.2

Compare Source

Fixes

• do not mutate JWTVerifyOptions.requiredClaims (1bf9cec), closes #​610

v5.1.1

Compare Source

Refactor

• deprecate the RSA1_5 JWE Algorithm (f746da1)

v5.1.0

Compare Source

Features

• add payload generics to jose.decodeJwt (9de49e2), closes #​604

v5.0.2

Compare Source

Fixes

• createRemoteJWKSet: ensure a default user-agent header is present (887dd3c), closes #​600

v5.0.1

Compare Source

Fixes

• also use ES2020 in the CDN bundles (8c4d390)

v5.0.0

Compare Source

⚠ BREAKING CHANGES

• Node.js: return Uint8Array (not a Buffer) from base64url.decode
• Browser distribution is now built using ES2020 as a target
• Node.js distribution is now built using ES2022 as a target
• types: jwtVerify and jwtDecrypt type argument for the resolved
  KeyLike type is now a second optional type argument following a type
  for the JWT Claims Set (aka payload)
• PBES2 Key Management Algorithms' use in decrypt
  functions now requires the use of the keyManagementAlgorithms option
  to explicitly opt-in for their use.
• importJWK "octAsKeyObject" option was removed.
  importJWK will no longer return CryptoKey or KeyObject for "oct" (octet
  sequence) JWK key types, it will instead always return a Uint8Array
  formed from the "k" (Key Value) Parameter regardless of the other JWK
  Parameters that may be present.
• End-Of-Life versions of Node.js as of October 2023 are
  no longer supported. Node.js 18, 20, and 21 and future releases are
  the ones that remain supported.
• The JWE "zip" (Compression Algorithm) Header Parameter
  is no longer supported by this JOSE implementation.

Features

• add Date as valid input to timestamp setting functions (bd830a4)
• default to an empty payload in JWT producing constructors (98d6ca1)
• types: add optional Generics for JWT verify and decrypt (61bd2a0), closes #​568

Reverts

• Revert "test: fix test under lts/erbium" (b64b6c7)

Refactor

• Browser distribution is now built using ES2020 as a target (1836684)
• drop support for EOL Node.js versions (b5aee54)
• importJWK always returns a Uint8Array for symmetric key inputs (163e1b0)
• Node.js distribution is now built using ES2022 as a target (239697a)
• Node.js: return Uint8Array (not a Buffer) from base64url.decode (02d5182)
• PBES2 Algorithms require explicit opt-in during verification (e2da031)
• remove support for JWE "zip" (Compression Algorithm) Header Parameter (16998b1)
• types: rename type parameters for the KeyLike returns (eddd400)
• update allow list error messages (fe8114c)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.