apache / apisix-dashboard

Dashboard for Apache APISIX
https://apisix.apache.org/
Apache License 2.0
1.01k stars 530 forks

go modules dependencies: gopkg.in/square/go-jose.v2 vulnerabilities in api/go.mod #2953

Open ssignik opened 5 months ago

ssignik commented 5 months ago

Issue description

When running a trivy scan on apisix-dashboard v3.0.1, it reported several CVEs on the dependencies. When I try to fix these CVEs, they are all resolved except gopkg.in/square/go-jose.v2 (https://github.com/square/go-jose/tree/v2.6.0), which does not seem to upgrade. Is it possible to replace gopkg.in/square/go-jose.v2 with another module, or is there another way to resolve it?

api/go.mod (gomod)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                        Title                         │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM   │ affected │ 2.6.0             │               │ jose-go: improper handling of highly compressed data │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28180           │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────┘

Expected behavior

Fix this CVE in gopkg.in/square/go-jose.v2 v2.6.0.

How to Reproduce

  1. git clone -b v3.0.1 https://github.com/apache/apisix-dashboard.git
  2. cd apisix-dashboard
  3. trivy fs .

Screenshots

No response

Environment

Additional context

No response
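The CVE in the trivy table, CVE-2024-28180, concerns JWE payloads that use "zip":"DEF" compression: a small ciphertext can expand to a very large plaintext when it is decrypted. As an added illustration, not code from apisix-dashboard or from go-jose, the Go snippet below shows the kind of bounded inflation that mitigates this class of bug; the cap values and the names deflate and inflateBounded are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

// ErrDecompressedTooLarge is returned when inflating would exceed the cap.
var ErrDecompressedTooLarge = errors.New("decompressed payload exceeds limit")

// Illustrative caps (assumed values, not taken from the issue): an absolute
// ceiling on inflated bytes and a ceiling on the output/input expansion ratio.
const MaxDecompressedSize = 250 * 1024
const MaxExpansionRatio = 10

// deflate compresses data with raw DEFLATE, the encoding JWE uses for "zip":"DEF".
// Errors are ignored because writing into a bytes.Buffer cannot fail.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// inflateBounded inflates compressed data but refuses output larger than the
// smaller of MaxDecompressedSize and MaxExpansionRatio times the input size,
// so a tiny ciphertext cannot force an unbounded allocation on decrypt.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := int64(len(compressed)) * MaxExpansionRatio
	if limit > MaxDecompressedSize {
		limit = MaxDecompressedSize
	}
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read one byte past the limit so an over-size payload is rejected, not truncated.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}
```

Upgrading to a go-jose release that carries the upstream fix remains the actual resolution for the scan finding; the guard above only shows what that fix protects against.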