deps(rust): update jsonwebtoken requirement from 9.3 to 10.3 in /apps/core

[dependabot]

Updates the requirements on jsonwebtoken to permit the latest version.

Changelog

Sourced from jsonwebtoken's changelog.

10.3.0 (2026-01-27)

• Export everything needed to define your own CryptoProvider
• Fix type confusion with exp/nbf when not required

10.2.0 (2025-11-06)

• Remove Clone bound from decode functions

10.1.0 (2025-10-18)

• add dangerous::insecure_decode
• Implement TryFrom &Jwk for DecodingKey

10.0.0 (2025-09-29)

• BREAKING: now using traits for crypto backends, you have to choose between aws_lc_rs and rust_crypto
• Add Clone bound to decode
• Support decoding byte slices
• Support JWS

9.3.1 (2024-02-06)

• Update base64

9.3.0 (2024-03-12)

• Add Validation.reject_tokens_expiring_in_less_than, the opposite of leeway

9.2.0 (2023-12-01)

• Add an option to not validate aud in the Validation struct
• Get the current timestamp in wasm without using std
• Update ring to 0.17

9.1.0 (2023-10-21)

• Supports deserialization of unsupported algorithms for JWKs

9.0.0 (2023-10-16)

• Update ring
• Rejects JWTs containing audiences when the Validation doesn't contain any

8.3.0 (2023-03-15)

• Update base64
• Implement Clone for TokenData if T impls Clone

... (truncated)

Commits

• abbc307 Fix type confusion
• e99740d fix: bump minimal version requirements (#481)
• 50d15e0 Use try_sign to avoid panics (#479)
• 245858f Bump some dep
• 122c2ed Bump action number in CI
• 72e0c7f Expose cryptography backends via CryptoProvider (#452)
• 53a3fc2 Do not fail for clippy
• 3226cfc Prepare for release
• dfe58f9 Remove unnecessary Clone bounds from decode functions (#458)
• 9b3e19c Fix function names in README (#457)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[decebal]

🤖 Dependency Update Adoption Status

Status: ⚠️ REQUIRES CODE CHANGES

Analysis

• Dependency: jsonwebtoken 9.3 → 10.3
• Type: Major version update (Rust crate)
• CI Status: Failing - Rust Quality Gates

Breaking Changes in jsonwebtoken 10.x

The jsonwebtoken crate v10 includes breaking API changes:

• New validation configuration API
• Changes to error types
• Modified token encoding/decoding signatures

Recommendation

This update requires code modifications to adapt to the new API. The migration is worthwhile for:

• Security improvements
• Better error handling
• Performance enhancements

Action:

1. Review the jsonwebtoken changelog
2. Update JWT-related code in apps/core to use the new API
3. Ensure all auth tests pass after migration

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.