chore(deps): bump github.com/lestrrat-go/jwx/v3 from 3.0.13 to 3.1.0

[dependabot]

Bumps github.com/lestrrat-go/jwx/v3 from 3.0.13 to 3.1.0.

Release notes

Sourced from github.com/lestrrat-go/jwx/v3's releases.

v3.1.0

See Changes file for curated list of changes

What's Changed

• Appease linter by @​lestrrat in lestrrat-go/jwx#1543
• Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by @​dependabot[bot] in lestrrat-go/jwx#1538
• Bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in lestrrat-go/jwx#1542
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @​dependabot[bot] in lestrrat-go/jwx#1536
• Bump actions/cache from 5.0.1 to 5.0.2 by @​dependabot[bot] in lestrrat-go/jwx#1539
• Add AGENTS.md by @​lestrrat in lestrrat-go/jwx#1546
• exclude AGENTS.md by @​lestrrat in lestrrat-go/jwx#1548
• Bump actions/cache from 5.0.2 to 5.0.3 by @​dependabot[bot] in lestrrat-go/jwx#1545
• Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @​dependabot[bot] in lestrrat-go/jwx#1535
• Add symlink by @​lestrrat in lestrrat-go/jwx#1549
• Fix jwk.Cache worker issues by @​lestrrat in lestrrat-go/jwx#1552
• Exclude CLAUDE.md from autodoc by @​lestrrat in lestrrat-go/jwx#1555
• Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by @​dependabot[bot] in lestrrat-go/jwx#1561
• Bump actions/stale from 10.1.1 to 10.2.0 by @​dependabot[bot] in lestrrat-go/jwx#1559
• Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @​dependabot[bot] in lestrrat-go/jwx#1557
• Reduce allocations in concatkdf Read by @​lestrrat in lestrrat-go/jwx#1562
• Eliminate redundant lock acquisitions in LookupKeyID by @​lestrrat in lestrrat-go/jwx#1563
• Replace make+copy with bytes.Clone by @​lestrrat in lestrrat-go/jwx#1564
• Use base64.Encode instead of EncodeToString in JWS marshal by @​lestrrat in lestrrat-go/jwx#1565
• Cache keyalg/ctalg String() in JWE encrypt/decrypt by @​lestrrat in lestrrat-go/jwx#1566
• Inline ndata() in concatkdf New by @​lestrrat in lestrrat-go/jwx#1567
• Fix dependabot workflow by @​lestrrat in lestrrat-go/jwx#1574
• Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by @​dependabot[bot] in lestrrat-go/jwx#1568
• Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by @​dependabot[bot] in lestrrat-go/jwx#1570
• Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by @​dependabot[bot] in lestrrat-go/jwx#1571
• Bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in lestrrat-go/jwx#1573
• harden dependabot workflow by @​lestrrat in lestrrat-go/jwx#1575
• fix inverted rlocker condition in RSA key export by @​lestrrat in lestrrat-go/jwx#1576
• Fix jwe decrypt typo by @​lestrrat in lestrrat-go/jwx#1577
• Fix example naming by @​lestrrat in lestrrat-go/jwx#1578
• Chore remove unused blank assigns by @​lestrrat in lestrrat-go/jwx#1579
• add WhitelistError sentinel, use errors.Is in test by @​lestrrat in lestrrat-go/jwx#1581
• standardize error helpers in jws and jwe by @​lestrrat in lestrrat-go/jwx#1582
• add fuzz testing infrastructure for jwt/jws/jwe/jwk by @​lestrrat in lestrrat-go/jwx#1583
• fix flaky cache and jwt validation tests by @​lestrrat in lestrrat-go/jwx#1585
• add .claude/docs and pre-read rules to AGENTS.md by @​lestrrat in lestrrat-go/jwx#1584
• Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @​dependabot[bot] in lestrrat-go/jwx#1587
• Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by @​dependabot[bot] in lestrrat-go/jwx#1590
• Bump actions/cache from 5.0.3 to 5.0.4 by @​dependabot[bot] in lestrrat-go/jwx#1593
• Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by @​dependabot[bot] in lestrrat-go/jwx#1589
• Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by @​dependabot[bot] in lestrrat-go/jwx#1595
• use standard go deprecation markers in jws by @​lestrrat in lestrrat-go/jwx#1596
• fix probe field name in panic message by @​lestrrat in lestrrat-go/jwx#1597
• Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by @​dependabot[bot] in lestrrat-go/jwx#1599
• Bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in lestrrat-go/jwx#1600

... (truncated)

Changelog

Sourced from github.com/lestrrat-go/jwx/v3's changelog.

v3.1.0 19 Apr 2026

• [jwk] Add jwk.WithRejectDuplicateKID(bool) — when enabled, jwk.Parse / jwk.ParseReader / jwk.ParseString return an error if the input JWKS contains more than one key sharing the same non-empty kid. Usable as a jwk.Configure() global or a per-call override. Default behavior (first-match-wins) is unchanged.

• [jwk] Add jwk.WithMaxKeys(int) — caps the number of keys accepted by jwk.Parse / jwk.ParseReader / jwk.ParseString in both the JSON "keys" array and the PEM/X.509 block stream (default 1000). Usable as a jwk.Configure() global or a per-call override. Replaces the hardcoded internal PEM cap of the same value, so the default behavior is unchanged. Backport of the v4 amplification cap that mirrors jws.WithMaxSignatures and jwe.WithMaxRecipients.

• [jws] Add jws.WithDetachedPayloadReader(io.Reader) — a streaming variant of jws.WithDetachedPayload([]byte) that consumes the payload from an io.Reader instead of a byte slice, so the payload is never materialized in memory. It is a jws.Sign() / jws.Verify() option; the two remain the default entry points. Only HMAC/RSA/ECDSA algorithms are supported; EdDSA, custom-family algorithms, and algorithms registered via jws.RegisterSigner() / jws.RegisterVerifier() are rejected with a clear error pointing at jws.WithDetachedPayload(). On sign, multiple jws.WithKey() options combined with jws.WithJSON() produce a general-form multi-signature JWS (the payload is streamed once and fanned out to each signer). On verify, only single-signature JWS input is supported; jws.WithKeySet(), jws.WithKeyProvider(), and jws.WithVerifyAuto() are not accepted. (#1663)

• [jws] Add jws.Base64StreamEncoder — the stream-capable extension of jws.Base64Encoder. The default encoder and *base64.Encoding values supplied via jws.WithBase64Encoder() are auto-wrapped, so typical callers see no change. Custom encoders only need to implement this additional interface if they want to be usable with jws.WithDetachedPayloadReader(). (#1663)

• [jws] Fix jws.Sign with WithDetachedPayload + WithJSON to omit the "payload" member from the output per RFC 7515 Appendix F. Previously the payload was still emitted, producing non-detached JSON. (#1663)

• [jwk] BREAKING: jwk.PublicSetOf now returns an error when the input set contains a symmetric (oct) key. Previously, symmetric keys were silently passed through — which meant callers following the documented "publish my public JWKS" pattern could leak HMAC secret material. Callers who genuinely want the legacy pass-through behavior can opt in with jwk.WithAllowSymmetric(true). The signature is now variadic (PublicSetOf(v Set, options ...PublicSetOption)), so existing call sites compile unchanged. The minor version is bumped from v3.0.x →

... (truncated)

Commits

• 16e0548 Update Changes for v3.1.0
• 0785220 fix v3.1.0 changelog inaccuracies and add missing entries (#2037)
• 2813fac changes: add jwk.WithRejectDuplicateKID entry (#2033)
• 823811c Merge pull request #2015 from lestrrat-go/fix-v3-jwt-unsupported-timeclaim-error
• 0aeedda jwt: wrap unsupported-time-claim error as ValidateError
• 0693dfc Merge pull request #2029 from lestrrat-go/fix-v3-jwk-register-importer-doc
• d4cf6bf Merge pull request #2027 from lestrrat-go/fix-v3-jwk-reject-dup-kid
• 4f8e302 Merge pull request #2024 from lestrrat-go/fix-v3-jws-kid-precedence-doc
• e78871e Merge pull request #2017 from lestrrat-go/fix-v3-jwt-parserequest-format-string
• ff8b7d4 Merge pull request #2013 from lestrrat-go/fix-v3-jws-keyset-use-enc-error
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)