chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.6 to 2.0.8 in /spi/gnap

[dependabot]

Bumps github.com/lestrrat-go/jwx/v2 from 2.0.6 to 2.0.8.

Release notes

Sourced from github.com/lestrrat-go/jwx/v2's releases.

v2.0.8

v2.0.8 - 25 Nov 2022
[Security Fixes]
  * [jws][jwe] Starting from go 1.19, code related to elliptic algorithms
    panics (instead of returning an error) when certain methods
    such as `ScalarMult` are called using points that are not on the
    elliptic curve being used.
Using inputs that cause this condition, and you accept unverified JWK
from the outside it may be possible for a third-party to cause panics
in your program.
This has been fixed by verifying that the point being used is actually

on the curve before such computations (#840)


[Miscellaneous]

jwx.GuessFormat now returns jwx.InvalidFormat when the heuristics
is sure that the buffer format is invalid.

v2.0.7

v2.0.7 - 15 Nov 2022
[New features]
  * [jwt] Each `jwt.Token` now has an `Options()` method
  * [jwt] `jwt.Settings(jwt.WithFlattenedAudience(true))` has a slightly
    different semantic than before. Instead of changing a global variable,
    it now specifies that the default value of each per-token option for
    `jwt.FlattenAudience` is true.
Therefore, this is what happens:
// No global settings

tok := jwt.New()

tok.Options.IsEnabled(jwt.FlattenAudience) // false
// With global settings

jwt.Settings(jwt.WithFlattenedAudience(true))

tok := jwt.New()

tok.Options.IsEnabled(jwt.FlattenAudience) // true

// But you can still turn FlattenAudience off for this

// token alone

tok.Options.Disable(jwt.FlattenAudience)
Note that while unlikely to happen for users relying on the old behavior,

this change DOES introduce timing issues: whereas old versions switched the

JSON marshaling for ALL tokens immediately after calling jwt.Settings,

the new behavior does NOT affect tokens that have been created before the

call to jwt.Settings (but marshaled afterwards).


</tr></table>

... (truncated)

Changelog

Sourced from github.com/lestrrat-go/jwx/v2's changelog.

v2.0.8 - 25 Nov 2022 [Security Fixes]

• [jws][jwe] Starting from go 1.19, code related to elliptic algorithms panics (instead of returning an error) when certain methods such as ScalarMult are called using points that are not on the elliptic curve being used.

  Using inputs that cause this condition, and you accept unverified JWK from the outside it may be possible for a third-party to cause panics in your program.

  This has been fixed by verifying that the point being used is actually on the curve before such computations (#840) [Miscellaneous]

• jwx.GuessFormat now returns jwx.InvalidFormat when the heuristics is sure that the buffer format is invalid.

v2.0.7 - 15 Nov 2022 [New features]

• [jwt] Each jwt.Token now has an Options() method

• [jwt] jwt.Settings(jwt.WithFlattenedAudience(true)) has a slightly different semantic than before. Instead of changing a global variable, it now specifies that the default value of each per-token option for jwt.FlattenAudience is true.

  Therefore, this is what happens:

  // No global settings tok := jwt.New() tok.Options.IsEnabled(jwt.FlattenAudience) // false

  // With global settings jwt.Settings(jwt.WithFlattenedAudience(true)) tok := jwt.New() tok.Options.IsEnabled(jwt.FlattenAudience) // true // But you can still turn FlattenAudience off for this // token alone tok.Options.Disable(jwt.FlattenAudience)

  Note that while unlikely to happen for users relying on the old behavior, this change DOES introduce timing issues: whereas old versions switched the JSON marshaling for ALL tokens immediately after calling jwt.Settings, the new behavior does NOT affect tokens that have been created before the call to jwt.Settings (but marshaled afterwards).

  So the following may happen:

  // < v2.0.7 tok := jwt.New() jwt.Settings(jwt.WithFlattenedAudience(true))

... (truncated)

Commits

• 7803b82 merge develop/v2 to v2 (#853)
• 6e8e918 Merge branch 'develop/v2' into v2
• 9eb25df a couple of typos (#822)
• 8c8b7a0 Update Changes
• 0d462aa autodoc updates (#838)
• 10c0ecd [jwt] Implement per-token options, including FlattenAudience (#837)
• b681d01 Include benchmark for #834 (#835)
• edb55b0 Update develop/v2 to testify v1.8.1 (#833)
• 0222275 explain about Refresh from Register's document (#830)
• 3ef1dc5 notes about being read-only (#829)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #332.