update jsonwebtoken dependency

[AntoineAA]

Update jsonwebtoken dependency to address

• jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
• jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
• jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
• jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6

[maheshupasani]

@nelsonic when this PR will get closed ?

[diego-deriv]

Will be nice to have this Merged

[nelsonic]

Hi Friends! 👋 Merging the PR is only part of the work. 🧑‍💻 I'm stoked that @AntoineAA made the time to create this 1-line PR. 🎉 But merging it will not automatically publish the new version to NPM. That requires additional steps. ⌛ Which, I'm finally back at my "Node.js" computer and can do. 👍

[maheshupasani]

Thank you very much @nelsonic @AntoineAA

[nelsonic]

@maheshupasani again, this is only the start of the update. A 1-line update to package.json, while very welcome, does not publish the package to NPM. That requires several extra steps: https://github.com/dwyl/hapi-auth-jwt2/pull/375

https://xkcd.com/2347 |> https://www.explainxkcd.com/wiki/index.php/2347:_Dependency

[nelsonic]

hapi-auth-jwt2@10.4.0 published to NPM contains this update. 📦
Thanks again. 👌

[nelsonic]

https://www.npmjs.com/package/hapi-auth-jwt2/v/10.4.0

[maheshupasani]

Thank you @nelsonic

[AntoineAA]

@nelsonic thanks for the package maintenance!