Bump github.com/MicahParks/jwkset from 0.5.17 to 0.6.0

[dependabot]

Bumps github.com/MicahParks/jwkset from 0.5.17 to 0.6.0.

Release notes

Sourced from github.com/MicahParks/jwkset's releases.

v0.6.0

The purpose of this release is to fix a bug pointed out by @​rohitkoul in MicahParks/jwkset#7. There is a bug in the refresh goroutine related to key replacement.

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Regardless of this bug, please note that removing a key from a JWK Set does not equate to instant revocation for most use cases as it takes time for JWK Set updates to propagate to all clients.

Relevant issues:

• MicahParks/jwkset#40

Relevant pull requests:

• MicahParks/jwkset#41

Commits

• 01db49a HTTP client only overwrites and appends JWK to local cache during refresh (#41)
• ce57ded Update go.mod
• 3435757 Update website deps
• 9a9c935 Expose ValidateOptions in HTTPClientStorageOptions (#38)
• 0a74b02 Update website deps
• d5640eb Improve certificate thumbprint check (#37)
• 0077150 Add ca certs back into Docker image (#35)
• 17cffe8 Makes the final image more secure (#34)
• c725950 fix return of httpStorage in NewStorageFromHTTP (#30)
• ecea66a Update website deps
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.