Bump jsonwebtoken and twilio

[dependabot]

Bumps jsonwebtoken to 9.0.3 and updates ancestor dependency twilio. These dependencies need to be updated together.

Updates jsonwebtoken from 8.5.1 to 9.0.3

Changelog

Sourced from jsonwebtoken's changelog.

9.0.3 - 2025-12-04

• updates jws version to 4.0.1.

9.0.2 - 2023-08-30

• security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
• refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

• fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Commits

• ed59e76 chore: bump jws to 4.0.1 (#1007)
• bc28861 Release 9.0.2 (#935)
• 96b8906 refactor: use specific lodash packages (#933)
• ed35062 security: Updating semver to 7.5.4 to resolve CVE-2022-25883 (#932)
• 84539b2 Updating package version to 9.0.1 (#920)
• a99fd4b fix(stubs): allow decode method to be stubbed (#876)
• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Updates twilio from 3.84.1 to 5.13.1

Release notes

Sourced from twilio's releases.

5.13.1

Release Notes

Data-ingress

• API Changes

• 2026-03-23

• Added stage-us1 to supportedRealms for all endpoints

• 2026-03-20

• Content updates:
• Removed estimatedCompletionTime from LongRunningOperationResponse
• Moved operationId from LongRunningOperationResponse to headers

• 2026-03-18

• Added 1 new path(s):
• /v1/ControlPlane/Operations/{OperationId} (GetControlPlaneOperationStatus)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-05

• Initial release with 10 paths and 22 operations

Memory

• 2026-03-19

• Added 1 new path(s):
• /v1/ControlPlane/Operations/{operationId} (FetchOperation)

• 2026-03-11

• Minor updates (formatting, metadata)

Docs

5.13.0

Release Notes

Library - Feature

• [PR #1182](twilio/twilio-node#1182): Update README.md. Thanks to @​manisha1997!

Library - Fix

• [PR #1178](twilio/twilio-node#1178): upgrade axios to ^1.13.5 to remediate CVE-2026-25639. Thanks to @​Copilot!
• [PR #1173](twilio/twilio-node#1173): Security upgrade eslint from 8.57.1 to 10.0.0. Thanks to @​twilio-product-security!

Library - Chore

• [PR #1172](twilio/twilio-node#1172): Update jsonwebtoken to 9.0.3 to resolve jws HMAC vulnerability. Thanks to @​Copilot!

... (truncated)

Changelog

Sourced from twilio's changelog.

[2026-03-24] Version 5.13.1

Data-ingress

• API Changes

• 2026-03-23

• Added stage-us1 to supportedRealms for all endpoints

• 2026-03-20

• Content updates:
• Removed estimatedCompletionTime from LongRunningOperationResponse
• Moved operationId from LongRunningOperationResponse to headers

• 2026-03-18

• Added 1 new path(s):
• /v1/ControlPlane/Operations/{OperationId} (GetControlPlaneOperationStatus)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-11

• Minor updates (formatting, metadata)

• 2026-03-05

• Initial release with 10 paths and 22 operations

Memory

• 2026-03-19

• Added 1 new path(s):
• /v1/ControlPlane/Operations/{operationId} (FetchOperation)

• 2026-03-11

• Minor updates (formatting, metadata)

[2026-03-12] Version 5.13.0

Library - Feature

• [PR #1182](twilio/twilio-node#1182): Update README.md. Thanks to @​manisha1997!

Library - Fix

• [PR #1178](twilio/twilio-node#1178): upgrade axios to ^1.13.5 to remediate CVE-2026-25639. Thanks to @​Copilot!
• [PR #1173](twilio/twilio-node#1173): Security upgrade eslint from 8.57.1 to 10.0.0. Thanks to @​twilio-product-security!

Library - Chore

• [PR #1172](twilio/twilio-node#1172): Update jsonwebtoken to 9.0.3 to resolve jws HMAC vulnerability. Thanks to @​Copilot!

Twiml

• Rename recording_configuration to recording_configuration_id attribute in <Conference>, <Dial>, <Record> verbs and <Recording> noun

Ace

... (truncated)

Upgrade guide

Sourced from twilio's upgrade guide.

Upgrade Guide

All MAJOR version bumps will have upgrade notes posted here.

[2024-03-07] 4.x.x to 5.x.x

---

Overview

Twilio Node Helper Library’s major version 5.0.0 is now available. We ensured that you can upgrade to Node helper Library 5.0.0 version without any breaking changes of existing apis

Behind the scenes Node Helper is now auto-generated via OpenAPI with this release. This enables us to rapidly add new features and enhance consistency across versions and languages. We're pleased to inform you that version 5.0.0 adds support for the application/json content type in the request body.

[2023-01-25] 3.x.x to 4.x.x

---

• Supported Node.js versions updated
  • Upgrade to Node.js >= 14
  • Dropped support for Node.js < 14 (#791)
  • Added support for Node.js 18 (#794)
• Lazy loading enabled by default (#752)
  • Required Twilio modules now lazy load by default
  • See the README for how to disable lazy loading
• Type changes from object to Record (#873)
  • Certain response properties now use the Record type with string keys
  • Including the subresourceUris property for v2010 APIs and the links properties for non-v2010 APIs
• Access Tokens
  • Creating an AccessToken requires an identity in the options (#875)
  • ConversationsGrant has been deprecated in favor of VoiceGrant (#783)
  • IpMessagingGrant has been removed (#784)
• TwiML function deprecations (#788)
  • <Refer>
    • Refer.referSip() replaced by Refer.sip()
  • <Say>

    • Say.ssmlBreak() and Say.break_() replaced by Say.break()

    • Say.ssmlEmphasis() replaced by Say.emphasis()

    • Say.ssmlLang() replaced by Say.lang()

    • Say.ssmlP() replaced by Say.p()

    • Say.ssmlPhoneme() replaced by Say.phoneme()

    • Say.ssmlProsody() replaced by Say.prosody()

    • Say.ssmlS() replaced by Say.s()

    • Say.ssmlSayAs() replaced by Say.sayAs()

    • Say.ssmlSub() replaced by Say.sub()

    • Say.ssmlW() replaced by Say.w()

      Old:

... (truncated)

Commits

• 462c49d Release 5.13.1
• 764868e [Librarian] Regenerated @ 6e3b90a45885c596ade6b11ff7100254b15c9403 c02f66cc96...
• 09d043a Release 5.13.0
• 71daa15 [Librarian] Regenerated @ 6e3b90a45885c596ade6b11ff7100254b15c9403 b84ee26554...
• 0eeae79 feat: Update README.md (#1182)
• 04763df fix: upgrade axios to ^1.13.5 to remediate CVE-2026-25639 (#1178)
• 18afb56 fix: package.json to reduce vulnerabilities (#1173)
• 9b11787 chore: Update jsonwebtoken to 9.0.3 to resolve jws HMAC vulnerability (#1172)
• ae6d33f Release 5.12.2
• 13d8e53 [Librarian] Regenerated @ b71b4c3e1a369dfb33fc0093ed77cf8197b688e1 1ec6a52af6...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for twilio since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.