chore: Update jsonwebtoken to 9.0.3 to resolve jws HMAC vulnerability

[Copilot]

Problem

jsonwebtoken@9.0.2 depends on jws@3.2.2, which contains a HIGH severity vulnerability (GHSA-869p-cjfg-cm3x) in HMAC signature verification.

Changes

• Update jsonwebtoken dependency from ^9.0.2 to ^9.0.3

This resolves the transitive dependency:

jsonwebtoken@9.0.2 → jws@3.2.2 (vulnerable)
jsonwebtoken@9.0.3 → jws@4.0.1 (patched)

No API changes or breaking changes.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Security: jsonwebtoken dependency uses vulnerable jws@3.2.2</issue_title>
<issue_description>## Summary
The twilio package depends on jsonwebtoken@9.0.2 which in turn uses jws@3.2.2, which has a HIGH severity vulnerability (GHSA-869p-cjfg-cm3x) regarding improper HMAC signature verification.

Vulnerability Details

• Package: jws
• • Vulnerable versions: <3.2.3
• • • Patched versions: >=3.2.3
• • • • Advisory: GHSA-869p-cjfg-cm3x

Request

Please update jsonwebtoken to a version that uses jws@3.2.3 or later, or update the dependency chain to resolve this vulnerability.

Current Path

`twilio@5.11.1 </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Security: jsonwebtoken dependency uses vulnerable jws@3.2.2 #1165

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud