Bump github.com/lestrrat-go/jwx/v2 from 2.1.5 to 2.1.6

[dependabot]

Bumps github.com/lestrrat-go/jwx/v2 from 2.1.5 to 2.1.6.

Release notes

Sourced from github.com/lestrrat-go/jwx/v2's releases.

v2.1.6

What's Changed

Please read the Changes file and upgrade accordingly, especially if you are using the following combinations for JWE:

• DIRECT mode content encryption
• Using A256CBC_HS512
• With an erroneously created CEK of exactly 32-bytes.

---

• jws: backport jws parsing ehancements by @​lestrrat in lestrrat-go/jwx#1363
• [v2] Backport #1367 by @​lestrrat in lestrrat-go/jwx#1368

Full Changelog: lestrrat-go/jwx@v2.1.5...v2.1.6

Changelog

Sourced from github.com/lestrrat-go/jwx/v2's changelog.

v2.1.6 29 Apr 2025

• [jwe] Fixed a long standing bug that could lead to degraded encryption or failure to decrypt JWE messages when a very specific combination of inputs were used for JWE operations.

  This problem only manifested itself when the following conditions in content encryption or decryption were met:

  • Content encryption was specified to use DIRECT mode.
  • Contentn encryption algorithm is specified as A256CBC_HS512
  • The key was erronously constructed with a 32-byte content encryption key (CEK)

  In this case, the user would be passing a mis-constructed key of 32-bytes instead of the intended 64-bytes. In all other cases, this construction would cause an error because crypto/aes.NewCipher would return an error when a key with length not matching 16, 24, and 32 bytes is used. However, due to use using a the provided 32-bytes as half CEK and half the hash, the crypto/aes.NewCipher was passed a 16-byte key, which is fine for AES-128. So internally crypto/aes.NewCipher would choose to use AES-128 instead of AES-256, and happily continue. Note that no other key lengths such as 48 and 128 would have worked. It had to be exactly 32.

  This does indeed result in a downgraded encryption, but we believe it is unlikely that this would cause a problem in the real world, as you would have to very specifically choose to use DIRECT mode, choose the specific content encryption algorithm, AND also use the wrong key size of exactly 32 bytes.

  However, in abandunce of caution, we recommend that you upgrade to v3.0.1 or later, or v2.1.6 or later if you are still on v2 series.

• [jws] Improve performance of jws.SplitCompact and jws.SplitCompactString

• [jwe] Improve performance of jwe.Parse

Commits

• 13e92f3 Merge branch 'develop/v2' into v2
• 5ccb28f Update Changes
• 0081fdb [v2] Backport #1367 (#1368)
• 37a9b05 jws: backport jws parsing ehancements (#1363)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)