chore: update dependency jsonwebtoken to v9

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsonwebtoken	8.5.1 → 9.0.3
@types/jsonwebtoken (source)	8.5.8 → 9.0.10

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

auth0/node-jsonwebtoken (jsonwebtoken)

v9.0.3

Compare Source

• updates jws version to 4.0.1.

v9.0.2

Compare Source

• security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #​921.
• refactor: reduce library size by using lodash specific dependencies, closes #​878.

v9.0.1

Compare Source

• fix(stubs): allow decode method to be stubbed

v9.0.0

Compare Source

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([8345030]8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc]ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/shopping/package-lock.json

npm ERR! code ETARGET
npm ERR! notarget No matching version found for loopback4-example-recommender@1.1.1.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-02-26T21_55_43_973Z-debug-0.log

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/shopping/package-lock.json

npm ERR! code ETARGET
npm ERR! notarget No matching version found for loopback4-example-recommender@1.1.1.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-03-27T05_38_29_101Z-debug-0.log