Update jsonwebtoken requirement from 9 to 10 in /spiffe

[dependabot]

Updates the requirements on jsonwebtoken to permit the latest version.

Changelog

Sourced from jsonwebtoken's changelog.

10.0.0 (2025-09-29)

• BREAKING: now using traits for crypto backends, you have to choose between aws_lc_rs and rust_crypto
• Add Clone bound to decode
• Support decoding byte slices
• Support JWS

9.3.1 (2024-02-06)

• Update base64

9.3.0 (2024-03-12)

• Add Validation.reject_tokens_expiring_in_less_than, the opposite of leeway

9.2.0 (2023-12-01)

• Add an option to not validate aud in the Validation struct
• Get the current timestamp in wasm without using std
• Update ring to 0.17

9.1.0 (2023-10-21)

• Supports deserialization of unsupported algorithms for JWKs

9.0.0 (2023-10-16)

• Update ring
• Rejects JWTs containing audiences when the Validation doesn't contain any

8.3.0 (2023-03-15)

• Update base64
• Implement Clone for TokenData if T impls Clone

8.2.0 (2022-12-03)

• Add DecodingKey::from_jwk
• Can now use PEM certificates if you have the use_pem feature enabled

8.1.1 (2022-06-17)

• Fix invalid field name on OctetKeyParameters

8.1.0 (2022-04-12)

• Make optional fields in the spec really optional

... (truncated)

Commits

• See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
jsonwebtoken	[>= 9.a, < 10]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dsykes16]

This will require some manual work, and also requires Keats/jsonwebtoken#441 on the jsonwebtoken side. I'll put up a PR once the upstream change is made in jsonwebtoken. The main benefit will be supporting rust_crypto or aws_lc_rs instead of requiring ring.

[maxlambrecht]

This will require some manual work, and also requires Keats/jsonwebtoken#441 on the jsonwebtoken side. I'll put up a PR once the upstream change is made in jsonwebtoken. The main benefit will be supporting rust_crypto or aws_lc_rs instead of requiring ring.

Sounds good!
Thanks, @dsykes16!