fix: bump jsonwebtoken to 9.0.2

[nitrocode]

what

• fix: bump jsonwebtoken to 9.0.2

npm i jsonwebtoken
git add -u

why

• Close CVE-2022-25883

references

• Closes #77
• https://github.com/octokit/auth-app.js/issues/430
• https://github.com/gr2m/universal-github-app-jwt/pull/66
• https://github.com/gr2m/universal-github-app-jwt/releases/tag/v1.1.1
• https://github.com/auth0/node-jsonwebtoken/releases/tag/v9.0.2
• https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795
• https://www.cve.org/CVERecord?id=CVE-2022-25883

[wolfy1339]

Although this fix is fine, npm should be able to pick this version up as it's a patch version, and the dependency in this package is set to accept any version within the major version number.

[gr2m]

something's wrong with the release automation: https://github.com/gr2m/universal-github-app-jwt/actions/runs/7405964716/job/20149666339

I'm looking into it

[github-actions[bot]]

:tada: This PR is included in version 1.1.2 :tada:

The release is available on:

• GitHub release
• npm package (@release-1.x dist-tag)

Your semantic-release bot :package::rocket:

[nitrocode]

@gr2m thanks for fixing it

I noticed that the new version is shown as the latest. That's probably not intentional since there is a 2.x which is probably more recent.

[nitrocode]

@wolfy1339 I tried doing an npm install for a package that uses this package but this package would still use 9.0.0 instead of 9.0.2 unless I explicitly updated it. Perhaps it's because of the package-lock.json file or perhaps I'm doing something wrong?

Thanks for merging anyway. This at least gets snyk to stop complaining 😄