Bump the dependencies group across 1 directory with 3 updates

[dependabot]

Updates the requirements on jsonwebtoken, recrypt and reqwest to permit the latest version.
Updates jsonwebtoken to 10.3.0

Changelog

Sourced from jsonwebtoken's changelog.

10.3.0 (2026-01-27)

• Export everything needed to define your own CryptoProvider
• Fix type confusion with exp/nbf when not required

10.2.0 (2025-11-06)

• Remove Clone bound from decode functions

10.1.0 (2025-10-18)

• add dangerous::insecure_decode
• Implement TryFrom &Jwk for DecodingKey

10.0.0 (2025-09-29)

• BREAKING: now using traits for crypto backends, you have to choose between aws_lc_rs and rust_crypto
• Add Clone bound to decode
• Support decoding byte slices
• Support JWS

9.3.1 (2024-02-06)

• Update base64

9.3.0 (2024-03-12)

• Add Validation.reject_tokens_expiring_in_less_than, the opposite of leeway

9.2.0 (2023-12-01)

• Add an option to not validate aud in the Validation struct
• Get the current timestamp in wasm without using std
• Update ring to 0.17

9.1.0 (2023-10-21)

• Supports deserialization of unsupported algorithms for JWKs

9.0.0 (2023-10-16)

• Update ring
• Rejects JWTs containing audiences when the Validation doesn't contain any

8.3.0 (2023-03-15)

• Update base64
• Implement Clone for TokenData if T impls Clone

... (truncated)

Commits

• abbc307 Fix type confusion
• e99740d fix: bump minimal version requirements (#481)
• 50d15e0 Use try_sign to avoid panics (#479)
• 245858f Bump some dep
• 122c2ed Bump action number in CI
• 72e0c7f Expose cryptography backends via CryptoProvider (#452)
• 53a3fc2 Do not fail for clippy
• 3226cfc Prepare for release
• dfe58f9 Remove unnecessary Clone bounds from decode functions (#458)
• 9b3e19c Fix function names in README (#457)
• Additional commits viewable in compare view

Updates recrypt to 0.15.0

Changelog

Sourced from recrypt's changelog.

0.15.0

• [#193]
  • Update rand to 0.9.x
  • Update gridiron to 0.12.2 to support 64 bit optimization. Note that the 64 bit backend is the default. See feature flags section of the readme.
  • Change MSRV to Rust 1.88.0

0.14.1 (2024-12-05)

• [#190]
  • Fix performance regression with generating ed25519 keypairs introduced in 0.14.0.

0.14.0 (2024-12-03)

• [#184]
  • Switch from ed25519-dalek-fiat to ed25519-dalek.
  • Remove u64_backend and u32_backend features.
• [#184]
  • Change MSRV to Rust 1.70.0
• [#177]
  • Change MSRV to Rust 1.60.0
• [#175]
  • Change MSRV to Rust 1.57.0

0.13.1 (2021-11-29)

Public API changes

None

Notable internal changes

[#163](IronCoreLabs/recrypt-rs#163) Fix compilation error for certain combinations of transitive dependencies related to ed25519-dalek-fiat

0.13.0 (yanked)

Public API changes

• [#158] Change MSRV to Rust 1.56.0

Notable internal changes

• [#152] Remove dependency on arrayvec
• [#157] Depend on ed25519-dalek-fiat instead of ed25519-dalek
• [#157] Upgrade to rand 0.8
• [#157] Upgrade to rand_chacha 0.3
• [#157] Upgrade to gridiron 0.9
• [#158] Remove dependency on arrayref
• [#159] Relax dependency version requirements

... (truncated)

Commits

• See full diff in compare view

Updates reqwest to 0.12.28

Release notes

Sourced from reqwest's releases.

v0.12.28

What's Changed

• fix: correctly import TokioIo on Windows by @​seanmonstar in seanmonstar/reqwest#2896

Full Changelog: seanmonstar/reqwest@v0.12.27...v0.12.28

Changelog

Sourced from reqwest's changelog.

v0.12.28

• Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

• Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Piper.

v0.12.26

• Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

• Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
• Fix sending Proxy-Authorization if only username is configured.
• Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
• Refactor internal decompression handling to use tower-http.

v0.12.24

• Refactor cookie handling to an internal middleware.
• Refactor internal random generator.
• Refactor base64 encoding to reduce a copy.
• Documentation updates.

v0.12.23

• Add ClientBuilder::unix_socket(path) option that will force all requests over that Unix Domain Socket.
• Add ClientBuilder::retry(policy) and reqwest::retry::Builder to configure automatic retries.
• Add ClientBuilder::dns_resolver2() with more ergonomic argument bounds, allowing more resolver implementations.
• Add http3_* options to blocking::ClientBuilder.
• Fix default TCP timeout values to enabled and faster.
• Fix SOCKS proxies to default to port 1080
• (wasm) Add cache methods to RequestBuilder.

v0.12.22

• Fix socks proxies when resolving IPv6 destinations.

v0.12.21

• Fix socks proxy to use socks4a:// instead of socks4h://.
• Fix Error::is_timeout() to check for hyper and IO timeouts too.
• Fix request Error to again include URLs when possible.
• Fix socks connect error to include more context.
• (wasm) implement Default for Body.

v0.12.20

... (truncated)

Commits

• d978599 v0.12.28
• ef2768a fix: correctly import TokioIo on Windows (#2896)
• 1bf6441 v0.12.27
• 4967b1b feat: add windows_named_pipe() option to client builder (#2789)
• ef5b239 chore: Use http_body_util::BodyDataStream (#2892)
• a810004 chore: Disable unused tokio-util codec feature (#2893)
• 01f03a4 v0.12.26
• e908f57 fix(http3): correct compression defaults (#2890)
• 509c904 fix: disable default compression from tower-http if not enabled in reqwest (#...
• 896aaea deps: update cookie_store to 0.22 (#2886)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
jsonwebtoken	[>= 10.2.a, < 10.3]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[coltfred]

Note that recrypt isn't in this upgrade.

[giarc3]

It would be nice if we did the gridiron "you can only pick one" thing. But it doesn't have to be this PR

[coltfred]

It would be nice to have that for sure. When we bring recrypt up to version we can add both of them as you must have one or the other.